rpms/openssl
8
1
Fork 1
Code Issues Pull Requests Releases Activity

import UBI openssl-3.5.5-2.el10_2

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-05-19 19:16:32 -04:00
parent 4f86a4185e
commit 35d3e89ab6
75 changed files with 1599 additions and 5086 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
openssl-3.5.1.tar.gz
openssl-3.5.5.tar.gz

6
0001-RH-Aarch64-and-ppc64le-use-lib64.patch
View File

@ -1,7 +1,7 @@
From bc8c037733c26d4c4a2a3dfd1e383be9855449b3 Mon Sep 17 00:00:00 2001
From ad6ba90718f814f1db71e86a4156098eb2bbeef5 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 01/53] RH: Aarch64 and ppc64le use lib64
Subject: [PATCH 01/57] RH: Aarch64 and ppc64le use lib64
Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch
Patch-id: 1
@ -34,5 +34,5 @@ index cba57b4127..3e327017ef 100644
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32" ],
--
2.50.0
2.52.0

6
0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
View File

@ -1,7 +1,7 @@
From 99e084a168125827163da87f3f1de3f05db99be1 Mon Sep 17 00:00:00 2001
From a10a60403c197128ea6d8076b5111c64594a5026 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 6 Mar 2025 08:40:29 -0500
Subject: [PATCH 02/53] Add a separate config file to use for rpm installs
Subject: [PATCH 02/57] Add a separate config file to use for rpm installs
In RHEL/Fedora systems we want to use a slightly different set
of defaults, but we do not want to change the standard config file
@ -452,5 +452,5 @@ index 0000000000..fe2346eb2b
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
--
2.50.0
2.52.0

10
0003-RH-Do-not-install-html-docs.patch
View File

@ -1,7 +1,7 @@
From 371ef9d39cb5a54d7f22ef1abd6340dbadf88fcd Mon Sep 17 00:00:00 2001
From 44f15e373a78a1fb01edf15e7530cea4c8a1b79b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 03/53] RH: Do not install html docs
Subject: [PATCH 03/57] RH: Do not install html docs
Patch-name: 0003-Do-not-install-html-docs.patch
Patch-id: 3
@ -13,10 +13,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index a6f666957e..b1d8b00755 100644
index 78be4a3199..962d1330bb 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -658,7 +658,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
@@ -669,7 +669,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
@ -26,5 +26,5 @@ index a6f666957e..b1d8b00755 100644
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
$(RM) -r "$(DESTDIR)$(DOCDIR)"
--
2.50.0
2.52.0

22
0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
View File

@ -1,7 +1,7 @@
From 79787a5bb85fed3c6998bfe3aebcdff9ffa56edf Mon Sep 17 00:00:00 2001
From 3e60b46747eae0aec3171f13da6be706bcac6b48 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 04/53] RH: apps ca fix md option help text.patch - DROP?
Subject: [PATCH 04/57] RH: apps ca fix md option help text.patch - DROP?
Patch-name: 0005-apps-ca-fix-md-option-help-text.patch
Patch-id: 5
@ -13,18 +13,18 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/ca.c b/apps/ca.c
index 6d1d1c0a6e..a7553ba609 100644
index 02b00c7c03..7f77e069ab 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -216,7 +216,7 @@ const OPTIONS ca_options[] = {
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
@@ -261,7 +261,7 @@ const OPTIONS ca_options[] = {
{ "noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN" },
OPT_SECTION("Signing"),
- {"md", OPT_MD, 's', "Digest to use, such as sha256"},
+ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
{"keyform", OPT_KEYFORM, 'f',
"Private key file format (ENGINE, other values ignored)"},
- { "md", OPT_MD, 's', "Digest to use, such as sha256" },
+ { "md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list" },
{ "keyfile", OPT_KEYFILE, 's', "The CA private key" },
{ "keyform", OPT_KEYFORM, 'f',
"Private key file format (ENGINE, other values ignored)" },
--
2.50.0
2.52.0

