Rebase to upstream version 3.0.1

Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl Resolves: rhbz#2038910, rhbz#2035148 Signed-off-by: Sahana Prasad <sahana@redhat.com>
2022-01-18 18:30:10 +01:00 · 2022-01-18 18:30:10 +01:00 · 78a467efcc
commit 78a467efcc
parent e63c4b68b2
9 changed files with 316 additions and 332 deletions
--- a/.gitignore
+++ b/.gitignore
@ -53,3 +53,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1j-hobbled.tar.xz
 /openssl-1.1.1k-hobbled.tar.xz
 /openssl-3.0.0-hobbled.tar.xz
 /openssl-3.0.1-hobbled.tar.xz
--- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@ -216,14 +216,6 @@ index b1d3f7919e..f7cc7fed48 100644
     /* Add TLSv1.3 ciphers first - we always prefer those if possible */
     for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
         const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
         if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
             sk_SSL_CIPHER_free(cipherstack);
 +            OPENSSL_free(co_list);
             return NULL;
         }
     }
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
     *cipher_list = cipherstack;
--- a/0009-Add-Kernel-FIPS-mode-flag-support.patch
+++ b/0009-Add-Kernel-FIPS-mode-flag-support.patch
@ -56,12 +56,12 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1
     return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)
         && context_init(&default_context_int);
 }
-diff -up openssl-3.0.0/include/internal/provider.h.embed-fips openssl-3.0.0/include/internal/provider.h
+diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h
--- openssl-3.0.0/include/internal/provider.h.embed-fips	2021-11-12 12:18:36.215333452 +0100
+--- openssl-3.0.1/include/internal/provider.h.embed-fips	2022-01-11 13:13:08.323238760 +0100
-+++ openssl-3.0.0/include/internal/provider.h	2021-11-12 12:22:41.298409269 +0100
+++ openssl-3.0.1/include/internal/provider.h	2022-01-11 13:13:43.522558909 +0100
-@@ -109,6 +109,9 @@ int ossl_provider_init_as_child(OSSL_LIB
+@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB
                                 const OSSL_CORE_HANDLE *handle,
                                 const OSSL_DISPATCH *in);
 void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
 +/* FIPS flag access */
 +int ossl_get_kernel_fips_flag(void);
--- a/0030-tmp-Fix-rng-seed-double-free.patch
+++ b/0030-tmp-Fix-rng-seed-double-free.patch
@ -1,18 +0,0 @@
 diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c
 index 173c99ce1732..7a4b780bb469 100644
 --- a/providers/implementations/rands/seed_src.c
 +++ b/providers/implementations/rands/seed_src.c
@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
         return 0;
     }
 -    *pout = p;
     if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
 -                          adin, adin_len) != 0)
 +                          adin, adin_len) != 0) {
 +        *pout = p;
         return bytes_needed;
 +    }
     OPENSSL_secure_clear_free(p, bytes_needed);
     return 0;
 }
--- a/0032-Force-fips.patch
+++ b/0032-Force-fips.patch
@ -1,139 +1,145 @@
-diff -up openssl-3.0.0/crypto/provider_conf.c.fips-force openssl-3.0.0/crypto/provider_conf.c
+#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
--- openssl-3.0.0/crypto/provider_conf.c.fips-force	2021-11-12 14:21:01.878339467 +0100
+#(partial) of the function provider_conf_load() under the 'if (activate) section.
-+++ openssl-3.0.0/crypto/provider_conf.c	2021-11-12 16:13:19.301542866 +0100
+#If there is any change to this section, after deleting it in provider_conf_load()
-@@ -136,13 +136,73 @@ static int prov_already_activated(const
+#ensure that you also add those changes to the provider_conf_activate() function.
 #additionally please add this check for cnf explicitly as shown below.
 #'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
 diff -up openssl-3.0.1/crypto/provider_conf.c.fips-FORCE openssl-3.0.1/crypto/provider_conf.c
 --- openssl-3.0.1/crypto/provider_conf.c.fips-FORCE	2022-01-18 15:36:00.956141345 +0100
 +++ openssl-3.0.1/crypto/provider_conf.c	2022-01-18 15:42:36.345172203 +0100
@@ -136,58 +136,18 @@ static int prov_already_activated(const
     return 0;
 }
-+static int provider_conf_activate(OSSL_LIB_CTX *libctx, PROVIDER_CONF_GLOBAL *pcgbl,
+-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
-+                                  const char *name, const char *value, const char *path,
+-                              const char *value, const CONF *cnf)
 +static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
 +                                  const char *value, const char *path,
 +                                  int soft, const CONF *cnf)
-+{
+ {
-+    int ok = 0;
+-    int i;
 -    STACK_OF(CONF_VALUE) *ecmds;
 -    int soft = 0;
 -    OSSL_PROVIDER *prov = NULL, *actual = NULL;
 -    const char *path = NULL;
 -    long activate = 0;
     int ok = 0;
 -
 -    name = skip_dot(name);
 -    OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
 -    /* Value is a section containing PROVIDER commands */
 -    ecmds = NCONF_get_section(cnf, value);
 -
 -    if (!ecmds) {
 -        ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
 -                       "section=%s not found", value);
 -        return 0;
 -    }
 -
 -    /* Find the needed data first */
 -    for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
 -        CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
 -        const char *confname = skip_dot(ecmd->name);
 -        const char *confvalue = ecmd->value;
 -
 -        OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
 -                    confname, confvalue);
 -
 -        /* First handle some special pseudo confs */
 -
 -        /* Override provider name to use */
 -        if (strcmp(confname, "identity") == 0)
 -            name = confvalue;
 -        else if (strcmp(confname, "soft_load") == 0)
 -            soft = 1;
 -        /* Load a dynamic PROVIDER */
 -        else if (strcmp(confname, "module") == 0)
 -            path = confvalue;
 -        else if (strcmp(confname, "activate") == 0)
 -            activate = 1;
 -    }
 -
 -    if (activate) {
 -        PROVIDER_CONF_GLOBAL *pcgbl
 -            = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
 -                                    &provider_conf_ossl_ctx_method);
 +    OSSL_PROVIDER *prov = NULL, *actual = NULL;
-+
+    PROVIDER_CONF_GLOBAL *pcgbl
-+    if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) {
+        = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
-+        ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+                                &provider_conf_ossl_ctx_method);
-+        return 0;
+ 
-+    }
+         if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
-+    if (!prov_already_activated(name, pcgbl->activated_providers)) {
+-            ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
-+        /*
+           ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
-+        * There is an attempt to activate a provider, so we should disable
+             return 0;
-+        * loading of fallbacks. Otherwise a misconfiguration could mean the
+         }
-+        * intended provider does not get loaded. Subsequent fetches could
+         if (!prov_already_activated(name, pcgbl->activated_providers)) {
-+        * then fallback to the default provider - which may be the wrong
+@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
-+        * thing.
+             if (path != NULL)
-+        */
+                 ossl_provider_set_module_path(prov, path);
-+        if (!ossl_provider_disable_fallback_loading(libctx)) {
+ 
-+            CRYPTO_THREAD_unlock(pcgbl->lock);
+-            ok = provider_conf_params(prov, NULL, NULL, value, cnf);
-+            ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+            ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
-+            return 0;
+ 
-+        }
+             if (ok) {
-+        prov = ossl_provider_find(libctx, name, 1);
+                 if (!ossl_provider_activate(prov, 1, 0)) {
-+        if (prov == NULL)
+@@ -246,6 +206,55 @@ static int provider_conf_load(OSSL_LIB_C
-+            prov = ossl_provider_new(libctx, name, NULL, 1);
+                 ossl_provider_free(prov);
-+        if (prov == NULL) {
+         }
-+            CRYPTO_THREAD_unlock(pcgbl->lock);
+         CRYPTO_THREAD_unlock(pcgbl->lock);
 +            if (soft)
 +                ERR_clear_error();
 +            return 0;
 +        }
 +
 +        if (path != NULL)
 +            ossl_provider_set_module_path(prov, path);
 +
 +        ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
 +
 +        if (ok) {
 +            if (!ossl_provider_activate(prov, 1, 0)) {
 +                ok = 0;
 +            } else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
 +                ossl_provider_deactivate(prov);
 +                ok = 0;
 +            } else {
 +                if (pcgbl->activated_providers == NULL)
 +                    pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
 +                sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual);
 +                ok = 1;
 +            }
 +        }
 +        if (!ok)
 +            ossl_provider_free(prov);
 +    }
 +    CRYPTO_THREAD_unlock(pcgbl->lock);
 +    return ok;
 +}
 +
 +static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
 +                              const char *value, const CONF *cnf)
 +{
 +    int i;
 +    STACK_OF(CONF_VALUE) *ecmds;
 +    int soft = 0;
 +    const char *path = NULL;
 +    long activate = 0;
 +    int ok = 0;
 +
 +    name = skip_dot(name);
 +    OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
 +    /* Value is a section containing PROVIDER commands */
 +    ecmds = NCONF_get_section(cnf, value);
 +
- static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
+    if (!ecmds) {
-                               const char *value, const CONF *cnf)
+        ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
- {
+                       "section=%s not found", value);
-     int i;
+        return 0;
-     STACK_OF(CONF_VALUE) *ecmds;
+    }
-     int soft = 0;
+
-    OSSL_PROVIDER *prov = NULL, *actual = NULL;
+    /* Find the needed data first */
-     const char *path = NULL;
+    for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
-     long activate = 0;
+        CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
-     int ok = 0;
+        const char *confname = skip_dot(ecmd->name);
-@@ -185,55 +245,7 @@ static int provider_conf_load(OSSL_LIB_C
+        const char *confvalue = ecmd->value;
-     }
+
- 
+        OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
-     if (activate) {
+                    confname, confvalue);
-        if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) {
+
-            ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+        /* First handle some special pseudo confs */
-            return 0;
+
-        }
+        /* Override provider name to use */
-        if (!prov_already_activated(name, pcgbl->activated_providers)) {
+        if (strcmp(confname, "identity") == 0)
-            /*
+            name = confvalue;
-            * There is an attempt to activate a provider, so we should disable
+        else if (strcmp(confname, "soft_load") == 0)
-            * loading of fallbacks. Otherwise a misconfiguration could mean the
+            soft = 1;
-            * intended provider does not get loaded. Subsequent fetches could
+        /* Load a dynamic PROVIDER */
-            * then fallback to the default provider - which may be the wrong
+        else if (strcmp(confname, "module") == 0)
-            * thing.
+            path = confvalue;
-            */
+        else if (strcmp(confname, "activate") == 0)
-            if (!ossl_provider_disable_fallback_loading(libctx)) {
+            activate = 1;
-                CRYPTO_THREAD_unlock(pcgbl->lock);
+    }
-                ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+
-                return 0;
+    if (activate) {
-            }
+       ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
 -            prov = ossl_provider_find(libctx, name, 1);
 -            if (prov == NULL)
 -                prov = ossl_provider_new(libctx, name, NULL, 1);
 -            if (prov == NULL) {
 -                CRYPTO_THREAD_unlock(pcgbl->lock);
 -                if (soft)
 -                    ERR_clear_error();
 -                return 0;
 -            }
 -
 -            if (path != NULL)
 -                ossl_provider_set_module_path(prov, path);
 -
 -            ok = provider_conf_params(prov, NULL, NULL, value, cnf);
 -
 -            if (ok) {
 -                if (!ossl_provider_activate(prov, 1, 0)) {
 -                    ok = 0;
 -                } else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
 -                    ossl_provider_deactivate(prov);
 -                    ok = 0;
 -                } else {
 -                    if (pcgbl->activated_providers == NULL)
 -                        pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
 -                    sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual);
 -                    ok = 1;
 -                }
 -            }
 -            if (!ok)
 -                ossl_provider_free(prov);
 -        }
 -        CRYPTO_THREAD_unlock(pcgbl->lock);
 +        ok = provider_conf_activate(libctx, pcgbl, name, value, path, soft, cnf);
     } else {
         OSSL_PROVIDER_INFO entry;
-@@ -294,6 +306,19 @@ static int provider_conf_init(CONF_IMODU
+@@ -306,6 +315,19 @@ static int provider_conf_init(CONF_IMODU
             return 0;
     }
@ -142,9 +148,9 @@ diff -up openssl-3.0.0/crypto/provider_conf.c.fips-force openssl-3.0.0/crypto/pr
 +        PROVIDER_CONF_GLOBAL *pcgbl
 +            = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
 +                                    &provider_conf_ossl_ctx_method);
-+        if (provider_conf_activate(libctx, pcgbl, "fips", NULL, NULL, 0, NULL) != 1)
+        if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
 +            return 0;
-+        if (provider_conf_activate(libctx, pcgbl, "base", NULL, NULL, 0, NULL) != 1)
+        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
 +            return 0;
 +        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
 +            return 0;
--- a/0034.fipsinstall_disable.patch
+++ b/0034.fipsinstall_disable.patch
@ -11,10 +11,160 @@ diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
     if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
         goto end;
-diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in
+diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
--- openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx	2021-11-22 13:19:55.192959061 +0100
+--- openssl-3.0.0/doc/man1/openssl.pod.xxx	2021-11-22 13:18:51.081406990 +0100
-+++ openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in	2021-11-22 13:20:56.978491104 +0100
+++ openssl-3.0.0/doc/man1/openssl.pod	2021-11-22 13:19:02.897508738 +0100
-@@ -8,224 +8,10 @@ openssl-fipsinstall - perform FIPS confi
+@@ -158,10 +158,6 @@ Engine (loadable module) information and
 Error Number to Error String Conversion.
 -=item B<fipsinstall>
 -
 -FIPS configuration installation.
 -
 =item B<gendsa>
 Generation of DSA Private Key from Parameters. Superseded by
 diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
 --- openssl-3.0.0/doc/man5/config.pod.xxx	2021-11-22 13:24:51.359509501 +0100
 +++ openssl-3.0.0/doc/man5/config.pod	2021-11-22 13:26:02.360121820 +0100
@@ -573,7 +573,6 @@ configuration files using that syntax wi
 =head1 SEE ALSO
 L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
 -L<openssl-fipsinstall(1)>,
 L<ASN1_generate_nconf(3)>,
 L<EVP_set_default_properties(3)>,
 L<CONF_modules_load(3)>,
 diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
 --- openssl-3.0.0/doc/man5/fips_config.pod.xxx	2021-11-22 13:21:13.812636065 +0100
 +++ openssl-3.0.0/doc/man5/fips_config.pod	2021-11-22 13:24:12.278172847 +0100
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
 =head1 DESCRIPTION
 -A separate configuration file, using the OpenSSL L<config(5)> syntax,
 -is used to hold information about the FIPS module. This includes a digest
 -of the shared library file, and status about the self-testing.
 -This data is used automatically by the module itself for two
 -purposes:
 -
 -=over 4
 -
 -=item - Run the startup FIPS self-test known answer tests (KATS).
 -
 -This is normally done once, at installation time, but may also be set up to
 -run each time the module is used.
 -
 -=item - Verify the module's checksum.
 -
 -This is done each time the module is used.
 -
 -=back
 -
 -This file is generated by the L<openssl-fipsinstall(1)> program, and
 -used internally by the FIPS module during its initialization.
 -
 -The following options are supported. They should all appear in a section
 -whose name is identified by the B<fips> option in the B<providers>
 -section, as described in L<config(5)/Provider Configuration Module>.
 -
 -=over 4
 -
 -=item B<activate>
 -
 -If present, the module is activated. The value assigned to this name is not
 -significant.
 -
 -=item B<install-version>
 -
 -A version number for the fips install process. Should be 1.
 -
 -=item B<conditional-errors>
 -
 -The FIPS module normally enters an internal error mode if any self test fails.
 -Once this error mode is active, no services or cryptographic algorithms are
 -accessible from this point on.
 -Continuous tests are a subset of the self tests (e.g., a key pair test during key
 -generation, or the CRNG output test).
 -Setting this value to C<0> allows the error mode to not be triggered if any
 -continuous test fails. The default value of C<1> will trigger the error mode.
 -Regardless of the value, the operation (e.g., key generation) that called the
 -continuous test will return an error code if its continuous test fails. The
 -operation may then be retried if the error mode has not been triggered.
 -
 -=item B<security-checks>
 -
 -This indicates if run-time checks related to enforcement of security parameters
 -such as minimum security strength of keys and approved curve names are used.
 -A value of '1' will perform the checks, otherwise if the value is '0' the checks
 -are not performed and FIPS compliance must be done by procedures documented in
 -the relevant Security Policy.
 -
 -=item B<module-mac>
 -
 -The calculated MAC of the FIPS provider file.
 -
 -=item B<install-status>
 -
 -An indicator that the self-tests were successfully run.
 -This should only be written after the module has
 -successfully passed its self tests during installation.
 -If this field is not present, then the self tests will run when the module
 -loads.
 -
 -=item B<install-mac>
 -
 -A MAC of the value of the B<install-status> option, to prevent accidental
 -changes to that value.
 -It is written-to at the same time as B<install-status> is updated.
 -
 -=back
 -
 -For example:
 -
 - [fips_sect]
 - activate = 1
 - install-version = 1
 - conditional-errors = 1
 - security-checks = 1
 - module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
 - install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
 - install-status = INSTALL_SELF_TEST_KATS_RUN
 -
 -=head1 NOTES
 -
 -When using the FIPS provider, it is recommended that the
 -B<config_diagnostics> option is enabled to prevent accidental use of
 -non-FIPS validated algorithms via broken or mistaken configuration.
 -See L<config(5)>.
 -
 -=head1 SEE ALSO
 -
 -L<config(5)>
 -L<openssl-fipsinstall(1)>
 +This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
 +automatically loaded when the system is booted in FIPS mode, or when the
 +environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
 +for more information.
 =head1 COPYRIGHT
 diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
 --- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx	2021-11-22 13:18:13.850086386 +0100
 +++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod	2021-11-22 13:18:24.607179038 +0100
@@ -388,7 +388,6 @@ A simple self test callback is shown bel
 =head1 SEE ALSO
 -L<openssl-fipsinstall(1)>,
 L<fips_config(5)>,
 L<OSSL_SELF_TEST_set_callback(3)>,
 L<OSSL_SELF_TEST_new(3)>,
 diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in
 --- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac	2022-01-11 13:26:33.279906225 +0100
 +++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in	2022-01-11 13:33:18.757994419 +0100
@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi
 =head1 SYNOPSIS
 B<openssl fipsinstall>
@ -37,7 +187,7 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc
 -[B<-config> I<parent_config>]
 =head1 DESCRIPTION
- 
+-
 -This command is used to generate a FIPS module configuration file.
 -This configuration file can be used each time a FIPS module is loaded
 -in order to pass data to the FIPS module self tests. The FIPS module always
@ -207,6 +357,18 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc
 -
 -=back
 -
 -=head1 NOTES
 -
 -Self tests results are logged by default if the options B<-quiet> and B<-noout>
 -are not specified, or if either of the options B<-corrupt_desc> or
 -B<-corrupt_type> are used.
 -If the base configuration file is set up to autoload the fips module, then the
 -fips module will be loaded and self tested BEFORE the fipsinstall application
 -has a chance to set up its own self test callback. As a result of this the self
 -test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
 -For normal usage the base configuration file should use the default provider
 -when generating the fips configuration file.
 -
 -=head1 EXAMPLES
 -
 -Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
@ -236,157 +398,9 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc
 -L<fips_config(5)>,
 -L<OSSL_PROVIDER-FIPS(7)>,
 -L<EVP_MAC(3)>
-+This command is disabled. Please consult Red Hat Enterprise Linux documentation to learn how to correctly enable FIPS mode on Red Hat Enterprise Linux.
+This command is disabled.
