public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Rebase to upstream version 3.0.8
Date: Tue, 09 Jun 2026 12:45:08 GMT [thread overview]
Message-ID: <178100910834.1.12115275563857196485.rpms-openssl-194ef7464a4a@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 194ef7464a4a825d24ffce8fb260dd79f95105d7
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2023-02-09T17:57:19+01:00
Stats : +32/-763 in 14 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/194ef7464a4a825d24ffce8fb260dd79f95105d7?branch=rebase_40beta
Log:
Rebase to upstream version 3.0.8
Resolves: CVE-2022-4203
Resolves: CVE-2022-4304
Resolves: CVE-2022-4450
Resolves: CVE-2023-0215
Resolves: CVE-2023-0216
Resolves: CVE-2023-0217
Resolves: CVE-2023-0286
Resolves: CVE-2023-0401
---
diff --git a/.gitignore b/.gitignore
index 54863fe..58e071b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,3 +56,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.0.3-hobbled.tar.gz
/openssl-3.0.5-hobbled.tar.xz
/openssl-3.0.7-hobbled.tar.gz
+/openssl-3.0.8-hobbled.tar.gz
diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
index 7a97dee..18ff59c 100644
--- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@@ -272,9 +272,9 @@ index 404a706fab..e81fa9ec3e 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION:
- EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
+ OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
--
2.26.2
diff --git a/0009-Add-Kernel-FIPS-mode-flag-support.patch b/0009-Add-Kernel-FIPS-mode-flag-support.patch
index 30ff325..50c3343 100644
--- a/0009-Add-Kernel-FIPS-mode-flag-support.patch
+++ b/0009-Add-Kernel-FIPS-mode-flag-support.patch
@@ -2,8 +2,8 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1
--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100
+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100
@@ -12,11 +12,46 @@
- #include "internal/provider.h"
#include "crypto/ctype.h"
+ #include "crypto/rand.h"
+# include <sys/types.h>
+# include <sys/stat.h>
diff --git a/0034.fipsinstall_disable.patch b/0034.fipsinstall_disable.patch
index c4f9efd..ab9d460 100644
--- a/0034.fipsinstall_disable.patch
+++ b/0034.fipsinstall_disable.patch
@@ -148,7 +148,7 @@ diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
+for more information.
- =head1 COPYRIGHT
+ =head1 HISTORY
diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
diff --git a/0049-Allow-disabling-of-SHA1-signatures.patch b/0049-Allow-disabling-of-SHA1-signatures.patch
index 216c527..7485b95 100644
--- a/0049-Allow-disabling-of-SHA1-signatures.patch
+++ b/0049-Allow-disabling-of-SHA1-signatures.patch
@@ -493,8 +493,8 @@ index 10b4e57d79..2d3c363bb0 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5426,3 +5426,5 @@ ASN1_item_d2i_ex 5552 3_0_0 EXIST::FUNCTION:
- OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
+ OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch
index 8a005e6..da64805 100644
--- a/0056-strcasecmp.patch
+++ b/0056-strcasecmp.patch
@@ -2,9 +2,9 @@ diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.nu
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex
- EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
+ OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
diff --git a/0058-FIPS-limit-rsa-encrypt.patch b/0058-FIPS-limit-rsa-encrypt.patch
index 6dcf7c0..5f13cc1 100644
--- a/0058-FIPS-limit-rsa-encrypt.patch
+++ b/0058-FIPS-limit-rsa-encrypt.patch
@@ -136,7 +136,7 @@ diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad openssl-3.0.1/t
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen 2022-06-16 14:26:19.383530498 +0200
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2022-06-16 14:39:53.637777701 +0200
-@@ -263,12 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
+@@ -263,13 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# RSA decrypt
@@ -147,6 +147,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
Output = "Hello World"
# Corrupted ciphertext
+-FIPSversion = <3.2.0
+Availablein = default
Decrypt = RSA-2048
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
diff --git a/0082-Propagate-selection-all-the-way-on-key-export.patch b/0082-Propagate-selection-all-the-way-on-key-export.patch
deleted file mode 100644
index d09fc63..0000000
--- a/0082-Propagate-selection-all-the-way-on-key-export.patch
+++ /dev/null
@@ -1,221 +0,0 @@
-From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Thu, 10 Nov 2022 10:46:32 -0500
-Subject: [PATCH 1/3] Propagate selection all the way on key export
-
-EVP_PKEY_eq() is used to check, among other things, if a certificate
-public key corresponds to a private key. When the private key belongs to
-a provider that does not allow to export private keys this currently
-fails as the internal functions used to import/export keys ignored the
-selection given (which specifies that only the public key needs to be
-considered) and instead tries to export everything.