10
0005-RH-Disable-signature-verification-with-bad-digests-R.patch
View File

@ -1,7 +1,7 @@
From c99e322d8f8ea6835f2d8aff4ca33d36410c4233 Mon Sep 17 00:00:00 2001
From 04f1fc282cd5f5e7a9fbf2d82a62a9810d2e4acc Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 05/53] RH: Disable signature verification with bad digests -
Subject: [PATCH 05/57] RH: Disable signature verification with bad digests -
REVIEW
Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
@ -14,10 +14,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 5 insertions(+)
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index f6cac80962..fbc6ce6e30 100644
index 55f86ee83f..95483afc00 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -151,6 +151,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
if (ret <= 1)
goto err;
@ -30,5 +30,5 @@ index f6cac80962..fbc6ce6e30 100644
const EVP_MD *type = NULL;
--
2.50.0
2.52.0

84
0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
View File

@ -1,7 +1,7 @@
From f54b7469e2525ea5f03113fad7169bd23fbcab50 Mon Sep 17 00:00:00 2001
From ced223dc078708514c65b1903c783062ec568bb7 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 06/53] RH: Add support for PROFILE SYSTEM system default
Subject: [PATCH 06/57] RH: Add support for PROFILE SYSTEM system default
cipher
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@ -14,16 +14,16 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
Configure | 11 +++-
doc/man1/openssl-ciphers.pod.in | 9 ++++
include/openssl/ssl.h.in | 5 ++
ssl/ssl_ciph.c | 83 +++++++++++++++++++++++++++----
ssl/ssl_ciph.c | 85 ++++++++++++++++++++++++++-----
ssl/ssl_lib.c | 4 +-
test/cipherlist_test.c | 2 +
7 files changed, 105 insertions(+), 14 deletions(-)
7 files changed, 106 insertions(+), 15 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index b1d8b00755..91fd703afa 100644
index 962d1330bb..1920d38655 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man
@@ -355,6 +355,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@ -34,7 +34,7 @@ index b1d8b00755..91fd703afa 100644
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
@@ -367,6 +371,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
@@ -378,6 +382,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
CPPFLAGS={- our $cppflags1 = join(" ",
(map { "-D".$_} @{$config{CPPDEFINES}}),
@ -106,10 +106,10 @@ index 69195bcdcb..a6e0ede570 100644
"High" encryption cipher suites. This currently means those with key lengths
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 383c5bc411..d1b00e8454 100644
index bdcc68529b..82410670f4 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -209,6 +209,11 @@ extern "C" {
@@ -211,6 +211,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
*/
@ -120,9 +120,9 @@ index 383c5bc411..d1b00e8454 100644
+# endif
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
#define SSL_SENT_SHUTDOWN 1
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 6127cb7a4b..19420d6c6a 100644
index 7dccec6260..15be7e8067 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -9,6 +9,7 @@
@ -133,7 +133,7 @@ index 6127cb7a4b..19420d6c6a 100644
#include <stdio.h>
#include <ctype.h>
#include <openssl/objects.h>
@@ -1421,6 +1422,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1404,6 +1405,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
return ret;
}
@ -181,9 +181,9 @@ index 6127cb7a4b..19420d6c6a 100644
+#endif
+
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1435,15 +1479,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1418,15 +1462,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
@ -211,16 +211,16 @@ index 6127cb7a4b..19420d6c6a 100644
/*
* To reduce the work to do we only want to process the compiled
@@ -1465,7 +1519,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1448,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
if (num_of_ciphers > 0) {
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL)
- return NULL; /* Failure */
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1531,8 +1585,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1514,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -230,27 +230,29 @@ index 6127cb7a4b..19420d6c6a 100644
}
/*
@@ -1576,8 +1629,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1559,8 +1612,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
- OPENSSL_free(co_list);
- return NULL; /* Failure */
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1603,8 +1655,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
OPENSSL_free(ca_list); /* Not needed anymore */
disabled_mkey, disabled_auth, disabled_enc,
@@ -1585,9 +1637,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
if (!ok) { /* Rule processing failure */
OPENSSL_free(ca_list); /* Not needed anymore */
- if (!ok) { /* Rule processing failure */
- OPENSSL_free(co_list);
- return NULL;
+ if (!ok) { /* Rule processing failure */
+ goto err;
}
/*
@@ -1612,10 +1663,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1595,10 +1646,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -266,7 +268,7 @@ index 6127cb7a4b..19420d6c6a 100644
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1667,6 +1721,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1653,6 +1707,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
*cipher_list = cipherstack;
return cipherstack;
@ -281,32 +283,32 @@ index 6127cb7a4b..19420d6c6a 100644
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9696a4c55f..4bd3318407 100644
index ac77faa677..677b05ba64 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -686,7 +686,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
- OSSL_default_cipher_list(), ctx->cert);
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
@@ -678,7 +678,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
- OSSL_default_cipher_list(), ctx->cert);
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
@@ -4136,7 +4136,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
@@ -4102,7 +4102,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
- OSSL_default_cipher_list(), ret->cert)
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
- OSSL_default_cipher_list(), ret->cert)
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err;
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
index c46e431b00..19d05e860b 100644
index 9874e6bad6..76b6befbad 100644
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -261,7 +261,9 @@ end:
@@ -260,7 +260,9 @@ end:
int setup_tests(void)
{
@ -317,5 +319,5 @@ index c46e431b00..19d05e860b 100644
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
--
2.50.0
2.52.0

14
0007-RH-Add-FIPS_mode-compatibility-macro.patch
View File

@ -1,7 +1,7 @@
From 6a1b39542597be9a28f94dad23a8e93285368653 Mon Sep 17 00:00:00 2001
From 60f55f072544cb998c42da41ee33ced2b4428b9f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 07/53] RH: Add FIPS_mode compatibility macro
Subject: [PATCH 07/57] RH: Add FIPS_mode compatibility macro
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
@ -47,10 +47,10 @@ index 0000000000..4162cbf88e
+# endif
+#endif
diff --git a/test/property_test.c b/test/property_test.c
index 18f8cc8740..6864b1a3c1 100644
index d470731e50..0b044ec853 100644
--- a/test/property_test.c
+++ b/test/property_test.c
@@ -687,6 +687,19 @@ static int test_property_list_to_string(int i)
@@ -703,6 +703,19 @@ err:
return ret;
}
@ -70,14 +70,14 @@ index 18f8cc8740..6864b1a3c1 100644
int setup_tests(void)
{
ADD_TEST(test_property_string);
@@ -700,6 +713,7 @@ int setup_tests(void)
@@ -716,6 +729,7 @@ int setup_tests(void)
ADD_TEST(test_property);
ADD_TEST(test_query_cache_stochastic);
ADD_TEST(test_fips_mode);
+ ADD_TEST(test_downstream_FIPS_mode);
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
ADD_TEST(test_property_list_to_string_bounds);
return 1;
}
--
2.50.0
2.52.0

26
0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
View File

@ -1,7 +1,7 @@
From 15d44a4f1365532f8ebdf24a69c9da7220d5c704 Mon Sep 17 00:00:00 2001
From 5aa108caf01f482d35aba7acae6b5a8fa1577410 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 08/53] RH: Add Kernel FIPS mode flag support - FIXSTYLE
Subject: [PATCH 08/57] RH: Add Kernel FIPS mode flag support - FIXSTYLE
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
@ -10,11 +10,11 @@ Patch-status: |
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/context.c | 35 +++++++++++++++++++++++++++++++++++
include/internal/provider.h | 3 +++
2 files changed, 38 insertions(+)
include/internal/provider.h | 5 ++++-
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/crypto/context.c b/crypto/context.c
index f15bc3d755..614c8a2c88 100644
index 1ae88e42aa..62e60f3620 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -7,6 +7,7 @@
@ -64,7 +64,7 @@ index f15bc3d755..614c8a2c88 100644
struct ossl_lib_ctx_st {
CRYPTO_RWLOCK *lock;
OSSL_EX_DATA_GLOBAL global;
@@ -393,6 +426,8 @@ static int default_context_inited = 0;
@@ -391,6 +424,8 @@ static int default_context_inited = 0;
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
{
@ -74,19 +74,21 @@ index f15bc3d755..614c8a2c88 100644
goto err;
diff --git a/include/internal/provider.h b/include/internal/provider.h
index 7d94346155..c0f1d00da9 100644
index 1b4050a81f..eb7f409af0 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -114,6 +114,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
const OSSL_DISPATCH *in);
@@ -114,7 +114,10 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
const OSSL_DISPATCH *in);
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
-#ifdef __cplusplus
+/* FIPS flag access */
+int ossl_get_kernel_fips_flag(void);
+
# ifdef __cplusplus
+# ifdef __cplusplus
}
# endif
#endif
--
2.50.0
2.52.0

829
0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
View File

File diff suppressed because it is too large Load Diff

137
0010-RH-Disable-explicit-ec-curves.patch
View File

@ -1,7 +1,7 @@
From 6a2b78bca595435fcbf72d7b2c8bec004d555016 Mon Sep 17 00:00:00 2001
From a925f827ebbd25236c7449e179cfcd716af60379 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 10/53] RH: Disable explicit ec curves
Subject: [PATCH 10/57] RH: Disable explicit ec curves
Patch-name: 0012-Disable-explicit-ec.patch
Patch-id: 12
@ -10,18 +10,18 @@ Patch-status: |
# # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/ec/ec_asn1.c | 11 ++++++++++
crypto/ec/ec_lib.c | 8 ++++++-
test/ectest.c | 22 ++++++++++---------
test/endecode_test.c | 20 ++++++++---------
.../30-test_evp_data/evppkey_ecdsa.txt | 12 ----------
5 files changed, 40 insertions(+), 33 deletions(-)
crypto/ec/ec_asn1.c | 11 +++++++
crypto/ec/ec_lib.c | 8 ++++-
test/ectest.c | 22 +++++++-------
test/endecode_test.c | 30 +++++++++----------
.../30-test_evp_data/evppkey_ecdsa.txt | 12 --------
5 files changed, 45 insertions(+), 38 deletions(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 643d2d8d7b..5895606176 100644
index bfd0242c6f..bb462121b5 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -901,6 +901,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
@@ -889,6 +889,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
group->decoded_from_explicit_params = 1;
@ -34,7 +34,7 @@ index 643d2d8d7b..5895606176 100644
if (a) {
EC_GROUP_free(*a);
*a = group;
@@ -960,6 +966,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
@@ -948,6 +954,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
goto err;
}
@ -47,10 +47,10 @@ index 643d2d8d7b..5895606176 100644
if (priv_key->privateKey) {
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index b55677fb1f..1df40018ac 100644
index 13dcd29b11..de21cb2f10 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1554,7 +1554,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
@@ -1551,7 +1551,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
int is_prime_field = 1;
BN_CTX *bnctx = NULL;
const unsigned char *buf = NULL;
@ -59,7 +59,7 @@ index b55677fb1f..1df40018ac 100644
#endif
/* This is the simple named group case */
@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
@@ -1726,6 +1726,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
if (named_group == group) {
@ -71,7 +71,7 @@ index b55677fb1f..1df40018ac 100644
/*
* If we did not find a named group then the encoding should be explicit
* if it was specified
@@ -1743,6 +1748,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
@@ -1741,6 +1746,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
@ -80,16 +80,17 @@ index b55677fb1f..1df40018ac 100644
EC_GROUP_free(group);
group = named_group;
diff --git a/test/ectest.c b/test/ectest.c
index b852381924..6eac5de4fa 100644
index f243f6fb3c..d8246524f3 100644
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
@@ -2791,11 +2791,12 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
|| !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
|| !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
+ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
EVP_PKEY_KEY_PARAMETERS, params), 0))
EVP_PKEY_KEY_PARAMETERS, params),
0))
goto err;
-
+/* As creating the key should fail, the rest of the test is pointless */
@ -97,54 +98,54 @@ index b852381924..6eac5de4fa 100644
/*- Check that all the set values are retrievable -*/
/* There should be no match to a group name since the generator changed */
@@ -2545,6 +2546,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
@@ -2924,6 +2925,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
#endif
)
)
goto err;
+#endif
ret = 1;
err:
BN_free(order_out);
@@ -2826,21 +2828,21 @@ static int custom_params_test(int id)
@@ -3217,21 +3219,21 @@ static int custom_params_test(int id)
/* Compute keyexchange in both directions */
if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
|| !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
|| !TEST_int_gt(bsize, sslen)
- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
+ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
|| !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
|| !TEST_int_gt(bsize, sslen)
- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
+ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
goto err;
if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
|| !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
|| !TEST_int_gt(bsize, t)
|| !TEST_int_le(sslen, t)
- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
+ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
|| !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
|| !TEST_int_gt(bsize, t)
|| !TEST_int_le(sslen, t)
- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
+ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
goto err;
-
+#if 0
/* Both sides should expect the same shared secret */
if (!TEST_mem_eq(buf1, sslen, buf2, t))
goto err;
@@ -2893,7 +2895,7 @@ static int custom_params_test(int id)
/* compare with previous result */
|| !TEST_mem_eq(buf1, t, buf2, sslen))
@@ -3286,7 +3288,7 @@ static int custom_params_test(int id)
/* compare with previous result */
|| !TEST_mem_eq(buf1, t, buf2, sslen))
goto err;
-
+#endif
ret = 1;
err:
err:
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 028deb4ed1..85c84f6592 100644
index 3f8ed7f392..c3b55af3e7 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -63,7 +63,7 @@ static BN_CTX *bnctx = NULL;
@ -154,51 +155,59 @@ index 028deb4ed1..85c84f6592 100644
-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
+/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
# ifndef OPENSSL_NO_EC2M
#ifndef OPENSSL_NO_EC2M
static OSSL_PARAM_BLD *bld_tri_nc = NULL;
@@ -1027,9 +1027,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
@@ -1013,10 +1013,10 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
-DOMAIN_KEYS(ECExplicitPrime2G);
-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
-#ifndef OPENSSL_NO_EC2M
+/*DOMAIN_KEYS(ECExplicitPrime2G);*/
+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
+/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
# ifndef OPENSSL_NO_EC2M
+# ifndef OPENSSL_NO_EC2M
DOMAIN_KEYS(ECExplicitTriNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
@@ -1445,7 +1445,7 @@ int setup_tests(void)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve, "EC")
@@ -1458,8 +1458,8 @@ int setup_tests(void)
|| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
|| !create_ec_explicit_prime_params(bld_prime)
|| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
+/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
# ifndef OPENSSL_NO_EC2M
-#ifndef OPENSSL_NO_EC2M
+/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
+# ifndef OPENSSL_NO_EC2M
|| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
|| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
@@ -1473,7 +1473,7 @@ int setup_tests(void)
|| !create_ec_explicit_trinomial_params_namedcurve(bld_tri_nc)
@@ -1486,8 +1486,8 @@ int setup_tests(void)
TEST_info("Generating EC keys...");
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
+/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
# ifndef OPENSSL_NO_EC2M
-#ifndef OPENSSL_NO_EC2M
+/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
+# ifndef OPENSSL_NO_EC2M
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
@@ -1553,8 +1553,8 @@ int setup_tests(void)
#endif
@@ -1566,9 +1566,9 @@ int setup_tests(void)
ADD_TEST_SUITE_LEGACY(EC);
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
- ADD_TEST_SUITE(ECExplicitPrime2G);
- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
+/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
+/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
# ifndef OPENSSL_NO_EC2M
-#ifndef OPENSSL_NO_EC2M
+/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
+/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
+# ifndef OPENSSL_NO_EC2M
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
@@ -1631,7 +1631,7 @@ void cleanup_tests(void)
ADD_TEST_SUITE(ECExplicitTri2G);
@@ -1644,7 +1644,7 @@ void cleanup_tests(void)
{
#ifndef OPENSSL_NO_EC
OSSL_PARAM_free(ec_explicit_prime_params_nc);
@ -206,18 +215,20 @@ index 028deb4ed1..85c84f6592 100644
+/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
OSSL_PARAM_BLD_free(bld_prime_nc);
OSSL_PARAM_BLD_free(bld_prime);
# ifndef OPENSSL_NO_EC2M
@@ -1653,7 +1653,7 @@ void cleanup_tests(void)
#ifndef OPENSSL_NO_EC2M
@@ -1666,8 +1666,8 @@ void cleanup_tests(void)
#ifndef OPENSSL_NO_EC
FREE_DOMAIN_KEYS(EC);
FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
- FREE_DOMAIN_KEYS(ECExplicitPrime2G);
+/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
# ifndef OPENSSL_NO_EC2M
-#ifndef OPENSSL_NO_EC2M
+/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
+# ifndef OPENSSL_NO_EC2M
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
FREE_DOMAIN_KEYS(ECExplicitTri2G);
#endif
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index 54b143bead..06ec905be0 100644
index 07dc4b4298..4c47fa68c2 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
@ -240,5 +251,5 @@ index 54b143bead..06ec905be0 100644
-----BEGIN PRIVATE KEY-----
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
--
2.50.0
2.52.0

