[rpms/openssl] rebase_40beta: Slightly rearranged the patches we have

[rpms/openssl] rebase_40beta: Slightly rearranged the patches we have

[Dmitry Belyavskiy]

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 5c67b5adc311af297f425c09e3e1ac7ca8483911
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date   : 2023-08-31T17:23:53+02:00
Stats  : +27/-78 in 5 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/5c67b5adc311af297f425c09e3e1ac7ca8483911?branch=rebase_40beta

Log:
Slightly rearranged the patches we have

---
diff --git a/0031-tmp-Fix-test-names.patch b/0031-tmp-Fix-test-names.patch
deleted file mode 100644
index 9647978..0000000
--- a/0031-tmp-Fix-test-names.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index e95d2657f46c..7af0eab3fce0 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
-         goto end;
-     }
- 
-+    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
-+        testresult = TEST_skip("CHACHA is not supported in FIPS");
-+        goto end;
-+    }
-+
-     /* Create a session based on SHA-256 */
-     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-                                        TLS_client_method(),
-@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
-         goto end;
-     }
- 
-+    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
-+        testresult = TEST_skip("CHACHA is not supported in FIPS");
-+        goto end;
-+    }
-+
-     /* Create a session based on SHA-256 */
-     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-                                        TLS_client_method(),

diff --git a/0033-FIPS-embed-hmac.patch b/0033-FIPS-embed-hmac.patch
index 9e4e579..adab1f1 100644
--- a/0033-FIPS-embed-hmac.patch
+++ b/0033-FIPS-embed-hmac.patch
@@ -1,7 +1,7 @@
-From 538665f6c210f876bf2733afe63460b36f2c9929 Mon Sep 17 00:00:00 2001
+From ed02a8b9e767224dc7512a4a176e4aae045b3573 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Mon, 31 Jul 2023 09:41:28 +0200
-Subject: [PATCH 17/35] 0033-FIPS-embed-hmac.patch
+Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
 
 Patch-name: 0033-FIPS-embed-hmac.patch
 Patch-id: 33
@@ -9,7 +9,7 @@ Patch-status: |
     # Embed HMAC into the fips.so
 From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 ---
- providers/fips/self_test.c            | 69 ++++++++++++++++++++++++---
+ providers/fips/self_test.c            | 70 ++++++++++++++++++++++++---
  test/fipsmodule.cnf                   |  2 +
  test/recipes/00-prep_fipsmodule_cnf.t |  2 +-
  test/recipes/01-test_fipsmodule_cnf.t |  2 +-
@@ -17,11 +17,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
  test/recipes/30-test_defltfips.t      |  2 +-
  test/recipes/80-test_ssl_new.t        |  2 +-
  test/recipes/90-test_sslapi.t         |  2 +-
- 8 files changed, 70 insertions(+), 13 deletions(-)
+ 8 files changed, 71 insertions(+), 13 deletions(-)
  create mode 100644 test/fipsmodule.cnf
 
 diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
-index 10804d9f59..ef56002854 100644
+index 10804d9f59..5e418a2c11 100644
 --- a/providers/fips/self_test.c
 +++ b/providers/fips/self_test.c
 @@ -231,11 +231,27 @@ err:
@@ -121,7 +121,15 @@ index 10804d9f59..ef56002854 100644
      if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
          goto err;
  
-@@ -349,8 +405,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -283,6 +339,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+         goto err;
+     ret = 1;
+ err:
++    OPENSSL_cleanse(out, sizeof(out));
+     OSSL_SELF_TEST_onend(ev, ret);
+     EVP_MAC_CTX_free(ctx);
+     EVP_MAC_free(mac);
+@@ -349,8 +406,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
          CRYPTO_THREAD_unlock(fips_state_lock);
      }
  
@@ -131,7 +139,7 @@ index 10804d9f59..ef56002854 100644
          ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
          goto end;
      }
-@@ -359,8 +414,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -359,8 +415,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
      if (ev == NULL)
          goto end;
  
