public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: Synchronize patches from CentOS 9 that had additional fixes required
@ 2026-06-09 12:45 Sahana Prasad
0 siblings, 0 replies; only message in thread
From: Sahana Prasad @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : e5834712e5d68736e75ba1dce4dc85dfd38e4c9c
Author : Sahana Prasad <sahana@redhat.com>
Date : 2024-06-04T14:48:24+02:00
Stats : +291/-127 in 11 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/e5834712e5d68736e75ba1dce4dc85dfd38e4c9c?branch=rebase_40beta
Log:
Synchronize patches from CentOS 9 that had additional fixes required
for rebase to 3.2.1
Signed-off-by: Sahana Prasad <sahana@redhat.com>
---
diff --git a/0004-Override-default-paths-for-the-CA-directory-tree.patch b/0004-Override-default-paths-for-the-CA-directory-tree.patch
index 7f20774..9ba7947 100644
--- a/0004-Override-default-paths-for-the-CA-directory-tree.patch
+++ b/0004-Override-default-paths-for-the-CA-directory-tree.patch
@@ -11,11 +11,11 @@ Patch-status: |
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
apps/CA.pl.in | 2 +-
- apps/openssl.cnf | 13 +++++++++++--
- 2 files changed, 12 insertions(+), 3 deletions(-)
+ apps/openssl.cnf | 20 ++++++++++++++++++--
+ 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
-index f029470005..729f104a7e 100644
+index c0afb96716..d6a5fabd16 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
@@ -27,20 +27,24 @@ index f029470005..729f104a7e 100644
my $CAKEY = "cakey.pem";
my $CAREQ = "careq.pem";
my $CACERT = "cacert.pem";
-diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index 8141ab20cd..3956235fda 100644
---- a/apps/openssl.cnf
-+++ b/apps/openssl.cnf
-@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
+diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
+--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
++++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
+@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+# Load default TLS policy configuration
+ssl_conf = ssl_module
++alg_section = evp_properties
++
++[ evp_properties ]
++#This section is intentionally added empty here
++#to be tuned on particular systems
# List of providers to load
[provider_sect]
-@@ -71,6 +73,13 @@ default = default_sect
+@@ -64,6 +66,13 @@ default = default_sect
[default_sect]
# activate = 1
@@ -54,7 +58,7 @@ index 8141ab20cd..3956235fda 100644
####################################################################
[ ca ]
-@@ -79,7 +88,7 @@ default_ca = CA_default # The default ca section
+@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
####################################################################
[ CA_default ]
@@ -63,7 +67,7 @@ index 8141ab20cd..3956235fda 100644
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
-@@ -311,7 +320,7 @@ default_tsa = tsa_config1 # the default TSA section
+@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
[ tsa_config1 ]
# These are used by the TSA reply generation only.
@@ -72,6 +76,3 @@ index 8141ab20cd..3956235fda 100644
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
---
-2.41.0
-
diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch
index 2997d1e..1a65417 100644
--- a/0024-load-legacy-prov.patch
+++ b/0024-load-legacy-prov.patch
@@ -13,11 +13,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
doc/man5/config.pod | 8 ++++++++
2 files changed, 23 insertions(+), 22 deletions(-)
-diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index 3956235fda..bddb6bc029 100644
---- a/apps/openssl.cnf
-+++ b/apps/openssl.cnf
-@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
+diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
+--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
++++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
+@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
@@ -32,9 +31,16 @@ index 3956235fda..bddb6bc029 100644
[openssl_init]
providers = provider_sect
# Load default TLS policy configuration
- ssl_conf = ssl_module
+@@ -42,23 +42,27 @@ [ evp_properties ]
+ #This section is intentionally added empty here
+ #to be tuned on particular systems
-# List of providers to load
+-[provider_sect]
+-default = default_sect
+-# The fips section name should match the section name inside the
+-# included fipsmodule.cnf.
+-# fips = fips_sect
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
@@ -43,13 +49,7 @@ index 3956235fda..bddb6bc029 100644
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
-+
- [provider_sect]
- default = default_sect
--# The fips section name should match the section name inside the
--# included fipsmodule.cnf.