-
-This patch allows to propagate the selection all the way down including
-adding it in the cache so that a following operation actually looking
-for other selection parameters does not mistakenly pick up an export
-containing only partial information.
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/19648)
-
-diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
-index b06730dc7a..2d0238ee27 100644
---- a/crypto/evp/keymgmt_lib.c
-+++ b/crypto/evp/keymgmt_lib.c
-@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
- export_cb, export_cbarg);
- }
-
--void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
-+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
-+ int selection)
- {
- struct evp_keymgmt_util_try_import_data_st import_data;
- OP_CACHE_ELEM *op;
-@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
- */
- if (pk->dirty_cnt == pk->dirty_cnt_copy) {
- /* If this key is already exported to |keymgmt|, no more to do */
-- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
-+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
- if (op != NULL && op->keymgmt != NULL) {
- void *ret = op->keydata;
-
-@@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
- /* Setup for the export callback */
- import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */
- import_data.keymgmt = keymgmt;
-- import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
-+ import_data.selection = selection;
-
- /*
- * The export function calls the callback (evp_keymgmt_util_try_import),
- * which does the import for us. If successful, we're done.
- */
-- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL,
-+ if (!evp_keymgmt_util_export(pk, selection,
- &evp_keymgmt_util_try_import, &import_data))
- /* If there was an error, bail out */
- return NULL;
-@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
- return NULL;
- }
- /* Check to make sure some other thread didn't get there first */
-- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
-+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
- if (op != NULL && op->keydata != NULL) {
- void *ret = op->keydata;
-
-@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
- evp_keymgmt_util_clear_operation_cache(pk, 0);
-
- /* Add the new export to the operation cache */
-- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) {
-+ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata,
-+ selection)) {
- CRYPTO_THREAD_unlock(pk->lock);
- evp_keymgmt_freedata(keymgmt, import_data.keydata);
- return NULL;
-@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking)
- }
-
- OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
-- EVP_KEYMGMT *keymgmt)
-+ EVP_KEYMGMT *keymgmt,
-+ int selection)
- {
- int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache);
- OP_CACHE_ELEM *p;
-@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
- */
- for (i = 0; i < end; i++) {
- p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
-- if (keymgmt == p->keymgmt)
-+ if (keymgmt == p->keymgmt && (p->selection & selection) == selection)
- return p;
- }
- return NULL;
- }
-
--int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
-- EVP_KEYMGMT *keymgmt, void *keydata)
-+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
-+ void *keydata, int selection)
- {
- OP_CACHE_ELEM *p = NULL;
-
-@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
- return 0;
- p->keydata = keydata;
- p->keymgmt = keymgmt;
-+ p->selection = selection;
-
- if (!EVP_KEYMGMT_up_ref(keymgmt)) {
- OPENSSL_free(p);
-@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
- ok = 1;
- if (keydata1 != NULL) {
- tmp_keydata =
-- evp_keymgmt_util_export_to_provider(pk1, keymgmt2);
-+ evp_keymgmt_util_export_to_provider(pk1, keymgmt2,
-+ selection);
- ok = (tmp_keydata != NULL);
- }
- if (ok) {
-@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
- ok = 1;
- if (keydata2 != NULL) {
- tmp_keydata =
-- evp_keymgmt_util_export_to_provider(pk2, keymgmt1);
-+ evp_keymgmt_util_export_to_provider(pk2, keymgmt1,
-+ selection);
- ok = (tmp_keydata != NULL);
- }
- if (ok) {
-diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
-index 70d17ec37e..905e9c9ce4 100644
---- a/crypto/evp/p_lib.c
-+++ b/crypto/evp/p_lib.c
-@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
- {
- EVP_KEYMGMT *allocated_keymgmt = NULL;
- EVP_KEYMGMT *tmp_keymgmt = NULL;
-+ int selection = OSSL_KEYMGMT_SELECT_ALL;
- void *keydata = NULL;
- int check;
-
-@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
- if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
- if (!CRYPTO_THREAD_read_lock(pk->lock))
- goto end;
-- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
-+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt,
-+ selection);
-
- /*
- * If |tmp_keymgmt| is present in the operation cache, it means
-@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
- EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
-
- /* Check to make sure some other thread didn't get there first */
-- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
-+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection);
- if (op != NULL && op->keymgmt != NULL) {
- void *tmp_keydata = op->keydata;
-
-@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
- }
-
- /* Add the new export to the operation cache */
-- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) {
-+ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata,
-+ selection)) {
- CRYPTO_THREAD_unlock(pk->lock);
- evp_keymgmt_freedata(tmp_keymgmt, keydata);
- keydata = NULL;
-@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
- }
- #endif /* FIPS_MODULE */
-
-- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
-+ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection);
-
- end:
- /*
-diff --git a/include/crypto/evp.h b/include/crypto/evp.h
-index f601b72807..dbbdcccbda 100644
---- a/include/crypto/evp.h
-+++ b/include/crypto/evp.h
-@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
- typedef struct {
- EVP_KEYMGMT *keymgmt;
- void *keydata;
-+ int selection;
- } OP_CACHE_ELEM;
-
- DEFINE_STACK_OF(OP_CACHE_ELEM)
-@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata);
-
- int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
- OSSL_CALLBACK *export_cb, void *export_cbarg);
--void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
-+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
-+ int selection);
- OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
-- EVP_KEYMGMT *keymgmt);
-+ EVP_KEYMGMT *keymgmt,
-+ int selection);
- int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
--int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
-- EVP_KEYMGMT *keymgmt, void *keydata);
-+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
-+ void *keydata, int selection);
- void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
- void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
- int selection, const OSSL_PARAM params[]);
---
-2.38.1
-
diff --git a/0083-Update-documentation-for-keymgmt-export-utils.patch b/0083-Update-documentation-for-keymgmt-export-utils.patch
deleted file mode 100644
index 9639360..0000000
--- a/0083-Update-documentation-for-keymgmt-export-utils.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Thu, 10 Nov 2022 16:58:28 -0500
-Subject: [PATCH 2/3] Update documentation for keymgmt export utils
-
-Change function prototypes and explain how to use the selection
-argument.
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/19648)
-
-diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
-index 1fee9f6ff9..7099e44964 100644
---- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
-+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
-@@ -20,12 +20,14 @@ OP_CACHE_ELEM
-
- int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
- OSSL_CALLBACK *export_cb, void *export_cbarg);
-- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
-+ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
-+ int selection);
- OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
-- EVP_KEYMGMT *keymgmt);
-+ EVP_KEYMGMT *keymgmt,
-+ int selection);
- int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
-- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
-- EVP_KEYMGMT *keymgmt, void *keydata);
-+ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
-+ void *keydata, int selection);
- void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
- void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
- int selection, const OSSL_PARAM params[]);
-@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a
- given key I<target> via a B<EVP_KEYMGMT> interface. This is used as a
- helper for L<EVP_PKEY_fromdata(3)>.
-
-+In all functions that take a I<selection> argument, the selection is used to
-+constraint the information requested on export. It is also used in the cache
-+so that key data is guaranteed to contain all the information requested in
-+the selection.
-+
- =head1 RETURN VALUES
-
- evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata()
---
-2.38.1
-
diff --git a/0084-Add-test-for-EVP_PKEY_eq.patch b/0084-Add-test-for-EVP_PKEY_eq.patch
deleted file mode 100644
index 06a3bae..0000000
--- a/0084-Add-test-for-EVP_PKEY_eq.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Fri, 11 Nov 2022 12:18:26 -0500
-Subject: [PATCH 3/3] Add test for EVP_PKEY_eq
-
-This tests that the comparison work even if a provider can only return
-a public key.
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/19648)
-
-diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
-index d556551bb6..5e92e72d4b 100644
---- a/test/fake_rsaprov.c
-+++ b/test/fake_rsaprov.c
-@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has;
- static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query;
- static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import;
- static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes;
-+static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export;
-+static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes;
- static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load;
-
- static int has_selection;
- static int imptypes_selection;
-+static int exptypes_selection;
- static int query_id;
-
-+struct fake_rsa_keydata {
-+ int selection;
-+ int status;
-+};
-+
- static void *fake_rsa_keymgmt_new(void *provctx)
- {
-- unsigned char *keydata = OPENSSL_zalloc(1);
-+ struct fake_rsa_keydata *key;
-
-- TEST_ptr(keydata);
-+ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata))))
-+ return NULL;
-
- /* clear test globals */
- has_selection = 0;
- imptypes_selection = 0;
-+ exptypes_selection = 0;
- query_id = 0;
-
-- return keydata;
-+ return key;
- }
-
- static void fake_rsa_keymgmt_free(void *keydata)
-@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id)
- static int fake_rsa_keymgmt_import(void *keydata, int selection,
- const OSSL_PARAM *p)
- {
-- unsigned char *fake_rsa_key = keydata;
-+ struct fake_rsa_keydata *fake_rsa_key = keydata;
-
- /* key was imported */
-- *fake_rsa_key = 1;
-+ fake_rsa_key->status = 1;
-
- return 1;
- }
-
-+static unsigned char fake_rsa_n[] =
-+ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
-+ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
-+ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
-+ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
-+ "\xF5";
-+
-+static unsigned char fake_rsa_e[] = "\x11";
-+
-+static unsigned char fake_rsa_d[] =
-+ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
-+ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
-+ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
-+ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
-+
-+static unsigned char fake_rsa_p[] =
-+ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
-+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
-+ "\x0D";
-+
-+static unsigned char fake_rsa_q[] =
-+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
-+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
-+ "\x89";
-+
-+static unsigned char fake_rsa_dmp1[] =
-+ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
-+ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
-+
-+static unsigned char fake_rsa_dmq1[] =
-+ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
-+ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
-+ "\x51";
-+
-+static unsigned char fake_rsa_iqmp[] =
-+ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
-+ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
-+
-+OSSL_PARAM *fake_rsa_key_params(int priv)
-+{
-+ if (priv) {
-+ OSSL_PARAM params[] = {
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
-+ sizeof(fake_rsa_n) -1),
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
-+ sizeof(fake_rsa_e) -1),
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d,
-+ sizeof(fake_rsa_d) -1),
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p,
-+ sizeof(fake_rsa_p) -1),
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q,
-+ sizeof(fake_rsa_q) -1),
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1,
-+ sizeof(fake_rsa_dmp1) -1),
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1,
-+ sizeof(fake_rsa_dmq1) -1),
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp,
-+ sizeof(fake_rsa_iqmp) -1),
-+ OSSL_PARAM_END
-+ };
-+ return OSSL_PARAM_dup(params);
-+ } else {
-+ OSSL_PARAM params[] = {
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
-+ sizeof(fake_rsa_n) -1),
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
-+ sizeof(fake_rsa_e) -1),
-+ OSSL_PARAM_END
-+ };
-+ return OSSL_PARAM_dup(params);
-+ }
-+}
-+
-+static int fake_rsa_keymgmt_export(void *keydata, int selection,
-+ OSSL_CALLBACK *param_callback, void *cbarg)
-+{
-+ OSSL_PARAM *params = NULL;
-+ int ret;
-+
-+ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
-+ return 0;
-+
-+ if (!TEST_ptr(params = fake_rsa_key_params(0)))
-+ return 0;
-+
-+ ret = param_callback(params, cbarg);
-+ OSSL_PARAM_free(params);
-+ return ret;
-+}
-+
- static const OSSL_PARAM fake_rsa_import_key_types[] = {
- OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
- OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
-@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection)
- return fake_rsa_import_key_types;
- }
-
-+static const OSSL_PARAM fake_rsa_export_key_types[] = {
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
-+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
-+ OSSL_PARAM_END
-+};
-+
-+static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection)
-+{
-+ /* record global for checking */
-+ exptypes_selection = selection;
-+
-+ return fake_rsa_export_key_types;
-+}
-+
- static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz)
- {
-- unsigned char *key = NULL;
-+ struct fake_rsa_keydata *key = NULL;
-
-- if (reference_sz != sizeof(key))
