Update to 3.0.2

2022-03-18 12:01:31 +01:00 · 2022-03-18 12:01:31 +01:00 · 390f40b74c
commit 390f40b74c
parent 0553c648a9
7 changed files with 2245 additions and 14 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,3 +12,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1c-hobbled.tar.xz
 /openssl-1.1.1k-hobbled.tar.xz
 /openssl-3.0.0-hobbled.tar.xz
+/openssl-3.0.2-hobbled.tar.gz
--- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@ -216,14 +216,6 @@ index b1d3f7919e..f7cc7fed48 100644
     /* Add TLSv1.3 ciphers first - we always prefer those if possible */
     for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
         const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
-@@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- 
-         if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
-             sk_SSL_CIPHER_free(cipherstack);
-+            OPENSSL_free(co_list);
-             return NULL;
-         }
-     }
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
     *cipher_list = cipherstack;
 
--- a/0012-Disable-explicit-ec.patch
+++ b/0012-Disable-explicit-ec.patch
@ -0,0 +1,80 @@
+diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_lib.c
+--- openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec	2022-02-22 09:08:48.557823665 +0100
+++ openssl-3.0.1/crypto/ec/ec_lib.c	2022-02-22 09:09:26.634133847 +0100
+@@ -1458,7 +1458,7 @@ static EC_GROUP *ec_group_explicit_to_na
+                 goto err;
+         }
+     } else {
+-        ret_group = (EC_GROUP *)group;
+        goto err;
+     }
+     EC_GROUP_free(dup);
+     return ret_group;
+diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c
+--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec	2022-02-22 13:04:16.850856612 +0100
+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c	2022-02-22 14:16:19.848369641 +0100
+@@ -936,11 +936,8 @@ int ec_validate(const void *keydata, int
+     if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
+         int flags = EC_KEY_get_flags(eck);
+ 
+-        if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)
+-            ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
+-                           (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
+-        else
+-            ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
+        ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
+                      (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
+     }
+ 
+     if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+@@ -1217,6 +1214,10 @@ static int ec_gen_assign_group(EC_KEY *e
+         ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET);
+         return 0;
+     }
+    if (EC_GROUP_get_curve_name(group) == NID_undef) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
+        return 0;
+    }
+     return EC_KEY_set_group(ec, group) > 0;
+ }
+ 
+diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c
+--- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec	2022-02-25 11:44:19.554673396 +0100
+++ openssl-3.0.1/providers/common/securitycheck.c	2022-02-25 12:16:38.168610089 +0100
+@@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx
+ int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
+ {
+ # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
+-    if (ossl_securitycheck_enabled(ctx)) {
+-        int nid, strength;
+-        const char *curve_name;
+-        const EC_GROUP *group = EC_KEY_get0_group(ec);
+    int nid, strength;
+    const char *curve_name;
+    const EC_GROUP *group = EC_KEY_get0_group(ec);
+ 
+-        if (group == NULL) {
+-            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
+-            return 0;
+-        }
+-        nid = EC_GROUP_get_curve_name(group);
+-        if (nid == NID_undef) {
+-            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
+-                           "Explicit curves are not allowed in fips mode");
+-            return 0;
+-        }
+    if (group == NULL) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
+        return 0;
+    }
+    nid = EC_GROUP_get_curve_name(group);
+    if (nid == NID_undef) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
+                       "Explicit curves are not allowed in this build");
+        return 0;
+    }
+ 
+    if (ossl_securitycheck_enabled(ctx)) {
+         curve_name = EC_curve_nid2nist(nid);
+         if (curve_name == NULL) {
+             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
--- a/0051-Support-different-R_BITS-lengths-for-KBKDF.patch
+++ b/0051-Support-different-R_BITS-lengths-for-KBKDF.patch
--- a/ectest.c
+++ b/ectest.c
@ -2300,8 +2300,8 @@ int setup_tests(void)
    ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
    ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
    ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
-    ADD_ALL_TESTS(custom_generator_test, crv_len);
-    ADD_ALL_TESTS(custom_params_test, crv_len);
+    /* ADD_ALL_TESTS(custom_generator_test, crv_len);
+    ADD_ALL_TESTS(custom_params_test, crv_len); */
    return 1;
 }

--- a/mingw-openssl.spec
+++ b/mingw-openssl.spec
@ -14,8 +14,8 @@
 %global run_tests 0

 Name:           mingw-openssl
-Version:        3.0.0
-Release:        2%{?dist}
+Version:        3.0.2
+Release:        1%{?dist}
 Summary:        MinGW port of the OpenSSL toolkit

 License:        OpenSSL
@ -24,7 +24,7 @@ URL:            http://www.openssl.org/
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
 # The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-hobbled.tar.xz
+Source: openssl-%{version}-hobbled.tar.gz
 Source1: hobble-openssl
 Source2: Makefile.certificate
 Source3: genpatches
@ -54,8 +54,12 @@ Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
 #Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
 # remove unsupported EC curves
 Patch11: 0011-Remove-EC-curves.patch
+# Disable explicit EC curves
+Patch12: 0012-Disable-explicit-ec.patch
 # Instructions to load legacy provider in openssl.cnf
 Patch24: 0024-load-legacy-prov.patch
+# Backport of patch for RHEL for Edge rhbz #2027261
+Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch

 # MinGW patches
 # Attempt to compute openssl modules dir dynamically from executable path if not set by OPENSSL_MODULES
@ -372,6 +376,9 @@ mkdir -m700 %{buildroot}%{mingw64_sysconfdir}/pki/CA/private


 %changelog
+* Fri Mar 18 2022 Sandro Mani <manisandro@gmail.com> - 3.0.2-1
+- Update to 3.0.2
+
 * Mon Feb 21 2022 Sandro Mani <manisandro@gmail.com> - 3.0.0-2
 - Attempt to compute openssl modules dir dynamically from executable path if not set by OPENSSL_MODULES

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27
+SHA512 (openssl-3.0.2-hobbled.tar.gz) = e62f95ef9a81555f8c7bb4e68bfbd14bd81040f112dd88a1e515160623e6d3a0b68d0d8b9b12905f67b06834bd152edfbabca4b528a4887b15dd153d60ad36d5