--# fips = fips_sect
--
+
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
@@ -58,21 +58,26 @@ index 3956235fda..bddb6bc029 100644
-# becomes unavailable in openssl. As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
+-[default_sect]
+-# activate = 1
++[provider_sect]
++default = default_sect
+##legacy = legacy_sect
+##
- [default_sect]
--# activate = 1
++[default_sect]
+activate = 1
+
+##[legacy_sect]
+##activate = 1
++
++#Place the third party provider configuration files into this folder
++.include /etc/pki/tls/openssl.d
[ ssl_module ]
-diff --git a/doc/man5/config.pod b/doc/man5/config.pod
-index 8d312c661f..714a10437b 100644
---- a/doc/man5/config.pod
-+++ b/doc/man5/config.pod
+diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
+--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
++++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
@@ -273,6 +273,14 @@ significant.
All parameters in the section as well as sub-sections are made
available to the provider.
@@ -88,6 +93,3 @@ index 8d312c661f..714a10437b 100644
=head3 Default provider and its activation
If no providers are activated explicitly, the default one is activated implicitly.
---
-2.41.0
-
diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch
index 02abc6b..985fadf 100644
--- a/0032-Force-fips.patch
+++ b/0032-Force-fips.patch
@@ -33,7 +33,16 @@ index 058fb58837..5274265a70 100644
if (ok == 1) {
if (!ossl_provider_activate(prov, 1, 0)) {
-@@ -309,6 +311,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
+@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L
+
+ if (ok <= 0)
+ ossl_provider_free(prov);
++ } else {
++ ok = 1;
+ }
+ CRYPTO_THREAD_unlock(pcgbl->lock);
+
+@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
return 0;
}
@@ -55,6 +64,9 @@ index 058fb58837..5274265a70 100644
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
+ return 0;
+ }
++ /* provider_conf_load can return 1 even when the test is failed so check explicitly */
++ if (OSSL_PROVIDER_available(libctx, "fips") != 1)
++ return 0;
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
+ return 0;
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
diff --git a/0033-FIPS-embed-hmac.patch b/0033-FIPS-embed-hmac.patch
index 6738304..4e11f02 100644
--- a/0033-FIPS-embed-hmac.patch
+++ b/0033-FIPS-embed-hmac.patch
@@ -391,6 +391,73 @@ index 18d9f3d204..71780d8caa 100644
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
---
-2.44.0
-
+diff -up openssl-3.2.1/providers/fips/self_test.c.0033-patch-new openssl-3.2.1/providers/fips/self_test.c
+--- openssl-3.2.1/providers/fips/self_test.c.0033-patch-new 2024-06-04 14:42:03.748284524 +0200
++++ openssl-3.2.1/providers/fips/self_test.c 2024-06-04 14:47:19.589758324 +0200
+@@ -369,23 +369,12 @@ static int verify_integrity(OSSL_CORE_BI
+ EVP_MAC *mac = NULL;
+ EVP_MAC_CTX *ctx = NULL;
+ OSSL_PARAM params[2], *p = params;
+- Dl_info info;
+- void *extra_info = NULL;
+- struct link_map *lm = NULL;
+- unsigned long paddr;
+- unsigned long off = 0;
+
+ if (!integrity_self_test(ev, libctx))
+ goto err;
+
+ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+
+- if (!dladdr1 ((const void *)fips_hmac_container,
+- &info, &extra_info, RTLD_DL_LINKMAP))
+- goto err;
+- lm = extra_info;
+- paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+-
+ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
+ if (mac == NULL)
+ goto err;
+@@ -399,40 +388,12 @@ static int verify_integrity(OSSL_CORE_BI
+ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
+ goto err;
+
+- while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+- if (status != 1)
+- break;
+- if (!EVP_MAC_update(ctx, buf, bytes_read))
+- goto err;
+- off += bytes_read;
+- }
+-
+- if (off + INTEGRITY_BUF_SIZE > paddr) {
+- int delta = paddr - off;
+- status = read_ex_cb(bio, buf, delta, &bytes_read);
+- if (status != 1)
+- goto err;
+- if (!EVP_MAC_update(ctx, buf, bytes_read))
+- goto err;
+- off += bytes_read;
+-
+- status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+- memset(buf, 0, HMAC_LEN);
+- if (status != 1)
+- goto err;
+- if (!EVP_MAC_update(ctx, buf, bytes_read))
+- goto err;
+- off += bytes_read;
+- }
+-
+- while (bytes_read > 0) {
+- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
++ while (1) {
++ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+- off += bytes_read;
+ }
+
+ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
diff --git a/0049-Allow-disabling-of-SHA1-signatures.patch b/0049-Allow-disabling-of-SHA1-signatures.patch
index 655691b..c5774c2 100644
--- a/0049-Allow-disabling-of-SHA1-signatures.patch
+++ b/0049-Allow-disabling-of-SHA1-signatures.patch
@@ -323,22 +323,6 @@ index 0d3acdbe56..fe694c4e96 100644
return mdnid;
}
-@@ -252,5 +262,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
- if (ossl_securitycheck_enabled(ctx))
- return ossl_digest_get_approved_nid(md) != NID_undef;
- # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
-+
-+#ifndef FIPS_MODULE
-+ {
-+ int mdnid = EVP_MD_nid(md);
-+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