-+ if (reference_sz != sizeof(*key))
- return NULL;
-
-- key = *(unsigned char **)reference;
-- if (*key != 1)
-+ key = *(struct fake_rsa_keydata **)reference;
-+ if (key->status != 1)
- return NULL;
-
- /* detach the reference */
-- *(unsigned char **)reference = NULL;
-+ *(struct fake_rsa_keydata **)reference = NULL;
-
- return key;
- }
-@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
- {
- unsigned char *gctx = genctx;
- static const unsigned char inited[] = { 1 };
-- unsigned char *keydata;
-+ struct fake_rsa_keydata *keydata;
-
- if (!TEST_ptr(gctx)
- || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited)))
-@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
- if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL)))
- return NULL;
-
-- *keydata = 2;
-+ keydata->status = 2;
- return keydata;
- }
-
-@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = {
- { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import },
- { OSSL_FUNC_KEYMGMT_IMPORT_TYPES,
- (void (*)(void))fake_rsa_keymgmt_imptypes },
-+ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export },
-+ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,
-+ (void (*)(void))fake_rsa_keymgmt_exptypes },
- { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load },
- { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init },
- { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen },
-@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey,
- const OSSL_PARAM params[])
- {
- unsigned char *sigctx = ctx;
-- unsigned char *keydata = provkey;
-+ struct fake_rsa_keydata *keydata = provkey;
-
- /* we must have a ctx */
- if (!TEST_ptr(sigctx))
- return 0;
-
- /* we must have some initialized key */
-- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0))
-+ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0))
- return 0;
-
- /* record that sign init was called */
-@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx,
- unsigned char *storectx = loaderctx;
- OSSL_PARAM params[4];
- int object_type = OSSL_OBJECT_PKEY;
-- void *key = NULL;
-+ struct fake_rsa_keydata *key = NULL;
- int rv = 0;
-
- switch (*storectx) {
-@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx,
- /* The address of the key becomes the octet string */
- params[2] =
- OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
-- &key, sizeof(key));
-+ &key, sizeof(*key));
- params[3] = OSSL_PARAM_construct_end();
- rv = object_cb(params, object_cbarg);
- *storectx = 1;
-diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h
-index 57de1ecf8d..190c46a285 100644
---- a/test/fake_rsaprov.h
-+++ b/test/fake_rsaprov.h
-@@ -12,3 +12,4 @@
- /* Fake RSA provider implementation */
- OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx);
- void fake_rsa_finish(OSSL_PROVIDER *p);
-+OSSL_PARAM *fake_rsa_key_params(int priv);
-diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
-index 5c398398f4..3b190baa5e 100644
---- a/test/provider_pkey_test.c
-+++ b/test/provider_pkey_test.c
-@@ -176,6 +176,67 @@ end:
- return ret;
- }
-
-+static int test_pkey_eq(void)
-+{
-+ OSSL_PROVIDER *deflt = NULL;
-+ OSSL_PROVIDER *fake_rsa = NULL;
-+ EVP_PKEY *pkey_fake = NULL;
-+ EVP_PKEY *pkey_dflt = NULL;
-+ EVP_PKEY_CTX *ctx = NULL;
-+ OSSL_PARAM *params = NULL;
-+ int ret = 0;
-+
-+ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
-+ return 0;
-+
-+ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
-+ goto end;
-+
-+ /* Construct a public key for fake-rsa */
-+ if (!TEST_ptr(params = fake_rsa_key_params(0))
-+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
-+ "provider=fake-rsa"))
-+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
-+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
-+ params))
-+ || !TEST_ptr(pkey_fake))
-+ goto end;
-+
-+ EVP_PKEY_CTX_free(ctx);
-+ ctx = NULL;
-+ OSSL_PARAM_free(params);
-+ params = NULL;
-+
-+ /* Construct a public key for default */
-+ if (!TEST_ptr(params = fake_rsa_key_params(0))
-+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
-+ "provider=default"))
-+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
-+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
-+ params))
-+ || !TEST_ptr(pkey_dflt))
-+ goto end;
-+
-+ EVP_PKEY_CTX_free(ctx);
-+ ctx = NULL;
-+ OSSL_PARAM_free(params);
-+ params = NULL;
-+
-+ /* now test for equality */
-+ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
-+ goto end;
-+
-+ ret = 1;
-+end:
-+ fake_rsa_finish(fake_rsa);
-+ OSSL_PROVIDER_unload(deflt);
-+ EVP_PKEY_CTX_free(ctx);
-+ EVP_PKEY_free(pkey_fake);
-+ EVP_PKEY_free(pkey_dflt);
-+ OSSL_PARAM_free(params);
-+ return ret;
-+}
-+
- static int test_pkey_store(int idx)
- {
- OSSL_PROVIDER *deflt = NULL;
-@@ -235,6 +296,7 @@ int setup_tests(void)
-
- ADD_TEST(test_pkey_sig);
- ADD_TEST(test_alternative_keygen_init);
-+ ADD_TEST(test_pkey_eq);
- ADD_ALL_TESTS(test_pkey_store, 2);
-
- return 1;
---
-2.38.1
-
diff --git a/0085-Drop-explicit-check-for-engines-in-opt_legacy_okay.patch b/0085-Drop-explicit-check-for-engines-in-opt_legacy_okay.patch
deleted file mode 100644
index 57a0919..0000000
--- a/0085-Drop-explicit-check-for-engines-in-opt_legacy_okay.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Mon, 14 Nov 2022 10:25:15 -0500
-Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
-
-The providers indication should always indicate that this is not a
-legacy request.
