From 4855397272f7585ea8fa9f9659a7d4e410bd7a65 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 2 Sep 2022 14:57:07 +0200 Subject: [PATCH] openssl.spec is synced with RHEL Related: rhbz#2123755 --- openssl.spec | 142 ++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 123 insertions(+), 19 deletions(-) diff --git a/openssl.spec b/openssl.spec index f45c316..5c449d8 100644 --- a/openssl.spec +++ b/openssl.spec @@ -10,12 +10,26 @@ # also be handled in opensslconf-new.h. %define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64 +%define srpmhash() %{lua: +local files = rpm.expand("%_specdir/openssl.spec") +for i, p in ipairs(patches) do + files = files.." "..p +end +for i, p in ipairs(sources) do + files = files.." "..p +end +local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum")) +local hash = sha256sum:read("*a") +sha256sum:close() +print(string.sub(hash, 0, 16)) +} + %global _performance_build 1 Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.5 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -31,6 +45,7 @@ Source9: configuration-switch.h Source10: configuration-prefix.h Source12: ec_curve.c Source13: ectest.c +Source14: 0025-for-tests.patch # Patches exported from source git # Aarch64 and ppc64le use lib64 @@ -50,13 +65,40 @@ Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch # Add FIPS_mode() compatibility macro Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch # Add check to see if fips flag is enabled in kernel -#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch +Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch # remove unsupported EC curves Patch11: 0011-Remove-EC-curves.patch # Disable explicit EC curves +# https://bugzilla.redhat.com/show_bug.cgi?id=2066412 Patch12: 0012-Disable-explicit-ec.patch +# https://github.com/openssl/openssl/pull/17981 +# Patch13: 0013-FIPS-provider-explicit-ec.patch +# https://github.com/openssl/openssl/pull/17998 +# Patch14: 0014-FIPS-disable-explicit-ec.patch +# https://github.com/openssl/openssl/pull/18609 +# Patch15: 0015-FIPS-decoded-from-explicit.patch # Instructions to load legacy provider in openssl.cnf Patch24: 0024-load-legacy-prov.patch +# Tmp: test name change +Patch31: 0031-tmp-Fix-test-names.patch +# We load FIPS provider and set FIPS properties implicitly +Patch32: 0032-Force-fips.patch +# Embed HMAC into the fips.so +Patch33: 0033-FIPS-embed-hmac.patch +# Comment out fipsinstall command-line utility +Patch34: 0034.fipsinstall_disable.patch +# Skip unavailable algorithms running `openssl speed` +Patch35: 0035-speed-skip-unavailable-dgst.patch +# Extra public/private key checks required by FIPS-140-3 +Patch44: 0044-FIPS-140-3-keychecks.patch +# Minimize fips services +Patch45: 0045-FIPS-services-minimize.patch +# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486 +# Patch46: 0046-FIPS-s390x-hardening.patch +# Execute KATS before HMAC verification +Patch47: 0047-FIPS-early-KATS.patch +# Backport of correctly handle 2^14 byte long records #17538 +# Patch48: 0048-correctly-handle-records.patch %if 0%{?rhel} # Selectively disallow SHA1 signatures Patch49: 0049-Selectively-disallow-SHA1-signatures.patch @@ -79,14 +121,66 @@ Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch # Instrument with USDT probes related to SHA-1 deprecation Patch53: 0053-Add-SHA1-probes.patch %endif +# https://bugzilla.redhat.com/show_bug.cgi?id=2004915, backport of 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62 +# Patch54: 0054-Replace-size-check-with-more-meaningful-pubkey-check.patch +# https://github.com/openssl/openssl/pull/17324 +# Patch55: 0055-nonlegacy-fetch-null-deref.patch # https://github.com/openssl/openssl/pull/18103 # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1 # so the patch should persist Patch56: 0056-strcasecmp.patch +# https://github.com/openssl/openssl/pull/18175 +# Patch57: 0057-strcasecmp-fix.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2053289 +Patch58: 0058-FIPS-limit-rsa-encrypt.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2069235 +Patch60: 0060-FIPS-KAT-signature-tests.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2087147 +Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch +Patch62: 0062-fips-Expose-a-FIPS-indicator.patch +# https://github.com/openssl/openssl/pull/18141 +# Patch63: 0063-CVE-2022-1473.patch +# upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a +# Patch64: 0064-CVE-2022-1343.diff +# upstream commit 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2 +# Patch65: 0065-CVE-2022-1292.patch +# https://github.com/openssl/openssl/pull/18444 +# https://github.com/openssl/openssl/pull/18467 +# Patch66: 0066-replace-expired-certs.patch +# https://github.com/openssl/openssl/pull/18512 +# Patch67: 0067-fix-ppc64-montgomery.patch +#https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa +#https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739 +# Patch68: 0068-CVE-2022-2068.patch +# https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93 +# https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 +# Patch69: 0069-CVE-2022-2097.patch +# https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483 +# Patch70: 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch +# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c +# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd +Patch71: 0071-AES-GCM-performance-optimization.patch +# https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149 +# https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa +# hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447 +Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 +Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 +Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 +Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch +# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM) +# https://bugzilla.redhat.com/show_bug.cgi?id=2102541 +Patch76: 0076-FIPS-140-3-DRBG.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2102542 +Patch77: 0077-FIPS-140-3-zeroization.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2114772 +Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch License: ASL 2.0 URL: http://www.openssl.org/ -BuildRequires: gcc +BuildRequires: gcc g++ BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp BuildRequires: lksctp-tools-devel BuildRequires: /usr/bin/rename @@ -220,6 +314,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-not export HASHBANGPERL=/usr/bin/perl +%define fips %{version}-%{srpmhash} # ia64, x86_64, ppc are OK by default # Configure the build tree. Override OpenSSL defaults with known-good defaults # usable on all platforms. The Configure script already knows to use -fPIC and @@ -229,8 +324,8 @@ export HASHBANGPERL=/usr/bin/perl --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\ - no-mdc2 no-ec2m no-sm2 no-sm4 \ - shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' + no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\ + shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update @@ -254,6 +349,8 @@ done # We must revert patch4 before tests otherwise they will fail patch -p1 -R < %{PATCH4} +#We must disable default provider before tests otherwise they will fail +patch -p1 < %{SOURCE14} OPENSSL_ENABLE_MD5_VERIFY= export OPENSSL_ENABLE_MD5_VERIFY @@ -263,18 +360,25 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES %endif OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE +#embed HMAC into fips provider for test run +LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac +objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac +mv providers/fips.so.mac providers/fips.so +#run tests itself make test HARNESS_JOBS=8 # Add generation of HMAC checksum of the final stripped library -#%define __spec_install_post \ -# %{?__debug_package:%{__debug_install_post}} \ -# %{__arch_install_post} \ -# %{__os_install_post} \ -# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \ -# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \ -# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \ -# ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \ -#%{nil} +# We manually copy standard definition of __spec_install_post +# and add hmac calculation/embedding to fips.so +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ + objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \ + mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ + rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ +%{nil} %define __provides_exclude_from %{_libdir}/openssl @@ -324,9 +428,8 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist -%ifarch i686 +#we don't use native fipsmodule.cnf because FIPS module is loaded automatically rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf -%endif # Determine which arch opensslconf.h is going to try to #include. basearch=%{_arch} @@ -388,9 +491,6 @@ install -m644 %{SOURCE9} \ %{_libdir}/libssl.so.%{soversion} %attr(0755,root,root) %{_libdir}/engines-%{soversion} %attr(0755,root,root) %{_libdir}/ossl-modules -%ifnarch i686 -%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf -%endif %files devel %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el @@ -414,6 +514,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Sep 01 2022 Dmitry Belyavskiy - 1:3.0.5-3 +- Sync patches with RHEL + Related: rhbz#2123755 + * Fri Jul 22 2022 Fedora Release Engineering - 1:3.0.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild