Update to openssl 3.0.2

Related: rhbz#2064453

.gitignore

@@ -53,3 +53,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1j-hobbled.tar.xz
 /openssl-1.1.1k-hobbled.tar.xz
 /openssl-3.0.0-hobbled.tar.xz
+/openssl-3.0.2-hobbled.tar.gz

0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch

@@ -216,14 +216,6 @@ index b1d3f7919e..f7cc7fed48 100644
      /* Add TLSv1.3 ciphers first - we always prefer those if possible */
      for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
          const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
-@@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- 
-         if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
-             sk_SSL_CIPHER_free(cipherstack);
-+            OPENSSL_free(co_list);
-             return NULL;
-         }
-     }
 @@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
      *cipher_list = cipherstack;
  

0012-Disable-explicit-ec.patch

@@ -0,0 +1,80 @@
+diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_lib.c
+--- openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec	2022-02-22 09:08:48.557823665 +0100
++++ openssl-3.0.1/crypto/ec/ec_lib.c	2022-02-22 09:09:26.634133847 +0100
+@@ -1458,7 +1458,7 @@ static EC_GROUP *ec_group_explicit_to_na
+                 goto err;
+         }
+     } else {
+-        ret_group = (EC_GROUP *)group;
++        goto err;
+     }
+     EC_GROUP_free(dup);
+     return ret_group;
+diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c
+--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec	2022-02-22 13:04:16.850856612 +0100
++++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c	2022-02-22 14:16:19.848369641 +0100
+@@ -936,11 +936,8 @@ int ec_validate(const void *keydata, int
+     if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
+         int flags = EC_KEY_get_flags(eck);
+ 
+-        if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)
+-            ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
+-                           (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
+-        else
+-            ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
++        ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
++                      (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
+     }
+ 
+     if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+@@ -1217,6 +1214,10 @@ static int ec_gen_assign_group(EC_KEY *e
+         ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET);
+         return 0;
+     }
++    if (EC_GROUP_get_curve_name(group) == NID_undef) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
++        return 0;
++    }
+     return EC_KEY_set_group(ec, group) > 0;
+ }
+ 
+diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c
+--- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec	2022-02-25 11:44:19.554673396 +0100
++++ openssl-3.0.1/providers/common/securitycheck.c	2022-02-25 12:16:38.168610089 +0100
+@@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx
+ int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
+ {
+ # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
+-    if (ossl_securitycheck_enabled(ctx)) {
+-        int nid, strength;
+-        const char *curve_name;
+-        const EC_GROUP *group = EC_KEY_get0_group(ec);
++    int nid, strength;
++    const char *curve_name;
++    const EC_GROUP *group = EC_KEY_get0_group(ec);
+ 
+-        if (group == NULL) {
+-            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
+-            return 0;
+-        }
+-        nid = EC_GROUP_get_curve_name(group);
+-        if (nid == NID_undef) {
+-            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
+-                           "Explicit curves are not allowed in fips mode");
+-            return 0;
+-        }
++    if (group == NULL) {
++        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
++        return 0;
++    }
++    nid = EC_GROUP_get_curve_name(group);
++    if (nid == NID_undef) {
++        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
++                       "Explicit curves are not allowed in this build");
++        return 0;
++    }
+ 
++    if (ossl_securitycheck_enabled(ctx)) {
+         curve_name = EC_curve_nid2nist(nid);
+         if (curve_name == NULL) {
+             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,

ectest.c

@@ -2300,8 +2300,8 @@ int setup_tests(void)
     ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
     ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
     ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
-    ADD_ALL_TESTS(custom_generator_test, crv_len);
-    ADD_ALL_TESTS(custom_params_test, crv_len);
+    /* ADD_ALL_TESTS(custom_generator_test, crv_len);
+    ADD_ALL_TESTS(custom_params_test, crv_len); */
     return 1;
 }
 

openssl.spec

@@ -14,13 +14,13 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.0.0
-Release: 2%{?dist}
+Version: 3.0.2
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
 # The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-hobbled.tar.xz
+Source: openssl-%{version}-hobbled.tar.gz
 Source1: hobble-openssl
 Source2: Makefile.certificate
 Source3: genpatches
@@ -52,8 +52,12 @@ Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
 #Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
 # remove unsupported EC curves
 Patch11: 0011-Remove-EC-curves.patch
+# Disable explicit EC curves
+Patch12: 0012-Disable-explicit-ec.patch
 # Instructions to load legacy provider in openssl.cnf
 Patch24: 0024-load-legacy-prov.patch
+# Backport of patch for RHEL for Edge rhbz #2027261
+Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -177,6 +181,10 @@ sslflags=enable-ec_nistp_64_gcc_128
 %ifarch riscv64
 sslarch=linux-generic64
 %endif
+ktlsopt=enable-ktls
+%ifarch armv7hl
+ktlsopt=disable-ktls
+%endif
 
 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
 # marked as not requiring an executable stack.
@@ -194,7 +202,7 @@ export HASHBANGPERL=/usr/bin/perl
 	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
 	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
-	enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
+	enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\
 	no-mdc2 no-ec2m no-sm2 no-sm4 \
 	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
 
@@ -376,6 +384,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Fri Mar 18 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.2-1
+- Rebase to upstream version 3.0.2
+
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27
+SHA512 (openssl-3.0.2-hobbled.tar.gz) = e62f95ef9a81555f8c7bb4e68bfbd14bd81040f112dd88a1e515160623e6d3a0b68d0d8b9b12905f67b06834bd152edfbabca4b528a4887b15dd153d60ad36d5