Redefine sslarch for x86_64_v2 arch
commit
13de65a2dd
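--- /dev/null
+++ b/0051-Make-openssl-speed-run-in-FIPS-mode.patch
@@ -0,0 +1,76 @@
+From e128762a1b1f047633e76022a6a8097cb88b49a6 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Fri, 9 May 2025 15:09:46 +0200
+Subject: [PATCH 51/54] Make `openssl speed` run in FIPS mode
+
+---
+apps/speed.c | 44 ++++++++++++++++++++++----------------------
+1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index 1edf9b8485..d4e707074c 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
+(void *)key32, 16);
+params[1] = OSSL_PARAM_construct_end();
+
+- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
+- goto end;
+- for (testnum = 0; testnum < size_num; testnum++) {
+- print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
+- Time_F(START);
+- count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
+- d = Time_F(STOP);
+- print_result(D_KMAC128, testnum, count, d);
+- if (count < 0)
+- break;
++ if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) {
++ for (testnum = 0; testnum < size_num; testnum++) {
++ print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
++ Time_F(START);
++ count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
++ d = Time_F(STOP);
++ print_result(D_KMAC128, testnum, count, d);
++ if (count < 0)
++ break;
++ }
++ mac_teardown(&mac, loopargs, loopargs_len);
+}
+- mac_teardown(&mac, loopargs, loopargs_len);
+}
+
+if (doit[D_KMAC256]) {
+@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
+(void *)key32, 32);
+params[1] = OSSL_PARAM_construct_end();
+
+- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
+- goto end;
+- for (testnum = 0; testnum < size_num; testnum++) {
+- print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
+- Time_F(START);
+- count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
+- d = Time_F(STOP);
+- print_result(D_KMAC256, testnum, count, d);
+- if (count < 0)
+- break;
++ if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) {
++ for (testnum = 0; testnum < size_num; testnum++) {
++ print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
++ Time_F(START);
++ count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
++ d = Time_F(STOP);
++ print_result(D_KMAC256, testnum, count, d);
++ if (count < 0)
++ break;
++ }
++ mac_teardown(&mac, loopargs, loopargs_len);
+}
+- mac_teardown(&mac, loopargs, loopargs_len);
+}
+
+for (i = 0; i < loopargs_len; i++)
+--
+2.49.0
+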
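Review bot: In both KMAC hunks a mac_setup() result other than 1 now silently skips the benchmark instead of aborting, so a setup failure that is not the expected "algorithm unavailable in FIPS mode" case (bad key length, allocation failure) produces no KMAC output and no diagnostic, whereas the old `goto end` path at least left the error on the queue. Unless mac_setup() already reports on bio_err, an else branch such as `else BIO_printf(bio_err, "KMAC-128 not available, skipping\n");` (and the -256 counterpart) keeps the run going while making the skip visible. speed_main() begins and ends outside these hunks, so what `end:` still does for the remaining error paths is not visible here.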
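--- /dev/null
+++ b/0052-Fixup-forbid-SHA1.patch
@@ -0,0 +1,58 @@
+From a6b4af9d39e07457189147bd50fe6ee3e8e88b6d Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Mon, 12 May 2025 14:28:00 +0200
+Subject: [PATCH 52/54] Fixup - forbid SHA1
+
+---
+crypto/context.c | 6 ------
+providers/implementations/signature/ecdsa_sig.c | 5 ++---
+2 files changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/crypto/context.c b/crypto/context.c
+index 6859146510..323615e300 100644
+--- a/crypto/context.c
++++ b/crypto/context.c
+@@ -133,9 +133,6 @@ static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
+{
+OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
+- /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+- * because the default on Fedora is to allow SHA-1 and support disabling
+- * it, while CentOS/RHEL disable it by default and allow enabling it. */
+ldsigs->allowed = 0;
+return ldsigs;
+}
+@@ -770,9 +767,6 @@ int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconf
+return 1;
+#endif
+
+- /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+- * because the default on Fedora is to allow SHA-1 and support disabling
+- * it, while CentOS/RHEL disable it by default and allow enabling it. */
+return ldsigs != NULL ? ldsigs->allowed : 0;
+}
+
+diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
+index 34fb3aa56e..4d7c25728a 100644
+--- a/providers/implementations/signature/ecdsa_sig.c
++++ b/providers/implementations/signature/ecdsa_sig.c
+@@ -198,14 +198,13 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
+}
+md_nid = ossl_digest_get_approved_nid(md);
+
+-#ifdef FIPS_MODULE
+md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
+- if (md_nid <= 0) {
++ /* KECCAK-256 is explicitly allowed for ECDSA despite it doesn't have a NID*/
++ if (md_nid <= 0 && !(EVP_MD_is_a(md, "KECCAK-256"))) {
+ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+"digest=%s", mdname);
+goto err;
+}
+-#endif
+
+/* XOF digests don't work */
+if (EVP_MD_xof(md)) {
+--
+2.49.0
+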
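Review bot: Dropping the `#ifdef FIPS_MODULE` guard in ecdsa_setup_md() makes the KECCAK-256 exemption unconditional, so inside the FIPS provider a digest for which rh_digest_signatures_allowed() returned <= 0 is still accepted when it is KECCAK-256, which is not a FIPS-approved hash. That is probably unreachable today because the FIPS module's libctx only resolves digests the FIPS provider itself implements, but a policy exemption should not rely on that algorithm table; compile it only for the non-FIPS build. The comment should also read `/* KECCAK-256 has no NID but is accepted for ECDSA outside the FIPS module */`. ecdsa_setup_md() starts and ends outside the hunk.
```c
    md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
    /* KECCAK-256 has no NID but is accepted for ECDSA outside the FIPS module */
    if (md_nid <= 0
#ifndef FIPS_MODULE
        && !EVP_MD_is_a(md, "KECCAK-256")
#endif
        ) {
        /* … unchanged: PROV_R_DIGEST_NOT_ALLOWED error and goto err … */
    }
```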
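--- /dev/null
+++ b/0053-Backport-upstream-27483-for-PKCS11-needs.patch
@@ -0,0 +1,146 @@
+From d3152ec5d2c4e87bb15b669b5b128fe15515e51e Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Mon, 12 May 2025 14:34:39 +0200
+Subject: [PATCH 53/54] Backport upstream #27483 for PKCS11 needs
+
+---
+.../implementations/skeymgmt/aes_skmgmt.c | 2 +
+providers/implementations/skeymgmt/generic.c | 12 ++++
+.../implementations/skeymgmt/skeymgmt_lcl.h | 1 +
+test/evp_skey_test.c | 61 +++++++++++++++++++
+4 files changed, 76 insertions(+)
+
+diff --git a/providers/implementations/skeymgmt/aes_skmgmt.c b/providers/implementations/skeymgmt/aes_skmgmt.c
+index 6d3b5f377f..17be480131 100644
+--- a/providers/implementations/skeymgmt/aes_skmgmt.c
++++ b/providers/implementations/skeymgmt/aes_skmgmt.c
+@@ -48,5 +48,7 @@ const OSSL_DISPATCH ossl_aes_skeymgmt_functions[] = {
+{ OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
+{ OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))aes_import },
+{ OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))aes_export },
++ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
++ (void (*)(void))generic_imp_settable_params },
+OSSL_DISPATCH_END
+};
+diff --git a/providers/implementations/skeymgmt/generic.c b/providers/implementations/skeymgmt/generic.c
+index b41bf8e12d..5fb3fad7e3 100644
+--- a/providers/implementations/skeymgmt/generic.c
++++ b/providers/implementations/skeymgmt/generic.c
+@@ -65,6 +65,16 @@ end:
+return generic;
+}
+
++static const OSSL_PARAM generic_import_params[] = {
++ OSSL_PARAM_octet_string(OSSL_SKEY_PARAM_RAW_BYTES, NULL, 0),
++ OSSL_PARAM_END
++};
++
++const OSSL_PARAM *generic_imp_settable_params(void *provctx)
++{
++ return generic_import_params;
++}
++
+int generic_export(void *keydata, int selection,
+OSSL_CALLBACK *param_callback, void *cbarg)
+{
+@@ -89,5 +99,7 @@ const OSSL_DISPATCH ossl_generic_skeymgmt_functions[] = {
+{ OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
+{ OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))generic_import },
+{ OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))generic_export },
++ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
++ (void (*)(void))generic_imp_settable_params },
+OSSL_DISPATCH_END
+};
+diff --git a/providers/implementations/skeymgmt/skeymgmt_lcl.h b/providers/implementations/skeymgmt/skeymgmt_lcl.h
+index c180c1d303..a7e7605050 100644
+--- a/providers/implementations/skeymgmt/skeymgmt_lcl.h
++++ b/providers/implementations/skeymgmt/skeymgmt_lcl.h
+@@ -15,5 +15,6 @@
+OSSL_FUNC_skeymgmt_import_fn generic_import;
+OSSL_FUNC_skeymgmt_export_fn generic_export;
+OSSL_FUNC_skeymgmt_free_fn generic_free;
++OSSL_FUNC_skeymgmt_imp_settable_params_fn generic_imp_settable_params;
+
+#endif
+diff --git a/test/evp_skey_test.c b/test/evp_skey_test.c
+index b81df9c8f8..e33bbbe003 100644
+--- a/test/evp_skey_test.c
++++ b/test/evp_skey_test.c
+@@ -92,6 +92,66 @@ end:
+return ret;
+}
+
++static int test_skey_skeymgmt(void)
++{
++ int ret = 0;
++ EVP_SKEYMGMT *skeymgmt = NULL;
++ EVP_SKEY *key = NULL;
++ const unsigned char import_key[KEY_SIZE] = {
++ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
++ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
++ };
++ OSSL_PARAM params[2];
++ const OSSL_PARAM *imp_params;
++ const OSSL_PARAM *p;
++ OSSL_PARAM *exp_params = NULL;
++ const void *export_key = NULL;
++ size_t export_len;
++
++ deflprov = OSSL_PROVIDER_load(libctx, "default");
++ if (!TEST_ptr(deflprov))
++ return 0;
++
++ /* Fetch our SKYMGMT for Generic Secrets */
++ if (!TEST_ptr(skeymgmt = EVP_SKEYMGMT_fetch(libctx, OSSL_SKEY_TYPE_GENERIC,
++ NULL)))
++ goto end;
++
++ /* Check the parameter we need is available */
++ if (!TEST_ptr(imp_params = EVP_SKEYMGMT_get0_imp_settable_params(skeymgmt))
++ || !TEST_ptr(p = OSSL_PARAM_locate_const(imp_params,
++ OSSL_SKEY_PARAM_RAW_BYTES)))
++ goto end;
++
++ /* Import EVP_SKEY */
++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_SKEY_PARAM_RAW_BYTES,
++ (void *)import_key, KEY_SIZE);
++ params[1] = OSSL_PARAM_construct_end();
++
++ if (!TEST_ptr(key = EVP_SKEY_import(libctx,
++ EVP_SKEYMGMT_get0_name(skeymgmt), NULL,
++ OSSL_SKEYMGMT_SELECT_ALL, params)))
++ goto end;
++
++ /* Export EVP_SKEY */
++ if (!TEST_int_gt(EVP_SKEY_export(key, OSSL_SKEYMGMT_SELECT_SECRET_KEY,
++ ossl_pkey_todata_cb, &exp_params), 0)
++ || !TEST_ptr(p = OSSL_PARAM_locate_const(exp_params,
++ OSSL_SKEY_PARAM_RAW_BYTES))
++ || !TEST_int_gt(OSSL_PARAM_get_octet_string_ptr(p, &export_key,
++ &export_len), 0)
++ || !TEST_mem_eq(import_key, KEY_SIZE, export_key, export_len))
++ goto end;
++
++ ret = 1;
++end:
++ OSSL_PARAM_free(exp_params);
++ EVP_SKEYMGMT_free(skeymgmt);
++ EVP_SKEY_free(key);
++
++ return ret;
++}
++
+#define IV_SIZE 16
+#define DATA_SIZE 32
+static int test_aes_raw_skey(void)
+@@ -252,6 +312,7 @@ int setup_tests(void)
+return 0;
+
+ADD_TEST(test_skey_cipher);
++ ADD_TEST(test_skey_skeymgmt);
+
+ADD_TEST(test_aes_raw_skey);
+#ifndef OPENSSL_NO_DES
+--
+2.49.0
+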
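Review bot: The new test only fetches OSSL_SKEY_TYPE_GENERIC, yet aes_skmgmt.c gains the same OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS entry and that path, presumably the one the PKCS#11 use case in the subject needs, is never exercised; a second pass with `EVP_SKEYMGMT_fetch(libctx, OSSL_SKEY_TYPE_AES, NULL)` and the same RAW_BYTES lookup on a 16-byte key would cover it. Separately, `deflprov = OSSL_PROVIDER_load(libctx, "default")` assigns what looks like a file-scope handle; if setup_tests() or another test already loaded it, this overwrites and leaks the earlier reference, which should be checked against the rest of evp_skey_test.c outside the hunk. The comment typo `SKYMGMT` should read `SKEYMGMT`.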
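--- /dev/null
+++ b/0054-Red-Hat-9-FIPS-indicator-defines.patch
@@ -0,0 +1,129 @@
+From c6a6ec6d5cd9e74c78bb5167cf77c0f383bf177c Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Mon, 12 May 2025 16:21:23 +0200
+Subject: [PATCH 54/54] Red Hat 9 FIPS indicator defines
+
+---
+include/openssl/evp.h | 15 +++++++++++++++
+include/openssl/kdf.h | 4 ++++
+util/perl/OpenSSL/paramnames.pm | 7 +++++++
+3 files changed, 26 insertions(+)
+
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index e5da1e6415..3849c1779e 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -779,6 +779,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
+void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
+int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+const unsigned char *key, const unsigned char *iv);
+__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
+@@ -850,6 +854,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
+__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+int *outl);
+
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+EVP_PKEY *pkey);
+__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+@@ -1249,6 +1257,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
+void *arg);
+
+/* MAC stuff */
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
+EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
+const char *properties);
+@@ -1826,6 +1837,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
+OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
+# endif
+
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
+const char *properties);
+int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
+diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
+index 0983230a48..86171635ea 100644
+--- a/include/openssl/kdf.h
++++ b/include/openssl/kdf.h
+@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
+# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
+# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
+#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
+#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
+diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
+index 059b489735..5a1864309d 100644
+--- a/util/perl/OpenSSL/paramnames.pm
++++ b/util/perl/OpenSSL/paramnames.pm
+@@ -143,6 +143,8 @@ my %params = (
+'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' => "encrypt-check", # int
+'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+'CIPHER_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID',
++ #Old RedHat FIPS provider compatibility
++ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
+# Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used. For the
+# time being, the old libcrypto functions will use both, so old providers
+# continue to work.
+@@ -190,6 +192,7 @@ my %params = (
+'MAC_PARAM_SIZE' => "size", # size_t
+'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
+'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
++ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
+'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC',
+'MAC_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+@@ -234,6 +237,7 @@ my %params = (
+'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
+'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
+'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
++ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
+'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
+'KDF_PARAM_THREADS' => "threads", # uint32_t
+@@ -474,6 +478,7 @@ my %params = (
+'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
+'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
+'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
++ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
+'SIGNATURE_PARAM_INSTANCE' => "instance",
+'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
+@@ -508,6 +513,7 @@ my %params = (
+'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED',
+'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
++ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+
+# Encoder / decoder parameters
+
+@@ -541,6 +547,7 @@ my %params = (
+
+# KEM parameters
+'KEM_PARAM_OPERATION' => "operation",
++ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+'KEM_PARAM_IKME' => "ikme",
+'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+--
+2.49.0
+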
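Review bot: These headers restore the RHEL 9 `redhat-fips-indicator` parameter names and EVP_*_REDHAT_FIPS_INDICATOR_* values, but nothing in this patch makes any provider actually report the parameter, so code ported from RHEL 9 will get a gettable-params miss rather than a value; callers must treat that as UNDETERMINED, never as APPROVED. A comment next to the evp.h defines, e.g. `/* RHEL 9 source compatibility only; a provider that does not expose "redhat-fips-indicator" is UNDETERMINED - prefer OSSL_ALG_PARAM_FIPS_APPROVED_INDICATOR */`, would head off the obvious misuse since the upstream indicator sits right beside these names in paramnames.pm. The paramnames.pm entry for MAC_PARAM_REDHAT_FIPS_INDICATOR is also annotated `# size_t` while the CIPHER entry says `# int` and the EVP_MAC_REDHAT_FIPS_INDICATOR_* constants are plain ints; unless the RHEL 9 MAC implementation really used a size_t parameter, change that annotation to `# int` so consumers do not pick the wrong OSSL_PARAM getter.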
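--- /dev/null
+++ b/0055-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
@@ -0,0 +1,58 @@
+From 54eabd5b18433a4d624904193c7148e92cb3c9b0 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 7 Apr 2025 12:58:54 +0200
+Subject: [PATCH 55/57] crypto: disable OSSL_PARAM_REAL on UEFI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Floating point types like double can't be used on UEFI.
+Fix build on UEFI by disabling the OSSL_PARAM_REAL branch.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/27284)
+---
+crypto/params_from_text.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c
+index 7532d4d439..fb25400dc1 100644
+--- a/crypto/params_from_text.c
++++ b/crypto/params_from_text.c
+@@ -220,9 +220,9 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
+BIGNUM *bn;
+#ifndef OPENSSL_SYS_UEFI
+double d;
++ int dok;
+#endif
+int ok = -1;
+- int dok;
+
+/*
+* Iterate through each key in the array printing its key and value
+@@ -280,16 +280,16 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
+case OSSL_PARAM_OCTET_STRING:
+ok = BIO_dump(bio, (char *)p->data, p->data_size);
+break;
++#ifndef OPENSSL_SYS_UEFI
+case OSSL_PARAM_REAL:
+dok = 0;
+-#ifndef OPENSSL_SYS_UEFI
+dok = OSSL_PARAM_get_double(p, &d);
+-#endif
+if (dok == 1)
+ok = BIO_printf(bio, "%f\n", d);
+else
+ok = BIO_printf(bio, "error getting value\n");
+break;
++#endif
+default:
+ok = BIO_printf(bio, "unknown type (%u) of %zu bytes\n",
+p->data_type, p->data_size);
+--
+2.49.0
+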
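Review bot: On UEFI an OSSL_PARAM_REAL entry now falls into `default:` and is reported as "unknown type", which conflates "this build cannot format doubles" with a genuinely unknown data type. An `#else` arm with `case OSSL_PARAM_REAL: ok = BIO_printf(bio, "real values not supported on this platform\n"); break;` keeps the diagnostic honest without touching floating point. Moving `dok` under the same #ifndef as `d` is right since it is only used in that arm; OSSL_PARAM_print_to_bio() starts and ends outside the hunk.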
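--- /dev/null
+++ b/0056-hashfunc-add-stddef.h-include.patch
@@ -0,0 +1,36 @@
+From b2770d12f3225982813bdc3fece7b541d0974793 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 7 Apr 2025 13:29:36 +0200
+Subject: [PATCH 56/57] hashfunc: add stddef.h include
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+size_t is declared in stddef.h, so include the header file to
+make sure it is available. Fixes build on UEFI.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/27284)
+---
+include/internal/hashfunc.h | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/include/internal/hashfunc.h b/include/internal/hashfunc.h
+index cabc7beed4..fae8a275fa 100644
+--- a/include/internal/hashfunc.h
++++ b/include/internal/hashfunc.h
+@@ -11,6 +11,7 @@
+# define OPENSSL_HASHFUNC_H
+
+# include <openssl/e_os2.h>
++# include <stddef.h>
+/**
+* Generalized fnv1a 64 bit hash function
+*/
+--
+2.49.0
+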
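--- /dev/null
+++ b/0057-rio-add-RIO_POLL_METHOD_NONE.patch
@@ -0,0 +1,73 @@
+From 48a4ffa48905d76b5bca24252de9697bb1a3ea86 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 7 Apr 2025 14:06:28 +0200
+Subject: [PATCH 57/57] rio: add RIO_POLL_METHOD_NONE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes build on UEFI.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/27284)
+---
+ssl/rio/poll_builder.c | 4 +++-
+ssl/rio/poll_builder.h | 4 +++-
+ssl/rio/poll_method.h | 5 ++++-
+3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ssl/rio/poll_builder.c b/ssl/rio/poll_builder.c
+index 007e360d87..3cfbe3b0ac 100644
+--- a/ssl/rio/poll_builder.c
++++ b/ssl/rio/poll_builder.c
+@@ -16,7 +16,9 @@ OSSL_SAFE_MATH_UNSIGNED(size_t, size_t)
+
+int ossl_rio_poll_builder_init(RIO_POLL_BUILDER *rpb)
+{
+-#if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
++#if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
++ return 0;
++#elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
+FD_ZERO(&rpb->rfd);
+FD_ZERO(&rpb->wfd);
+FD_ZERO(&rpb->efd);
+diff --git a/ssl/rio/poll_builder.h b/ssl/rio/poll_builder.h
+index ffc9bbf9fc..985e4713b2 100644
+--- a/ssl/rio/poll_builder.h
++++ b/ssl/rio/poll_builder.h
+@@ -23,7 +23,9 @@
+* FDs.
+*/
+typedef struct rio_poll_builder_st {
+-# if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
++# if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
++ /* nothing */;
++# elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
+fd_set rfd, wfd, efd;
+int hwm_fd;
+# elif RIO_POLL_METHOD == RIO_POLL_METHOD_POLL
+diff --git a/ssl/rio/poll_method.h b/ssl/rio/poll_method.h
+index 9a6de89270..d5af8663c2 100644
+--- a/ssl/rio/poll_method.h
++++ b/ssl/rio/poll_method.h
+@@ -14,9 +14,12 @@
+
+# define RIO_POLL_METHOD_SELECT 1
+# define RIO_POLL_METHOD_POLL 2
++# define RIO_POLL_METHOD_NONE 3
+
+# ifndef RIO_POLL_METHOD
+-# if !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
++# if defined(OPENSSL_SYS_UEFI)
++# define RIO_POLL_METHOD RIO_POLL_METHOD_NONE
++# elif !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
+# define RIO_POLL_METHOD RIO_POLL_METHOD_POLL
+# else
+# define RIO_POLL_METHOD RIO_POLL_METHOD_SELECT
+--
+2.49.0
+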
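Review bot: The `/* nothing */;` arm leaves `struct rio_poll_builder_st` with no members (a lone `;` is an empty declaration), which is a constraint violation in ISO C that only compiles as a GCC/Clang extension, so a pedantic build or another toolchain will reject the header; a placeholder member such as `int unused;` is the portable form. With RIO_POLL_METHOD_NONE, ossl_rio_poll_builder_init() also returns 0 unconditionally, so every caller sees initialisation failure; that is presumably the intent (no polling on UEFI), but a comment at the return, `/* no poll method on this platform: callers must treat init failure as "polling unavailable" */`, would stop the next reader from filing it as a bug. ossl_rio_poll_builder_init() continues past the hunk.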
28
openssl.spec
28
openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.5.0
|
||||
Release: 2%{?dist}.alma.1
|
||||
Release: 3%{?dist}.alma.1
|
||||
Epoch: 1
|
||||
Source0: openssl-%{version}.tar.gz
|
||||
Source1: fips-hmacify.sh
|
||||
@ -90,6 +90,14 @@ Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
|
||||
Patch0048: 0048-Current-Rebase-status.patch
|
||||
Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
|
||||
Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
|
||||
Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch
|
||||
Patch0052: 0052-Fixup-forbid-SHA1.patch
|
||||
Patch0053: 0053-Backport-upstream-27483-for-PKCS11-needs.patch
|
||||
Patch0054: 0054-Red-Hat-9-FIPS-indicator-defines.patch
|
||||
Patch0055: 0055-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
|
||||
Patch0056: 0056-hashfunc-add-stddef.h-include.patch
|
||||
Patch0057: 0057-rio-add-RIO_POLL_METHOD_NONE.patch
|
||||
|
||||
|
||||
License: Apache-2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -237,7 +245,7 @@ export HASHBANGPERL=/usr/bin/perl
|
||||
--libdir=%{_lib} \
|
||||
%endif
|
||||
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
|
||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-sslkeylog \
|
||||
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
|
||||
no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
|
||||
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' -DOPENSSL_PEDANTIC_ZEROIZATION\
|
||||
@ -431,9 +439,23 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Fri Apr 18 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.0-2.alma.1
|
||||
* Thu May 15 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.0-3.alma.1
|
||||
- Redefine sslarch for x86_64_v2 arch
|
||||
|
||||
* Wed May 14 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-3
|
||||
- Fix `openssl speed` running in FIPS mode
|
||||
Resolves: RHEL-88908
|
||||
- pkeyutl ecdsa signature with sha1 shouldn't work by default
|
||||
Resolves: RHEL-88911
|
||||
- Expose settable params for EVP_SKEY
|
||||
Resolves: RHEL-88913
|
||||
- Restore RHEL9-style indicators defines
|
||||
Resolves: RHEL-88906
|
||||
- Enable sslkeylog support
|
||||
Resolves: RHEL-90853
|
||||
- Fix UEFI builds
|
||||
Resolves: RHEL-89137
|
||||
|
||||
* Thu Apr 17 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-2
|
||||
- Update depencency on crypto-policies
|
||||
Related: RHEL-80811
|
||||
|
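Review bot: `enable-sslkeylog` compiles in support for the SSLKEYLOGFILE environment variable, meaning any process linked against this libssl can be directed through its environment to write TLS session secrets to a file, which matters for a FIPS-enabled enterprise build used by privileged daemons. Before shipping, confirm that the 3.5 implementation refuses to honour the variable in setuid or otherwise privileged processes (not visible from the spec) and record the decision next to the flag, e.g. `# enable-sslkeylog: honours SSLKEYLOGFILE (dumps TLS secrets to a file); RHEL-90853`, so the exposure is deliberate and documented rather than an incidental configure option.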