10
0011-RH-skipped-tests-EC-curves.patch
View File

@ -1,7 +1,7 @@
From 60e56b8d5d031a7169aa4ad07b13bca15faf345b Mon Sep 17 00:00:00 2001
From 2afc42b7faa263387234aa747d676efd140a7c8a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 11/53] RH: skipped tests EC curves
Subject: [PATCH 11/57] RH: skipped tests EC curves
Patch-name: 0013-skipped-tests-EC-curves.patch
Patch-id: 13
@ -16,10 +16,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
4 files changed, 3 insertions(+), 15 deletions(-)
diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
index c953fad9f1..906769a12e 100644
index 9bf946e81b..d6521876e5 100644
--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
@@ -94,7 +94,7 @@ SKIP: {
@@ -104,7 +104,7 @@ SKIP: {
subtest 'Check loading of fips and non-fips keys' => sub {
plan skip_all => "FIPS is disabled"
@ -78,5 +78,5 @@ index f722800e27..26a01786bb 100644
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),
--
2.50.0
2.52.0

14
0012-RH-skip-quic-pairwise.patch
View File

@ -1,7 +1,7 @@
From e15f0731f753c279a555c6d5d588dbac8dd3f1e4 Mon Sep 17 00:00:00 2001
From 48b4a63db033730ef98eb9968e45ba66688598c9 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 7 Mar 2024 17:37:09 +0100
Subject: [PATCH 12/53] RH: skip quic pairwise
Subject: [PATCH 12/57] RH: skip quic pairwise
Patch-name: 0115-skip-quic-pairwise.patch
Patch-id: 115
@ -14,10 +14,10 @@ Patch-status: |
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/test/quicapitest.c b/test/quicapitest.c
index b98a940553..3d946ae93c 100644
index 6b9ee8e69a..96cd735819 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -2937,7 +2937,9 @@ int setup_tests(void)
@@ -3015,7 +3015,9 @@ int setup_tests(void)
ADD_TEST(test_cipher_find);
ADD_TEST(test_version);
#if defined(DO_SSL_TRACE_TEST)
@ -29,10 +29,10 @@ index b98a940553..3d946ae93c 100644
ADD_TEST(test_quic_forbidden_apis_ctx);
ADD_TEST(test_quic_forbidden_apis);
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
index 222b1886ae..7e2f65cccb 100644
index 6c8de64b0b..79a5584099 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -185,6 +185,7 @@ foreach (sort keys %stlibname) {
@@ -187,6 +187,7 @@ foreach (sort keys %stlibname) {
}
}
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
@ -82,5 +82,5 @@ index eaf0dbbb42..21864ad319 100644
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
"fips provider dsa keygen pairwise failure test");
--
2.50.0
2.52.0

16
0013-RH-version-aliasing.patch
View File

@ -1,7 +1,7 @@
From 293b5d1bca91e400a9042cc181d17b7facbed71c Mon Sep 17 00:00:00 2001
From 9a41889c1a026e203f936e0c3b511e6d4ddc4cf2 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 13/53] RH: version aliasing
Subject: [PATCH 13/57] RH: version aliasing
Patch-name: 0116-version-aliasing.patch
Patch-id: 116
@ -17,7 +17,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 6fc201bcfe..3c80b9dfe1 100644
index 4b1c95c4ab..8a6e87c11a 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -572,7 +572,12 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
@ -35,10 +35,10 @@ index 6fc201bcfe..3c80b9dfe1 100644
EVP_MD_CTX *out = EVP_MD_CTX_new();
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index eee00a0780..7c51786515 100644
index 5584e06d7e..d5ff34a4e2 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1762,7 +1762,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
@@ -1756,7 +1756,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
#endif /* FIPS_MODULE */
}
@ -53,10 +53,10 @@ index eee00a0780..7c51786515 100644
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
index 7e2f65cccb..cc947d4821 100644
index 79a5584099..a70ebef431 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -131,6 +131,7 @@ foreach (sort keys %stlibname) {
@@ -133,6 +133,7 @@ foreach (sort keys %stlibname) {
s| .*||;
# Drop OpenSSL dynamic version information if there is any
s|\@\@.+$||;
@ -79,5 +79,5 @@ index ceb4948839..eab3987a6b 100644
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
--
2.50.0
2.52.0

22
0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
View File

@ -1,7 +1,7 @@
From f267ed139ac29efc6d464827024eafb805f06ea2 Mon Sep 17 00:00:00 2001
From 51d485de6b9e2a714610daa886bde82b45016c0a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 16:09:09 -0500
Subject: [PATCH 14/53] RH: Export two symbols for OPENSSL_str[n]casecmp
Subject: [PATCH 14/57] RH: Export two symbols for OPENSSL_str[n]casecmp
We accidentally exported the symbols with the incorrect verison number
in an early version of RHEL-9 so we need to keep the wrong symbols for
@ -17,7 +17,7 @@ with upstream.
mode change 100644 => 100755 test/recipes/01-test_symbol_presence.t
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 3c80b9dfe1..8ee9db73dd 100644
index 8a6e87c11a..638dac8844 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
@ -30,10 +30,10 @@ index 3c80b9dfe1..8ee9db73dd 100644
symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 7c51786515..619cf4f385 100644
index d5ff34a4e2..b4edd825cd 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
@@ -1757,7 +1757,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
}
EVP_CIPHER_CTX
@ -43,10 +43,10 @@ index 7c51786515..619cf4f385 100644
symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/o_str.c b/crypto/o_str.c
index 93af73561f..86442a939e 100644
index 35540630be..fde43421ea 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -403,7 +403,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
@@ -406,7 +406,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
#endif
}
@ -60,7 +60,7 @@ index 93af73561f..86442a939e 100644
{
int t;
@@ -413,7 +418,12 @@ int OPENSSL_strcasecmp(const char *s1, const char *s2)
@@ -416,7 +421,12 @@ int OPENSSL_strcasecmp(const char *s1, const char *s2)
return t;
}
@ -77,10 +77,10 @@ index 93af73561f..86442a939e 100644
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
old mode 100644
new mode 100755
index cc947d4821..de2dcd90c2
index a70ebef431..a095239652
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -186,7 +186,7 @@ foreach (sort keys %stlibname) {
@@ -188,7 +188,7 @@ foreach (sort keys %stlibname) {
}
}
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
@ -104,5 +104,5 @@ index eab3987a6b..d377d542db 100644
RAND_set0_public 5559 3_1_0 EXIST::FUNCTION:
RAND_set0_private 5560 3_1_0 EXIST::FUNCTION:
--
2.50.0
2.52.0

10
0015-RH-TMP-KTLS-test-skip.patch
View File

@ -1,7 +1,7 @@
From 4badd5b30b1caec6c4fd3875cd4c5313ba6095b1 Mon Sep 17 00:00:00 2001
From a6d43e2d94ba1f8ff57dfb403d9d70d9f6f0f433 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:11:19 -0500
Subject: [PATCH 15/53] RH: TMP KTLS test skip
Subject: [PATCH 15/57] RH: TMP KTLS test skip
From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
---
@ -9,10 +9,10 @@ From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index b83dd6c552..250a439137 100644
index 993d9e6018..a94061d974 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1023,9 +1023,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
@@ -1029,9 +1029,10 @@ end:
/* sock must be connected */
static int ktls_chk_platform(int sock)
{
@ -26,5 +26,5 @@ index b83dd6c552..250a439137 100644
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
--
2.50.0
2.52.0

