Redefine sslarch for x86_64_v2 arch
This commit is contained in:
Eduard Abdullin
root
commit
2d7e345d72
64
0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
Normal file
64
0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From 5389ed0aeb97b290969f923b205e333d4f85fdc3 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Tue, 15 Jul 2025 12:32:14 -0400
|
||||
Subject: [PATCH] Temporarily disable SLH-DSA FIPS self-tests
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
---
|
||||
providers/fips/self_test_data.inc | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index f3059a8446..e924e93018 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
+++ b/providers/fips/self_test_data.inc
|
||||
@@ -2862,6 +2862,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
|
||||
};
|
||||
#endif /* OPENSSL_NO_ML_DSA */
|
||||
|
||||
+#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
|
||||
#ifndef OPENSSL_NO_SLH_DSA
|
||||
/*
|
||||
* Deterministic SLH_DSA key generation supplies the private key elements and
|
||||
@@ -2952,6 +2953,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
|
||||
0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
|
||||
};
|
||||
#endif /* OPENSSL_NO_SLH_DSA */
|
||||
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
|
||||
|
||||
/* Hash DRBG inputs for signature KATs */
|
||||
static const unsigned char sig_kat_entropyin[] = {
|
||||
@@ -3051,6 +3053,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
|
||||
ml_dsa_sig_init
|
||||
},
|
||||
#endif /* OPENSSL_NO_ML_DSA */
|
||||
+#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
|
||||
#ifndef OPENSSL_NO_SLH_DSA
|
||||
/*
|
||||
* FIPS 140-3 IG 10.3.A.16 Note 29 says:
|
||||
@@ -3081,6 +3084,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
|
||||
slh_dsa_sig_params, slh_dsa_sig_params
|
||||
},
|
||||
#endif /* OPENSSL_NO_SLH_DSA */
|
||||
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
|
||||
};
|
||||
|
||||
#if !defined(OPENSSL_NO_ML_DSA)
|
||||
@@ -3485,6 +3489,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
|
||||
ml_dsa_key
|
||||
},
|
||||
# endif
|
||||
+#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
|
||||
# if !defined(OPENSSL_NO_SLH_DSA)
|
||||
{
|
||||
OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
|
||||
@@ -3493,5 +3498,6 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
|
||||
slh_dsa_128f_keygen_expected_params
|
||||
},
|
||||
# endif
|
||||
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
|
||||
};
|
||||
#endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */
|
||||
--
|
||||
2.50.1
|
||||
|
||||
66
0055-Add-a-define-to-disable-symver-attributes.patch
Normal file
66
0055-Add-a-define-to-disable-symver-attributes.patch
Normal file
@ -0,0 +1,66 @@
|
||||
From 5d70f27ffdb520001e560ef0852f29c84e0afa18 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Thu, 17 Jul 2025 09:40:34 -0400
|
||||
Subject: [PATCH] Add a define to disable symver attributes
|
||||
|
||||
Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
|
||||
compatibility symver attributes.
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
---
|
||||
crypto/evp/digest.c | 2 +-
|
||||
crypto/evp/evp_enc.c | 2 +-
|
||||
crypto/o_str.c | 4 ++--
|
||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
|
||||
index 8ee9db73dd..7ed4933934 100644
|
||||
--- a/crypto/evp/digest.c
|
||||
+++ b/crypto/evp/digest.c
|
||||
@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
|
||||
}
|
||||
|
||||
EVP_MD_CTX
|
||||
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
|
||||
__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
|
||||
symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
|
||||
#endif
|
||||
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
|
||||
index 619cf4f385..9192898d39 100644
|
||||
--- a/crypto/evp/evp_enc.c
|
||||
+++ b/crypto/evp/evp_enc.c
|
||||
@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
|
||||
}
|
||||
|
||||
EVP_CIPHER_CTX
|
||||
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
|
||||
__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
|
||||
symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
|
||||
#endif
|
||||
diff --git a/crypto/o_str.c b/crypto/o_str.c
|
||||
index 86442a939e..8c33e4dd63 100644
|
||||
--- a/crypto/o_str.c
|
||||
+++ b/crypto/o_str.c
|
||||
@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
|
||||
}
|
||||
|
||||
int
|
||||
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
|
||||
__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
|
||||
symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
|
||||
#endif
|
||||
@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
|
||||
}
|
||||
|
||||
int
|
||||
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
|
||||
__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
|
||||
symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
|
||||
#endif
|
||||
--
|
||||
2.50.1
|
||||
|
||||
45
openssl.spec
45
openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.5.1
|
||||
Release: 1%{?dist}.alma.1
|
||||
Release: 3%{?dist}.alma.1
|
||||
Epoch: 1
|
||||
Source0: openssl-%{version}.tar.gz
|
||||
Source1: fips-hmacify.sh
|
||||
@ -95,6 +95,8 @@ Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
|
||||
%endif
|
||||
Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
|
||||
Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
|
||||
|
||||
License: Apache-2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -124,8 +126,9 @@ protocols.
|
||||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Requires: ca-certificates >= 2008-5
|
||||
Requires: crypto-policies >= 20250404-3
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
Requires: openssl-fips-provider
|
||||
%if %{defined rhel}
|
||||
Requires: fips-provider-so
|
||||
Suggests: openssl-fips-provider >= 3.0.7-7
|
||||
%endif
|
||||
|
||||
%description libs
|
||||
@ -153,6 +156,18 @@ OpenSSL is a toolkit for supporting cryptography. The openssl-perl
|
||||
package provides Perl scripts for converting certificates and keys
|
||||
from other formats to the formats used by the OpenSSL toolkit.
|
||||
|
||||
%if %{defined centos}
|
||||
%package fips-provider
|
||||
Summary: The FIPS Provider module
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Provides: fips-provider-so
|
||||
|
||||
%description fips-provider
|
||||
OpenSSL is a toolkit for supporting cryptography. The openssl-fips-provider
|
||||
package provides the fips.so provider, a cryptography provider that follows
|
||||
FIPS requirements and provides FIPS approved algorithms.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -S git -n %{name}-%{version}
|
||||
|
||||
@ -409,7 +424,7 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
|
||||
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
||||
%{_libdir}/libssl.so.%{soversion}
|
||||
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
|
||||
%attr(0755,root,root) %{_libdir}/ossl-modules
|
||||
%attr(0755,root,root) %{_libdir}/ossl-modules/legacy.so
|
||||
|
||||
%files devel
|
||||
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
|
||||
@ -433,12 +448,32 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
|
||||
%dir %{_sysconfdir}/pki/CA/crl
|
||||
%dir %{_sysconfdir}/pki/CA/newcerts
|
||||
|
||||
%if %{defined centos}
|
||||
%files fips-provider
|
||||
%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so
|
||||
%endif
|
||||
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Wed Jul 02 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.1-1.alma.1
|
||||
* Tue Jul 29 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.1-3.alma.1
|
||||
- Redefine sslarch for x86_64_v2 arch
|
||||
|
||||
* Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-3
|
||||
- Add custom define to disable symbol versioning in downstream patched code
|
||||
Also add stricter Suggests for openssl-fips-provider
|
||||
Resolves: RHEL-101548
|
||||
- Fix Requires/Provider to fix default install of fips providers
|
||||
Resolves: RHEL-105010
|
||||
|
||||
* Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-2
|
||||
- Move fips.so to a seprate subpackage
|
||||
Reverts FIPS self test for SLH-DSA
|
||||
Add Suggests to try to prefer the openssl-fips-provider package
|
||||
over the fips-provider-next package by default
|
||||
Revolves: RHEL-102408
|
||||
Related: RHEL-80811
|
||||
|
||||
* Tue Jul 01 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-1
|
||||
- Rebasing to OpenSSL 3.5.1
|
||||
Resolves: RHEL-90350
|
||||
|
||||
Loading…
Reference in New Issue
Block a user