-+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
-+ return 0;
-+ }
-+#endif
-+
- return 1;
- }
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index 246323493e..2ca7a59f39 100644
--- a/providers/common/securitycheck_default.c
diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch
new file mode 100644
index 0000000..6b740ce
--- /dev/null
+++ b/0056-strcasecmp.patch
@@ -0,0 +1,53 @@
+diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
+--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
++++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
+@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex
+ X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
+ OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
+ BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
++OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
++OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
+diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
+--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
++++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
+@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
+ #endif
+ }
+
+-int OPENSSL_strcasecmp(const char *s1, const char *s2)
++int
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
++ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strcasecmp(const char *s1, const char *s2)
+ {
+ int t;
+
+@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
+ return t;
+ }
+
+-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
++int
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
++ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
+ {
+ int t;
+ size_t i;
+diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
+--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
++++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
+@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
+ s| .*||;
+ # Drop OpenSSL dynamic version information if there is any
+ s|\@\@.+$||;
++ s|\@.+$||;
+ # Return the result
+ $_
+ }
diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch
index 92495f8..7376d02 100644
--- a/0076-FIPS-140-3-DRBG.patch
+++ b/0076-FIPS-140-3-DRBG.patch
@@ -17,11 +17,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
.../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
5 files changed, 28 insertions(+), 68 deletions(-)
-diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
-index 2985c7f2d8..3202a28226 100644
---- a/crypto/rand/prov_seed.c
-+++ b/crypto/rand/prov_seed.c
-@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused OSSL_LIB_CTX *ctx,
+diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
+--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
++++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
+@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
size_t entropy_available;
RAND_POOL *pool;
@@ -37,11 +36,10 @@ index 2985c7f2d8..3202a28226 100644
if (pool == NULL) {
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
return 0;
-diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c
-index fa4a2db14a..1f13fc759e 100644
---- a/providers/implementations/rands/crngt.c
-+++ b/providers/implementations/rands/crngt.c
-@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,
+diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
+--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
++++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
+@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
* to the nearest byte. If the entropy is of less than full quality,
* the amount required should be scaled up appropriately here.
*/
@@ -54,11 +52,10 @@ index fa4a2db14a..1f13fc759e 100644
if (bytes_needed < min_len)
bytes_needed = min_len;
if (bytes_needed > max_len)
-diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
-index 1586288692..e6de65a23d 100644
---- a/providers/implementations/rands/drbg.c
-+++ b/providers/implementations/rands/drbg.c
-@@ -564,6 +564,9 @@ static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
+diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
+--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
++++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
+@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
#endif
}
@@ -68,7 +65,7 @@ index 1586288692..e6de65a23d 100644
/* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen,
-@@ -685,8 +688,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
reseed_required = 1;
}
if (drbg->parent != NULL
@@ -84,10 +81,9 @@ index 1586288692..e6de65a23d 100644
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
-diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
-index 50f98a0b61..53d99c8c84 100644
---- a/providers/implementations/rands/drbg_local.h
-+++ b/providers/implementations/rands/drbg_local.h
+diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
+--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
++++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
@@ -38,7 +38,7 @@
*
* The value is in bytes.
@@ -97,10 +93,9 @@ index 50f98a0b61..53d99c8c84 100644
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
-diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
-index 9a936d800d..61d720efa9 100644
---- a/providers/implementations/rands/seeding/rand_unix.c
-+++ b/providers/implementations/rands/seeding/rand_unix.c
+diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
+--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
++++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
@@ -48,6 +48,8 @@
# include <fcntl.h>
# include <unistd.h>
@@ -178,11 +173,64 @@ index 9a936d800d..61d720efa9 100644
- errno = ENOSYS;
- return -1;
-# endif
-+ /* Red Hat uses downstream patch to always seed from getrandom() */
-+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
++ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */
++ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
}
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
---
-2.44.0
-
+diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c
+--- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200
++++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200
+@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
+ return 0;
+ }
+
+- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
++ /*
++ * OpenSSL still implements an internal entropy pool of
++ * some size that is hashed to get seed data.
++ * Note that this is a conditioning step for which SP800-90C requires
++ * 64 additional bits from the entropy source to claim the requested
++ * amount of entropy.
++ */
++ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
+ if (pool == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
+ return 0;
+@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
+ size_t i;
+ RAND_POOL *pool;
+
+- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
++ /*
++ * OpenSSL still implements an internal entropy pool of
++ * some size that is hashed to get seed data.
++ * Note that this is a conditioning step for which SP800-90C requires
++ * 64 additional bits from the entropy source to claim the requested
++ * amount of entropy.
++ */
++ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
+ if (pool == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
+ return 0;
+diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
+index 14999540ab..b05b84717b 100644
+--- a/crypto/rand/rand_lib.c
++++ b/crypto/rand/rand_lib.c
+@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
+ return ret;
+ }
+
+-#ifndef FIPS_MODULE
+- if (dgbl->seed == NULL) {
+- ERR_set_mark();
+- dgbl->seed = rand_new_seed(ctx);
+- ERR_pop_to_mark();
+- }
+-#endif
+-
+- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
++ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
+ PRIMARY_RESEED_INTERVAL,
+ PRIMARY_RESEED_TIME_INTERVAL, 1);
+ /*
diff --git a/0115-skip-quic-pairwise.patch b/0115-skip-quic-pairwise.patch
index fccb8dd..98bfae5 100644
--- a/0115-skip-quic-pairwise.patch
+++ b/0115-skip-quic-pairwise.patch
@@ -28,18 +28,6 @@ index 41cf0fc7a8..0fb7492700 100644
#endif
ADD_TEST(test_quic_forbidden_apis_ctx);
ADD_TEST(test_quic_forbidden_apis);
-diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
-index 222b1886ae..7e2f65cccb 100644
---- a/test/recipes/01-test_symbol_presence.t
-+++ b/test/recipes/01-test_symbol_presence.t
-@@ -185,6 +185,7 @@ foreach (sort keys %stlibname) {
- }
- }
- my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
-+@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
- if (@duplicates) {
- note "Duplicates:";
- note join('\n', @duplicates);
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
index c837d48fb4..f06ef04b1a 100644
--- a/test/recipes/30-test_pairwise_fail.t
diff --git a/0116-version-aliasing.patch b/0116-version-aliasing.patch
index 67d632d..73f7981 100644
--- a/0116-version-aliasing.patch
+++ b/0116-version-aliasing.patch
@@ -53,17 +53,18 @@ index e9faf31057..5a29b8dbb7 100644
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
-index 7e2f65cccb..cc947d4821 100644
+index 222b1886ae..7e2f65cccb 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
-@@ -131,6 +131,7 @@ foreach (sort keys %stlibname) {
- s| .*||;
- # Drop OpenSSL dynamic version information if there is any
- s|\@\@.+$||;
-+ s|\@.+$||;
- # Return the result
- $_
- }
+@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) {
+ }
+ }
+ my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
++@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates;
+ if (@duplicates) {
+ note "Duplicates:";
+ note join('\n', @duplicates);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 8046454025..068e9904e2 100644
--- a/util/libcrypto.num
