* [rpms/openssl] rebase_40beta: Synchronizing patches from CentOS
@ 2026-06-09 12:45 Dmitry Belyavskiy
From: Dmitry Belyavskiy @ 2026-06-09 12:45 UTC (permalink / raw)
  To: git-commits

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 5f6b768be7292599484898f90de07ddeb50cb82c
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date   : 2024-04-04T13:16:44+02:00
Stats  : +153/-43 in 4 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/5f6b768be7292599484898f90de07ddeb50cb82c?branch=rebase_40beta

Log:
Synchronizing patches from CentOS

---
diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch
index 13a61b3..02c4031 100644
--- a/0044-FIPS-140-3-keychecks.patch
+++ b/0044-FIPS-140-3-keychecks.patch
@@ -1,23 +1,25 @@
-From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001
+From 4512f620199126e6b87433ef184f0450652ee28a Mon Sep 17 00:00:00 2001
 From: Dmitry Belyavskiy <dbelyavs@redhat.com>
-Date: Mon, 21 Aug 2023 12:05:23 +0200
-Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch
+Date: Thu, 4 Apr 2024 11:42:18 +0200
+Subject: [PATCH 19/50] 0044-FIPS-140-3-keychecks.patch
 
 Patch-name: 0044-FIPS-140-3-keychecks.patch
 Patch-id: 44
 Patch-status: |
     # Extra public/private key checks required by FIPS-140-3
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
 ---
  crypto/dh/dh_key.c                            | 26 ++++++++++
+ crypto/rsa/rsa_gen.c                          |  3 ++
  .../implementations/exchange/ecdh_exch.c      | 19 ++++++++
  providers/implementations/keymgmt/ec_kmgmt.c  | 24 +++++++++-
  providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
  .../implementations/signature/ecdsa_sig.c     | 37 +++++++++++++--
  providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
- 6 files changed, 162 insertions(+), 9 deletions(-)
+ 7 files changed, 165 insertions(+), 9 deletions(-)
 
 diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 4e9705beef..83773cceea 100644
+index 7132b9b68e..189bfc3e8b 100644
 --- a/crypto/dh/dh_key.c
 +++ b/crypto/dh/dh_key.c
 @@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
@@ -30,7 +32,7 @@ index 4e9705beef..83773cceea 100644
  
      if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
          ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+@@ -60,6 +63,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
          return 0;
      }
  
@@ -44,7 +46,7 @@ index 4e9705beef..83773cceea 100644
      ctx = BN_CTX_new_ex(dh->libctx);
      if (ctx == NULL)
          goto err;
-@@ -262,6 +272,9 @@ static int generate_key(DH *dh)
+@@ -271,6 +281,9 @@ static int generate_key(DH *dh)
  #endif
      BN_CTX *ctx = NULL;
      BIGNUM *pub_key = NULL, *priv_key = NULL;
@@ -54,7 +56,7 @@ index 4e9705beef..83773cceea 100644
  
      if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
          ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
+@@ -369,8 +382,21 @@ static int generate_key(DH *dh)
      if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
          goto err;
  
@@ -76,8 +78,22 @@ index 4e9705beef..83773cceea 100644
      dh->dirty_cnt++;
      ok = 1;
   err:
+diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
+index 0cdbb3fde2..65ff9d2d47 100644
+--- a/crypto/rsa/rsa_gen.c
++++ b/crypto/rsa/rsa_gen.c
+@@ -464,6 +464,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
+             rsa->dmp1 = NULL;
+             rsa->dmq1 = NULL;
+             rsa->iqmp = NULL;
++#ifdef FIPS_MODULE
++            abort();
++#endif /* defined(FIPS_MODULE) */
+         }
+     }
+     return ok;
 diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
-index 43caedb6df..73873f9758 100644
+index 5b8412aba1..1d98eba132 100644
 --- a/providers/implementations/exchange/ecdh_exch.c
 +++ b/providers/implementations/exchange/ecdh_exch.c
 @@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
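Review bot: The `abort()` added under `#ifdef FIPS_MODULE` in `rsa_keygen` (crypto/rsa/rsa_gen.c) terminates the whole calling process from inside the library, and nothing in the hunk says why this path cannot simply fall through to `return ok;` with a failure value. Judging by the test change to 0115 in this same commit, this is presumably the pairwise-consistency failure path, but the guarding condition lies outside the hunk. For a long-running service that generates RSA keys, a failed self-check becomes a process crash, and where core dumps are enabled the dump may contain key material still resident in memory. At minimum the intent should be recorded next to the call, e.g. `/* FIPS 140-3: keygen pairwise check failed, module must not continue */`; if the provider has an error-state mechanism available here, entering it and returning failure would be easier on callers.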
@@ -107,10 +123,10 @@ index 43caedb6df..73873f9758 100644
      retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
  
 diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
-index a37cbbdba8..bca3f3c674 100644
+index 9390935394..1399be1751 100644
 --- a/providers/implementations/keymgmt/ec_kmgmt.c
 +++ b/providers/implementations/keymgmt/ec_kmgmt.c
-@@ -989,8 +989,17 @@ struct ec_gen_ctx {
+@@ -991,8 +991,17 @@ struct ec_gen_ctx {
      EC_GROUP *gen_group;
      unsigned char *dhkem_ikm;
      size_t dhkem_ikmlen;
@@ -128,7 +144,7 @@ index a37cbbdba8..bca3f3c674 100644
  static void *ec_gen_init(void *provctx, int selection,
                           const OSSL_PARAM params[])
  {
-@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection,
+@@ -1011,6 +1020,10 @@ static void *ec_gen_init(void *provctx, int selection,
              gctx = NULL;
          }
      }
@@ -139,7 +155,7 @@ index a37cbbdba8..bca3f3c674 100644
      return gctx;
  }
  
-@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+@@ -1291,6 +1304,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
  
      if (gctx->ecdh_mode != -1)
          ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
@@ -152,7 +168,7 @@ index a37cbbdba8..bca3f3c674 100644
  
      if (gctx->group_check != NULL)
          ret = ret && ossl_ec_set_check_group_type_from_name(ec,
-@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx)
+@@ -1361,7 +1380,10 @@ static void ec_gen_cleanup(void *genctx)
  
      if (gctx == NULL)
          return;
@@ -165,7 +181,7 @@ index a37cbbdba8..bca3f3c674 100644
      EC_GROUP_free(gctx->gen_group);
      BN_free(gctx->p);
 diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
-index 3ba12c4889..ff49f8fcd8 100644
+index c24cb8da88..4462afa041 100644
 --- a/providers/implementations/keymgmt/rsa_kmgmt.c
 +++ b/providers/implementations/keymgmt/rsa_kmgmt.c
 @@ -434,6 +434,7 @@ struct rsa_gen_ctx {
@@ -222,10 +238,10 @@ index 3ba12c4889..ff49f8fcd8 100644
      BN_clear_free(gctx->pub_exp);
      OPENSSL_free(gctx);
 diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 865d49d100..ebeb30e002 100644
+index fe65ed8dc6..f158105e71 100644
 --- a/providers/implementations/signature/ecdsa_sig.c
 +++ b/providers/implementations/signature/ecdsa_sig.c
-@@ -32,7 +32,7 @@
+@@ -33,7 +33,7 @@
  #include "crypto/ec.h"
  #include "prov/der_ec.h"
  
@@ -234,7 +250,7 @@ index 865d49d100..ebeb30e002 100644
  static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
  static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
  static OSSL_FUNC_signature_sign_fn ecdsa_sign;
-@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
+@@ -44,7 +44,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
  static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
  static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
  static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
@@ -243,7 +259,7 @@ index 865d49d100..ebeb30e002 100644
  static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
  static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
  static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
-@@ -104,7 +104,7 @@ typedef struct {
+@@ -107,7 +107,7 @@ typedef struct {
      unsigned int nonce_type;
  } PROV_ECDSA_CTX;
  
@@ -252,7 +268,7 @@ index 865d49d100..ebeb30e002 100644
  {
      PROV_ECDSA_CTX *ctx;
  
-@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
+@@ -380,7 +380,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
      return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
  }
  
@@ -261,7 +277,7 @@ index 865d49d100..ebeb30e002 100644
  {
      PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
  
-@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
+@@ -601,6 +601,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
      return EVP_MD_settable_ctx_params(ctx->md);
  }
  
@@ -298,7 +314,7 @@ index 865d49d100..ebeb30e002 100644
      { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
      { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
 diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index cd5de6bd51..d4261e8f7d 100644
+index 76db37dd02..22d93ead53 100644
 --- a/providers/implementations/signature/rsa_sig.c
 +++ b/providers/implementations/signature/rsa_sig.c
 @@ -34,7 +34,7 @@
@@ -328,7 +344,7 @@ index cd5de6bd51..d4261e8f7d 100644
  {
      PROV_RSA_CTX *prsactx = NULL;
      char *propq_copy = NULL;
-@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
+@@ -974,7 +974,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
      return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
  }
  
@@ -337,7 +353,7 @@ index cd5de6bd51..d4261e8f7d 100644
  {
      PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
  
-@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
+@@ -1451,6 +1451,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
      return EVP_MD_settable_ctx_params(prsactx->md);
  }
  
@@ -384,5 +400,5 @@ index cd5de6bd51..d4261e8f7d 100644
      { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
      { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
 -- 
-2.41.0
+2.44.0
 

diff --git a/0115-skip-quic-pairwise.patch b/0115-skip-quic-pairwise.patch
index 0d96f4d..fccb8dd 100644
--- a/0115-skip-quic-pairwise.patch
+++ b/0115-skip-quic-pairwise.patch
@@ -1,17 +1,17 @@
-From ec8e4e25cc5e5c67313c5fd6af94fa248685c3d1 Mon Sep 17 00:00:00 2001
+From 42ed594a3a905830374fb65cced431748f8c639c Mon Sep 17 00:00:00 2001
 From: Dmitry Belyavskiy <dbelyavs@redhat.com>
-Date: Thu, 7 Mar 2024 17:37:09 +0100
-Subject: [PATCH 45/49] 0115-skip-quic-pairwise.patch
+Date: Thu, 4 Apr 2024 11:50:58 +0200
+Subject: [PATCH 45/50] 0115-skip-quic-pairwise.patch
 
 Patch-name: 0115-skip-quic-pairwise.patch
 Patch-id: 115
 Patch-status: |
-    # skip quic and pairwise tests temporarily
+    # Amend tests according to Fedora/RHEL code
 ---
  test/quicapitest.c                     |  4 +++-
  test/recipes/01-test_symbol_presence.t |  1 +
- test/recipes/30-test_pairwise_fail.t   | 10 ++++++++--
- 3 files changed, 12 insertions(+), 3 deletions(-)
+ test/recipes/30-test_pairwise_fail.t   | 13 +++++++++++--
+ 3 files changed, 15 insertions(+), 3 deletions(-)
 
 diff --git a/test/quicapitest.c b/test/quicapitest.c
 index 41cf0fc7a8..0fb7492700 100644
@@ -41,7 +41,7 @@ index 222b1886ae..7e2f65cccb 100644
      note "Duplicates:";
      note join('\n', @duplicates);
 diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
-index c837d48fb4..6291c08c49 100644
+index c837d48fb4..f06ef04b1a 100644
 --- a/test/recipes/30-test_pairwise_fail.t
 +++ b/test/recipes/30-test_pairwise_fail.t
 @@ -9,7 +9,7 @@
@@ -53,7 +53,18 @@ index c837d48fb4..6291c08c49 100644
  use OpenSSL::Test::Utils;
  
  BEGIN {
-@@ -39,20 +39,26 @@ SKIP: {
+@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
+ SKIP: {
+     skip "Skip RSA test because of no rsa in this build", 1
+         if disabled("rsa");
++    with({ exit_checker => sub {my $val = shift; return $val == 134; } },
++    sub {
+     ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                  "-pairwise", "rsa"])),
+        "fips provider rsa keygen pairwise failure test");
++    });
+ }
+ 
  SKIP: {
      skip "Skip EC test because of no ec in this build", 2
          if disabled("ec");
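Review bot: The `exit_checker` wrapped around the RSA pairwise test hard-codes `134` with no explanation; it is presumably 128 + SIGABRT, matching the `abort()` that this commit adds to `rsa_keygen` in the FIPS module. A one-line comment such as `# 134 = 128 + SIGABRT: FIPS rsa_keygen abort()s on pairwise failure` would tie the two changes together for the next reader. The check also passes for any abort raised inside `pairwise_fail_test`, not only the intended one, and the 128+signal encoding depends on how the harness reports a signalled child, so it is worth confirming the value on every architecture the package builds for.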

diff --git a/0121-FIPS-cms-defaults.patch b/0121-FIPS-cms-defaults.patch
new file mode 100644
index 0000000..7add39d
--- /dev/null
+++ b/0121-FIPS-cms-defaults.patch
@@ -0,0 +1,84 @@
+From 097bcf136d444ee2383569e296b21ffc85f46e48 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Thu, 4 Apr 2024 11:54:14 +0200
+Subject: [PATCH 50/50] 0121-FIPS-cms-defaults.patch
+
+Patch-name: 0121-FIPS-cms-defaults.patch
+Patch-id: 121
+Patch-status: |
+    # From CentOS 9
+---
+ apps/cms.c           | 11 ++++++++---
+ crypto/cms/cms_env.c | 10 ++++++++++
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/apps/cms.c b/apps/cms.c
+index f93c98ac92..cd8dafe14f 100644
+--- a/apps/cms.c
++++ b/apps/cms.c
+@@ -20,6 +20,7 @@
+ #include <openssl/x509_vfy.h>
+ #include <openssl/x509v3.h>
+ #include <openssl/cms.h>
++#include <openssl/fips.h>
+ 
+ static int save_certs(char *signerfile, STACK_OF(X509) *signers);
+ static int cms_cb(int ok, X509_STORE_CTX *ctx);
+@@ -820,12 +821,16 @@ int cms_main(int argc, char **argv)
+ 
+     if (operation == SMIME_ENCRYPT) {
+         if (!cipher) {
++            if (FIPS_mode()) {
++                cipher = (EVP_CIPHER *)EVP_aes_128_cbc();
++            } else {
+ #ifndef OPENSSL_NO_DES
+-            cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
++                cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
+ #else
+-            BIO_printf(bio_err, "No cipher selected\n");
+-            goto end;
++                BIO_printf(bio_err, "No cipher selected\n");
++                goto end;
+ #endif
++           }
+         }
+ 
+         if (secret_key && !secret_keyid) {
+diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
+index b877e10619..f50f930ec2 100644
+--- a/crypto/cms/cms_env.c
++++ b/crypto/cms/cms_env.c
+@@ -14,6 +14,7 @@
+ #include <openssl/err.h>
+ #include <openssl/cms.h>
+ #include <openssl/evp.h>
++#include <openssl/fips.h>
+ #include "internal/sizes.h"
+ #include "crypto/asn1.h"
+ #include "crypto/evp.h"
+@@ -378,6 +379,10 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
+             return 0;
+         if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
+             return 0;
++        if (FIPS_mode()) {
++            if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
++                return 0;
++        }
+     } else if (!ossl_cms_env_asn1_ctrl(ri, 0))
+         return 0;
+     return 1;
+@@ -543,6 +548,11 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms,
+ 
+         if (EVP_PKEY_encrypt_init(pctx) <= 0)
+             goto err;
++
++        if (FIPS_mode()) {
++            if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
++                goto err;
++        }
+     }
+ 
+     if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
+-- 
+2.44.0
+
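Review bot: Both `FIPS_mode()` blocks added to crypto/cms/cms_env.c set the RSA-specific `"rsa_padding_mode"` control on the key-transport context without a visible check that the recipient key is RSA, and on failure they `return 0` / `goto err` without an `ERR_raise`, so the caller sees an unexplained encryption failure. If non-RSA keys can reach `cms_RecipientInfo_ktri_init` or `cms_RecipientInfo_ktri_encrypt` (both bodies continue outside the hunk), the override should be guarded by a key-type test on the recipient key, e.g. `EVP_PKEY_is_a(..., "RSA")`. It is also worth confirming that the RecipientInfo's encoded key-encryption algorithm follows the forced OAEP padding on these paths, since the `ossl_cms_env_asn1_ctrl` call sits in the other branch of `ktri_init`. A comment such as `/* FIPS: force OAEP for RSA key transport */` would document why the default changes. In apps/cms.c the added closing `}` of the `else` is indented one column short of its opening line.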

diff --git a/openssl.spec b/openssl.spec
index 504e052..d0a1e41 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.2.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
@@ -99,7 +99,6 @@ Patch61:  0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
 Patch62:  0062-fips-Expose-a-FIPS-indicator.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
 Patch73:  0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
-# [PATCH 29/46]
 # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 Patch74:  0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
@@ -114,13 +113,10 @@ Patch78:  0078-Add-FIPS-indicator-parameter-to-HKDF.patch
 # We believe that some changes present in CentOS are not necessary
 # because ustream has a check for FIPS version
 Patch80:  0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
-# [PATCH 36/46]
 # 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
 Patch81:  0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
-# [PATCH 37/46]
 # 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
 Patch83:  0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
-# [PATCH 38/46]
 # 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
 Patch84:  0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
 # 0085-FIPS-RSA-disable-shake.patch
@@ -129,13 +125,10 @@ Patch85:  0085-FIPS-RSA-disable-shake.patch
 Patch88:  0088-signature-Add-indicator-for-PSS-salt-length.patch
 # 0091-FIPS-RSA-encapsulate.patch
 Patch91:  0091-FIPS-RSA-encapsulate.patch
-# [PATCH 42/46]
 # 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
 Patch93:  0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
-# [PATCH 43/46]
 # 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
 Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
-# [PATCH 44/46]
 # 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
 Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
 # 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
@@ -143,7 +136,7 @@ Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
 # We believe that some changes present in CentOS are not necessary
 # because ustream has a check for FIPS version
 Patch114: 0114-FIPS-enforce-EMS-support.patch
-# skip quic and pairwise tests temporarily
+# Amend tests according to Fedora/RHEL code
 Patch115: 0115-skip-quic-pairwise.patch
 # Add version aliasing due to
 # https://github.com/openssl/openssl/issues/23534
@@ -154,6 +147,8 @@ Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
 Patch118: 0118-no-crl-memleak.patch
 # https://github.com/openssl/openssl/issues/22779
 Patch119: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
+# From CentOS 9
+Patch121: 0121-FIPS-cms-defaults.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -298,7 +293,7 @@ export HASHBANGPERL=/usr/bin/perl
 	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
 	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
 	enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE \
-	no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++ \
+	no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
 	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
 	-Wl,--allow-multiple-definition
 
@@ -489,6 +484,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Apr 04 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.1-5
+- Restoring missing part of 0044-
+- Backporting CMS FIPS defaults from CentOS 9
+
 * Mon Mar 25 2024 Sahana Prasad <sahana@redhat.com> - 1:3.2.1-4
 - Add no-engine support. The previous commit was a mistake.
 
