public inbox for git-commits@fedoraproject.org
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Rebase to OpenSSL 3.5.5
Date: Tue, 09 Jun 2026 12:45:37 GMT
Message-ID: <178100913729.1.17451608550532427009.rpms-openssl-4a9e2d5b1aa1@fedoraproject.org>
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 4a9e2d5b1aa1cdc8adbe434abcee3c282707b33c
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2026-01-28T14:59:50+01:00
Stats : +196/-383 in 9 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/4a9e2d5b1aa1cdc8adbe434abcee3c282707b33c?branch=rebase_40beta
Log:
Rebase to OpenSSL 3.5.5
Resolving CVE-2025-15467, CVE-2025-15468, CVE-2025-15469,
CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69420,
CVE-2025-69421, CVE-2025-69419, CVE-2026-22795, CVE-2026-22796,
CVE-2025-11187
---
diff --git a/.gitignore b/.gitignore
index c813a35..efab622 100644
--- a/.gitignore
+++ b/.gitignore
@@ -68,3 +68,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.5.0.tar.gz
/openssl-3.5.1.tar.gz
/openssl-3.5.4.tar.gz
+/openssl-3.5.5.tar.gz
diff --git a/0056-Add-targets-to-skip-build-of-non-installable-program.patch b/0056-Add-targets-to-skip-build-of-non-installable-program.patch
new file mode 100644
index 0000000..af91d35
--- /dev/null
+++ b/0056-Add-targets-to-skip-build-of-non-installable-program.patch
@@ -0,0 +1,158 @@
+From 4b634bdcc4dedc8516529d39062adc1305c7bf9b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
+Date: Tue, 19 Aug 2025 14:26:07 +0200
+Subject: [PATCH 56/57] Add targets to skip build of non-installable programs
+
+These make it possible to split the build into two
+parts, e.g., when tests should be built with different
+compiler flags than installed software.
+
+Also use these as dependecies where appropriate.
+
+Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/28302)
+---
+ Configurations/descrip.mms.tmpl | 7 +++++--
+ Configurations/unix-Makefile.tmpl | 9 ++++++---
+ Configurations/windows-makefile.tmpl | 8 ++++++--
+ util/help.pl | 2 +-
+ 4 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
+index db6a1b1799..bc7fc36b46 100644
+--- a/Configurations/descrip.mms.tmpl
++++ b/Configurations/descrip.mms.tmpl
+@@ -491,6 +491,8 @@ NODEBUG=@
+ {- dependmagic('build_libs'); -} : build_libs_nodep
+ {- dependmagic('build_modules'); -} : build_modules_nodep
+ {- dependmagic('build_programs'); -} : build_programs_nodep
++{- dependmagic('build_inst_sw'); -} : build_libs_nodep, build_modules_nodep, build_inst_programs_nodep
++{- dependmagic('build_inst_programs'); -} : build_inst_programs_nodep
+
+ build_generated_pods : $(GENERATED_PODS)
+ build_docs : build_html_docs
+@@ -500,6 +502,7 @@ build_generated : $(GENERATED_MANDATORY)
+ build_libs_nodep : $(LIBS), $(SHLIBS)
+ build_modules_nodep : $(MODULES)
+ build_programs_nodep : $(PROGRAMS), $(SCRIPTS)
++build_inst_programs_nodep : $(INSTALL_PROGRAMS), $(SCRIPTS)
+
+ # Kept around for backward compatibility
+ build_apps build_tests : build_programs
+@@ -606,7 +609,7 @@ install_docs : install_html_docs
+ uninstall_docs : uninstall_html_docs
+
+ {- output_off() if $disabled{fips}; "" -}
+-install_fips : build_sw $(INSTALL_FIPSMODULECONF)
++install_fips : build_inst_sw $(INSTALL_FIPSMODULECONF)
+ @ WRITE SYS$OUTPUT "*** Installing FIPS module"
+ - CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
+ - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
+@@ -687,7 +690,7 @@ install_runtime_libs : check_INSTALLTOP build_libs
+ @install_shlibs) -}
+ @ {- output_on() if $disabled{shared}; "" -} !
+
+-install_programs : check_INSTALLTOP install_runtime_libs build_programs
++install_programs : check_INSTALLTOP install_runtime_libs build_inst_programs
+ @ {- output_off() if $disabled{apps}; "" -} !
+ @ ! Install the main program
+ - CREATE/DIR ossl_installroot:[EXE.'arch']
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 1920d38655..bfede44ce4 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -547,7 +547,9 @@ LANG=C
+ {- dependmagic('build_sw', 'Build all the software (default target)'); -}: build_libs_nodep build_modules_nodep build_programs_nodep link-utils
+ {- dependmagic('build_libs', 'Build the libraries libssl and libcrypto'); -}: build_libs_nodep
+ {- dependmagic('build_modules', 'Build the modules (i.e. providers and engines)'); -}: build_modules_nodep
+-{- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep
++{- dependmagic('build_programs', 'Build the openssl executables, scripts and all other programs as configured (e.g. tests or demos)'); -}: build_programs_nodep
++{- dependmagic('build_inst_sw', 'Build all the software to be installed'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep link-utils
++{- dependmagic('build_inst_programs', 'Build only the installable openssl executables and scripts'); -}: build_inst_programs_nodep
+
+ all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation
+ debuginfo: $(SHLIBS)
+@@ -566,6 +568,7 @@ build_generated: $(GENERATED_MANDATORY)
+ build_libs_nodep: $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -}
+ build_modules_nodep: $(MODULES)
+ build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
++build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
+
+ # Kept around for backward compatibility
+ build_apps build_tests: build_programs
+@@ -680,7 +683,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and
+ $(RM) -r "$(DESTDIR)$(DOCDIR)"
+
+ {- output_off() if $disabled{fips}; "" -}
+-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
++install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
+@@ -966,7 +969,7 @@ install_runtime_libs: build_libs
+ : {- output_on() if windowsdll(); "" -}; \
+ done
+
+-install_programs: install_runtime_libs build_programs
++install_programs: install_runtime_libs build_inst_programs
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)"
+ @$(ECHO) "*** Installing runtime programs"
+diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
+index 894834cfb7..b5872124de 100644
+--- a/Configurations/windows-makefile.tmpl
++++ b/Configurations/windows-makefile.tmpl
+@@ -418,6 +418,8 @@ PROCESSOR= {- $config{processor} -}
+ {- dependmagic('build_libs'); -}: build_libs_nodep
+ {- dependmagic('build_modules'); -}: build_modules_nodep
+ {- dependmagic('build_programs'); -}: build_programs_nodep
++{- dependmagic('build_inst_sw'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep copy-utils
++{- dependmagic('build_inst_programs'); -}: build_inst_programs_nodep
+
+ build_docs: build_html_docs
+ build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7)
+@@ -430,6 +432,8 @@ build_modules_nodep: $(MODULES)
+ @
+ build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
+ @
++build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
++ @
+
+ # Kept around for backward compatibility
+ build_apps build_tests: build_programs
+@@ -507,7 +511,7 @@ install_docs: install_html_docs
+ uninstall_docs: uninstall_html_docs
+
+ {- output_off() if $disabled{fips}; "" -}
+-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
++install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
+ # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(MODULESDIR)"
+ @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)"
+@@ -607,7 +611,7 @@ install_runtime_libs: build_libs
+ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \
+ "$(INSTALLTOP)\bin"
+
+-install_programs: install_runtime_libs build_programs
++install_programs: install_runtime_libs build_inst_programs
+ @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
+ @$(ECHO) "*** Installing runtime programs"
+ @if not "$(INSTALL_PROGRAMS)"=="" \
+diff --git a/util/help.pl b/util/help.pl
+index a1614fe8a9..e88ff4bae1 100755
+--- a/util/help.pl
++++ b/util/help.pl
+@@ -14,7 +14,7 @@ while (<>) {
+ chomp; # strip record separator
+ @Fld = split($FS, $_, -1);
+ if (/^[a-zA-Z0-9_\-]+:.*?##/) {
+- printf " \033[36m%-15s\033[0m %s\n", $Fld[0], $Fld[1]
++ printf " \033[36m%-19s\033[0m %s\n", $Fld[0], $Fld[1]
+ }
+ if (/^##@/) {
+ printf "\n\033[1m%s\033[0m\n", substr($Fld[$_], (5)-1);
+--
+2.52.0
+
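Review bot: Nothing in the install path builds the test programs any more: in all three makefile templates `install_programs` and `install_fips` now depend on `build_inst_programs` / `build_inst_sw`, which pull in only `$(INSTALL_PROGRAMS) $(SCRIPTS)`. Any packaging step that relied on an install-driven build before running the test suite has to call `build_programs` (or `build_sw`) explicitly, which is also where the separate test compiler flags described in the patch message would be applied. In util/help.pl the new `%-19s` width is exactly the length of the longest added target name, `build_inst_programs`, so the next longer target will misalign the help output again; computing the width from the target names would avoid that.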
diff --git a/0056-apps-speed.c-Disable-testing-of-composite-signature-.patch b/0056-apps-speed.c-Disable-testing-of-composite-signature-.patch
deleted file mode 100644
index 67f7286..0000000
--- a/0056-apps-speed.c-Disable-testing-of-composite-signature-.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From bd015ab1f56008f17404ac9511025812646e5e2d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
-Date: Mon, 11 Aug 2025 12:02:03 +0200
-Subject: [PATCH 56/59] apps/speed.c: Disable testing of composite signature
- algorithms
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Creating public key context from name would always fail
-for composite signature algorithms (such as RSA-SHA256)
-because the public key algorithm name (e.g., RSA) does
-not match the name of the composite algorithm.
-
-Relates to #27855.
-
-Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/28224)
----
- apps/speed.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/apps/speed.c b/apps/speed.c
-index ae2f166d24..a51d6a57d4 100644
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -2275,9 +2275,11 @@ int speed_main(int argc, char **argv)
- }
- #endif /* OPENSSL_NO_DSA */
- /* skipping these algs as tested elsewhere - and b/o setup is a pain */
-- else if (strcmp(sig_name, "ED25519") &&
-- strcmp(sig_name, "ED448") &&
-- strcmp(sig_name, "ECDSA") &&
-+ else if (strncmp(sig_name, "RSA", 3) &&
-+ strncmp(sig_name, "DSA", 3) &&
-+ strncmp(sig_name, "ED25519", 7) &&
-+ strncmp(sig_name, "ED448", 5) &&
-+ strncmp(sig_name, "ECDSA", 5) &&
- strcmp(sig_name, "HMAC") &&
- strcmp(sig_name, "SIPHASH") &&
- strcmp(sig_name, "POLY1305") &&
---
-2.51.0
-
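Review bot: The commit log gives no reason for dropping this patch; it lists only the rebase and the CVEs. The removed header says `(Merged from https://github.com/openssl/openssl/pull/28224)`, so if 3.5.5 already carries the `strncmp(sig_name, "RSA", 3)` skip in apps/speed.c, state that in the changelog entry. If it does not, the failure the patch message describes for composite names such as RSA-SHA256 comes back. The same question applies to the removed 0057-apps-speed.c-Support-more-signature-algorithms.patch.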
diff --git a/0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch b/0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
new file mode 100644
index 0000000..c02fb9f
--- /dev/null
+++ b/0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
@@ -0,0 +1,27 @@
+From 3ffdc68f16d6b326ff0854053fc9206be3dabcc2 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Wed, 21 Jan 2026 18:13:43 +0100
+Subject: [PATCH 57/57] Disable RSA-PKCS1.5 FIPS POST, not relevant for RHEL
+
+---
+ providers/fips/self_test_kats.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
+index f453b2f2fb..5b37387d83 100644
+--- a/providers/fips/self_test_kats.c
++++ b/providers/fips/self_test_kats.c
+@@ -1190,8 +1190,8 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+ ret = 0;
+ if (!self_test_kems(st, libctx))
+ ret = 0;
+- if (!self_test_asym_ciphers(st, libctx))
+- ret = 0;
++/* if (!self_test_asym_ciphers(st, libctx))
++ ret = 0; */
+
+ RAND_set0_private(libctx, saved_rand);
+ return ret;
+--
+2.52.0
+
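Review bot: The two commented-out lines in SELF_TEST_kats() drop the whole `self_test_asym_ciphers(st, libctx)` call, which is wider than the subject's "RSA-PKCS1.5 FIPS POST", and the patch has no body to justify it. The patch it replaces (0059) made the identical change under a different subject, "RSA_encrypt/decrypt with padding NONE is not supported", so the two rationales disagree about which self-test is the problem. Please add a commit body naming the known-answer tests that sit behind this call and why none of them is required in this build. A `#if 0` block with a one-line reason is also safer than `/* ... */`, which does not nest if the enclosed lines ever gain a comment.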
diff --git a/0057-apps-speed.c-Support-more-signature-algorithms.patch b/0057-apps-speed.c-Support-more-signature-algorithms.patch
deleted file mode 100644
index ae49a34..0000000
--- a/0057-apps-speed.c-Support-more-signature-algorithms.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From eeb05d8b4b63fdda732fb49201c6769082922c11 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
-Date: Mon, 11 Aug 2025 12:19:59 +0200
-Subject: [PATCH 57/59] apps/speed.c: Support more signature algorithms
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some signature algorithms (e.g., ML-DSA-65) cannot be initialized
-via EVP_PKEY_sign_init, so try also EVP_PKEY_sign_message_init
-before reporting an error.
-
-Fixes #27108.
-
-Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/28224)
----
- apps/speed.c | 69 ++++++++++++++++++++++++++++++++++++++++------------
- 1 file changed, 53 insertions(+), 16 deletions(-)
-
-diff --git a/apps/speed.c b/apps/speed.c
-index a51d6a57d4..4050f46bce 100644
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -4248,6 +4248,7 @@ int speed_main(int argc, char **argv)
- EVP_PKEY_CTX *sig_gen_ctx = NULL;
- EVP_PKEY_CTX *sig_sign_ctx = NULL;
- EVP_PKEY_CTX *sig_verify_ctx = NULL;
-+ EVP_SIGNATURE *alg = NULL;
- unsigned char md[SHA256_DIGEST_LENGTH];
- unsigned char *sig;
- char sfx[MAX_ALGNAME_SUFFIX];
-@@ -4308,21 +4309,48 @@ int speed_main(int argc, char **argv)
- sig_name);
- goto sig_err_break;
- }
-+
-+ /*
-+ * Try explicitly fetching the signature algoritm implementation to
-+ * use in case the algorithm does not support EVP_PKEY_sign_init
-+ */
-+ ERR_set_mark();
-+ alg = EVP_SIGNATURE_fetch(app_get0_libctx(), sig_name, app_get0_propq());
-+ ERR_pop_to_mark();
-+
- /* Now prepare signature data structs */
- sig_sign_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
- pkey,
- app_get0_propq());
-- if (sig_sign_ctx == NULL
-- || EVP_PKEY_sign_init(sig_sign_ctx) <= 0
-- || (use_params == 1
-- && (EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx,
-- RSA_PKCS1_PADDING) <= 0))
-- || EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len,
-- md, md_len) <= 0) {
-- BIO_printf(bio_err,
-- "Error while initializing signing data structs for %s.\n",
-- sig_name);
-- goto sig_err_break;
-+ if (sig_sign_ctx == NULL) {
-+ BIO_printf(bio_err,
-+ "Error while initializing signing ctx for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ ERR_set_mark();
-+ if (EVP_PKEY_sign_init(sig_sign_ctx) <= 0
-+ && (alg == NULL
-+ || EVP_PKEY_sign_message_init(sig_sign_ctx, alg, NULL) <= 0)) {
-+ ERR_clear_last_mark();
-+ BIO_printf(bio_err,
-+ "Error while initializing signing data structs for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ ERR_pop_to_mark();
-+ if (use_params == 1 &&
-+ EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx, RSA_PKCS1_PADDING) <= 0) {
-+ BIO_printf(bio_err,
-+ "Error while initializing padding for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ if (EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len, md, md_len) <= 0) {
-+ BIO_printf(bio_err,
-+ "Error while obtaining signature bufffer length for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
- }
- sig = app_malloc(sig_len = max_sig_len, "signature buffer");
- if (sig == NULL) {
-@@ -4338,16 +4366,23 @@ int speed_main(int argc, char **argv)
- sig_verify_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
- pkey,
- app_get0_propq());
-- if (sig_verify_ctx == NULL
-- || EVP_PKEY_verify_init(sig_verify_ctx) <= 0
-- || (use_params == 1
-- && (EVP_PKEY_CTX_set_rsa_padding(sig_verify_ctx,
-- RSA_PKCS1_PADDING) <= 0))) {
-+ if (sig_verify_ctx == NULL) {
-+ BIO_printf(bio_err,
-+ "Error while initializing verify ctx for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ ERR_set_mark();
-+ if (EVP_PKEY_verify_init(sig_verify_ctx) <= 0
-+ && (alg == NULL
-+ || EVP_PKEY_verify_message_init(sig_verify_ctx, alg, NULL) <= 0)) {
-+ ERR_clear_last_mark();
- BIO_printf(bio_err,
- "Error while initializing verify data structs for %s.\n",
- sig_name);
- goto sig_err_break;
- }
-+ ERR_pop_to_mark();
- if (EVP_PKEY_verify(sig_verify_ctx, sig, sig_len, md, md_len) <= 0) {
- BIO_printf(bio_err, "Verify error for %s.\n", sig_name);
- goto sig_err_break;
-@@ -4363,12 +4398,14 @@ int speed_main(int argc, char **argv)
- loopargs[i].sig_act_sig_len[testnum] = sig_len;
- loopargs[i].sig_sig[testnum] = sig;
- EVP_PKEY_free(pkey);
-+ EVP_SIGNATURE_free(alg);
- pkey = NULL;
- continue;
-
- sig_err_break:
- dofail();
- EVP_PKEY_free(pkey);
-+ EVP_SIGNATURE_free(alg);
- op_count = 1;
- sig_checks = 0;
- break;
---
-2.51.0
-
diff --git a/0058-Add-targets-to-skip-build-of-non-installable-program.patch b/0058-Add-targets-to-skip-build-of-non-installable-program.patch
deleted file mode 100644
index c87c278..0000000
--- a/0058-Add-targets-to-skip-build-of-non-installable-program.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From f320da46f706a8013de532ee1a34703bd814be06 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
-Date: Tue, 19 Aug 2025 14:26:07 +0200
-Subject: [PATCH 58/59] Add targets to skip build of non-installable programs
-
-These make it possible to split the build into two
-parts, e.g., when tests should be built with different
-compiler flags than installed software.
-
-Also use these as dependecies where appropriate.
-
-Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/28302)
----
- Configurations/descrip.mms.tmpl | 7 +++++--
- Configurations/unix-Makefile.tmpl | 9 ++++++---
- Configurations/windows-makefile.tmpl | 8 ++++++--
- util/help.pl | 2 +-
- 4 files changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
-index db6a1b1799..bc7fc36b46 100644
---- a/Configurations/descrip.mms.tmpl
-+++ b/Configurations/descrip.mms.tmpl
-@@ -491,6 +491,8 @@ NODEBUG=@
- {- dependmagic('build_libs'); -} : build_libs_nodep
- {- dependmagic('build_modules'); -} : build_modules_nodep
- {- dependmagic('build_programs'); -} : build_programs_nodep
-+{- dependmagic('build_inst_sw'); -} : build_libs_nodep, build_modules_nodep, build_inst_programs_nodep
-+{- dependmagic('build_inst_programs'); -} : build_inst_programs_nodep
-
- build_generated_pods : $(GENERATED_PODS)
- build_docs : build_html_docs
-@@ -500,6 +502,7 @@ build_generated : $(GENERATED_MANDATORY)
- build_libs_nodep : $(LIBS), $(SHLIBS)
- build_modules_nodep : $(MODULES)
- build_programs_nodep : $(PROGRAMS), $(SCRIPTS)
-+build_inst_programs_nodep : $(INSTALL_PROGRAMS), $(SCRIPTS)
-
- # Kept around for backward compatibility
- build_apps build_tests : build_programs
-@@ -606,7 +609,7 @@ install_docs : install_html_docs
- uninstall_docs : uninstall_html_docs
-
- {- output_off() if $disabled{fips}; "" -}
--install_fips : build_sw $(INSTALL_FIPSMODULECONF)
-+install_fips : build_inst_sw $(INSTALL_FIPSMODULECONF)
- @ WRITE SYS$OUTPUT "*** Installing FIPS module"
- - CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
- - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
-@@ -687,7 +690,7 @@ install_runtime_libs : check_INSTALLTOP build_libs
- @install_shlibs) -}
- @ {- output_on() if $disabled{shared}; "" -} !
-
--install_programs : check_INSTALLTOP install_runtime_libs build_programs
-+install_programs : check_INSTALLTOP install_runtime_libs build_inst_programs
- @ {- output_off() if $disabled{apps}; "" -} !
- @ ! Install the main program
- - CREATE/DIR ossl_installroot:[EXE.'arch']
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 74139ec228..16aab9cd76 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -547,7 +547,9 @@ LANG=C
- {- dependmagic('build_sw', 'Build all the software (default target)'); -}: build_libs_nodep build_modules_nodep build_programs_nodep link-utils
- {- dependmagic('build_libs', 'Build the libraries libssl and libcrypto'); -}: build_libs_nodep
- {- dependmagic('build_modules', 'Build the modules (i.e. providers and engines)'); -}: build_modules_nodep
--{- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep
-+{- dependmagic('build_programs', 'Build the openssl executables, scripts and all other programs as configured (e.g. tests or demos)'); -}: build_programs_nodep
-+{- dependmagic('build_inst_sw', 'Build all the software to be installed'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep link-utils
-+{- dependmagic('build_inst_programs', 'Build only the installable openssl executables and scripts'); -}: build_inst_programs_nodep
-
- all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation
- debuginfo: $(SHLIBS)
-@@ -566,6 +568,7 @@ build_generated: $(GENERATED_MANDATORY)
- build_libs_nodep: $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -}
- build_modules_nodep: $(MODULES)
- build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
-+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
-
- # Kept around for backward compatibility
- build_apps build_tests: build_programs
-@@ -680,7 +683,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and
- $(RM) -r "$(DESTDIR)$(DOCDIR)"
-
- {- output_off() if $disabled{fips}; "" -}
--install_fips: build_sw $(INSTALL_FIPSMODULECONF)
-+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
-@@ -965,7 +968,7 @@ install_runtime_libs: build_libs
- : {- output_on() if windowsdll(); "" -}; \
- done
-
--install_programs: install_runtime_libs build_programs
-+install_programs: install_runtime_libs build_inst_programs
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)"
- @$(ECHO) "*** Installing runtime programs"
-diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
-index 894834cfb7..b5872124de 100644
---- a/Configurations/windows-makefile.tmpl
-+++ b/Configurations/windows-makefile.tmpl
-@@ -418,6 +418,8 @@ PROCESSOR= {- $config{processor} -}
- {- dependmagic('build_libs'); -}: build_libs_nodep
- {- dependmagic('build_modules'); -}: build_modules_nodep
- {- dependmagic('build_programs'); -}: build_programs_nodep
-+{- dependmagic('build_inst_sw'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep copy-utils
-+{- dependmagic('build_inst_programs'); -}: build_inst_programs_nodep
-
- build_docs: build_html_docs
- build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7)
-@@ -430,6 +432,8 @@ build_modules_nodep: $(MODULES)
- @
- build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
- @
-+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
-+ @
-
- # Kept around for backward compatibility
- build_apps build_tests: build_programs
-@@ -507,7 +511,7 @@ install_docs: install_html_docs
- uninstall_docs: uninstall_html_docs
-
- {- output_off() if $disabled{fips}; "" -}
--install_fips: build_sw $(INSTALL_FIPSMODULECONF)
-+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
- # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(MODULESDIR)"
- @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)"
-@@ -607,7 +611,7 @@ install_runtime_libs: build_libs
- "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \
- "$(INSTALLTOP)\bin"
-
--install_programs: install_runtime_libs build_programs
-+install_programs: install_runtime_libs build_inst_programs
- @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
- @$(ECHO) "*** Installing runtime programs"
- @if not "$(INSTALL_PROGRAMS)"=="" \
-diff --git a/util/help.pl b/util/help.pl
-index a1614fe8a9..e88ff4bae1 100755
---- a/util/help.pl
-+++ b/util/help.pl
-@@ -14,7 +14,7 @@ while (<>) {
- chomp; # strip record separator
- @Fld = split($FS, $_, -1);
- if (/^[a-zA-Z0-9_\-]+:.*?##/) {
-- printf " \033[36m%-15s\033[0m %s\n", $Fld[0], $Fld[1]
-+ printf " \033[36m%-19s\033[0m %s\n", $Fld[0], $Fld[1]
- }
- if (/^##@/) {
- printf "\n\033[1m%s\033[0m\n", substr($Fld[$_], (5)-1);
---
-2.51.0
-
diff --git a/0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch b/0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch
deleted file mode 100644
index 5323d6a..0000000
--- a/0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 4b91d0604643eff849a480f37b22f3bd7029d897 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Fri, 17 Oct 2025 17:45:48 +0200
-Subject: [PATCH 59/59] RSA_encrypt/decrypt with padding NONE is not supported
- in
-
-RHEL/CentOS/Fedora FIPS mode
----
- providers/fips/self_test_kats.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
-index acb0b85f73..c69c81bc9c 100644
---- a/providers/fips/self_test_kats.c
-+++ b/providers/fips/self_test_kats.c
-@@ -1190,8 +1190,8 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
- ret = 0;
- if (!self_test_kems(st, libctx))
- ret = 0;
-- if (!self_test_asym_ciphers(st, libctx))
-- ret = 0;
-+/* if (!self_test_asym_ciphers(st, libctx))
-+ ret = 0; */
-
- RAND_set0_private(libctx, saved_rand);
- return ret;
---
-2.51.0
-
diff --git a/openssl.spec b/openssl.spec
index cd2a7ae..3522651 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -33,8 +33,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 3.5.4
-Release: 2%{?dist}
+Version: 3.5.5
+Release: 1%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@@ -100,10 +100,8 @@ Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif
Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
-Patch0056: 0056-apps-speed.c-Disable-testing-of-composite-signature-.patch
-Patch0057: 0057-apps-speed.c-Support-more-signature-algorithms.patch
-Patch0058: 0058-Add-targets-to-skip-build-of-non-installable-program.patch
-Patch0059: 0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch
+Patch0056: 0056-Add-targets-to-skip-build-of-non-installable-program.patch
+Patch0057: 0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
License: Apache-2.0
URL: http://www.openssl.org/
@@ -476,6 +474,11 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
+* Wed Jan 28 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.5-1
+- Rebase to OpenSSL 3.5.5, resolving CVE-2025-15467, CVE-2025-15468,
+ CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69420,
+ CVE-2025-69421, CVE-2025-69419, CVE-2026-22795, CVE-2026-22796, CVE-2025-11187
+
* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.5.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
diff --git a/sources b/sources
index 07e4fea..8551fe3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.5.4.tar.gz) = 365aca6f2e59b5c8261fba683425d177874cf6024b0d216ca309112b879c1f4e8da78617e23c3c95d0b4a26b83ecd0d8348038b999d30e597d19f466c4761227
+SHA512 (openssl-3.5.5.tar.gz) = 7cf0eb91bac175f7fe0adcafef457790d43fe7f98e2d4bef681c2fd5ca365e1fa5b562c645a60ab602365adedf9d91c074624eea66d3d7e155639fc50d5861ec
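Review bot: The new SHA512 line is the only integrity pin for openssl-3.5.5.tar.gz visible in this change, and nothing here records how the value was obtained. Please confirm that the tarball was checked against the upstream release signature or published digest before the hash was written to `sources`, since every later build trusts this line.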