diff --git a/0120-Allow-disabling-of-SHA1-signatures.patch b/0120-Allow-disabling-of-SHA1-signatures.patch
index 01ad338..a4fc66f 100644
--- a/0120-Allow-disabling-of-SHA1-signatures.patch
+++ b/0120-Allow-disabling-of-SHA1-signatures.patch
@@ -147,22 +147,6 @@ index f635b5aec8..b061125291 100644
#endif
return mdnid;
-@@ -267,9 +272,12 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
- #ifndef FIPS_MODULE
- {
- int mdnid = EVP_MD_nid(md);
-- if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
-- && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
-- return 0;
-+ if (mdnid == NID_sha1 || mdnid == NID_md5_sha1) {
-+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
-+ return 0;
-+ else
-+ DTRACE_PROBE1(libcrypto, fedora_ossl_digest_is_allowed_1, mdnid);
-+ }
- }
- #endif
-
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index 2ca7a59f39..13993b5eb1 100644
--- a/providers/common/securitycheck_default.c
diff --git a/openssl.spec b/openssl.spec
index b8f7ac7..4169f7d 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.2.1
-Release: 8%{?dist}
+Release: 9%{?dist}
Epoch: 1
Source: openssl-%{version}.tar.gz
Source2: Makefile.certificate
@@ -91,6 +91,12 @@ Patch47: 0047-FIPS-early-KATS.patch
Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch
# Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)
Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
+# Originally from https://github.com/openssl/openssl/pull/18103
+# As we rebased to 3.0.7 and used the version of the function
+# not matching the upstream one, we have to use aliasing.
+# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
+# should also be removed
+Patch56: 0056-strcasecmp.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
@@ -184,6 +190,9 @@ Recommends: pkcs11-provider%{?_isa}
%else
Recommends: openssl-pkcs11%{?_isa}
%endif
+%if ( %{defined rhel} && (! %{defined centos}) )
+Requires: openssl-fips-provider
+%endif
%description libs
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
@@ -297,7 +306,7 @@ export HASHBANGPERL=/usr/bin/perl
%endif
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
- enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE \
+ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
-Wl,--allow-multiple-definition
@@ -329,14 +338,12 @@ patch -p1 < %{SOURCE14}
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
-%if 0%{?rhel}
OPENSSL_ENABLE_SHA1_SIGNATURES=
export OPENSSL_ENABLE_SHA1_SIGNATURES
-%endif
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
#embed HMAC into fips provider for test run
-OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
+LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
mv providers/fips.so.mac providers/fips.so
#run tests itself
@@ -345,6 +352,14 @@ make test HARNESS_JOBS=8
# Add generation of HMAC checksum of the final stripped library
# We manually copy standard definition of __spec_install_post
# and add hmac calculation/embedding to fips.so
+%if ( %{defined rhel} && (! %{defined centos}) )
+%define __spec_install_post \
+ rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+%{nil}
+%else
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
@@ -354,6 +369,7 @@ make test HARNESS_JOBS=8
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
%{nil}
+%endif
%define __provides_exclude_from %{_libdir}/openssl
@@ -377,6 +393,7 @@ done
# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.d
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
@@ -436,6 +453,7 @@ cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \
install -m644 %{SOURCE9} \
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
%endif
+ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_local.cnf
%files
%{!?_licensedir:%global license %%doc}
@@ -458,8 +476,10 @@ install -m644 %{SOURCE9} \
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
+%dir %{_sysconfdir}/pki/tls/openssl.d
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
+%config %{_sysconfdir}/pki/tls/fips_local.cnf
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
@@ -489,6 +509,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
+* Mon Jun 03 2024 Sahana Prasad <sahana@redhat.com> - 1:3.2.1-9
+- Synchronize patches from CentOS 9 that had additional fixes required
+ for rebase to 3.2.1
+
* Tue May 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 1:3.2.1-8
- Instrument with USDT probes related to SHA-1 deprecation
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:45 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:45 [rpms/openssl] rebase_40beta: Synchronize patches from CentOS 9 that had additional fixes required Sahana Prasad
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox