diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch index 4cda828..23777c1 100644 --- a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch @@ -29,10 +29,10 @@ diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 832502a034..e15d208421 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h -@@ -469,6 +469,7 @@ extern "C" { - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" +@@ -477,6 +477,7 @@ extern "C" { + #ifdef FIPS_MODULE + #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" + #endif +#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* @@ -99,16 +99,14 @@ index 568452ec56..0a9adb4056 100644 return 1; } -@@ -410,6 +438,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { - NULL, 0), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), +@@ -465,6 +493,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), -+#ifdef FIPS_MODULE + #ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), + OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ + #endif /* FIPS_MODULE */ OSSL_PARAM_END }; - diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 882cf16125..b4cc0f9237 100644 --- a/providers/implementations/kem/rsa_kem.c @@ -120,8 +118,7 @@ index 882cf16125..b4cc0f9237 100644 +#ifdef FIPS_MODULE + OSSL_PARAM *p; +#endif /* defined(FIPS_MODULE) */ - -- return ctx != NULL; ++ + if (ctx == NULL) + return 0; + 
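Review bot: The added `OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR` define in core_names.h now sits directly after the `#endif` that closes the `FIPS_MODULE`-only `OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED` define, and nothing explains why one name is conditional and the other is public. A short comment above it would help, for example `/* Public name: applications read this int ctx param to query the FIPS indicator */`, with the wording checked against the provider code. The values the indicator can take are not visible in this hunk, so the comment should also say where they are defined.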
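Review bot: The rebased rsa_enc.c hunk moves from old line 410 to line 465 while its header still names `known_gettable_ctx_params[]`, and its new context anchors on the `OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED` entry, a test seed that one would expect in a settable table. The text after `@@` is not checked when a patch is applied, so it is worth confirming in the patched tree that `OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL)` really lands in the gettable array. If it ends up in the settable one, callers that discover parameters through the gettable list will not see the indicator. The array starts outside the hunk, so this cannot be decided from the diff alone.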
@@ -143,7 +140,8 @@ index 882cf16125..b4cc0f9237 100644 + return 0; + } +#endif /* defined(FIPS_MODULE) */ -+ + +- return ctx != NULL; + return 1; } diff --git a/openssl.spec b/openssl.spec index a3b1f73..b335440 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -175,6 +175,8 @@ Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2175145 Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2179331 +Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -505,6 +507,12 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Mon Mar 20 2023 Clemens Lang - 1:3.0.7-11 +- Add missing reference to patchfile to add explicit FIPS indicator to RSA + encryption and RSASVE and fix the gettable parameter list for the RSA + asymmetric cipher implementation. + Resolves: rhbz#2179379 + * Fri Mar 17 2023 Clemens Lang - 1:3.0.7-10 - Add explicit FIPS indicator to RSA encryption and RSASVE Resolves: rhbz#2179379
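Review bot: The comment added above `Patch113:` points at bugzilla id 2179331, but both changelog entries for this patch say `Resolves: rhbz#2179379`. One of the two is probably a typo or a clone for another stream, and the reference should be made consistent so the FIPS indicator change can be traced. The 3.0.7-10 entry already claimed the indicator was added although the patch file was not listed, so that build presumably went out without it. A `%prep` or CI check that every numbered `.patch` file in the repository has a matching `Patch` line would catch this kind of omission.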