-This makes a check for engines redundant as the default return is that
-legacy is ok if there are no explicit providers.
-
-Fixes #19662
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/19671)
----
- apps/lib/apps.c | 8 --------
- test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
- 2 files changed, 23 insertions(+), 8 deletions(-)
- create mode 100755 test/recipes/20-test_legacy_okay.t
-
-diff --git a/apps/lib/apps.c b/apps/lib/apps.c
-index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
---- a/apps/lib/apps.c
-+++ b/apps/lib/apps.c
-@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
- {
- int provider_options = opt_provider_option_given();
- int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
--#ifndef OPENSSL_NO_ENGINE
-- ENGINE *e = ENGINE_get_first();
--
-- if (e != NULL) {
-- ENGINE_free(e);
-- return 1;
-- }
--#endif
- /*
- * Having a provider option specified or a custom library context or
- * property query, is a sure sign we're not using legacy.
-diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
-new file mode 100755
-index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
---- /dev/null
-+++ b/test/recipes/20-test_legacy_okay.t
-@@ -0,0 +1,23 @@
-+#! /usr/bin/env perl
-+# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use warnings;
-+
-+use OpenSSL::Test;
-+
-+setup("test_legacy");
-+
-+plan tests => 3;
-+
-+ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
-+
-+ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
-+
-+ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
-+ 'rand.txt'])), "Fail to generate a digest");
---
-2.38.1
-
diff --git a/0100-RSA-PKCS15-implicit-rejection.patch b/0100-RSA-PKCS15-implicit-rejection.patch
index 56c460d..40b8078 100644
--- a/0100-RSA-PKCS15-implicit-rejection.patch
+++ b/0100-RSA-PKCS15-implicit-rejection.patch
@@ -104,9 +104,9 @@ index 54e2a1c61ca..094a6632b66 100644
/* make data into a big number */
if (BN_bin2bn(from, (int)flen, f) == NULL)
goto err;
-@@ -471,14 +490,92 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
- goto err;
+@@ -471,6 +490,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+ BN_free(d);
+ }
+ /*
+ * derive the Key Derivation Key from private exponent and public
@@ -183,9 +183,11 @@ index 54e2a1c61ca..094a6632b66 100644
+ }
+ }
+
- j = BN_bn2binpad(ret, buf, num);
- if (j < 0)
- goto err;
+ if (blinding) {
+ /*
+ * ossl_bn_rsa_do_unblind() combines blinding inversion and
+@@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+ }
switch (padding) {
- case RSA_PKCS1_PADDING:
@@ -698,8 +700,8 @@ index ac3f6271969..cb770c9e857 100644
--- a/doc/man7/provider-asym_cipher.pod
+++ b/doc/man7/provider-asym_cipher.pod
@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client.
- The negotiated TLS protocol version. See
- B<RSA_PKCS1_WITH_TLS_PADDING> on the page L<EVP_PKEY_CTX_set_rsa_padding(3)>.
+
+ The negotiated TLS protocol version.
+=item "implicit-rejection" (B<OSSL_PKEY_PARAM_IMPLICIT_REJECTION>) <unsigned integer>
+
diff --git a/openssl.spec b/openssl.spec
index 38abc51..1f38342 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 3.0.7
-Release: 4%{?dist}
+Version: 3.0.8
+Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -71,12 +71,6 @@ Patch11: 0011-Remove-EC-curves.patch
# Disable explicit EC curves
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
Patch12: 0012-Disable-explicit-ec.patch
-# https://github.com/openssl/openssl/pull/17981
-# Patch13: 0013-FIPS-provider-explicit-ec.patch
-# https://github.com/openssl/openssl/pull/17998
-# Patch14: 0014-FIPS-disable-explicit-ec.patch
-# https://github.com/openssl/openssl/pull/18609
-# Patch15: 0015-FIPS-decoded-from-explicit.patch
# Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch
# Tmp: test name change
@@ -93,12 +87,8 @@ Patch35: 0035-speed-skip-unavailable-dgst.patch
Patch44: 0044-FIPS-140-3-keychecks.patch
# Minimize fips services
Patch45: 0045-FIPS-services-minimize.patch
-# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486
-# Patch46: 0046-FIPS-s390x-hardening.patch
# Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch
-# Backport of correctly handle 2^14 byte long records #17538
-# Patch48: 0048-correctly-handle-records.patch
%if 0%{?rhel}
# Selectively disallow SHA1 signatures
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
@@ -121,10 +111,6 @@ Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
# Instrument with USDT probes related to SHA-1 deprecation
Patch53: 0053-Add-SHA1-probes.patch
%endif
-# https://bugzilla.redhat.com/show_bug.cgi?id=2004915, backport of 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62
-# Patch54: 0054-Replace-size-check-with-more-meaningful-pubkey-check.patch
-# https://github.com/openssl/openssl/pull/17324
-# Patch55: 0055-nonlegacy-fetch-null-deref.patch
# https://github.com/openssl/openssl/pull/18103
# The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
# so the patch should persist
@@ -138,25 +124,6 @@ Patch60: 0060-FIPS-KAT-signature-tests.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
-# https://github.com/openssl/openssl/pull/18141
-# Patch63: 0063-CVE-2022-1473.patch
-# upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
-# Patch64: 0064-CVE-2022-1343.diff
-# upstream commit 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
-# Patch65: 0065-CVE-2022-1292.patch
-# https://github.com/openssl/openssl/pull/18444
-# https://github.com/openssl/openssl/pull/18467
-# Patch66: 0066-replace-expired-certs.patch
-# https://github.com/openssl/openssl/pull/18512
-# Patch67: 0067-fix-ppc64-montgomery.patch
-#https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa
-#https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739
-# Patch68: 0068-CVE-2022-2068.patch
-# https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93
-# https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8
-# Patch69: 0069-CVE-2022-2097.patch
-# https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483
-# Patch70: 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch
# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
# Regression on Power8, see rhbz2124845, https://github.com/openssl/openssl/issues/19163; fix in 0079-Fix-AES-GCM-on-Power-8-CPUs.patch
@@ -184,14 +151,6 @@ Patch77: 0077-FIPS-140-3-zeroization.patch
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2124845, https://github.com/openssl/openssl/pull/19182
Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch
-# #CVE-2022-3602
-# Patch80: 0080-CVE-2022-3602.patch
-# #Provider interface fixes
-# Patch81: 0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch
-Patch82: 0082-Propagate-selection-all-the-way-on-key-export.patch
-Patch83: 0083-Update-documentation-for-keymgmt-export-utils.patch
-Patch84: 0084-Add-test-for-EVP_PKEY_eq.patch
-Patch85: 0085-Drop-explicit-check-for-engines-in-opt_legacy_okay.patch
# https://github.com/openssl/openssl/pull/13817
Patch100: 0100-RSA-PKCS15-implicit-rejection.patch
@@ -532,6 +491,17 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
+* Thu Feb 09 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.8-1
+- Rebase to upstream version 3.0.8
+ Resolves: CVE-2022-4203
+ Resolves: CVE-2022-4304
+ Resolves: CVE-2022-4450
+ Resolves: CVE-2023-0215
+ Resolves: CVE-2023-0216
+ Resolves: CVE-2023-0217
+ Resolves: CVE-2023-0286
+ Resolves: CVE-2023-0401
+
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
diff --git a/sources b/sources
index 32e6de8..a36ca9a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.0.7-hobbled.tar.gz) = 3580f7c2f4b9f2fb0997ddaac31034a9ce2ee288ec1cc58dc48704f43a9116733d0b07c1b262ff55ce58ac89af4abb9bfd559e746338c7b497eb223c473f6751
+SHA512 (openssl-3.0.8-hobbled.tar.gz) = 42f2a59aa8c39c21b66b528329ace126b870f6d7c3a1da2f2ee18ab875923c5bcf3d9046f884201556799a8ab1d915112a1f124cfaf1ab77b2eac834d1f88c60
reply other threads:[~2026-06-09 12:45 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100910834.1.12115275563857196485.rpms-openssl-194ef7464a4a@fedoraproject.org \
--to=dbelyavs@redhat.com \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox