diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch index bfee965..2ba9aab 100644 --- a/0045-FIPS-services-minimize.patch +++ b/0045-FIPS-services-minimize.patch @@ -737,3 +737,19 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen if (!ossl_prov_is_running()) return 0; +diff -up openssl-3.0.7/apps/ecparam.c.minfips openssl-3.0.7/apps/ecparam.c +--- openssl-3.0.7/apps/ecparam.c.minfips 2023-06-24 09:58:57.773344910 +0200 ++++ openssl-3.0.7/apps/ecparam.c 2023-06-26 09:18:06.843859405 +0200 +@@ -79,7 +79,11 @@ static int list_builtin_curves(BIO *out) + const char *comment = curves[n].comment; + const char *sname = OBJ_nid2sn(curves[n].nid); + +- if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL)) ++ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) ++ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) ++ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) ++ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) ++ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) + continue; + + if (comment == NULL) diff --git a/openssl.spec b/openssl.spec index 5ca4f1e..e4b4eeb 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 20%{?dist} +Release: 21%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -520,6 +520,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Mon Jun 26 2023 Sahana Prasad - 1:3.0.7-21 +- Remove the listing of brainpool curves in FIPS mode. + Related: rhbz#2188180 + * Tue May 30 2023 Dmitry Belyavskiy - 1:3.0.7-20 - Fix possible DoS translating ASN.1 object identifiers Resolves: CVE-2023-2650