public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: Make openssl speed test signatures without errors
@ 2026-06-09 12:45
0 siblings, 0 replies; only message in thread
From: @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : b2287dfdd80df6005a1effbc9ca7017722711d1c
Author : Pavol Žáčik <pzacik@redhat.com>
Date : 2025-08-26T17:43:17+02:00
Stats : +181/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/b2287dfdd80df6005a1effbc9ca7017722711d1c?branch=rebase_40beta
Log:
Make openssl speed test signatures without errors
Backported from https://github.com/openssl/openssl/pull/28224.
---
diff --git a/0054-Speed-test-signatures-without-errors.patch b/0054-Speed-test-signatures-without-errors.patch
new file mode 100644
index 0000000..ac65c4e
--- /dev/null
+++ b/0054-Speed-test-signatures-without-errors.patch
@@ -0,0 +1,176 @@
+From 0db63fff91327d06502027441104665f462be922 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
+Date: Mon, 11 Aug 2025 12:02:03 +0200
+Subject: [PATCH 1/2] apps/speed.c: Disable testing of composite signature
+ algorithms
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Creating public key context from name would always fail
+for composite signature algorithms (such as RSA-SHA256)
+because the public key algorithm name (e.g., RSA) does
+not match the name of the composite algorithm.
+
+Relates to #27855.
+
+Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
+---
+ apps/speed.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index 2c3ec37d1239e..a6d239c8cda81 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -2281,9 +2281,11 @@ int speed_main(int argc, char **argv)
+ }
+ #endif /* OPENSSL_NO_DSA */
+ /* skipping these algs as tested elsewhere - and b/o setup is a pain */
+- else if (strcmp(sig_name, "ED25519") &&
+- strcmp(sig_name, "ED448") &&
+- strcmp(sig_name, "ECDSA") &&
++ else if (strncmp(sig_name, "RSA", 3) &&
++ strncmp(sig_name, "DSA", 3) &&
++ strncmp(sig_name, "ED25519", 7) &&
++ strncmp(sig_name, "ED448", 5) &&
++ strncmp(sig_name, "ECDSA", 5) &&
+ strcmp(sig_name, "HMAC") &&
+ strcmp(sig_name, "SIPHASH") &&
+ strcmp(sig_name, "POLY1305") &&
+
+From 30d98de47c63ca84df41ee57f9d230b2f56bf9ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
+Date: Mon, 11 Aug 2025 12:19:59 +0200
+Subject: [PATCH 2/2] apps/speed.c: Support more signature algorithms
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some signature algorithms (e.g., ML-DSA-65) cannot be initialized
+via EVP_PKEY_sign_init, so try also EVP_PKEY_sign_message_init
+before reporting an error.
+
+Fixes #27108.
+
+Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
+---
+ apps/speed.c | 69 ++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 53 insertions(+), 16 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index a6d239c8cda81..059183ddc77d3 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -4254,6 +4254,7 @@ int speed_main(int argc, char **argv)
+ EVP_PKEY_CTX *sig_gen_ctx = NULL;
+ EVP_PKEY_CTX *sig_sign_ctx = NULL;
+ EVP_PKEY_CTX *sig_verify_ctx = NULL;
++ EVP_SIGNATURE *alg = NULL;
+ unsigned char md[SHA256_DIGEST_LENGTH];
+ unsigned char *sig;
+ char sfx[MAX_ALGNAME_SUFFIX];
+@@ -4314,21 +4315,48 @@ int speed_main(int argc, char **argv)
+ sig_name);
+ goto sig_err_break;
+ }
++
++ /*
++ * Try explicitly fetching the signature algoritm implementation to
++ * use in case the algorithm does not support EVP_PKEY_sign_init
++ */
++ ERR_set_mark();
++ alg = EVP_SIGNATURE_fetch(app_get0_libctx(), sig_name, app_get0_propq());
++ ERR_pop_to_mark();
++
+ /* Now prepare signature data structs */
+ sig_sign_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
+ pkey,
+ app_get0_propq());
+- if (sig_sign_ctx == NULL
+- || EVP_PKEY_sign_init(sig_sign_ctx) <= 0
+- || (use_params == 1
+- && (EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx,
+- RSA_PKCS1_PADDING) <= 0))
+- || EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len,
+- md, md_len) <= 0) {
+- BIO_printf(bio_err,
+- "Error while initializing signing data structs for %s.\n",
+- sig_name);
+- goto sig_err_break;
++ if (sig_sign_ctx == NULL) {
++ BIO_printf(bio_err,
++ "Error while initializing signing ctx for %s.\n",
++ sig_name);
++ goto sig_err_break;
++ }
++ ERR_set_mark();
++ if (EVP_PKEY_sign_init(sig_sign_ctx) <= 0
++ && (alg == NULL
++ || EVP_PKEY_sign_message_init(sig_sign_ctx, alg, NULL) <= 0)) {
++ ERR_clear_last_mark();
++ BIO_printf(bio_err,
++ "Error while initializing signing data structs for %s.\n",
++ sig_name);
++ goto sig_err_break;
++ }
++ ERR_pop_to_mark();
++ if (use_params == 1 &&
++ EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx, RSA_PKCS1_PADDING) <= 0) {
++ BIO_printf(bio_err,
++ "Error while initializing padding for %s.\n",
++ sig_name);
++ goto sig_err_break;
++ }
++ if (EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len, md, md_len) <= 0) {
++ BIO_printf(bio_err,
++ "Error while obtaining signature bufffer length for %s.\n",
++ sig_name);
++ goto sig_err_break;
+ }
+ sig = app_malloc(sig_len = max_sig_len, "signature buffer");
+ if (sig == NULL) {
+@@ -4344,16 +4372,23 @@ int speed_main(int argc, char **argv)
+ sig_verify_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
+ pkey,
+ app_get0_propq());
+- if (sig_verify_ctx == NULL
+- || EVP_PKEY_verify_init(sig_verify_ctx) <= 0
+- || (use_params == 1
+- && (EVP_PKEY_CTX_set_rsa_padding(sig_verify_ctx,
+- RSA_PKCS1_PADDING) <= 0))) {
++ if (sig_verify_ctx == NULL) {
++ BIO_printf(bio_err,
++ "Error while initializing verify ctx for %s.\n",
++ sig_name);
++ goto sig_err_break;
++ }
++ ERR_set_mark();
++ if (EVP_PKEY_verify_init(sig_verify_ctx) <= 0
++ && (alg == NULL
++ || EVP_PKEY_verify_message_init(sig_verify_ctx, alg, NULL) <= 0)) {
++ ERR_clear_last_mark();
+ BIO_printf(bio_err,
+ "Error while initializing verify data structs for %s.\n",
+ sig_name);
+ goto sig_err_break;
+ }
++ ERR_pop_to_mark();
+ if (EVP_PKEY_verify(sig_verify_ctx, sig, sig_len, md, md_len) <= 0) {
+ BIO_printf(bio_err, "Verify error for %s.\n", sig_name);
+ goto sig_err_break;
+@@ -4369,12 +4404,14 @@ int speed_main(int argc, char **argv)
+ loopargs[i].sig_act_sig_len[testnum] = sig_len;
+ loopargs[i].sig_sig[testnum] = sig;
+ EVP_PKEY_free(pkey);
++ EVP_SIGNATURE_free(alg);
+ pkey = NULL;
+ continue;
+
+ sig_err_break:
+ dofail();
+ EVP_PKEY_free(pkey);
++ EVP_SIGNATURE_free(alg);
+ op_count = 1;
+ sig_checks = 0;
+ break;
diff --git a/openssl.spec b/openssl.spec
index 3eeba4f..4442715 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -34,7 +34,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.5.1
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@@ -98,6 +98,7 @@ Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif
+Patch0054: 0054-Speed-test-signatures-without-errors.patch
License: Apache-2.0
@@ -467,6 +468,9 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
+* Tue Aug 26 2025 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.1-3
+- Make openssl speed test signatures without errors
+
* Thu Jul 24 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:45 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:45 [rpms/openssl] rebase_40beta: Make openssl speed test signatures without errors
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox