* [rpms/openssl] rebase_40beta: Sync from source-git
@ 2026-06-09 12:45 Sahana Prasad
From: Sahana Prasad @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 5e7eef698f99f3a76bf7b2771e96d9d8d9e7ef77
Author : Sahana Prasad <sahana@redhat.com>
Date : 2024-07-10T12:08:42+02:00
Stats : +185/-141 in 5 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/5e7eef698f99f3a76bf7b2771e96d9d8d9e7ef77?branch=rebase_40beta
Log:
Sync from source-git
Signed-off-by: Sahana Prasad <sahana@redhat.com>
---
diff --git a/0004-Override-default-paths-for-the-CA-directory-tree.patch b/0004-Override-default-paths-for-the-CA-directory-tree.patch
index 9ba7947..558fc62 100644
--- a/0004-Override-default-paths-for-the-CA-directory-tree.patch
+++ b/0004-Override-default-paths-for-the-CA-directory-tree.patch
@@ -1,21 +1,21 @@
-From 7a65ee33793fa8a28c0dfc94e6872ce92f408b15 Mon Sep 17 00:00:00 2001
+From cb180c186ddcd46f3ffe13468d8ac4dff680b03e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
-Date: Mon, 31 Jul 2023 09:41:27 +0200
-Subject: [PATCH 04/35]
+Date: Mon, 8 Jul 2024 11:30:24 +0200
+Subject: [PATCH 04/50]
0004-Override-default-paths-for-the-CA-directory-tree.patch
Patch-name: 0004-Override-default-paths-for-the-CA-directory-tree.patch
Patch-id: 4
Patch-status: |
# Override default paths for the CA directory tree
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+From-dist-git-commit: e67e9d9c40cd2cb9547e539c658e2b63f2736762
---
apps/CA.pl.in | 2 +-
- apps/openssl.cnf | 20 ++++++++++++++++++--
- 2 files changed, 19 insertions(+), 3 deletions(-)
+ apps/openssl.cnf | 18 ++++++++++++++++--
+ 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
-index c0afb96716..d6a5fabd16 100644
+index 2c31ee6c8d..009eafe685 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
@@ -27,10 +27,11 @@ index c0afb96716..d6a5fabd16 100644
my $CAKEY = "cakey.pem";
my $CAREQ = "careq.pem";
my $CACERT = "cacert.pem";
-diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
---- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
-+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
-@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 00f0d24673..3ec80986b7 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -52,6 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
@@ -44,7 +45,7 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1
# List of providers to load
[provider_sect]
-@@ -64,6 +66,13 @@ default = default_sect
+@@ -71,6 +78,13 @@ default = default_sect
[default_sect]
# activate = 1
@@ -58,7 +59,7 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1
####################################################################
[ ca ]
-@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
+@@ -79,7 +93,7 @@ default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
@@ -67,7 +68,7 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
-@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
+@@ -311,7 +325,7 @@ default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
@@ -76,3 +77,6 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
+--
+2.41.0
+
diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch
index 1a65417..4603260 100644
--- a/0024-load-legacy-prov.patch
+++ b/0024-load-legacy-prov.patch
@@ -1,21 +1,22 @@
-From 69636828729ecc287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
+From 8653f2213d3175fc558bf24b4bae67cab23f8a1e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
-Date: Mon, 31 Jul 2023 09:41:28 +0200
-Subject: [PATCH 14/35] 0024-load-legacy-prov.patch
+Date: Mon, 8 Jul 2024 11:30:25 +0200
+Subject: [PATCH 14/50] 0024-load-legacy-prov.patch
Patch-name: 0024-load-legacy-prov.patch
Patch-id: 24
Patch-status: |
# Instructions to load legacy provider in openssl.cnf
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+From-dist-git-commit: e67e9d9c40cd2cb9547e539c658e2b63f2736762
---
- apps/openssl.cnf | 37 +++++++++++++++----------------------
+ apps/openssl.cnf | 40 ++++++++++++++++++----------------------
doc/man5/config.pod | 8 ++++++++
- 2 files changed, 23 insertions(+), 22 deletions(-)
+ 2 files changed, 26 insertions(+), 22 deletions(-)
-diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
---- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
-+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 3ec80986b7..84a9898fb4 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
@@ -31,16 +32,11 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c
[openssl_init]
providers = provider_sect
# Load default TLS policy configuration
-@@ -42,23 +42,27 @@ [ evp_properties ]
+@@ -60,23 +52,27 @@ alg_section = evp_properties
#This section is intentionally added empty here
#to be tuned on particular systems
-# List of providers to load
--[provider_sect]
--default = default_sect
--# The fips section name should match the section name inside the
--# included fipsmodule.cnf.
--# fips = fips_sect
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
@@ -49,7 +45,13 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
-
++
+ [provider_sect]
+ default = default_sect
+-# The fips section name should match the section name inside the
+-# included fipsmodule.cnf.
+-# fips = fips_sect
+-
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
@@ -58,13 +60,10 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c
-# becomes unavailable in openssl. As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
--[default_sect]
--# activate = 1
-+[provider_sect]
-+default = default_sect
+##legacy = legacy_sect
+##
-+[default_sect]
+ [default_sect]
+-# activate = 1
+activate = 1
+
+##[legacy_sect]
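Review bot: The uncommented `activate = 1` under `[default_sect]` carries no comment saying why it must stay, and the upstream warning that explained it is deleted by the same nested patch (the `-# If no providers are activated explicitly…` lines ending at the top of this hunk). An administrator who follows the `##` instructions to enable the legacy provider and removes or comments out this line would, per that deleted text, leave the default provider unavailable to applications. I would keep a one-line reminder next to it, for example `# Keep: once any provider is activated explicitly, the default provider is no longer activated implicitly.` The `[legacy_sect]` block continues outside this hunk.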
@@ -75,9 +74,10 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c
[ ssl_module ]
-diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
---- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
-+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index 8d312c661f..714a10437b 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
@@ -273,6 +273,14 @@ significant.
All parameters in the section as well as sub-sections are made
available to the provider.
@@ -93,3 +93,6 @@ diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/co
=head3 Default provider and its activation
If no providers are activated explicitly, the default one is activated implicitly.
+--
+2.41.0
+
diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch
index 6b740ce..4dae62e 100644
--- a/0056-strcasecmp.patch
+++ b/0056-strcasecmp.patch
@@ -1,18 +1,28 @@
-diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
---- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
-+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
-@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex
- X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
- OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
- BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
-+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
-+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
- ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
- ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
-diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
---- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
-+++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
-@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
+From 5f4614569d24ff4a98fd021efe5947cb54a6110a Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 8 Jul 2024 11:30:25 +0200
+Subject: [PATCH 23/50] 0056-strcasecmp.patch
+
+Patch-name: 0056-strcasecmp.patch
+Patch-id: 56
+Patch-status: |
+ # Originally from https://github.com/openssl/openssl/pull/18103
+ # As we rebased to 3.0.7 and used the version of the function
+ # not matching the upstream one, we have to use aliasing.
+ # When we eliminate this patch, the `-Wl,--allow-multiple-definition`
+ # should also be removed
+From-dist-git-commit: e67e9d9c40cd2cb9547e539c658e2b63f2736762
+---
+ crypto/o_str.c | 14 ++++++++++++--
+ test/recipes/01-test_symbol_presence.t | 1 +
+ util/libcrypto.num | 2 ++
+ 3 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/o_str.c b/crypto/o_str.c
+index 065460336f..2ecf449b39 100644
+--- a/crypto/o_str.c
++++ b/crypto/o_str.c
+@@ -336,7 +336,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
#endif
}
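Review bot: The new Patch-status text still gives the rebase to 3.0.7 as the reason for the aliasing, while the `util/libcrypto.num` context carried later in this same patch already lists `3_2_0` symbols, so the stated reason reads as stale. The header also ties the patch to `-Wl,--allow-multiple-definition`, which makes the linker accept duplicate symbol definitions instead of reporting them, so it would help to record where that flag is set and which base version allows both to be dropped. Suggested wording: `# Still required on <base version>; the flag is set in <spec section> - remove both together`. The bodies of `OPENSSL_strcasecmp` and `OPENSSL_strncasecmp` are cut by the nested hunks, so the aliasing itself cannot be reviewed from here.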
@@ -26,7 +36,7 @@ diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
{
int t;
-@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
+@@ -346,7 +351,12 @@ int OPENSSL_strcasecmp(const char *s1, const char *s2)
return t;
}
@@ -40,10 +50,11 @@ diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
{
int t;
size_t i;
-diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
---- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
-+++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
-@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
+diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
+index 222b1886ae..84c76d29a1 100644
+--- a/test/recipes/01-test_symbol_presence.t
++++ b/test/recipes/01-test_symbol_presence.t
+@@ -131,6 +131,7 @@ foreach (sort keys %stlibname) {
s| .*||;
# Drop OpenSSL dynamic version information if there is any
s|\@\@.+$||;
@@ -51,3 +62,18 @@ diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/
# Return the result
$_
}
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index 8046454025..bb99b1e2a4 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5536,5 +5536,7 @@ X509_STORE_CTX_set_get_crl 5663 3_2_0 EXIST::FUNCTION:
+ X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
+ OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
+ BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
++OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
++OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
+--
+2.41.0
+
diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch
index 7376d02..54dad96 100644
--- a/0076-FIPS-140-3-DRBG.patch
+++ b/0076-FIPS-140-3-DRBG.patch
@@ -1,26 +1,29 @@
-From 0329eb6523363705946887d4f145dd77c741ae4a Mon Sep 17 00:00:00 2001
+From 151114825cb2e4197c095792c24599cae3bd01a1 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
-Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 30/49] 0076-FIPS-140-3-DRBG.patch
+Date: Mon, 8 Jul 2024 11:30:25 +0200
+Subject: [PATCH 30/50] 0076-FIPS-140-3-DRBG.patch
Patch-name: 0076-FIPS-140-3-DRBG.patch
Patch-id: 76
Patch-status: |
- # # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
- # # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
-From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+ # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
+ # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
+From-dist-git-commit: e67e9d9c40cd2cb9547e539c658e2b63f2736762
---
crypto/rand/prov_seed.c | 9 ++-
+ crypto/rand/rand_lib.c | 10 +--
providers/implementations/rands/crngt.c | 6 +-
providers/implementations/rands/drbg.c | 11 ++-
providers/implementations/rands/drbg_local.h | 2 +-
+ providers/implementations/rands/seed_src.c | 18 ++++-
.../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
- 5 files changed, 28 insertions(+), 68 deletions(-)
+ 7 files changed, 45 insertions(+), 79 deletions(-)
-diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
---- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
-+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
-@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
+diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
+index 2985c7f2d8..3202a28226 100644
+--- a/crypto/rand/prov_seed.c
++++ b/crypto/rand/prov_seed.c
+@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused OSSL_LIB_CTX *ctx,
size_t entropy_available;
RAND_POOL *pool;
@@ -36,10 +39,32 @@ diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/ran
if (pool == NULL) {
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
return 0;
-diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
---- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
-+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
-@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
+diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
+index 14999540ab..b05b84717b 100644
+--- a/crypto/rand/rand_lib.c
++++ b/crypto/rand/rand_lib.c
+@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
+ return ret;
+ }
+
+-#ifndef FIPS_MODULE
+- if (dgbl->seed == NULL) {
+- ERR_set_mark();
+- dgbl->seed = rand_new_seed(ctx);
+- ERR_pop_to_mark();
+- }
+-#endif
+-
+- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
++ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
+ PRIMARY_RESEED_INTERVAL,
+ PRIMARY_RESEED_TIME_INTERVAL, 1);
+ /*
+diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c
+index fa4a2db14a..1f13fc759e 100644
+--- a/providers/implementations/rands/crngt.c
++++ b/providers/implementations/rands/crngt.c
+@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,
* to the nearest byte. If the entropy is of less than full quality,
* the amount required should be scaled up appropriately here.
*/
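Review bot: The nested `rand_lib.c` change passes `NULL` as the parent in `rand_new_drbg(ctx, NULL,` without any comment, and the block it removes ran only under `#ifndef FIPS_MODULE`, so the behavioural change lands on the non-FIPS library build. Those removed lines were the only place in this hunk where `dgbl->seed` was created, which suggests a configured seed source is no longer consulted for the primary DRBG; this should be confirmed against the rest of `RAND_get0_primary`, which lies outside the hunk. A comment at the call would make the intent auditable, e.g. `/* Downstream: primary DRBG has no seed-source parent; see Patch-status in 0076-FIPS-140-3-DRBG.patch */`.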
@@ -52,10 +77,11 @@ diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-
if (bytes_needed < min_len)
bytes_needed = min_len;
if (bytes_needed > max_len)
-diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
---- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
-+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
-@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
+diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
+index 46a056bc2a..742806a2ae 100644
+--- a/providers/implementations/rands/drbg.c
++++ b/providers/implementations/rands/drbg.c
+@@ -564,6 +564,9 @@ static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
#endif
}
@@ -65,7 +91,7 @@ diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3
/* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen,
-@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
+@@ -685,8 +688,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
reseed_required = 1;
}
if (drbg->parent != NULL
@@ -81,9 +107,10 @@ diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
-diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
---- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
-+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
+diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
+index 902dfc937d..c7be09176b 100644
+--- a/providers/implementations/rands/drbg_local.h
++++ b/providers/implementations/rands/drbg_local.h
@@ -38,7 +38,7 @@
*
* The value is in bytes.
@@ -93,9 +120,46 @@ diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
-diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
---- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
-+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
+diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c
+index e8f7ec9efc..092b9caf97 100644
+--- a/providers/implementations/rands/seed_src.c
++++ b/providers/implementations/rands/seed_src.c
+@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed, unsigned char *out, size_t outlen,
+ return 0;
+ }
+
+- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
++ /*
++ * OpenSSL still implements an internal entropy pool of
++ * some size that is hashed to get seed data.
++ * Note that this is a conditioning step for which SP800-90C requires
++ * 64 additional bits from the entropy source to claim the requested
++ * amount of entropy.
++ */
++ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
+ if (pool == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
+ return 0;
+@@ -182,7 +189,14 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
+ size_t i;
+ RAND_POOL *pool;
+
+- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
++ /*
++ * OpenSSL still implements an internal entropy pool of
++ * some size that is hashed to get seed data.
++ * Note that this is a conditioning step for which SP800-90C requires
++ * 64 additional bits from the entropy source to claim the requested
++ * amount of entropy.
++ */
++ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
+ if (pool == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
+ return 0;
+diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
+index 9a936d800d..56af1c803c 100644
+--- a/providers/implementations/rands/seeding/rand_unix.c
++++ b/providers/implementations/rands/seeding/rand_unix.c
@@ -48,6 +48,8 @@
# include <fcntl.h>
# include <unistd.h>
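Review bot: Both nested `seed_src.c` changes raise the requested entropy to `strength + 64` and `entropy + 64` but leave the pool length bounds at `outlen` and `min_len`/`max_len`, so a caller whose buffer is sized exactly for the original request may no longer have room for enough bytes to satisfy the larger one. How the pool reacts is decided in code outside these hunks, so this should be checked rather than assumed; a test that calls `seed_src_generate` with `outlen * 8 == strength` would settle it. The same SP800-90C comment is also duplicated verbatim in both functions; a shared constant such as `#define SEED_CONDITIONING_EXTRA_BITS 64` carrying that explanation once would keep the two call sites in step.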
@@ -178,59 +242,6 @@ diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsr
}
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
-diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c
---- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200
-+++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200
-@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
- return 0;
- }
-
-- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
-+ /*
-+ * OpenSSL still implements an internal entropy pool of
-+ * some size that is hashed to get seed data.
-+ * Note that this is a conditioning step for which SP800-90C requires
-+ * 64 additional bits from the entropy source to claim the requested
-+ * amount of entropy.
-+ */
-+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
- if (pool == NULL) {
- ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
- return 0;
-@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
- size_t i;
- RAND_POOL *pool;
-
-- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
-+ /*
-+ * OpenSSL still implements an internal entropy pool of
-+ * some size that is hashed to get seed data.
-+ * Note that this is a conditioning step for which SP800-90C requires
-+ * 64 additional bits from the entropy source to claim the requested
-+ * amount of entropy.
-+ */
-+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
- if (pool == NULL) {
- ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
- return 0;
-diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
-index 14999540ab..b05b84717b 100644
---- a/crypto/rand/rand_lib.c
-+++ b/crypto/rand/rand_lib.c
-@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
- return ret;
- }
-
--#ifndef FIPS_MODULE
-- if (dgbl->seed == NULL) {
-- ERR_set_mark();
-- dgbl->seed = rand_new_seed(ctx);
-- ERR_pop_to_mark();
-- }
--#endif
--
-- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
-+ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
- PRIMARY_RESEED_INTERVAL,
- PRIMARY_RESEED_TIME_INTERVAL, 1);
- /*
+--
+2.41.0
+
diff --git a/openssl.spec b/openssl.spec
index 7f8cf85..651d1b6 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -94,7 +94,7 @@ Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch
# not matching the upstream one, we have to use aliasing.
# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
# should also be removed
-Patch56: 0056-strcasecmp.patch
+Patch56: 0056-strcasecmp.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147