Redefine sslarch for x86_64_v2 arch

Eduard Abdullin 2025-07-29 18:20:40 +00:00 committed by root
commit 2d7e345d72
3 changed files with 170 additions and 5 deletions


@ -0,0 +1,64 @@
From 5389ed0aeb97b290969f923b205e333d4f85fdc3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 15 Jul 2025 12:32:14 -0400
Subject: [PATCH] Temporarily disable SLH-DSA FIPS self-tests
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/self_test_data.inc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index f3059a8446..e924e93018 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -2862,6 +2862,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
};
#endif /* OPENSSL_NO_ML_DSA */
+#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
#ifndef OPENSSL_NO_SLH_DSA
/*
* Deterministic SLH_DSA key generation supplies the private key elements and
@@ -2952,6 +2953,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
};
#endif /* OPENSSL_NO_SLH_DSA */
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
/* Hash DRBG inputs for signature KATs */
static const unsigned char sig_kat_entropyin[] = {
@@ -3051,6 +3053,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
ml_dsa_sig_init
},
#endif /* OPENSSL_NO_ML_DSA */
+#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
#ifndef OPENSSL_NO_SLH_DSA
/*
* FIPS 140-3 IG 10.3.A.16 Note 29 says:
@@ -3081,6 +3084,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
slh_dsa_sig_params, slh_dsa_sig_params
},
#endif /* OPENSSL_NO_SLH_DSA */
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
};
#if !defined(OPENSSL_NO_ML_DSA)
@@ -3485,6 +3489,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
ml_dsa_key
},
# endif
+#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
# if !defined(OPENSSL_NO_SLH_DSA)
{
OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
@@ -3493,5 +3498,6 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
slh_dsa_128f_keygen_expected_params
},
# endif
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
};
#endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */
--
2.50.1
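Review bot: With the three `#if 0` regions in place, `st_kat_sign_tests[]` and `st_kat_asym_keygen_tests[]` no longer carry any SLH-DSA entry, yet nothing in these hunks removes SLH-DSA from the FIPS provider or marks it unapproved, so the algorithm would presumably remain usable in FIPS mode without a known-answer test having run. The context line `FIPS 140-3 IG 10.3.A.16 Note 29 says:` inside the disabled block suggests these tests exist to meet a FIPS requirement, so the gap should be recorded next to the guard. A bare `#if 0` is also hard to find and revert; a comment such as `/* TODO(<tracker-id>): re-enable SLH-DSA KATs once self-test runtime is acceptable */` at each guard, or one named build macro in place of `#if 0`, would make the temporary state auditable. The arrays begin or end outside the hunks shown, so whether `st_kat_asym_keygen_tests[]` can end up empty when only SLH-DSA satisfies the enclosing `!OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA` guard should be checked against the full file.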


@ -0,0 +1,66 @@
From 5d70f27ffdb520001e560ef0852f29c84e0afa18 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 17 Jul 2025 09:40:34 -0400
Subject: [PATCH] Add a define to disable symver attributes
Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
compatibility symver attributes.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
crypto/evp/digest.c | 2 +-
crypto/evp/evp_enc.c | 2 +-
crypto/o_str.c | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 8ee9db73dd..7ed4933934 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
}
EVP_MD_CTX
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 619cf4f385..9192898d39 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
}
EVP_CIPHER_CTX
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/o_str.c b/crypto/o_str.c
index 86442a939e..8c33e4dd63 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
}
int
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
#endif
@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
}
int
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
#endif
--
2.50.1
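Review bot: `RHEL_NO_SYMVER_ATTRIBUTES` is tested at four sites (`EVP_MD_CTX_dup`, `EVP_CIPHER_CTX_dup`, `OPENSSL_strcasecmp`, `OPENSSL_strncasecmp`), but no comment in the changed code says who defines it or what is lost when it is set. With the macro defined, the compatibility aliases such as `EVP_MD_CTX_dup@OPENSSL_3.2.0` are no longer emitted, so binaries linked against those symbol versions would presumably fail to resolve them. That deserves a comment above the first guard, for example `/* RHEL_NO_SYMVER_ATTRIBUTES: build without the compatibility symver aliases below */`. The three-term condition is repeated verbatim in each file; a single helper macro in a shared internal header would keep the sites from drifting apart. The function bodies lie outside the hunks.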


@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.5.1 Version: 3.5.1
Release: 1%{?dist}.alma.1 Release: 3%{?dist}.alma.1
Epoch: 1 Epoch: 1
Source0: openssl-%{version}.tar.gz Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh Source1: fips-hmacify.sh
@ -95,6 +95,8 @@ Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
%if ( %{defined rhel} && (! %{defined centos}) ) %if ( %{defined rhel} && (! %{defined centos}) )
Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif %endif
Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
License: Apache-2.0 License: Apache-2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -124,8 +126,9 @@ protocols.
Summary: A general purpose cryptography library with TLS implementation Summary: A general purpose cryptography library with TLS implementation
Requires: ca-certificates >= 2008-5 Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20250404-3 Requires: crypto-policies >= 20250404-3
%if ( %{defined rhel} && (! %{defined centos}) ) %if %{defined rhel}
Requires: openssl-fips-provider Requires: fips-provider-so
Suggests: openssl-fips-provider >= 3.0.7-7
%endif %endif
%description libs %description libs
@ -153,6 +156,18 @@ OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit. from other formats to the formats used by the OpenSSL toolkit.
%if %{defined centos}
%package fips-provider
Summary: The FIPS Provider module
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Provides: fips-provider-so
%description fips-provider
OpenSSL is a toolkit for supporting cryptography. The openssl-fips-provider
package provides the fips.so provider, a cryptography provider that follows
FIPS requirements and provides FIPS approved algorithms.
%endif
%prep %prep
%autosetup -S git -n %{name}-%{version} %autosetup -S git -n %{name}-%{version}
@ -409,7 +424,7 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
%attr(0755,root,root) %{_libdir}/libssl.so.%{version} %attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{soversion} %{_libdir}/libssl.so.%{soversion}
%attr(0755,root,root) %{_libdir}/engines-%{soversion} %attr(0755,root,root) %{_libdir}/engines-%{soversion}
%attr(0755,root,root) %{_libdir}/ossl-modules %attr(0755,root,root) %{_libdir}/ossl-modules/legacy.so
%files devel %files devel
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
@ -433,12 +448,32 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
%dir %{_sysconfdir}/pki/CA/crl %dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts %dir %{_sysconfdir}/pki/CA/newcerts
%if %{defined centos}
%files fips-provider
%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so
%endif
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Jul 02 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.1-1.alma.1 * Tue Jul 29 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.1-3.alma.1
- Redefine sslarch for x86_64_v2 arch - Redefine sslarch for x86_64_v2 arch
* Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-3
- Add custom define to disable symbol versioning in downstream patched code
Also add stricter Suggests for openssl-fips-provider
Resolves: RHEL-101548
- Fix Requires/Provider to fix default install of fips providers
Resolves: RHEL-105010
* Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-2
- Move fips.so to a seprate subpackage
Reverts FIPS self test for SLH-DSA
Add Suggests to try to prefer the openssl-fips-provider package
over the fips-provider-next package by default
Revolves: RHEL-102408
Related: RHEL-80811
* Tue Jul 01 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-1 * Tue Jul 01 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-1
- Rebasing to OpenSSL 3.5.1 - Rebasing to OpenSSL 3.5.1
Resolves: RHEL-90350 Resolves: RHEL-90350
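Review bot: The `%files libs` entry changes from the directory `%{_libdir}/ossl-modules` to the single file `%{_libdir}/ossl-modules/legacy.so`, so no package in the visible sections owns the directory that provider modules are loaded from, and rpm no longer sets or verifies its owner and mode. Adding `%dir %attr(0755,root,root) %{_libdir}/ossl-modules` to `%files libs` would keep that. Separately, `Requires: fips-provider-so` applies whenever `rhel` is defined, while the `fips-provider` subpackage and its `%files` entry for `fips.so` exist only when `centos` is defined. On a build with `rhel` but not `centos`, `fips.so` presumably has to be removed from the buildroot elsewhere in the spec (not visible here) or the build stops on an unpackaged file, and the dependency must be satisfied by another package.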