diff --git a/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch b/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
new file mode 100644
index 0000000..e01f7bf
--- /dev/null
+++ b/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
@@ -0,0 +1,64 @@
+From 5389ed0aeb97b290969f923b205e333d4f85fdc3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 15 Jul 2025 12:32:14 -0400
+Subject: [PATCH] Temporarily disable SLH-DSA FIPS self-tests
+
+Signed-off-by: Simo Sorce
+---
+ providers/fips/self_test_data.inc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index f3059a8446..e924e93018 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -2862,6 +2862,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
+ };
+ #endif /* OPENSSL_NO_ML_DSA */
+
++#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ #ifndef OPENSSL_NO_SLH_DSA
+ /*
+ * Deterministic SLH_DSA key generation supplies the private key elements and
+@@ -2952,6 +2953,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
+ 0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
+ };
+ #endif /* OPENSSL_NO_SLH_DSA */
++#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+
+ /* Hash DRBG inputs for signature KATs */
+ static const unsigned char sig_kat_entropyin[] = {
+@@ -3051,6 +3053,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+ ml_dsa_sig_init
+ },
+ #endif /* OPENSSL_NO_ML_DSA */
++#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ #ifndef OPENSSL_NO_SLH_DSA
+ /*
+ * FIPS 140-3 IG 10.3.A.16 Note 29 says:
+@@ -3081,6 +3084,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+ slh_dsa_sig_params, slh_dsa_sig_params
+ },
+ #endif /* OPENSSL_NO_SLH_DSA */
++#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ };
+
+ #if !defined(OPENSSL_NO_ML_DSA)
+@@ -3485,6 +3489,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+ ml_dsa_key
+ },
+ # endif
++#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ # if !defined(OPENSSL_NO_SLH_DSA)
+ {
+ OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
+@@ -3493,5 +3498,6 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+ slh_dsa_128f_keygen_expected_params
+ },
+ # endif
++#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ };
+ #endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */
+--
+2.50.1
+
diff --git a/0055-Add-a-define-to-disable-symver-attributes.patch b/0055-Add-a-define-to-disable-symver-attributes.patch
new file mode 100644
index 0000000..483c151
--- /dev/null
+++ b/0055-Add-a-define-to-disable-symver-attributes.patch
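Review bot: Wrapping the SLH-DSA KAT data and the two `st_kat_sign_tests` / `st_kat_asym_keygen_tests` entries in `#if 0` (self_test_data.inc around lines 2862, 3053 and 3489) removes the pre-operational self-test while, as far as this patch shows, the FIPS provider still offers SLH-DSA; that is exactly the gap the comment enclosed by the second block ("FIPS 140-3 IG 10.3.A.16 Note 29 says:") exists to close, so the disable needs a matching change that drops SLH-DSA from the FIPS provider's algorithm list, or it should not ship in a module claiming FIPS behaviour. The comment `Temporarily disable SLH-DSA self tests due to performance issues` is repeated on all six added lines and carries no tracking reference; the spec changelog on this page cites RHEL-102408 for this change, so I would write it once as `#if 0 /* SLH-DSA self tests disabled pending RHEL-102408 */` and leave the closing `#endif` comments short. Better still, follow what 0055 does for RHEL_NO_SYMVER_ATTRIBUTES and gate these blocks on a build-time define (constructed example: `#ifndef RHEL_NO_SLH_DSA_SELFTEST`), so the tests can be re-enabled from the spec without editing the data file.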
@@ -0,0 +1,66 @@
+From 5d70f27ffdb520001e560ef0852f29c84e0afa18 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Thu, 17 Jul 2025 09:40:34 -0400
+Subject: [PATCH] Add a define to disable symver attributes
+
+Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
+compatibility symver attributes.
+
+Signed-off-by: Simo Sorce
+---
+ crypto/evp/digest.c | 2 +-
+ crypto/evp/evp_enc.c | 2 +-
+ crypto/o_str.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 8ee9db73dd..7ed4933934 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
+ }
+
+ EVP_MD_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
+ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index 619cf4f385..9192898d39 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+ }
+
+ EVP_CIPHER_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
+ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/o_str.c b/crypto/o_str.c
+index 86442a939e..8c33e4dd63 100644
+--- a/crypto/o_str.c
++++ b/crypto/o_str.c
+@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
+ }
+
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
+ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
+ #endif
+@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
+ }
+
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
+ #endif
+--
+2.50.1
+
diff --git a/openssl.spec b/openssl.spec
index a651225..958510f 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.5.1
-Release: 1%{?dist}.alma.1
+Release: 3%{?dist}.alma.1
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@@ -95,6 +95,8 @@ Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
 %if ( %{defined rhel} && (! %{defined centos}) )
 Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
 %endif
+Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
+Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -124,8 +126,9 @@ protocols.
 Summary: A general purpose cryptography library with TLS implementation
 Requires: ca-certificates >= 2008-5
 Requires: crypto-policies >= 20250404-3
-%if ( %{defined rhel} && (! %{defined centos}) )
-Requires: openssl-fips-provider
+%if %{defined rhel}
+Requires: fips-provider-so
+Suggests: openssl-fips-provider >= 3.0.7-7
 %endif
 %description libs
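Review bot: The new `&& !defined(RHEL_NO_SYMVER_ATTRIBUTES)` clause is pasted into four identical `#if` lines (digest.c near 576, evp_enc.c near 1766, o_str.c near 407 and 422) and none of them, nor the commit text, says what the define is for or who is expected to set it. I would add a comment at the first site, roughly `/* RHEL_NO_SYMVER_ATTRIBUTES: defined by builds that do not carry the RHEL symbol-version history; drops the EVP_*_CTX_dup / OPENSSL_str*casecmp compat aliases */`, and fold the repeated condition into one internal helper macro (constructed example: an `OSSL_COMPAT_SYMVER` set to 0 or 1 in an internal header) so the four sites cannot drift apart on the next edit. Presumably a library built with the define exports these symbols only under the version the linker script assigns, so a binary bound to the `@OPENSSL_3.2.0` or `@OPENSSL_3.0.1` alias would fail to load against it; that consequence belongs in the comment as well.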
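Review bot: `Patch0054` and `Patch0055` are applied unconditionally while the neighbouring `Patch0053` is gated on `%if ( %{defined rhel} && (! %{defined centos}) )`, and since 0054 switches off the SLH-DSA FIPS self-tests it should be stated (in the spec or the changelog) that CentOS/Alma builds are meant to lose them as well, or the new patch should be placed under the same guard. Nothing in this diff defines RHEL_NO_SYMVER_ATTRIBUTES for the build, so unless a `-D` is added to the compiler flags somewhere outside these hunks, 0055 is inert here and the changelog line `Add custom define to disable symbol versioning in downstream patched code` describes a switch that is never flipped.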
@@ -153,6 +156,18 @@ OpenSSL is a toolkit for supporting cryptography. The openssl-perl
 package provides Perl scripts for converting certificates and keys from
 other formats to the formats used by the OpenSSL toolkit.
+%if %{defined centos}
+%package fips-provider
+Summary: The FIPS Provider module
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Provides: fips-provider-so
+
+%description fips-provider
+OpenSSL is a toolkit for supporting cryptography. The openssl-fips-provider
+package provides the fips.so provider, a cryptography provider that follows
+FIPS requirements and provides FIPS approved algorithms.
+%endif
+
 %prep
 %autosetup -S git -n %{name}-%{version}
@@ -409,7 +424,7 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 %attr(0755,root,root) %{_libdir}/libssl.so.%{version}
 %{_libdir}/libssl.so.%{soversion}
 %attr(0755,root,root) %{_libdir}/engines-%{soversion}
-%attr(0755,root,root) %{_libdir}/ossl-modules
+%attr(0755,root,root) %{_libdir}/ossl-modules/legacy.so
 %files devel
 %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
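Review bot: Narrowing the `%files libs` entry from `%{_libdir}/ossl-modules` to `%{_libdir}/ossl-modules/legacy.so` drops ownership of the ossl-modules directory itself, and as far as this diff shows no other package lists it (the new `%files fips-provider` names only fips.so), so the directory would be installed unowned and left behind on removal. Add `%dir %attr(0755,root,root) %{_libdir}/ossl-modules` to `%files libs` next to the legacy.so line so the directory stays owned by the package every provider module depends on.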
@@ -433,12 +448,32 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 %dir %{_sysconfdir}/pki/CA/crl
 %dir %{_sysconfdir}/pki/CA/newcerts
+%if %{defined centos}
+%files fips-provider
+%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so
+%endif
+
 %ldconfig_scriptlets libs
 %changelog
-* Wed Jul 02 2025 Eduard Abdullin - 1:3.5.1-1.alma.1
+* Tue Jul 29 2025 Eduard Abdullin - 1:3.5.1-3.alma.1
 - Redefine sslarch for x86_64_v2 arch
+* Thu Jul 24 2025 Simo Sorce - 1:3.5.1-3
+- Add custom define to disable symbol versioning in downstream patched code
+ Also add stricter Suggests for openssl-fips-provider
+ Resolves: RHEL-101548
+- Fix Requires/Provider to fix default install of fips providers
+ Resolves: RHEL-105010
+
+* Thu Jul 24 2025 Simo Sorce - 1:3.5.1-2
+- Move fips.so to a seprate subpackage
+ Reverts FIPS self test for SLH-DSA
+ Add Suggests to try to prefer the openssl-fips-provider package
+ over the fips-provider-next package by default
+ Revolves: RHEL-102408
+ Related: RHEL-80811
+
 * Tue Jul 01 2025 Dmitry Belyavskiy - 1:3.5.1-1
 - Rebasing to OpenSSL 3.5.1
 Resolves: RHEL-90350
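Review bot: `%files fips-provider` with `%{_libdir}/ossl-modules/fips.so` is wrapped in `%if %{defined centos}`, but the `%files libs` entry no longer covers the whole ossl-modules directory after the earlier hunk changed it to `.../legacy.so`, so on a non-centos rhel build the installed fips.so belongs to no package and rpmbuild will stop with an unpackaged-files error unless the build deletes it somewhere outside this diff. If the intent is that RHEL takes fips.so from the separate openssl-fips-provider package, the spec should say so by removing the file in `%install` under the inverse condition (or by `%exclude`-ing it) rather than relying on an external step. Separately, the new changelog entry reads `Revolves: RHEL-102408` where the ticket tooling keys on `Resolves:`, so the misspelling breaks the reference.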