@@ -143,7 +151,7 @@ index 10804d9f59..ef56002854 100644
      if (module_checksum == NULL) {
          ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
          goto end;
-@@ -434,7 +490,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -434,7 +491,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
  end:
      EVP_RAND_free(testrand);
      OSSL_SELF_TEST_free(ev);

diff --git a/0058-FIPS-limit-rsa-encrypt.patch b/0058-FIPS-limit-rsa-encrypt.patch
index 0d1170b..31cb772 100644
--- a/0058-FIPS-limit-rsa-encrypt.patch
+++ b/0058-FIPS-limit-rsa-encrypt.patch
@@ -6,8 +6,6 @@ Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch
 Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
 Patch-id: 58
 Patch-status: |
-    # https://github.com/openssl/openssl/pull/18175
-    # Patch57: 0057-strcasecmp-fix.patch
     # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
 From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 ---

diff --git a/0109-fips-Zeroize-out-in-fips-selftest.patch b/0109-fips-Zeroize-out-in-fips-selftest.patch
deleted file mode 100644
index d76ecc6..0000000
--- a/0109-fips-Zeroize-out-in-fips-selftest.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 3e24e76dfaf7367e0790c22aa1e740f3b68d91a3 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <dbelyavs@redhat.com>
-Date: Mon, 21 Aug 2023 16:08:39 +0200
-Subject: [PATCH 44/48] 0109-fips-Zeroize-out-in-fips-selftest.patch
-
-Patch-name: 0109-fips-Zeroize-out-in-fips-selftest.patch
-Patch-id: 109
----
- providers/fips/self_test.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
-index 062d9df84a..64107d054b 100644
---- a/providers/fips/self_test.c
-+++ b/providers/fips/self_test.c
-@@ -339,6 +339,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
-         goto err;
-     ret = 1;
- err:
-+    OPENSSL_cleanse(out, sizeof(out));
-     OSSL_SELF_TEST_onend(ev, ret);
-     EVP_MAC_CTX_free(ctx);
-     EVP_MAC_free(mac);
--- 
-2.41.0
-

diff --git a/openssl.spec b/openssl.spec
index c6127e2..4bda214 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.1.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
@@ -71,8 +71,6 @@ Patch12:  0012-Disable-explicit-ec.patch
 Patch13:  0013-skipped-tests-EC-curves.patch
 # # Instructions to load legacy provider in openssl.cnf
 Patch24:  0024-load-legacy-prov.patch
-# # Tmp: test name change
-Patch31:  0031-tmp-Fix-test-names.patch
 # # We load FIPS provider and set FIPS properties implicitly
 Patch32:  0032-Force-fips.patch
 # # Embed HMAC into the fips.so
@@ -95,8 +93,6 @@ Patch52:  0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
 # # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
 # # so the patch should persist
 Patch56:  0056-strcasecmp.patch
-# # https://github.com/openssl/openssl/pull/18175
-# # Patch57: 0057-strcasecmp-fix.patch
 # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
 Patch58:  0058-FIPS-limit-rsa-encrypt.patch
 # # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
@@ -105,7 +101,7 @@ Patch61:  0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
 Patch62:  0062-fips-Expose-a-FIPS-indicator.patch
 # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
 Patch73:  0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
-# [PATCH 30/48] 
+# [PATCH 29/46] 
 #  0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 Patch74:  0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
@@ -122,13 +118,13 @@ Patch79:  0079-RSA-PKCS15-implicit-rejection.patch
 # # We believe that some changes present in CentOS are not necessary
 # # because ustream has a check for FIPS version
 Patch80:  0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
-# [PATCH 37/48] 
+# [PATCH 36/46] 
 #  0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
 Patch81:  0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
-# [PATCH 38/48] 
+# [PATCH 37/46] 
 #  0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
 Patch83:  0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
-# [PATCH 39/48] 
+# [PATCH 38/46] 
 #  0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
 Patch84:  0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
 # 0085-FIPS-RSA-disable-shake.patch
@@ -137,15 +133,13 @@ Patch85:  0085-FIPS-RSA-disable-shake.patch
 Patch88:  0088-signature-Add-indicator-for-PSS-salt-length.patch
 # 0091-FIPS-RSA-encapsulate.patch
 Patch91:  0091-FIPS-RSA-encapsulate.patch
-# [PATCH 43/48] 
+# [PATCH 42/46] 
 #  0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
 Patch93:  0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
-# 0109-fips-Zeroize-out-in-fips-selftest.patch
-Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
-# [PATCH 45/48] 
+# [PATCH 43/46] 
 #  0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
 Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
-# [PATCH 46/48] 
+# [PATCH 44/46] 
 #  0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
 Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
 # 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
@@ -484,6 +478,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Aug 31 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.1.1-4
+- Drop duplicated patch and do some contamination
+
 * Tue Aug 22 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.1.1-3
 - Integrate FIPS patches from CentOS