Redefine sslarch for x86_64_v2 arch

Eduard Abdullin 2025-05-15 02:53:32 +00:00 committed by root
commit 13de65a2dd
8 changed files with 601 additions and 3 deletions


@ -0,0 +1,76 @@
From e128762a1b1f047633e76022a6a8097cb88b49a6 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 9 May 2025 15:09:46 +0200
Subject: [PATCH 51/54] Make `openssl speed` run in FIPS mode
---
apps/speed.c | 44 ++++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index 1edf9b8485..d4e707074c 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
(void *)key32, 16);
params[1] = OSSL_PARAM_construct_end();
- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
- goto end;
- for (testnum = 0; testnum < size_num; testnum++) {
- print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
- Time_F(START);
- count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
- d = Time_F(STOP);
- print_result(D_KMAC128, testnum, count, d);
- if (count < 0)
- break;
+ if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) {
+ for (testnum = 0; testnum < size_num; testnum++) {
+ print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
+ Time_F(START);
+ count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
+ d = Time_F(STOP);
+ print_result(D_KMAC128, testnum, count, d);
+ if (count < 0)
+ break;
+ }
+ mac_teardown(&mac, loopargs, loopargs_len);
}
- mac_teardown(&mac, loopargs, loopargs_len);
}
if (doit[D_KMAC256]) {
@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
(void *)key32, 32);
params[1] = OSSL_PARAM_construct_end();
- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
- goto end;
- for (testnum = 0; testnum < size_num; testnum++) {
- print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
- Time_F(START);
- count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
- d = Time_F(STOP);
- print_result(D_KMAC256, testnum, count, d);
- if (count < 0)
- break;
+ if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) {
+ for (testnum = 0; testnum < size_num; testnum++) {
+ print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
+ Time_F(START);
+ count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
+ d = Time_F(STOP);
+ print_result(D_KMAC256, testnum, count, d);
+ if (count < 0)
+ break;
+ }
+ mac_teardown(&mac, loopargs, loopargs_len);
}
- mac_teardown(&mac, loopargs, loopargs_len);
}
for (i = 0; i < loopargs_len; i++)
--
2.49.0
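Review bot: The rewritten KMAC-128 block in the first hunk now skips the benchmark silently when `mac_setup` does not return 1, so a run against the FIPS provider prints no line for KMAC-128 and the output is indistinguishable from a completed run; the KMAC-256 block in the second hunk has the same shape. Keeping the intent of the change while leaving a trace only needs an else branch, e.g. `else BIO_printf(bio_err, "KMAC-128 unavailable, skipping\n");` (and the KMAC-256 counterpart). It is also worth checking whether the errors the failed fetch leaves on the error queue are still dumped at `end:`, which is outside the hunk, as that would print a misleading error after an intentional skip. `speed_main` starts and ends outside both hunks.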


@ -0,0 +1,58 @@
From a6b4af9d39e07457189147bd50fe6ee3e8e88b6d Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 14:28:00 +0200
Subject: [PATCH 52/54] Fixup - forbid SHA1
---
crypto/context.c | 6 ------
providers/implementations/signature/ecdsa_sig.c | 5 ++---
2 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
index 6859146510..323615e300 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -133,9 +133,6 @@ static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
{
OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
- /* Warning: This patch differs from the same patch in CentOS and RHEL here,
- * because the default on Fedora is to allow SHA-1 and support disabling
- * it, while CentOS/RHEL disable it by default and allow enabling it. */
ldsigs->allowed = 0;
return ldsigs;
}
@@ -770,9 +767,6 @@ int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconf
return 1;
#endif
- /* Warning: This patch differs from the same patch in CentOS and RHEL here,
- * because the default on Fedora is to allow SHA-1 and support disabling
- * it, while CentOS/RHEL disable it by default and allow enabling it. */
return ldsigs != NULL ? ldsigs->allowed : 0;
}
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 34fb3aa56e..4d7c25728a 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -198,14 +198,13 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
}
md_nid = ossl_digest_get_approved_nid(md);
-#ifdef FIPS_MODULE
md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
- if (md_nid <= 0) {
+ /* KECCAK-256 is explicitly allowed for ECDSA despite it doesn't have a NID*/
+ if (md_nid <= 0 && !(EVP_MD_is_a(md, "KECCAK-256"))) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
goto err;
}
-#endif
/* XOF digests don't work */
if (EVP_MD_xof(md)) {
--
2.49.0
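Review bot: Dropping the `#ifdef FIPS_MODULE` guard in `ecdsa_setup_md` makes the `rh_digest_signatures_allowed` check apply to every build of this file, and the new KECCAK-256 exemption on the line below it is then compiled into the FIPS provider as well if this source is part of that module; KECCAK-256 is not a NIST-approved digest, so either confirm the exemption is meant to apply there or restrict it to the non-FIPS build so the FIPS path keeps the plain `md_nid <= 0` rejection. The new comment should also be tightened to `/* KECCAK-256 is explicitly allowed for ECDSA even though it has no NID */`. The crypto/context.c hunks only remove an explanatory comment, and `ecdsa_setup_md` begins and ends outside the hunk.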


@ -0,0 +1,146 @@
From d3152ec5d2c4e87bb15b669b5b128fe15515e51e Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 14:34:39 +0200
Subject: [PATCH 53/54] Backport upstream #27483 for PKCS11 needs
---
.../implementations/skeymgmt/aes_skmgmt.c | 2 +
providers/implementations/skeymgmt/generic.c | 12 ++++
.../implementations/skeymgmt/skeymgmt_lcl.h | 1 +
test/evp_skey_test.c | 61 +++++++++++++++++++
4 files changed, 76 insertions(+)
diff --git a/providers/implementations/skeymgmt/aes_skmgmt.c b/providers/implementations/skeymgmt/aes_skmgmt.c
index 6d3b5f377f..17be480131 100644
--- a/providers/implementations/skeymgmt/aes_skmgmt.c
+++ b/providers/implementations/skeymgmt/aes_skmgmt.c
@@ -48,5 +48,7 @@ const OSSL_DISPATCH ossl_aes_skeymgmt_functions[] = {
{ OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
{ OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))aes_import },
{ OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))aes_export },
+ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
+ (void (*)(void))generic_imp_settable_params },
OSSL_DISPATCH_END
};
diff --git a/providers/implementations/skeymgmt/generic.c b/providers/implementations/skeymgmt/generic.c
index b41bf8e12d..5fb3fad7e3 100644
--- a/providers/implementations/skeymgmt/generic.c
+++ b/providers/implementations/skeymgmt/generic.c
@@ -65,6 +65,16 @@ end:
return generic;
}
+static const OSSL_PARAM generic_import_params[] = {
+ OSSL_PARAM_octet_string(OSSL_SKEY_PARAM_RAW_BYTES, NULL, 0),
+ OSSL_PARAM_END
+};
+
+const OSSL_PARAM *generic_imp_settable_params(void *provctx)
+{
+ return generic_import_params;
+}
+
int generic_export(void *keydata, int selection,
OSSL_CALLBACK *param_callback, void *cbarg)
{
@@ -89,5 +99,7 @@ const OSSL_DISPATCH ossl_generic_skeymgmt_functions[] = {
{ OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
{ OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))generic_import },
{ OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))generic_export },
+ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
+ (void (*)(void))generic_imp_settable_params },
OSSL_DISPATCH_END
};
diff --git a/providers/implementations/skeymgmt/skeymgmt_lcl.h b/providers/implementations/skeymgmt/skeymgmt_lcl.h
index c180c1d303..a7e7605050 100644
--- a/providers/implementations/skeymgmt/skeymgmt_lcl.h
+++ b/providers/implementations/skeymgmt/skeymgmt_lcl.h
@@ -15,5 +15,6 @@
OSSL_FUNC_skeymgmt_import_fn generic_import;
OSSL_FUNC_skeymgmt_export_fn generic_export;
OSSL_FUNC_skeymgmt_free_fn generic_free;
+OSSL_FUNC_skeymgmt_imp_settable_params_fn generic_imp_settable_params;
#endif
diff --git a/test/evp_skey_test.c b/test/evp_skey_test.c
index b81df9c8f8..e33bbbe003 100644
--- a/test/evp_skey_test.c
+++ b/test/evp_skey_test.c
@@ -92,6 +92,66 @@ end:
return ret;
}
+static int test_skey_skeymgmt(void)
+{
+ int ret = 0;
+ EVP_SKEYMGMT *skeymgmt = NULL;
+ EVP_SKEY *key = NULL;
+ const unsigned char import_key[KEY_SIZE] = {
+ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
+ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
+ };
+ OSSL_PARAM params[2];
+ const OSSL_PARAM *imp_params;
+ const OSSL_PARAM *p;
+ OSSL_PARAM *exp_params = NULL;
+ const void *export_key = NULL;
+ size_t export_len;
+
+ deflprov = OSSL_PROVIDER_load(libctx, "default");
+ if (!TEST_ptr(deflprov))
+ return 0;
+
+ /* Fetch our SKYMGMT for Generic Secrets */
+ if (!TEST_ptr(skeymgmt = EVP_SKEYMGMT_fetch(libctx, OSSL_SKEY_TYPE_GENERIC,
+ NULL)))
+ goto end;
+
+ /* Check the parameter we need is available */
+ if (!TEST_ptr(imp_params = EVP_SKEYMGMT_get0_imp_settable_params(skeymgmt))
+ || !TEST_ptr(p = OSSL_PARAM_locate_const(imp_params,
+ OSSL_SKEY_PARAM_RAW_BYTES)))
+ goto end;
+
+ /* Import EVP_SKEY */
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_SKEY_PARAM_RAW_BYTES,
+ (void *)import_key, KEY_SIZE);
+ params[1] = OSSL_PARAM_construct_end();
+
+ if (!TEST_ptr(key = EVP_SKEY_import(libctx,
+ EVP_SKEYMGMT_get0_name(skeymgmt), NULL,
+ OSSL_SKEYMGMT_SELECT_ALL, params)))
+ goto end;
+
+ /* Export EVP_SKEY */
+ if (!TEST_int_gt(EVP_SKEY_export(key, OSSL_SKEYMGMT_SELECT_SECRET_KEY,
+ ossl_pkey_todata_cb, &exp_params), 0)
+ || !TEST_ptr(p = OSSL_PARAM_locate_const(exp_params,
+ OSSL_SKEY_PARAM_RAW_BYTES))
+ || !TEST_int_gt(OSSL_PARAM_get_octet_string_ptr(p, &export_key,
+ &export_len), 0)
+ || !TEST_mem_eq(import_key, KEY_SIZE, export_key, export_len))
+ goto end;
+
+ ret = 1;
+end:
+ OSSL_PARAM_free(exp_params);
+ EVP_SKEYMGMT_free(skeymgmt);
+ EVP_SKEY_free(key);
+
+ return ret;
+}
+
#define IV_SIZE 16
#define DATA_SIZE 32
static int test_aes_raw_skey(void)
@@ -252,6 +312,7 @@ int setup_tests(void)
return 0;
ADD_TEST(test_skey_cipher);
+ ADD_TEST(test_skey_skeymgmt);
ADD_TEST(test_aes_raw_skey);
#ifndef OPENSSL_NO_DES
--
2.49.0
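Review bot: `test_skey_skeymgmt` loads the default provider into `deflprov` at the top, but its `end:` label releases only `exp_params`, `skeymgmt` and `key`; unless `deflprov` is a file-scope handle released by a teardown outside this hunk (its declaration is not visible here), every run of this test takes a provider reference it never drops, and an early failure leaves the provider loaded for the tests that follow. If the handle is per-test, add `OSSL_PROVIDER_unload(deflprov); deflprov = NULL;` at `end:` before the frees. The `generic_imp_settable_params` addition in generic.c looks consistent with the dispatch entries and the new prototype in skeymgmt_lcl.h.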


@ -0,0 +1,129 @@
From c6a6ec6d5cd9e74c78bb5167cf77c0f383bf177c Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 16:21:23 +0200
Subject: [PATCH 54/54] Red Hat 9 FIPS indicator defines
---
include/openssl/evp.h | 15 +++++++++++++++
include/openssl/kdf.h | 4 ++++
util/perl/OpenSSL/paramnames.pm | 7 +++++++
3 files changed, 26 insertions(+)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index e5da1e6415..3849c1779e 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -779,6 +779,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
const unsigned char *key, const unsigned char *iv);
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
@@ -850,6 +854,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
int *outl);
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
EVP_PKEY *pkey);
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
@@ -1249,6 +1257,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
void *arg);
/* MAC stuff */
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
const char *properties);
@@ -1826,6 +1837,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
# endif
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
const char *properties);
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
index 0983230a48..86171635ea 100644
--- a/include/openssl/kdf.h
+++ b/include/openssl/kdf.h
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 059b489735..5a1864309d 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -143,6 +143,8 @@ my %params = (
'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' => "encrypt-check", # int
'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
'CIPHER_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID',
+ #Old RedHat FIPS provider compatibility
+ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
# Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used. For the
# time being, the old libcrypto functions will use both, so old providers
# continue to work.
@@ -190,6 +192,7 @@ my %params = (
'MAC_PARAM_SIZE' => "size", # size_t
'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
+ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC',
'MAC_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
@@ -234,6 +237,7 @@ my %params = (
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
+ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
'KDF_PARAM_THREADS' => "threads", # uint32_t
@@ -474,6 +478,7 @@ my %params = (
'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
+ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
'SIGNATURE_PARAM_INSTANCE' => "instance",
'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
@@ -508,6 +513,7 @@ my %params = (
'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED',
'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
# Encoder / decoder parameters
@@ -541,6 +547,7 @@ my %params = (
# KEM parameters
'KEM_PARAM_OPERATION' => "operation",
+ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
'KEM_PARAM_IKME' => "ikme",
'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
--
2.49.0
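Review bot: The new `MAC_PARAM_REDHAT_FIPS_INDICATOR` entry in paramnames.pm is annotated `# size_t`, while the `CIPHER_PARAM_REDHAT_FIPS_INDICATOR` entry added in the same file says `# int` and the evp.h and kdf.h hunks define the indicator values as small integer constants (0/1/2); a consumer reading the MAC parameter with a `size_t` getter would disagree with one written as an int. Make the annotation match the others: `'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int`. The KDF, SIGNATURE, ASYM_CIPHER and KEM entries carry no type comment at all; adding `# int` to each keeps the five definitions self-describing.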


@ -0,0 +1,58 @@
From 54eabd5b18433a4d624904193c7148e92cb3c9b0 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 7 Apr 2025 12:58:54 +0200
Subject: [PATCH 55/57] crypto: disable OSSL_PARAM_REAL on UEFI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Floating point types like double can't be used on UEFI.
Fix build on UEFI by disabling the OSSL_PARAM_REAL branch.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27284)
---
crypto/params_from_text.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c
index 7532d4d439..fb25400dc1 100644
--- a/crypto/params_from_text.c
+++ b/crypto/params_from_text.c
@@ -220,9 +220,9 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
BIGNUM *bn;
#ifndef OPENSSL_SYS_UEFI
double d;
+ int dok;
#endif
int ok = -1;
- int dok;
/*
* Iterate through each key in the array printing its key and value
@@ -280,16 +280,16 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
case OSSL_PARAM_OCTET_STRING:
ok = BIO_dump(bio, (char *)p->data, p->data_size);
break;
+#ifndef OPENSSL_SYS_UEFI
case OSSL_PARAM_REAL:
dok = 0;
-#ifndef OPENSSL_SYS_UEFI
dok = OSSL_PARAM_get_double(p, &d);
-#endif
if (dok == 1)
ok = BIO_printf(bio, "%f\n", d);
else
ok = BIO_printf(bio, "error getting value\n");
break;
+#endif
default:
ok = BIO_printf(bio, "unknown type (%u) of %zu bytes\n",
p->data_type, p->data_size);
--
2.49.0
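Review bot: In the second hunk the `dok = 0;` line is now a dead store, because the `#ifndef OPENSSL_SYS_UEFI` that used to make the following assignment conditional was moved to wrap the whole `case OSSL_PARAM_REAL:` and `dok = OSSL_PARAM_get_double(p, &d);` now executes unconditionally right after it. Drop the initialiser line so the case body starts with `dok = OSSL_PARAM_get_double(p, &d);`, which also removes a warning candidate under `-Wunused-but-set`-style analysis. `OSSL_PARAM_print_to_bio` starts and ends outside both hunks.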


@ -0,0 +1,36 @@
From b2770d12f3225982813bdc3fece7b541d0974793 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 7 Apr 2025 13:29:36 +0200
Subject: [PATCH 56/57] hashfunc: add stddef.h include
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
size_t is declared in stddef.h, so include the header file to
make sure it is available. Fixes build on UEFI.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27284)
---
include/internal/hashfunc.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/internal/hashfunc.h b/include/internal/hashfunc.h
index cabc7beed4..fae8a275fa 100644
--- a/include/internal/hashfunc.h
+++ b/include/internal/hashfunc.h
@@ -11,6 +11,7 @@
# define OPENSSL_HASHFUNC_H
# include <openssl/e_os2.h>
+# include <stddef.h>
/**
* Generalized fnv1a 64 bit hash function
*/
--
2.49.0


@ -0,0 +1,73 @@
From 48a4ffa48905d76b5bca24252de9697bb1a3ea86 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 7 Apr 2025 14:06:28 +0200
Subject: [PATCH 57/57] rio: add RIO_POLL_METHOD_NONE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes build on UEFI.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27284)
---
ssl/rio/poll_builder.c | 4 +++-
ssl/rio/poll_builder.h | 4 +++-
ssl/rio/poll_method.h | 5 ++++-
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/ssl/rio/poll_builder.c b/ssl/rio/poll_builder.c
index 007e360d87..3cfbe3b0ac 100644
--- a/ssl/rio/poll_builder.c
+++ b/ssl/rio/poll_builder.c
@@ -16,7 +16,9 @@ OSSL_SAFE_MATH_UNSIGNED(size_t, size_t)
int ossl_rio_poll_builder_init(RIO_POLL_BUILDER *rpb)
{
-#if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
+#if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
+ return 0;
+#elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
FD_ZERO(&rpb->rfd);
FD_ZERO(&rpb->wfd);
FD_ZERO(&rpb->efd);
diff --git a/ssl/rio/poll_builder.h b/ssl/rio/poll_builder.h
index ffc9bbf9fc..985e4713b2 100644
--- a/ssl/rio/poll_builder.h
+++ b/ssl/rio/poll_builder.h
@@ -23,7 +23,9 @@
* FDs.
*/
typedef struct rio_poll_builder_st {
-# if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
+# if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
+ /* nothing */;
+# elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
fd_set rfd, wfd, efd;
int hwm_fd;
# elif RIO_POLL_METHOD == RIO_POLL_METHOD_POLL
diff --git a/ssl/rio/poll_method.h b/ssl/rio/poll_method.h
index 9a6de89270..d5af8663c2 100644
--- a/ssl/rio/poll_method.h
+++ b/ssl/rio/poll_method.h
@@ -14,9 +14,12 @@
# define RIO_POLL_METHOD_SELECT 1
# define RIO_POLL_METHOD_POLL 2
+# define RIO_POLL_METHOD_NONE 3
# ifndef RIO_POLL_METHOD
-# if !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
+# if defined(OPENSSL_SYS_UEFI)
+# define RIO_POLL_METHOD RIO_POLL_METHOD_NONE
+# elif !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
# define RIO_POLL_METHOD RIO_POLL_METHOD_POLL
# else
# define RIO_POLL_METHOD RIO_POLL_METHOD_SELECT
--
2.49.0
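Review bot: In the poll_builder.h hunk, `/* nothing */;` leaves `struct rio_poll_builder_st` with no members when `RIO_POLL_METHOD_NONE` is selected; ISO C requires a struct to have at least one named member, and both the empty struct and the stray `;` are GCC extensions that `-pedantic` flags, so a stricter UEFI toolchain may reject the header. A placeholder member avoids that: `char unused; /* ISO C forbids an empty struct */`. In poll_builder.c, `ossl_rio_poll_builder_init` returns 0 under NONE, which in this codebase's convention reads as failure rather than "nothing to do"; if that is intended, a one-line comment saying callers are expected to treat polling as unsupported on UEFI would help, since the function body and the struct both continue outside the hunks.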


@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.5.0
Release: 2%{?dist}.alma.1
Release: 3%{?dist}.alma.1
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@ -90,6 +90,14 @@ Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
Patch0048: 0048-Current-Rebase-status.patch
Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch
Patch0052: 0052-Fixup-forbid-SHA1.patch
Patch0053: 0053-Backport-upstream-27483-for-PKCS11-needs.patch
Patch0054: 0054-Red-Hat-9-FIPS-indicator-defines.patch
Patch0055: 0055-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
Patch0056: 0056-hashfunc-add-stddef.h-include.patch
Patch0057: 0057-rio-add-RIO_POLL_METHOD_NONE.patch
License: Apache-2.0
URL: http://www.openssl.org/
@ -237,7 +245,7 @@ export HASHBANGPERL=/usr/bin/perl
--libdir=%{_lib} \
%endif
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-sslkeylog \
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' -DOPENSSL_PEDANTIC_ZEROIZATION\
@ -431,9 +439,23 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
%ldconfig_scriptlets libs
%changelog
* Fri Apr 18 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.0-2.alma.1
* Thu May 15 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.0-3.alma.1
- Redefine sslarch for x86_64_v2 arch
* Wed May 14 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-3
- Fix `openssl speed` running in FIPS mode
Resolves: RHEL-88908
- pkeyutl ecdsa signature with sha1 shouldn't work by default
Resolves: RHEL-88911
- Expose settable params for EVP_SKEY
Resolves: RHEL-88913
- Restore RHEL9-style indicators defines
Resolves: RHEL-88906
- Enable sslkeylog support
Resolves: RHEL-90853
- Fix UEFI builds
Resolves: RHEL-89137
* Thu Apr 17 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-2
- Update depencency on crypto-policies
Related: RHEL-80811
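Review bot: `enable-sslkeylog` on the configure line turns on libssl's SSLKEYLOGFILE hook, which, when that variable is present in a process environment, writes the process's TLS session secrets to the named file; the changelog line `- Enable sslkeylog support` should say that the feature is a debugging aid that is inert unless the variable is set, and the packager should confirm before shipping it distro-wide that the library ignores the variable for set-uid and otherwise privileged processes. The AlmaLinux entry `- Redefine sslarch for x86_64_v2 arch` describes a change that does not appear in the hunks shown here — `${sslarch}` occurs only on a context line of the configure hunk — so the redefinition is presumably in a part of the spec outside this view and should be checked there. The new `Patch0051`–`Patch0057` lines match the seven patch files added in this commit in order.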