 +Please consult Red Hat Enterprise Linux documentation to learn how to correctly
 +enable FIPS mode on Red Hat Enterprise
 =head1 COPYRIGHT
 diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
 --- openssl-3.0.0/doc/man1/openssl.pod.xxx	2021-11-22 13:18:51.081406990 +0100
 +++ openssl-3.0.0/doc/man1/openssl.pod	2021-11-22 13:19:02.897508738 +0100
@@ -158,10 +158,6 @@ Engine (loadable module) information and
 Error Number to Error String Conversion.
 -=item B<fipsinstall>
 -
 -FIPS configuration installation.
 -
 =item B<gendsa>
 Generation of DSA Private Key from Parameters. Superseded by
 diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
 --- openssl-3.0.0/doc/man5/config.pod.xxx	2021-11-22 13:24:51.359509501 +0100
 +++ openssl-3.0.0/doc/man5/config.pod	2021-11-22 13:26:02.360121820 +0100
@@ -573,7 +573,6 @@ configuration files using that syntax wi
 =head1 SEE ALSO
 L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
 -L<openssl-fipsinstall(1)>,
 L<ASN1_generate_nconf(3)>,
 L<EVP_set_default_properties(3)>,
 L<CONF_modules_load(3)>,
 diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
 --- openssl-3.0.0/doc/man5/fips_config.pod.xxx	2021-11-22 13:21:13.812636065 +0100
 +++ openssl-3.0.0/doc/man5/fips_config.pod	2021-11-22 13:24:12.278172847 +0100
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
 =head1 DESCRIPTION
 -A separate configuration file, using the OpenSSL L<config(5)> syntax,
 -is used to hold information about the FIPS module. This includes a digest
 -of the shared library file, and status about the self-testing.
 -This data is used automatically by the module itself for two
 -purposes:
 -
 -=over 4
 -
 -=item - Run the startup FIPS self-test known answer tests (KATS).
 -
 -This is normally done once, at installation time, but may also be set up to
 -run each time the module is used.
 -
 -=item - Verify the module's checksum.
 -
 -This is done each time the module is used.
 -
 -=back
 -
 -This file is generated by the L<openssl-fipsinstall(1)> program, and
 -used internally by the FIPS module during its initialization.
 -
 -The following options are supported. They should all appear in a section
 -whose name is identified by the B<fips> option in the B<providers>
 -section, as described in L<config(5)/Provider Configuration Module>.
 -
 -=over 4
 -
 -=item B<activate>
 -
 -If present, the module is activated. The value assigned to this name is not
 -significant.
 -
 -=item B<install-version>
 -
 -A version number for the fips install process. Should be 1.
 -
 -=item B<conditional-errors>
 -
 -The FIPS module normally enters an internal error mode if any self test fails.
 -Once this error mode is active, no services or cryptographic algorithms are
 -accessible from this point on.
 -Continuous tests are a subset of the self tests (e.g., a key pair test during key
 -generation, or the CRNG output test).
 -Setting this value to C<0> allows the error mode to not be triggered if any
 -continuous test fails. The default value of C<1> will trigger the error mode.
 -Regardless of the value, the operation (e.g., key generation) that called the
 -continuous test will return an error code if its continuous test fails. The
 -operation may then be retried if the error mode has not been triggered.
 -
 -=item B<security-checks>
 -
 -This indicates if run-time checks related to enforcement of security parameters
 -such as minimum security strength of keys and approved curve names are used.
 -A value of '1' will perform the checks, otherwise if the value is '0' the checks
 -are not performed and FIPS compliance must be done by procedures documented in
 -the relevant Security Policy.
 -
 -=item B<module-mac>
 -
 -The calculated MAC of the FIPS provider file.
 -
 -=item B<install-status>
 -
 -An indicator that the self-tests were successfully run.
 -This should only be written after the module has
 -successfully passed its self tests during installation.
 -If this field is not present, then the self tests will run when the module
 -loads.
 -
 -=item B<install-mac>
 -
 -A MAC of the value of the B<install-status> option, to prevent accidental
 -changes to that value.
 -It is written-to at the same time as B<install-status> is updated.
 -
 -=back
 -
 -For example:
 -
 - [fips_sect]
 - activate = 1
 - install-version = 1
 - conditional-errors = 1
 - security-checks = 1
 - module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
 - install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
 - install-status = INSTALL_SELF_TEST_KATS_RUN
 -
 -=head1 NOTES
 -
 -When using the FIPS provider, it is recommended that the
 -B<config_diagnostics> option is enabled to prevent accidental use of
 -non-FIPS validated algorithms via broken or mistaken configuration.
 -See L<config(5)>.
 -
 -=head1 SEE ALSO
 -
 -L<config(5)>
 -L<openssl-fipsinstall(1)>
 +This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
 +automatically loaded when the system is boots in FIPS mode, or when the
 +environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
 +for more information.
 =head1 COPYRIGHT
 diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
 --- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx	2021-11-22 13:18:13.850086386 +0100
 +++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod	2021-11-22 13:18:24.607179038 +0100
@@ -388,7 +388,6 @@ A simple self test callback is shown bel
 =head1 SEE ALSO
 -L<openssl-fipsinstall(1)>,
 L<fips_config(5)>,
 L<OSSL_SELF_TEST_set_callback(3)>,
 L<OSSL_SELF_TEST_new(3)>,
--- a/0100-coverity.patch
+++ b/0100-coverity.patch
@ -1,12 +0,0 @@
 diff -up openssl-3.0.0/apps/s_client.c.coverity openssl-3.0.0/apps/s_client.c
 --- openssl-3.0.0/apps/s_client.c.coverity	2021-10-07 16:59:37.938432118 +0200
 +++ openssl-3.0.0/apps/s_client.c	2021-10-07 17:00:52.994075755 +0200
@@ -3040,6 +3040,8 @@ int s_client_main(int argc, char **argv)
 #endif
     OPENSSL_free(connectstr);
     OPENSSL_free(bindstr);
 +    OPENSSL_free(bindhost);
 +    OPENSSL_free(bindport);
     OPENSSL_free(host);
     OPENSSL_free(port);
     OPENSSL_free(thost);
--- a/openssl.spec
+++ b/openssl.spec
@ -14,8 +14,8 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.0.0
+Version: 3.0.1
-Release: 7%{?dist}
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -55,8 +55,6 @@ Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
 Patch11: 0011-Remove-EC-curves.patch
 # Instructions to load legacy provider in openssl.cnf
 Patch24: 0024-load-legacy-prov.patch
 # Tmp: Upstream #16636
 Patch30: 0030-tmp-Fix-rng-seed-double-free.patch
 # Tmp: test name change
 Patch31: 0031-tmp-Fix-test-names.patch
 # We load FIPS provider and set FIPS properties implicitly
@ -71,8 +69,6 @@ Patch35: 0035-speed-skip-unavailable-dgst.patch
 Patch45: 0045-FIPS-services-minimize.patch
 # Enable SHA1 HMAC in FIPS mode
 Patch46: 0046-FIPS-permitsha1-hmac.patch
 # Tmp: coverity
 Patch100: 0100-coverity.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
@ -400,6 +396,11 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
 * Tue Jan 18 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-1
 - Rebase to upstream version 3.0.1
 - Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
 - Resolves: rhbz#2038910, rhbz#2035148
 * Mon Jan 17 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-7
 - Remove algorithms we don't plan to certify from fips module
 - Remove native fipsmodule.cnf
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27
+SHA512 (openssl-3.0.1-hobbled.tar.xz) = 8819d02a6961c2398d0fb4003f25a322f752254b5c3440cd3e9456df5c56dadbc8a1aa6f821f176941293d67771304b3a565b3b8ce7a3ac0b7ad221da97c4dfe
`@ -1 +1 @@`
	`SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27`	`SHA512 (openssl-3.0.1-hobbled.tar.xz) = 8819d02a6961c2398d0fb4003f25a322f752254b5c3440cd3e9456df5c56dadbc8a1aa6f821f176941293d67771304b3a565b3b8ce7a3ac0b7ad221da97c4dfe`