Merge branch 'c10s' into a10s

eabdullin 2024-09-02 23:25:52 +03:00
commit 16d731ff99
9 changed files with 2309 additions and 62 deletions


@ -1,30 +1,29 @@
From 66b728801f141c9db8e647ab02421c83694ade79 Mon Sep 17 00:00:00 2001
From 8be4ef77c64fcada41041c00e02c34b07658ba66 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 07/35]
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 07/49]
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch-id: 7
Patch-status: |
# Add support for PROFILE=SYSTEM system default cipherlist
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
# # Add support for PROFILE=SYSTEM system default cipherlist
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
Configurations/unix-Makefile.tmpl | 5 ++
Configure | 11 +++-
doc/man1/openssl-ciphers.pod.in | 9 ++++
include/openssl/ssl.h.in | 5 ++
ssl/ssl_ciph.c | 87 +++++++++++++++++++++++++++----
ssl/ssl_ciph.c | 86 +++++++++++++++++++++++++++----
ssl/ssl_lib.c | 4 +-
test/cipherlist_test.c | 2 +
util/libcrypto.num | 1 +
8 files changed, 110 insertions(+), 14 deletions(-)
7 files changed, 109 insertions(+), 13 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index f29cdc7f38..c0df026de3 100644
index 5d61ce9550..e9fba957f1 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@ -35,7 +34,7 @@ index f29cdc7f38..c0df026de3 100644
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
CPPFLAGS={- our $cppflags1 = join(" ",
(map { "-D".$_} @{$config{CPPDEFINES}}),
@ -44,7 +43,7 @@ index f29cdc7f38..c0df026de3 100644
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
diff --git a/Configure b/Configure
index 456995240b..93be83be94 100755
index cca1ac8d16..2ae1cd0bc2 100755
--- a/Configure
+++ b/Configure
@@ -27,7 +27,7 @@ use OpenSSL::config;
@ -67,7 +66,7 @@ index 456995240b..93be83be94 100755
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
@@ -387,6 +391,7 @@ $config{prefix}="";
@@ -394,6 +398,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
@ -75,7 +74,7 @@ index 456995240b..93be83be94 100755
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
@@ -989,6 +994,10 @@ while (@argvcopy)
@@ -1047,6 +1052,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
@ -87,10 +86,10 @@ index 456995240b..93be83be94 100755
{
$banner = $1 . "\n";
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
index 658730ec53..04e66bcebe 100644
index d4df30686f..cec4835268 100644
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@ -107,10 +106,10 @@ index 658730ec53..04e66bcebe 100644
"High" encryption cipher suites. This currently means those with key lengths
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index f03f52fbd8..0b6de603e2 100644
index 9f91039f8a..fc34d4ca61 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -208,6 +208,11 @@ extern "C" {
@@ -209,6 +209,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
*/
@ -123,10 +122,10 @@ index f03f52fbd8..0b6de603e2 100644
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 93de9cf8fd..a5e60e8839 100644
index 8360991ce4..33c23efb0d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
return ret;
}
@ -180,7 +179,7 @@ index 93de9cf8fd..a5e60e8839 100644
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1469,15 +1516,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
@ -208,7 +207,16 @@ index 93de9cf8fd..a5e60e8839 100644
/*
* To reduce the work to do we only want to process the compiled
@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
if (num_of_ciphers > 0) {
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL)
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1565,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -218,7 +226,17 @@ index 93de9cf8fd..a5e60e8839 100644
}
/*
@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1611,8 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
- OPENSSL_free(co_list);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1637,8 +1693,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
@ -228,7 +246,7 @@ index 93de9cf8fd..a5e60e8839 100644
}
/*
@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1646,10 +1701,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -244,7 +262,7 @@ index 93de9cf8fd..a5e60e8839 100644
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1701,6 +1759,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
*cipher_list = cipherstack;
return cipherstack;
@ -260,10 +278,10 @@ index 93de9cf8fd..a5e60e8839 100644
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f12ad6d034..a059bcd83b 100644
index cf59d2dfa5..1329841aaf 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
@@ -700,7 +700,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
@ -272,7 +290,7 @@ index f12ad6d034..a059bcd83b 100644
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
@@ -3966,7 +3966,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@ -282,10 +300,10 @@ index f12ad6d034..a059bcd83b 100644
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err;
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
index 2d166e2b46..4ff2aa12d6 100644
index c46e431b00..19d05e860b 100644
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -246,7 +246,9 @@ end:
@@ -261,7 +261,9 @@ end:
int setup_tests(void)
{
@ -296,26 +314,5 @@ index 2d166e2b46..4ff2aa12d6 100644
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
--
2.41.0
2.44.0
diff -up openssl-3.2.0/ssl/ssl_ciph.c.7patch openssl-3.2.0/ssl/ssl_ciph.c
--- openssl-3.2.0/ssl/ssl_ciph.c.7patch 2023-11-30 13:43:03.510620566 +0100
+++ openssl-3.2.0/ssl/ssl_ciph.c 2023-11-30 13:44:21.275313230 +0100
@@ -1556,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
if (num_of_ciphers > 0) {
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL)
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1667,7 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
OPENSSL_free(co_list);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,


@ -0,0 +1,16 @@
diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c
--- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200
+++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200
@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co
/* sock must be connected */
static int ktls_chk_platform(int sock)
{
- if (!ktls_enable(sock))
+/* if (!ktls_enable(sock))
return 0;
- return 1;
+ return 1; */
+ return 0;
}
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
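Review bot: `ktls_chk_platform()` now returns 0 unconditionally with its original body left inside a `/* … */` block, and nothing in the patch says why, so every kTLS test gated on this helper is presumably skipped without any trace in the build log. The `sock` parameter is also unused after the change, which may trigger unused-parameter warnings under strict flags. Wrapping the old body in `#if 0 … #endif` would be safer, since a block comment breaks as soon as the wrapped code gains a comment of its own. Adding `/* kTLS tests disabled in this build: <reason or tracking reference> */` above `return 0;` would keep the lost coverage visible to whoever next rebases the patch.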


@ -0,0 +1,21 @@
diff -up openssl-3.2.2/apps/pkcs12.c.xxx openssl-3.2.2/apps/pkcs12.c
--- openssl-3.2.2/apps/pkcs12.c.xxx 2024-08-14 11:24:41.164589397 +0200
+++ openssl-3.2.2/apps/pkcs12.c 2024-08-14 11:28:21.071004221 +0200
@@ -17,6 +17,7 @@
#include <openssl/asn1.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/provider.h>
@@ -708,6 +709,9 @@ int pkcs12_main(int argc, char **argv)
}
if (maciter != -1) {
+ if (EVP_default_properties_is_fips_enabled(NULL))
+ pbmac1_pbkdf2 = 1;
+
if (pbmac1_pbkdf2 == 1) {
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,
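Review bot: The added `EVP_default_properties_is_fips_enabled(NULL)` test in `pkcs12_main` consults only the default library context, so it would not fire if FIPS is selected through a non-default libctx or a property query passed to the app; it is worth confirming that this is the intended scope. The override of `pbmac1_pbkdf2` is also silent, so a user who did not ask for PBMAC1 gets a different MAC format with no indication why. A comment such as `/* FIPS: the legacy PKCS#12 MAC KDF is not approved, force PBMAC1 */` plus a short note on `bio_err` when the flag was not requested would document the policy. The rest of `pkcs12_main` lies outside the hunk, so whether another branch can still reach the legacy MAC path cannot be checked from here.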

0126-pkeyutl-encap.patch Normal file

@ -0,0 +1,430 @@
From 77a0eabe15b9c8c0fb5fde27f6ce1c593c278e20 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Wed, 7 Aug 2024 17:17:18 +0200
Subject: [PATCH 1/3] Support of en/decapsulation in the pkeyutl command
---
apps/pkeyutl.c | 83 +++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 69 insertions(+), 14 deletions(-)
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index b5390c64c2a81..a14ad88217823 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -24,7 +24,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
const int impl, int rawin, EVP_PKEY **ppkey,
- EVP_MD_CTX *mctx, const char *digestname,
+ EVP_MD_CTX *mctx, const char *digestname, const char *kemop,
OSSL_LIB_CTX *libctx, const char *propq);
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
@@ -32,7 +32,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
- const unsigned char *in, size_t inlen);
+ const unsigned char *in, size_t inlen,
+ unsigned char *secret, size_t *psecretlen);
static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
EVP_PKEY *pkey, BIO *in,
@@ -47,6 +48,7 @@ typedef enum OPTION_choice {
OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM,
+ OPT_DECAP, OPT_ENCAP, OPT_SECOUT, OPT_KEMOP,
OPT_CONFIG,
OPT_RAWIN, OPT_DIGEST
} OPTION_CHOICE;
@@ -64,6 +66,8 @@ const OPTIONS pkeyutl_options[] = {
{"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
{"derive", OPT_DERIVE, '-', "Derive shared secret"},
+ {"decap", OPT_DECAP, '-', "Decapsulate shared secret"},
+ {"encap", OPT_ENCAP, '-', "Encapsulate shared secret"},
OPT_CONFIG_OPTION,
OPT_SECTION("Input"),
@@ -81,12 +85,13 @@ const OPTIONS pkeyutl_options[] = {
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
+ {"secret", OPT_SECOUT, '>', "File to store secret on encapsulation"},
{"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
{"verifyrecover", OPT_VERIFYRECOVER, '-',
"Verify with public key, recover original data"},
- OPT_SECTION("Signing/Derivation"),
+ OPT_SECTION("Signing/Derivation/Encapsulation"),
{"digest", OPT_DIGEST, 's',
"Specify the digest algorithm when signing the raw input data"},
{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
@@ -94,6 +99,7 @@ const OPTIONS pkeyutl_options[] = {
"Public key option that is read as a passphrase argument opt:passphrase"},
{"kdf", OPT_KDF, 's', "Use KDF algorithm"},
{"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
+ {"kemop", OPT_KEMOP, 's', "KEM operation specific to the key algorithm"},
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
@@ -103,23 +109,23 @@ const OPTIONS pkeyutl_options[] = {
int pkeyutl_main(int argc, char **argv)
{
CONF *conf = NULL;
- BIO *in = NULL, *out = NULL;
+ BIO *in = NULL, *out = NULL, *secout = NULL;
ENGINE *e = NULL;
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *pkey = NULL;
- char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
+ char *infile = NULL, *outfile = NULL, *secoutfile = NULL, *sigfile = NULL, *passinarg = NULL;
char hexdump = 0, asn1parse = 0, rev = 0, *prog;
- unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
+ unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL, *secret = NULL;
OPTION_CHOICE o;
int buf_inlen = 0, siglen = -1;
int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF;
int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
int engine_impl = 0;
int ret = 1, rv = -1;
- size_t buf_outlen;
+ size_t buf_outlen = 0, secretlen = 0;
const char *inkey = NULL;
const char *peerkey = NULL;
- const char *kdfalg = NULL, *digestname = NULL;
+ const char *kdfalg = NULL, *digestname = NULL, *kemop = NULL;
int kdflen = 0;
STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL;
@@ -147,6 +153,9 @@ int pkeyutl_main(int argc, char **argv)
case OPT_OUT:
outfile = opt_arg();
break;
+ case OPT_SECOUT:
+ secoutfile = opt_arg();
+ break;
case OPT_SIGFILE:
sigfile = opt_arg();
break;
@@ -216,6 +225,15 @@ int pkeyutl_main(int argc, char **argv)
case OPT_DERIVE:
pkey_op = EVP_PKEY_OP_DERIVE;
break;
+ case OPT_DECAP:
+ pkey_op = EVP_PKEY_OP_DECAPSULATE;
+ break;
+ case OPT_ENCAP:
+ pkey_op = EVP_PKEY_OP_ENCAPSULATE;
+ break;
+ case OPT_KEMOP:
+ kemop = opt_arg();
+ break;
case OPT_KDF:
pkey_op = EVP_PKEY_OP_DERIVE;
key_type = KEY_NONE;
@@ -303,7 +321,7 @@ int pkeyutl_main(int argc, char **argv)
}
ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
passinarg, pkey_op, e, engine_impl, rawin, &pkey,
- mctx, digestname, libctx, app_get0_propq());
+ mctx, digestname, kemop, libctx, app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err, "%s: Error initializing context\n", prog);
goto end;
@@ -387,7 +405,7 @@ int pkeyutl_main(int argc, char **argv)
goto end;
}
- if (pkey_op != EVP_PKEY_OP_DERIVE) {
+ if (pkey_op != EVP_PKEY_OP_DERIVE && pkey_op != EVP_PKEY_OP_ENCAPSULATE) {
in = bio_open_default(infile, 'r', FORMAT_BINARY);
if (infile != NULL) {
struct stat st;
@@ -402,6 +420,16 @@ int pkeyutl_main(int argc, char **argv)
if (out == NULL)
goto end;
+ if (pkey_op == EVP_PKEY_OP_ENCAPSULATE) {
+ if (secoutfile == NULL) {
+ BIO_printf(bio_err, "Encapsulation requires '-secret' argument\n");
+ goto end;
+ }
+ secout = bio_open_default(secoutfile, 'w', FORMAT_BINARY);
+ if (secout == NULL)
+ goto end;
+ }
+
if (sigfile != NULL) {
BIO *sigbio = BIO_new_file(sigfile, "rb");
@@ -473,13 +501,15 @@ int pkeyutl_main(int argc, char **argv)
rv = 1;
} else {
rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
- buf_in, (size_t)buf_inlen);
+ buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen);
}
if (rv > 0 && buf_outlen != 0) {
buf_out = app_malloc(buf_outlen, "buffer output");
+ if (secretlen > 0)
+ secret = app_malloc(secretlen, "secret output");
rv = do_keyop(ctx, pkey_op,
buf_out, (size_t *)&buf_outlen,
- buf_in, (size_t)buf_inlen);
+ buf_in, (size_t)buf_inlen, secret, (size_t *)&secretlen);
}
}
if (rv <= 0) {
@@ -500,6 +530,8 @@ int pkeyutl_main(int argc, char **argv)
} else {
BIO_write(out, buf_out, buf_outlen);
}
+ if (secretlen > 0)
+ BIO_write(secout, secret, secretlen);
end:
if (ret != 0)
@@ -510,9 +542,11 @@ int pkeyutl_main(int argc, char **argv)
release_engine(e);
BIO_free(in);
BIO_free_all(out);
+ BIO_free_all(secout);
OPENSSL_free(buf_in);
OPENSSL_free(buf_out);
OPENSSL_free(sig);
+ OPENSSL_free(secret);
sk_OPENSSL_STRING_free(pkeyopts);
sk_OPENSSL_STRING_free(pkeyopts_passin);
NCONF_free(conf);
@@ -524,7 +558,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
char *passinarg, int pkey_op, ENGINE *e,
const int engine_impl, int rawin,
EVP_PKEY **ppkey, EVP_MD_CTX *mctx, const char *digestname,
- OSSL_LIB_CTX *libctx, const char *propq)
+ const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
{
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
@@ -642,6 +676,18 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
case EVP_PKEY_OP_DERIVE:
rv = EVP_PKEY_derive_init(ctx);
break;
+
+ case EVP_PKEY_OP_ENCAPSULATE:
+ rv = EVP_PKEY_encapsulate_init(ctx, NULL);
+ if (rv > 0 && kemop != NULL)
+ rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop);
+ break;
+
+ case EVP_PKEY_OP_DECAPSULATE:
+ rv = EVP_PKEY_decapsulate_init(ctx, NULL);
+ if (rv > 0 && kemop != NULL)
+ rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop);
+ break;
}
}
@@ -679,7 +725,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
- const unsigned char *in, size_t inlen)
+ const unsigned char *in, size_t inlen,
+ unsigned char *secret, size_t *pseclen)
{
int rv = 0;
switch (pkey_op) {
@@ -703,6 +750,14 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
rv = EVP_PKEY_derive(ctx, out, poutlen);
break;
+ case EVP_PKEY_OP_ENCAPSULATE:
+ rv = EVP_PKEY_encapsulate(ctx, out, poutlen, secret, pseclen);
+ break;
+
+ case EVP_PKEY_OP_DECAPSULATE:
+ rv = EVP_PKEY_decapsulate(ctx, out, poutlen, in, inlen);
+ break;
+
}
return rv;
}
From 1598da873df55887c2d878549f74b7aaed6d5fde Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Wed, 7 Aug 2024 17:50:51 +0200
Subject: [PATCH 2/3] Encap/decap in pkeyutl - documentation
---
doc/man1/openssl-pkeyutl.pod.in | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
index 50c2030aa353c..9de50dd6cee8f 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -13,6 +13,7 @@ B<openssl> B<pkeyutl>
[B<-rawin>]
[B<-digest> I<algorithm>]
[B<-out> I<file>]
+[B<-secret> I<file>]
[B<-sigfile> I<file>]
[B<-inkey> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
@@ -28,8 +29,11 @@ B<openssl> B<pkeyutl>
[B<-encrypt>]
[B<-decrypt>]
[B<-derive>]
+[B<-encap>]
+[B<-decap>]
[B<-kdf> I<algorithm>]
[B<-kdflen> I<length>]
+[B<-kemop> I<operation>]
[B<-pkeyopt> I<opt>:I<value>]
[B<-pkeyopt_passin> I<opt>[:I<passarg>]]
[B<-hexdump>]
@@ -79,6 +83,10 @@ then the B<-rawin> option must be also specified.
Specifies the output filename to write to or standard output by
default.
+=item B<-secret> I<filename>
+
+Specifies the output filename to write the secret to on I<-encap>.
+
=item B<-sigfile> I<file>
Signature file, required for B<-verify> operations only
@@ -147,6 +155,31 @@ Decrypt the input data using a private key.
Derive a shared secret using the peer key.
+=item B<-encap>
+
+Encapsulate a generated secret using a private key.
+The encapsulated result (binary data) is written to standard output by default,
+or else to the file specified with I<-out>.
+The I<-secret> option must also be provided to specify the output file for the
+secret value generated in the encapsulation process.
+
+=item B<-decap>
+
+Decapsulate the secret using a private key.
+The result (binary data) is written to standard output by default, or else to
+the file specified with I<-out>.
+
+=item B<-kemop> I<operation>
+
+This option is used for I<-encap>/I<-decap> commands and specifies the KEM
+operation specific for the key algorithm when there is no default KEM
+operation.
+If the algorithm has the default KEM operation, this option can be omitted.
+
+See L<EVP_PKEY_CTX_set_kem_op(3)> and algorithm-specific KEM documentation e.g.
+L<EVP_KEM-RSA(7)>, L<EVP_KEM-EC(7)>, L<EVP_KEM-X25519(7)>, and
+L<EVP_KEM-X448(7)>.
+
=item B<-kdf> I<algorithm>
Use key derivation function I<algorithm>. The supported algorithms are
From 1fe7d5b3d96e2ce1e822a4e6e042959af55b0145 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Thu, 8 Aug 2024 13:45:19 +0200
Subject: [PATCH 3/3] Encap/decap in pkeyutl - tests
---
test/decap_out.bin | 3 +++
test/encap_out.bin | 4 ++++
test/encap_secret.bin | 3 +++
test/recipes/20-test_pkeyutl.t | 34 ++++++++++++++++++++++++++++++++--
4 files changed, 42 insertions(+), 2 deletions(-)
create mode 100644 test/decap_out.bin
create mode 100644 test/encap_out.bin
create mode 100644 test/encap_secret.bin
diff --git a/test/decap_out.bin b/test/decap_out.bin
new file mode 100644
index 0000000000000..b94441ed1c002
--- /dev/null
+++ b/test/decap_out.bin
@@ -0,0 +1,3 @@
+6žW«¡ŠòÌn©ú;’ù<1B>¡ÃÄmç Ä¥ÉB[HãÕË#äÓ‡(™‡hŽ] :\³xñe¡ƒŽbòé)G¿fõÈ"¨ýË­ÊýJÝ)ïþÜ<02>ì {ªHm\P ú<C383>+¸¸%èÄ/jÏ™%ç؆È<_æ~
+K—JEhßù‡©lEa¼:¢(Ÿå/\Ñ®Íb<C38D>€Ã®©Ê ×È-g,A4<E280B9>
+l<>ÚtÚN­)~\<5C>HU4y០}qJŸ ”t# <0C>¦}.™üTÅý”?ÚØÏŠÐÿcD=ü¨nmv<6D>{—éÅ¿Ô‹È£®
\ No newline at end of file
diff --git a/test/encap_out.bin b/test/encap_out.bin
new file mode 100644
index 0000000000000..024fc40550f15
--- /dev/null
+++ b/test/encap_out.bin
@@ -0,0 +1,4 @@
:÷ÙyÄ<E2809A>ã ÿÙ[Û2ê<¾ê?«î±qÕª1·µŒ¸ºæÝ>YÎM寬3PÝ
+ìÛO2rÈÙŠíùAd" Gç„m‡2mÏÄ7x•Ñhú7-ÿ@:?NµÇrSêœKÁ¡žè`«t¥ÉŸªÓxié头' Mhøñ˜3r<><1F>ÞÚƒSd¦ðO±£ãHT„F§þ
kZ'xšFÛKùx”q"ÐÒúl@04E‰†ÌûŽ;c¾iA}U÷ÆŒ P6ýk0ó%DôòLÄ.U aO¨(L<>Iý®QÇç¢ÏA
+Œ[´uÔžØ4s$¨†Ò%tÕB
\ No newline at end of file
diff --git a/test/encap_secret.bin b/test/encap_secret.bin
new file mode 100644
index 0000000000000..b94441ed1c002
--- /dev/null
+++ b/test/encap_secret.bin
@@ -0,0 +1,3 @@
+6žW«¡ŠòÌn©ú;’ù<1B>¡ÃÄmç Ä¥ÉB[HãÕË#äÓ‡(™‡hŽ] :\³xñe¡ƒŽbòé)G¿fõÈ"¨ýË­ÊýJÝ)ïþÜ<02>ì {ªHm\P ú<C383>+¸¸%èÄ/jÏ™%ç؆È<_æ~
+K—JEhßù‡©lEa¼:¢(Ÿå/\Ñ®Íb<C38D>€Ã®©Ê ×È-g,A4<E280B9>
+l<>ÚtÚN­)~\<5C>HU4y០}qJŸ ”t# <0C>¦}.™üTÅý”?ÚØÏŠÐÿcD=ü¨nmv<6D>{—éÅ¿Ô‹È£®
\ No newline at end of file
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index 76e4f0a869459..e9472a21352e2 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -13,11 +13,11 @@ use File::Spec;
use File::Basename;
use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
use OpenSSL::Test::Utils;
-use File::Compare qw/compare_text/;
+use File::Compare qw/compare_text compare/;
setup("test_pkeyutl");
-plan tests => 14;
+plan tests => 19;
# For the tests below we use the cert itself as the TBS file
@@ -200,3 +200,33 @@ SKIP: {
"-rawin");
};
}
+
+#Encap/decap tests
+# openssl pkeyutl -encap -pubin -inkey rsa_pub.pem -secret secret.bin -out encap_out.bin
+# openssl pkeyutl -decap -inkey rsa_priv.pem -in encap_out.bin -out decap_out.bin
+# decap_out is equal to secret
+SKIP: {
+ skip "RSA is not supported by this OpenSSL build", 3
+ if disabled("rsa");
+
+ # Self-compat
+ ok(run(app(([ 'openssl', 'pkeyutl', '-encap', '-pubin', '-kemop', 'RSASVE',
+ '-inkey', srctop_file('test', 'testrsa2048pub.pem'),
+ '-out', 'encap_out.bin', '-secret', 'secret.bin']))),
+ "RSA pubkey encapsulation");
+ ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE',
+ '-inkey', srctop_file('test', 'testrsa2048.pem'),
+ '-in', 'encap_out.bin', '-out', 'decap_out.bin']))),
+ "RSA pubkey decapsulation");
+ is(compare("secret.bin", "decap_out.bin"), 0, "Secret is correctly decapsulated");
+
+ # Pregenerated
+ ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE',
+ '-inkey', srctop_file('test', 'testrsa2048.pem'),
+ '-in', srctop_file('test', 'encap_out.bin'), '-out', 'decap_out_etl.bin']))),
+ "RSA pubkey decapsulation - pregenerated");
+
+ is(compare(srctop_file('test', 'encap_secret.bin'), "decap_out_etl.bin"), 0,
+ "Secret is correctly decapsulated - pregenerated");
+}
+
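Review bot: In `pkeyutl_main` the encapsulated shared secret is released with plain `OPENSSL_free(secret);`, which leaves the key material in freed heap memory; `OPENSSL_clear_free(secret, secretlen);` is the usual call for buffers holding secrets. The result of `BIO_write(secout, secret, secretlen)` is not checked, so a failed or short write of the secret file is not reported by the code visible in this hunk. The file is opened with `bio_open_default(secoutfile, 'w', FORMAT_BINARY)`, which presumably creates it with ordinary umask permissions rather than owner-only. Separately, the new `-encap` text in `openssl-pkeyutl.pod.in` says "using a private key" while the test recipe encapsulates with `-pubin`, so "using a public key" looks like the intended wording.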


@ -0,0 +1,201 @@
From e2e469593a15681983d16e36d856bf8fb7de8589 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 31 Jul 2024 12:45:11 +0200
Subject: [PATCH] Speed up SSL_add_{file,dir}_cert_subjects_to_stack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The X509_NAME comparison function converts its arguments to DER using
i2d_X509_NAME before comparing the results using memcmp(). For every
invocation of the comparison function (of which there are many when
loading many certificates), it allocates two buffers of the appropriate
size for the DER encoding.
Switching to static buffers (possibly of X509_NAME_MAX size as defined
in crypto/x509/x_name.c) would not work with multithreaded use, e.g.,
when two threads sort two separate STACK_OF(X509_NAME)s at the same
time. A suitable re-usable buffer could have been added to the
STACK_OF(X509_NAME) if sk_X509_NAME_compfunc did have a void* argument,
or a pointer to the STACK_OF(X509_NAME) but it does not.
Instead, copy the solution chosen in SSL_load_client_CA_file() by
filling an LHASH_OF(X509_NAME) with all existing names in the stack and
using that to deduplicate, rather than relying on sk_X509_NAME_find(),
which ends up being very slow.
Adjust SSL_add_dir_cert_subjects_to_stack() to keep a local
LHASH_OF(X509_NAME)s over the complete directory it is processing.
In a small benchmark that calls SSL_add_dir_cert_subjects_to_stack()
twice, once on a directory with one entry, and once with a directory
with 1000 certificates, and repeats this in a loop 10 times, this change
yields a speed-up of 5.32:
| Benchmark 1: ./bench 10 dir-1 dir-1000
| Time (mean ± σ): 6.685 s ± 0.017 s [User: 6.402 s, System: 0.231 s]
| Range (min … max): 6.658 s … 6.711 s 10 runs
|
| Benchmark 2: LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000
| Time (mean ± σ): 1.256 s ± 0.013 s [User: 1.034 s, System: 0.212 s]
| Range (min … max): 1.244 s … 1.286 s 10 runs
|
| Summary
| LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000 ran
| 5.32 ± 0.06 times faster than ./bench 10 dir-1 dir-1000
In the worst case scenario where many entries are added to a stack that
is then repeatedly used to add more certificates, and with a larger test
size, the speedup is still very significant. With 15000 certificates,
a single pass to load them, followed by attempting to load a subset of
1000 of these 15000 certificates, followed by a single certificate, the
new approach is ~85 times faster:
| Benchmark 1: ./bench 1 dir-15000 dir-1000 dir-1
| Time (mean ± σ): 176.295 s ± 4.147 s [User: 174.593 s, System: 0.448 s]
| Range (min … max): 173.774 s … 185.594 s 10 runs
|
| Benchmark 2: LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1
| Time (mean ± σ): 2.087 s ± 0.034 s [User: 1.679 s, System: 0.393 s]
| Range (min … max): 2.057 s … 2.167 s 10 runs
|
| Summary
| LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1 ran
| 84.48 ± 2.42 times faster than ./bench 1 dir-15000 dir-1000 dir-1
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
ssl/ssl_cert.c | 74 ++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 65 insertions(+), 9 deletions(-)
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 0ff407bf55edc..5e5ffe39d0655 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -813,16 +813,14 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
return SSL_load_client_CA_file_ex(file, NULL, NULL);
}
-int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
- const char *file)
+static int add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *file,
+ LHASH_OF(X509_NAME) *name_hash)
{
BIO *in;
X509 *x = NULL;
X509_NAME *xn = NULL;
int ret = 1;
- int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b);
-
- oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp);
in = BIO_new(BIO_s_file());
@@ -842,12 +840,15 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
xn = X509_NAME_dup(xn);
if (xn == NULL)
goto err;
- if (sk_X509_NAME_find(stack, xn) >= 0) {
+ if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) {
/* Duplicate. */
X509_NAME_free(xn);
} else if (!sk_X509_NAME_push(stack, xn)) {
X509_NAME_free(xn);
goto err;
+ } else {
+ /* Successful insert, add to hash table */
+ lh_X509_NAME_insert(name_hash, xn);
}
}
@@ -859,7 +860,42 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
done:
BIO_free(in);
X509_free(x);
- (void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
+ return ret;
+}
+
+int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *file)
+{
+ X509_NAME *xn = NULL;
+ int ret = 1;
+ int idx = 0;
+ int num = 0;
+ LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
+
+ if (name_hash == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
+ goto err;
+ }
+
+ /*
+ * Pre-populate the lhash with the existing entries of the stack, since
+ * using the LHASH_OF is much faster for duplicate checking. That's because
+ * xname_cmp converts the X509_NAMEs to DER involving a memory allocation
+ * for every single invocation of the comparison function.
+ */
+ num = sk_X509_NAME_num(stack);
+ for (idx = 0; idx < num; idx++) {
+ xn = sk_X509_NAME_value(stack, idx);
+ lh_X509_NAME_insert(name_hash, xn);
+ }
+
+ ret = add_file_cert_subjects_to_stack(stack, file, name_hash);
+ goto done;
+
+ err:
+ ret = 0;
+ done:
+ lh_X509_NAME_free(name_hash);
return ret;
}
@@ -869,8 +905,27 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
OPENSSL_DIR_CTX *d = NULL;
const char *filename;
int ret = 0;
+ X509_NAME *xn = NULL;
+ int idx = 0;
+ int num = 0;
+ LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
+
+ if (name_hash == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
+ goto err;
+ }
- /* Note that a side effect is that the CAs will be sorted by name */
+ /*
+ * Pre-populate the lhash with the existing entries of the stack, since
+ * using the LHASH_OF is much faster for duplicate checking. That's because
+ * xname_cmp converts the X509_NAMEs to DER involving a memory allocation
+ * for every single invocation of the comparison function.
+ */
+ num = sk_X509_NAME_num(stack);
+ for (idx = 0; idx < num; idx++) {
+ xn = sk_X509_NAME_value(stack, idx);
+ lh_X509_NAME_insert(name_hash, xn);
+ }
while ((filename = OPENSSL_DIR_read(&d, dir))) {
char buf[1024];
@@ -899,7 +954,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
#endif
if (r <= 0 || r >= (int)sizeof(buf))
goto err;
- if (!SSL_add_file_cert_subjects_to_stack(stack, buf))
+ if (!add_file_cert_subjects_to_stack(stack, buf, name_hash))
goto err;
}
@@ -915,6 +970,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
err:
if (d)
OPENSSL_DIR_end(&d);
+ lh_X509_NAME_free(name_hash);
return ret;
}

24
0128-SAST-findings.patch Normal file

@ -0,0 +1,24 @@
diff -up openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx openssl-3.2.2/crypto/rsa/rsa_oaep.c
--- openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx 2024-08-14 14:22:48.733407808 +0200
+++ openssl-3.2.2/crypto/rsa/rsa_oaep.c 2024-08-14 14:23:32.994483135 +0200
@@ -233,7 +233,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
mdlen = EVP_MD_get_size(md);
- if (tlen <= 0 || flen <= 0)
+ if (tlen <= 0 || flen <= 0 || mdlen <= 0)
return -1;
/*
* |num| is the length of the modulus; |flen| is the length of the
diff -up openssl-3.2.2/crypto/x509/pcy_tree.c.xxx openssl-3.2.2/crypto/x509/pcy_tree.c
--- openssl-3.2.2/crypto/x509/pcy_tree.c.xxx 2024-08-14 14:14:13.144850097 +0200
+++ openssl-3.2.2/crypto/x509/pcy_tree.c 2024-08-14 14:14:53.213826481 +0200
@@ -110,6 +110,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
*ptree = NULL;
+ if (n < 0)
+ return X509_PCY_TREE_INTERNAL;
/* Can't do anything with just a trust anchor */
if (n == 0)
return X509_PCY_TREE_EMPTY;
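Review bot: In the `rsa_oaep.c` hunk the new `mdlen <= 0` test is folded into the silent `return -1` used for `tlen`/`flen`, so a digest with no usable size fails OAEP decoding with nothing on the error queue and no comment saying why the check exists. Because `mdlen` comes from `EVP_MD_get_size(md)` rather than from the ciphertext, it could be reported on its own, e.g. `if (mdlen <= 0) { ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST_LENGTH); return -1; }`. The rest of `RSA_padding_check_PKCS1_OAEP_mgf1` is outside the hunk, so confirm the placement against the constant-time section before changing it. The `n < 0` guard in the `pcy_tree.c` hunk would likewise benefit from a short comment such as `/* negative n: no usable chain was passed in */`, since the existing comment only explains the `n == 0` case.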


@ -3,10 +3,10 @@ product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-disabled-tier1.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-disabled-tier2.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-disabled-explicitCI.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-enabled-tier1.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-enabled-tier2.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./Plan/ci/fips-enabled-explicitCI.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-tier1.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-tier2.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-explicitCI.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-tier1.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-tier2.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-explicitCI.functional}
# - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}


@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.2.2
Release: 7%{?dist}.alma.1
Release: 10%{?dist}.alma.1
Epoch: 1
Source: openssl-%{version}.tar.gz
Source2: Makefile.certificate
@ -156,8 +156,19 @@ Patch116: 0116-version-aliasing.patch
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2160797
Patch121: 0121-FIPS-cms-defaults.patch
# skip KTLS tests on infrastructure
Patch122: 0122-TMP-KTLS-test-skip.patch
# HKDF regression with older provider implementations
Patch122: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
# https://github.com/openssl/openssl/issues/24577
Patch124: 0124-PBMAC1-PKCS12-FIPS-support.patch
# Downstream patch: enforce PBMAC1 in FIPS mode
Patch125: 0125-PBMAC1-PKCS12-FIPS-default.patch
# https://github.com/openssl/openssl/issues/25127
Patch126: 0126-pkeyutl-encap.patch
# https://github.com/openssl/openssl/issues/25056
Patch127: 0127-speedup-SSL_add_cert_subjects_to_stack.patch
Patch128: 0128-SAST-findings.patch
License: Apache-2.0
URL: http://www.openssl.org/
@ -278,7 +289,7 @@ sslflags=enable-ec_nistp_64_gcc_128
sslarch=linux-generic64
%endif
#temporarily disable ktls to unblock c10s builds
ktlsopt=disable-ktls
ktlsopt=enable-ktls
%ifarch armv7hl
ktlsopt=disable-ktls
%endif
@ -506,9 +517,31 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
* Fri Jul 26 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.2.2-7.alma.1
* Mon Sep 02 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.2.2-10.alma.1
- Redefine sslarch for x86_64_v2 arch
* Wed Aug 14 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-10
- Use PBMAC1 by default when creating PKCS#12 files in FIPS mode
Related: RHEL-36659
- Support key encapsulation/decapsulation in openssl pkeyutl command
Resolves: RHEL-54156
- Fix typo in the patch numeration
Related: RHEL-41261
- Enable KTLS, temporary disable KTLS tests
Related: RHEL-47335
- Speedup SSL_add_{file,dir}_cert_subjects_to_stack
Resolves: RHEL-54232
- Resolve SAST package scan results
Resolves: RHEL-37561
* Fri Aug 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-9
- An interface to create PKCS #12 files in FIPS compliant way
Related: RHEL-36659
* Wed Aug 07 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-8
- An interface to create PKCS #12 files in FIPS compliant way
Resolves: RHEL-36659
* Wed Jul 10 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-7
- Disallow SHA1 at SECLEVEL2 in OpenSSL
Resolves: RHEL-39962
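Review bot: In the `@ -278,7 +289,7 @` hunk the comment `#temporarily disable ktls to unblock c10s builds` is left in place directly above the new `ktlsopt=enable-ktls`, so it now says the opposite of what the build does. Together with the added `Patch122: 0122-TMP-KTLS-test-skip.patch` ("skip KTLS tests on infrastructure"), this build ships the kernel TLS code path without its tests running, which is worth stating where the option is set. I would replace the comment with something like `# KTLS enabled; KTLS tests are skipped by Patch122 (see RHEL-47335)` so the temporary gap is visible and gets revisited. The `%ifarch armv7hl` override that follows still disables KTLS and is unaffected.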