From b5cbb03855c15868f9b7c0a00763935a3739bb02 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 14 May 2025 11:33:54 +0200 Subject: [PATCH 1/6] Fix `openssl speed` running in FIPS mode Resolves: RHEL-88908 --- ...-Make-openssl-speed-run-in-FIPS-mode.patch | 76 +++++++++++++++++++ openssl.spec | 7 +- 2 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 0051-Make-openssl-speed-run-in-FIPS-mode.patch diff --git a/0051-Make-openssl-speed-run-in-FIPS-mode.patch b/0051-Make-openssl-speed-run-in-FIPS-mode.patch new file mode 100644 index 0000000..f3874cb --- /dev/null +++ b/0051-Make-openssl-speed-run-in-FIPS-mode.patch @@ -0,0 +1,76 @@ +From e128762a1b1f047633e76022a6a8097cb88b49a6 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 9 May 2025 15:09:46 +0200 +Subject: [PATCH 51/54] Make `openssl speed` run in FIPS mode + +--- + apps/speed.c | 44 ++++++++++++++++++++++---------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/apps/speed.c b/apps/speed.c +index 1edf9b8485..d4e707074c 100644 +--- a/apps/speed.c ++++ b/apps/speed.c +@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv) + (void *)key32, 16); + params[1] = OSSL_PARAM_construct_end(); + +- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1) +- goto end; +- for (testnum = 0; testnum < size_num; testnum++) { +- print_message(names[D_KMAC128], lengths[testnum], seconds.sym); +- Time_F(START); +- count = run_benchmark(async_jobs, KMAC128_loop, loopargs); +- d = Time_F(STOP); +- print_result(D_KMAC128, testnum, count, d); +- if (count < 0) +- break; ++ if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) { ++ for (testnum = 0; testnum < size_num; testnum++) { ++ print_message(names[D_KMAC128], lengths[testnum], seconds.sym); ++ Time_F(START); ++ count = run_benchmark(async_jobs, KMAC128_loop, loopargs); ++ d = Time_F(STOP); ++ print_result(D_KMAC128, testnum, count, d); ++ if (count < 0) ++ break; ++ } ++ mac_teardown(&mac, loopargs, loopargs_len); + } +- mac_teardown(&mac, loopargs, loopargs_len); + } + + if (doit[D_KMAC256]) { +@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv) + (void *)key32, 32); + params[1] = OSSL_PARAM_construct_end(); + +- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1) +- goto end; +- for (testnum = 0; testnum < size_num; testnum++) { +- print_message(names[D_KMAC256], lengths[testnum], seconds.sym); +- Time_F(START); +- count = run_benchmark(async_jobs, KMAC256_loop, loopargs); +- d = Time_F(STOP); +- print_result(D_KMAC256, testnum, count, d); +- if (count < 0) +- break; ++ if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) { ++ for (testnum = 0; testnum < size_num; testnum++) { ++ print_message(names[D_KMAC256], lengths[testnum], seconds.sym); ++ Time_F(START); ++ count = run_benchmark(async_jobs, KMAC256_loop, loopargs); ++ d = Time_F(STOP); ++ print_result(D_KMAC256, testnum, count, d); ++ if (count < 0) ++ break; ++ } ++ mac_teardown(&mac, loopargs, loopargs_len); + } +- mac_teardown(&mac, loopargs, loopargs_len); + } + + for (i = 0; i < loopargs_len; i++) +-- +2.49.0 + diff --git a/openssl.spec b/openssl.spec index eb83a81..4992b31 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.5.0 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 1 Source0: openssl-%{version}.tar.gz Source1: fips-hmacify.sh @@ -90,6 +90,7 @@ Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch Patch0048: 0048-Current-Rebase-status.patch Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch +Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -428,6 +429,10 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h %ldconfig_scriptlets libs %changelog +* Wed May 14 2025 Dmitry Belyavskiy - 1:3.5.0-3 +- Fix `openssl speed` running in FIPS mode + Resolves: RHEL-88908 + * Thu Apr 17 2025 Dmitry Belyavskiy - 1:3.5.0-2 - Update depencency on crypto-policies Related: RHEL-80811 From 1934b43ef11d74f774f39413907a89aa89086438 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 14 May 2025 11:36:32 +0200 Subject: [PATCH 2/6] pkeyutl ecdsa signature with sha1 shouldn't work by default Resolves: RHEL-88911 --- 0052-Fixup-forbid-SHA1.patch | 58 ++++++++++++++++++++++++++++++++++++ openssl.spec | 3 ++ 2 files changed, 61 insertions(+) create mode 100644 0052-Fixup-forbid-SHA1.patch diff --git a/0052-Fixup-forbid-SHA1.patch b/0052-Fixup-forbid-SHA1.patch new file mode 100644 index 0000000..3706183 --- /dev/null +++ b/0052-Fixup-forbid-SHA1.patch @@ -0,0 +1,58 @@ +From a6b4af9d39e07457189147bd50fe6ee3e8e88b6d Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 12 May 2025 14:28:00 +0200 +Subject: [PATCH 52/54] Fixup - forbid SHA1 + +--- + crypto/context.c | 6 ------ + providers/implementations/signature/ecdsa_sig.c | 5 ++--- + 2 files changed, 2 insertions(+), 9 deletions(-) + +diff --git a/crypto/context.c b/crypto/context.c +index 6859146510..323615e300 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -133,9 +133,6 @@ static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) + static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) + { + OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); +- /* Warning: This patch differs from the same patch in CentOS and RHEL here, +- * because the default on Fedora is to allow SHA-1 and support disabling +- * it, while CentOS/RHEL disable it by default and allow enabling it. */ + ldsigs->allowed = 0; + return ldsigs; + } +@@ -770,9 +767,6 @@ int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconf + return 1; + #endif + +- /* Warning: This patch differs from the same patch in CentOS and RHEL here, +- * because the default on Fedora is to allow SHA-1 and support disabling +- * it, while CentOS/RHEL disable it by default and allow enabling it. */ + return ldsigs != NULL ? ldsigs->allowed : 0; + } + +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index 34fb3aa56e..4d7c25728a 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ b/providers/implementations/signature/ecdsa_sig.c +@@ -198,14 +198,13 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, + } + md_nid = ossl_digest_get_approved_nid(md); + +-#ifdef FIPS_MODULE + md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid); +- if (md_nid <= 0) { ++ /* KECCAK-256 is explicitly allowed for ECDSA despite it doesn't have a NID*/ ++ if (md_nid <= 0 && !(EVP_MD_is_a(md, "KECCAK-256"))) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest=%s", mdname); + goto err; + } +-#endif + + /* XOF digests don't work */ + if (EVP_MD_xof(md)) { +-- +2.49.0 + diff --git a/openssl.spec b/openssl.spec index 4992b31..63ce919 100644 --- a/openssl.spec +++ b/openssl.spec @@ -91,6 +91,7 @@ Patch0048: 0048-Current-Rebase-status.patch Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch +Patch0052: 0052-Fixup-forbid-SHA1.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -432,6 +433,8 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h * Wed May 14 2025 Dmitry Belyavskiy - 1:3.5.0-3 - Fix `openssl speed` running in FIPS mode Resolves: RHEL-88908 +- pkeyutl ecdsa signature with sha1 shouldn't work by default + Resolves: RHEL-88911 * Thu Apr 17 2025 Dmitry Belyavskiy - 1:3.5.0-2 - Update depencency on crypto-policies From 154d1831cd79fa0f52206b3258306683eefa94f4 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 14 May 2025 11:38:56 +0200 Subject: [PATCH 3/6] Expose settable params for EVP_SKEY Resolves: RHEL-88913 --- ...port-upstream-27483-for-PKCS11-needs.patch | 146 ++++++++++++++++++ openssl.spec | 3 + 2 files changed, 149 insertions(+) create mode 100644 0053-Backport-upstream-27483-for-PKCS11-needs.patch diff --git a/0053-Backport-upstream-27483-for-PKCS11-needs.patch b/0053-Backport-upstream-27483-for-PKCS11-needs.patch new file mode 100644 index 0000000..f7ea623 --- /dev/null +++ b/0053-Backport-upstream-27483-for-PKCS11-needs.patch @@ -0,0 +1,146 @@ +From d3152ec5d2c4e87bb15b669b5b128fe15515e51e Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 12 May 2025 14:34:39 +0200 +Subject: [PATCH 53/54] Backport upstream #27483 for PKCS11 needs + +--- + .../implementations/skeymgmt/aes_skmgmt.c | 2 + + providers/implementations/skeymgmt/generic.c | 12 ++++ + .../implementations/skeymgmt/skeymgmt_lcl.h | 1 + + test/evp_skey_test.c | 61 +++++++++++++++++++ + 4 files changed, 76 insertions(+) + +diff --git a/providers/implementations/skeymgmt/aes_skmgmt.c b/providers/implementations/skeymgmt/aes_skmgmt.c +index 6d3b5f377f..17be480131 100644 +--- a/providers/implementations/skeymgmt/aes_skmgmt.c ++++ b/providers/implementations/skeymgmt/aes_skmgmt.c +@@ -48,5 +48,7 @@ const OSSL_DISPATCH ossl_aes_skeymgmt_functions[] = { + { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free }, + { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))aes_import }, + { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))aes_export }, ++ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS, ++ (void (*)(void))generic_imp_settable_params }, + OSSL_DISPATCH_END + }; +diff --git a/providers/implementations/skeymgmt/generic.c b/providers/implementations/skeymgmt/generic.c +index b41bf8e12d..5fb3fad7e3 100644 +--- a/providers/implementations/skeymgmt/generic.c ++++ b/providers/implementations/skeymgmt/generic.c +@@ -65,6 +65,16 @@ end: + return generic; + } + ++static const OSSL_PARAM generic_import_params[] = { ++ OSSL_PARAM_octet_string(OSSL_SKEY_PARAM_RAW_BYTES, NULL, 0), ++ OSSL_PARAM_END ++}; ++ ++const OSSL_PARAM *generic_imp_settable_params(void *provctx) ++{ ++ return generic_import_params; ++} ++ + int generic_export(void *keydata, int selection, + OSSL_CALLBACK *param_callback, void *cbarg) + { +@@ -89,5 +99,7 @@ const OSSL_DISPATCH ossl_generic_skeymgmt_functions[] = { + { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free }, + { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))generic_import }, + { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))generic_export }, ++ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS, ++ (void (*)(void))generic_imp_settable_params }, + OSSL_DISPATCH_END + }; +diff --git a/providers/implementations/skeymgmt/skeymgmt_lcl.h b/providers/implementations/skeymgmt/skeymgmt_lcl.h +index c180c1d303..a7e7605050 100644 +--- a/providers/implementations/skeymgmt/skeymgmt_lcl.h ++++ b/providers/implementations/skeymgmt/skeymgmt_lcl.h +@@ -15,5 +15,6 @@ + OSSL_FUNC_skeymgmt_import_fn generic_import; + OSSL_FUNC_skeymgmt_export_fn generic_export; + OSSL_FUNC_skeymgmt_free_fn generic_free; ++OSSL_FUNC_skeymgmt_imp_settable_params_fn generic_imp_settable_params; + + #endif +diff --git a/test/evp_skey_test.c b/test/evp_skey_test.c +index b81df9c8f8..e33bbbe003 100644 +--- a/test/evp_skey_test.c ++++ b/test/evp_skey_test.c +@@ -92,6 +92,66 @@ end: + return ret; + } + ++static int test_skey_skeymgmt(void) ++{ ++ int ret = 0; ++ EVP_SKEYMGMT *skeymgmt = NULL; ++ EVP_SKEY *key = NULL; ++ const unsigned char import_key[KEY_SIZE] = { ++ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59, ++ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59, ++ }; ++ OSSL_PARAM params[2]; ++ const OSSL_PARAM *imp_params; ++ const OSSL_PARAM *p; ++ OSSL_PARAM *exp_params = NULL; ++ const void *export_key = NULL; ++ size_t export_len; ++ ++ deflprov = OSSL_PROVIDER_load(libctx, "default"); ++ if (!TEST_ptr(deflprov)) ++ return 0; ++ ++ /* Fetch our SKYMGMT for Generic Secrets */ ++ if (!TEST_ptr(skeymgmt = EVP_SKEYMGMT_fetch(libctx, OSSL_SKEY_TYPE_GENERIC, ++ NULL))) ++ goto end; ++ ++ /* Check the parameter we need is available */ ++ if (!TEST_ptr(imp_params = EVP_SKEYMGMT_get0_imp_settable_params(skeymgmt)) ++ || !TEST_ptr(p = OSSL_PARAM_locate_const(imp_params, ++ OSSL_SKEY_PARAM_RAW_BYTES))) ++ goto end; ++ ++ /* Import EVP_SKEY */ ++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_SKEY_PARAM_RAW_BYTES, ++ (void *)import_key, KEY_SIZE); ++ params[1] = OSSL_PARAM_construct_end(); ++ ++ if (!TEST_ptr(key = EVP_SKEY_import(libctx, ++ EVP_SKEYMGMT_get0_name(skeymgmt), NULL, ++ OSSL_SKEYMGMT_SELECT_ALL, params))) ++ goto end; ++ ++ /* Export EVP_SKEY */ ++ if (!TEST_int_gt(EVP_SKEY_export(key, OSSL_SKEYMGMT_SELECT_SECRET_KEY, ++ ossl_pkey_todata_cb, &exp_params), 0) ++ || !TEST_ptr(p = OSSL_PARAM_locate_const(exp_params, ++ OSSL_SKEY_PARAM_RAW_BYTES)) ++ || !TEST_int_gt(OSSL_PARAM_get_octet_string_ptr(p, &export_key, ++ &export_len), 0) ++ || !TEST_mem_eq(import_key, KEY_SIZE, export_key, export_len)) ++ goto end; ++ ++ ret = 1; ++end: ++ OSSL_PARAM_free(exp_params); ++ EVP_SKEYMGMT_free(skeymgmt); ++ EVP_SKEY_free(key); ++ ++ return ret; ++} ++ + #define IV_SIZE 16 + #define DATA_SIZE 32 + static int test_aes_raw_skey(void) +@@ -252,6 +312,7 @@ int setup_tests(void) + return 0; + + ADD_TEST(test_skey_cipher); ++ ADD_TEST(test_skey_skeymgmt); + + ADD_TEST(test_aes_raw_skey); + #ifndef OPENSSL_NO_DES +-- +2.49.0 + diff --git a/openssl.spec b/openssl.spec index 63ce919..4ec89ac 100644 --- a/openssl.spec +++ b/openssl.spec @@ -92,6 +92,7 @@ Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch Patch0052: 0052-Fixup-forbid-SHA1.patch +Patch0053: 0053-Backport-upstream-27483-for-PKCS11-needs.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -435,6 +436,8 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h Resolves: RHEL-88908 - pkeyutl ecdsa signature with sha1 shouldn't work by default Resolves: RHEL-88911 +- Expose settable params for EVP_SKEY + Resolves: RHEL-88913 * Thu Apr 17 2025 Dmitry Belyavskiy - 1:3.5.0-2 - Update depencency on crypto-policies From 4b761c8ea2806c148bd55cbc3b00335a34076b69 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 14 May 2025 11:41:03 +0200 Subject: [PATCH 4/6] Restore RHEL9-style indicators defines Resolves: RHEL-88906 --- 0054-Red-Hat-9-FIPS-indicator-defines.patch | 129 ++++++++++++++++++++ openssl.spec | 3 + 2 files changed, 132 insertions(+) create mode 100644 0054-Red-Hat-9-FIPS-indicator-defines.patch diff --git a/0054-Red-Hat-9-FIPS-indicator-defines.patch b/0054-Red-Hat-9-FIPS-indicator-defines.patch new file mode 100644 index 0000000..f54ab1a --- /dev/null +++ b/0054-Red-Hat-9-FIPS-indicator-defines.patch @@ -0,0 +1,129 @@ +From c6a6ec6d5cd9e74c78bb5167cf77c0f383bf177c Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 12 May 2025 16:21:23 +0200 +Subject: [PATCH 54/54] Red Hat 9 FIPS indicator defines + +--- + include/openssl/evp.h | 15 +++++++++++++++ + include/openssl/kdf.h | 4 ++++ + util/perl/OpenSSL/paramnames.pm | 7 +++++++ + 3 files changed, 26 insertions(+) + +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index e5da1e6415..3849c1779e 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -779,6 +779,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags); + void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); + int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags); + ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + const unsigned char *key, const unsigned char *iv); + __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, +@@ -850,6 +854,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx, + __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, + int *outl); + ++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, + EVP_PKEY *pkey); + __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, +@@ -1249,6 +1257,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx, + void *arg); + + /* MAC stuff */ ++# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 + + EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm, + const char *properties); +@@ -1826,6 +1837,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); + OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); + # endif + ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, + const char *properties); + int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt); +diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h +index 0983230a48..86171635ea 100644 +--- a/include/openssl/kdf.h ++++ b/include/openssl/kdf.h +@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf, + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 + # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 + ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 + #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 059b489735..5a1864309d 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -143,6 +143,8 @@ my %params = ( + 'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' => "encrypt-check", # int + 'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR', + 'CIPHER_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID', ++ #Old RedHat FIPS provider compatibility ++ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int + # Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used. For the + # time being, the old libcrypto functions will use both, so old providers + # continue to work. +@@ -190,6 +192,7 @@ my %params = ( + 'MAC_PARAM_SIZE' => "size", # size_t + 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t + 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t ++ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t + 'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC', + 'MAC_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK', + 'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR', +@@ -234,6 +237,7 @@ my %params = ( + 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo", + 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo", + 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits", ++ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy", + 'KDF_PARAM_HMACDRBG_NONCE' => "nonce", + 'KDF_PARAM_THREADS' => "threads", # uint32_t +@@ -474,6 +478,7 @@ my %params = ( + 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', + 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', + 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', ++ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", + 'SIGNATURE_PARAM_INSTANCE' => "instance", + 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", +@@ -508,6 +513,7 @@ my %params = ( + 'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED', + 'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK', + 'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR', ++ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + + # Encoder / decoder parameters + +@@ -541,6 +547,7 @@ my %params = ( + + # KEM parameters + 'KEM_PARAM_OPERATION' => "operation", ++ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + 'KEM_PARAM_IKME' => "ikme", + 'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK', + 'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR', +-- +2.49.0 + diff --git a/openssl.spec b/openssl.spec index 4ec89ac..54b1436 100644 --- a/openssl.spec +++ b/openssl.spec @@ -93,6 +93,7 @@ Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch Patch0052: 0052-Fixup-forbid-SHA1.patch Patch0053: 0053-Backport-upstream-27483-for-PKCS11-needs.patch +Patch0054: 0054-Red-Hat-9-FIPS-indicator-defines.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -438,6 +439,8 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h Resolves: RHEL-88911 - Expose settable params for EVP_SKEY Resolves: RHEL-88913 +- Restore RHEL9-style indicators defines + Resolves: RHEL-88906 * Thu Apr 17 2025 Dmitry Belyavskiy - 1:3.5.0-2 - Update depencency on crypto-policies From f911c212963a247dd380d1ebc1b0f80e1d89ab0d Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 14 May 2025 11:48:09 +0200 Subject: [PATCH 5/6] Enable sslkeylog support Resolves: RHEL-90853 --- openssl.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssl.spec b/openssl.spec index 54b1436..6f4a52f 100644 --- a/openssl.spec +++ b/openssl.spec @@ -238,7 +238,7 @@ export HASHBANGPERL=/usr/bin/perl --libdir=%{_lib} \ %endif --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \ - zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ + zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-sslkeylog \ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\ no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' -DOPENSSL_PEDANTIC_ZEROIZATION\ @@ -441,6 +441,8 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h Resolves: RHEL-88913 - Restore RHEL9-style indicators defines Resolves: RHEL-88906 +- Enable sslkeylog support + Resolves: RHEL-90853 * Thu Apr 17 2025 Dmitry Belyavskiy - 1:3.5.0-2 - Update depencency on crypto-policies From dc0e1f27f51c425966dadb3a7c5d45f7658b34b6 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 14 May 2025 12:54:07 +0200 Subject: [PATCH 6/6] Fix UEFI builds Resolves: RHEL-89137 --- ...ypto-disable-OSSL_PARAM_REAL-on-UEFI.patch | 58 +++++++++++++++ 0056-hashfunc-add-stddef.h-include.patch | 36 +++++++++ 0057-rio-add-RIO_POLL_METHOD_NONE.patch | 73 +++++++++++++++++++ openssl.spec | 6 ++ 4 files changed, 173 insertions(+) create mode 100644 0055-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch create mode 100644 0056-hashfunc-add-stddef.h-include.patch create mode 100644 0057-rio-add-RIO_POLL_METHOD_NONE.patch diff --git a/0055-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch b/0055-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch new file mode 100644 index 0000000..4a91c03 --- /dev/null +++ b/0055-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch @@ -0,0 +1,58 @@ +From 54eabd5b18433a4d624904193c7148e92cb3c9b0 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 7 Apr 2025 12:58:54 +0200 +Subject: [PATCH 55/57] crypto: disable OSSL_PARAM_REAL on UEFI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Floating point types like double can't be used on UEFI. +Fix build on UEFI by disabling the OSSL_PARAM_REAL branch. + +Signed-off-by: Gerd Hoffmann + +Reviewed-by: Saša Nedvědický +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/27284) +--- + crypto/params_from_text.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c +index 7532d4d439..fb25400dc1 100644 +--- a/crypto/params_from_text.c ++++ b/crypto/params_from_text.c +@@ -220,9 +220,9 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values) + BIGNUM *bn; + #ifndef OPENSSL_SYS_UEFI + double d; ++ int dok; + #endif + int ok = -1; +- int dok; + + /* + * Iterate through each key in the array printing its key and value +@@ -280,16 +280,16 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values) + case OSSL_PARAM_OCTET_STRING: + ok = BIO_dump(bio, (char *)p->data, p->data_size); + break; ++#ifndef OPENSSL_SYS_UEFI + case OSSL_PARAM_REAL: + dok = 0; +-#ifndef OPENSSL_SYS_UEFI + dok = OSSL_PARAM_get_double(p, &d); +-#endif + if (dok == 1) + ok = BIO_printf(bio, "%f\n", d); + else + ok = BIO_printf(bio, "error getting value\n"); + break; ++#endif + default: + ok = BIO_printf(bio, "unknown type (%u) of %zu bytes\n", + p->data_type, p->data_size); +-- +2.49.0 + diff --git a/0056-hashfunc-add-stddef.h-include.patch b/0056-hashfunc-add-stddef.h-include.patch new file mode 100644 index 0000000..6873b27 --- /dev/null +++ b/0056-hashfunc-add-stddef.h-include.patch @@ -0,0 +1,36 @@ +From b2770d12f3225982813bdc3fece7b541d0974793 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 7 Apr 2025 13:29:36 +0200 +Subject: [PATCH 56/57] hashfunc: add stddef.h include +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +size_t is declared in stddef.h, so include the header file to +make sure it is available. Fixes build on UEFI. + +Signed-off-by: Gerd Hoffmann + +Reviewed-by: Saša Nedvědický +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/27284) +--- + include/internal/hashfunc.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/internal/hashfunc.h b/include/internal/hashfunc.h +index cabc7beed4..fae8a275fa 100644 +--- a/include/internal/hashfunc.h ++++ b/include/internal/hashfunc.h +@@ -11,6 +11,7 @@ + # define OPENSSL_HASHFUNC_H + + # include ++# include + /** + * Generalized fnv1a 64 bit hash function + */ +-- +2.49.0 + diff --git a/0057-rio-add-RIO_POLL_METHOD_NONE.patch b/0057-rio-add-RIO_POLL_METHOD_NONE.patch new file mode 100644 index 0000000..dca288b --- /dev/null +++ b/0057-rio-add-RIO_POLL_METHOD_NONE.patch @@ -0,0 +1,73 @@ +From 48a4ffa48905d76b5bca24252de9697bb1a3ea86 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 7 Apr 2025 14:06:28 +0200 +Subject: [PATCH 57/57] rio: add RIO_POLL_METHOD_NONE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes build on UEFI. + +Signed-off-by: Gerd Hoffmann + +Reviewed-by: Saša Nedvědický +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/27284) +--- + ssl/rio/poll_builder.c | 4 +++- + ssl/rio/poll_builder.h | 4 +++- + ssl/rio/poll_method.h | 5 ++++- + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/ssl/rio/poll_builder.c b/ssl/rio/poll_builder.c +index 007e360d87..3cfbe3b0ac 100644 +--- a/ssl/rio/poll_builder.c ++++ b/ssl/rio/poll_builder.c +@@ -16,7 +16,9 @@ OSSL_SAFE_MATH_UNSIGNED(size_t, size_t) + + int ossl_rio_poll_builder_init(RIO_POLL_BUILDER *rpb) + { +-#if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT ++#if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE ++ return 0; ++#elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT + FD_ZERO(&rpb->rfd); + FD_ZERO(&rpb->wfd); + FD_ZERO(&rpb->efd); +diff --git a/ssl/rio/poll_builder.h b/ssl/rio/poll_builder.h +index ffc9bbf9fc..985e4713b2 100644 +--- a/ssl/rio/poll_builder.h ++++ b/ssl/rio/poll_builder.h +@@ -23,7 +23,9 @@ + * FDs. + */ + typedef struct rio_poll_builder_st { +-# if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT ++# if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE ++ /* nothing */; ++# elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT + fd_set rfd, wfd, efd; + int hwm_fd; + # elif RIO_POLL_METHOD == RIO_POLL_METHOD_POLL +diff --git a/ssl/rio/poll_method.h b/ssl/rio/poll_method.h +index 9a6de89270..d5af8663c2 100644 +--- a/ssl/rio/poll_method.h ++++ b/ssl/rio/poll_method.h +@@ -14,9 +14,12 @@ + + # define RIO_POLL_METHOD_SELECT 1 + # define RIO_POLL_METHOD_POLL 2 ++# define RIO_POLL_METHOD_NONE 3 + + # ifndef RIO_POLL_METHOD +-# if !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN) ++# if defined(OPENSSL_SYS_UEFI) ++# define RIO_POLL_METHOD RIO_POLL_METHOD_NONE ++# elif !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN) + # define RIO_POLL_METHOD RIO_POLL_METHOD_POLL + # else + # define RIO_POLL_METHOD RIO_POLL_METHOD_SELECT +-- +2.49.0 + diff --git a/openssl.spec b/openssl.spec index 6f4a52f..8ec8058 100644 --- a/openssl.spec +++ b/openssl.spec @@ -94,6 +94,10 @@ Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch Patch0052: 0052-Fixup-forbid-SHA1.patch Patch0053: 0053-Backport-upstream-27483-for-PKCS11-needs.patch Patch0054: 0054-Red-Hat-9-FIPS-indicator-defines.patch +Patch0055: 0055-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch +Patch0056: 0056-hashfunc-add-stddef.h-include.patch +Patch0057: 0057-rio-add-RIO_POLL_METHOD_NONE.patch + License: Apache-2.0 URL: http://www.openssl.org/ @@ -443,6 +447,8 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h Resolves: RHEL-88906 - Enable sslkeylog support Resolves: RHEL-90853 +- Fix UEFI builds + Resolves: RHEL-89137 * Thu Apr 17 2025 Dmitry Belyavskiy - 1:3.5.0-2 - Update depencency on crypto-policies