111
0016-RH-Allow-disabling-of-SHA1-signatures.patch
View File

@ -1,7 +1,7 @@
From 3e6196d5791ce3443f54a379a5fd679c1066c76a Mon Sep 17 00:00:00 2001
From 1efe3493167934ee77a52eba9a6b2a492885a955 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 13:07:07 +0200
Subject: [PATCH 16/53] RH: Allow disabling of SHA1 signatures
Subject: [PATCH 16/57] RH: Allow disabling of SHA1 signatures
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-id: 49
@ -15,7 +15,7 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
crypto/evp/pmeth_lib.c | 15 ++++
doc/man5/config.pod | 13 ++++
include/crypto/context.h | 8 +++
include/internal/cryptlib.h | 3 +-
include/internal/cryptlib.h | 33 ++++-----
include/internal/sslconf.h | 4 ++
providers/common/include/prov/securitycheck.h | 2 +
providers/common/securitycheck.c | 14 ++++
@ -25,10 +25,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
providers/implementations/signature/rsa_sig.c | 14 +++-
ssl/t1_lib.c | 8 +++
util/libcrypto.num | 2 +
16 files changed, 183 insertions(+), 7 deletions(-)
16 files changed, 198 insertions(+), 22 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
index 614c8a2c88..323615e300 100644
index 62e60f3620..4db9d24b78 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st {
@ -74,7 +74,7 @@ index 614c8a2c88..323615e300 100644
/* Low priority. */
#ifndef FIPS_MODULE
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
@@ -382,6 +404,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
@@ -381,6 +403,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
}
#endif
@ -86,7 +86,7 @@ index 614c8a2c88..323615e300 100644
/* Low priority. */
#ifndef FIPS_MODULE
if (ctx->child_provider != NULL) {
@@ -660,6 +687,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
@@ -658,6 +685,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
case OSSL_LIB_CTX_COMP_METHODS:
return (void *)&ctx->comp_methods;
@ -96,7 +96,7 @@ index 614c8a2c88..323615e300 100644
default:
return NULL;
}
@@ -714,3 +744,43 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, int value)
@@ -712,3 +742,43 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, int value)
return;
libctx->conf_diagnostics = value;
}
@ -141,7 +141,7 @@ index 614c8a2c88..323615e300 100644
+ return 1;
+}
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 0e7fe64cf9..b9d3b6d226 100644
index 184bab933c..2ae7ccea15 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
@ -170,20 +170,20 @@ index 0e7fe64cf9..b9d3b6d226 100644
+ }
} else {
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
"name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index d5df497da7..53044238a1 100644
index 0a433adbe4..6c9f71569b 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -15,6 +15,7 @@
#include "internal/provider.h"
#include "internal/numbers.h" /* includes SIZE_MAX */
#include "internal/numbers.h" /* includes SIZE_MAX */
#include "evp_local.h"
+#include "internal/sslconf.h"
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
{
@@ -253,6 +254,19 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -251,6 +252,19 @@ reinitialize:
}
desc = signature->description != NULL ? signature->description : "";
@ -204,7 +204,7 @@ index d5df497da7..53044238a1 100644
if (signature->digest_verify_init == NULL) {
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED,
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 08c0d6a7b2..b936ad4447 100644
index 2a0fc3ef0b..20e80a447d 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
@ -215,7 +215,7 @@ index 08c0d6a7b2..b936ad4447 100644
#include "evp_local.h"
#ifndef FIPS_MODULE
@@ -963,6 +964,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
@@ -952,6 +953,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
return -2;
}
@ -277,26 +277,57 @@ index 1c181933e0..35bdfdb52d 100644
+#endif
+
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index da442f8a86..44a5e8a99a 100644
index 50aec7e7f4..9678e150e0 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -120,7 +120,8 @@ typedef struct ossl_ex_data_global_st {
# define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
# define OSSL_LIB_CTX_COMP_METHODS 21
# define OSSL_LIB_CTX_INDICATOR_CB_INDEX 22
-# define OSSL_LIB_CTX_MAX_INDEXES 22
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23
+# define OSSL_LIB_CTX_MAX_INDEXES 23
@@ -102,23 +102,24 @@ typedef struct ossl_ex_data_global_st {
#define OSSL_LIB_CTX_DRBG_NONCE_INDEX 6
/* slot 7 unused, was CRNG test data and can be reused */
#ifdef FIPS_MODULE
-#define OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX 8
+#define OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX 8
#endif
-#define OSSL_LIB_CTX_FIPS_PROV_INDEX 9
-#define OSSL_LIB_CTX_ENCODER_STORE_INDEX 10
-#define OSSL_LIB_CTX_DECODER_STORE_INDEX 11
-#define OSSL_LIB_CTX_SELF_TEST_CB_INDEX 12
-#define OSSL_LIB_CTX_BIO_PROV_INDEX 13
-#define OSSL_LIB_CTX_GLOBAL_PROPERTIES 14
-#define OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX 15
-#define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
-#define OSSL_LIB_CTX_BIO_CORE_INDEX 17
-#define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
-#define OSSL_LIB_CTX_THREAD_INDEX 19
-#define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
-#define OSSL_LIB_CTX_COMP_METHODS 21
-#define OSSL_LIB_CTX_INDICATOR_CB_INDEX 22
-#define OSSL_LIB_CTX_MAX_INDEXES 22
+#define OSSL_LIB_CTX_FIPS_PROV_INDEX 9
+#define OSSL_LIB_CTX_ENCODER_STORE_INDEX 10
+#define OSSL_LIB_CTX_DECODER_STORE_INDEX 11
+#define OSSL_LIB_CTX_SELF_TEST_CB_INDEX 12
+#define OSSL_LIB_CTX_BIO_PROV_INDEX 13
+#define OSSL_LIB_CTX_GLOBAL_PROPERTIES 14
+#define OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX 15
+#define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
+#define OSSL_LIB_CTX_BIO_CORE_INDEX 17
+#define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
+#define OSSL_LIB_CTX_THREAD_INDEX 19
+#define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
+#define OSSL_LIB_CTX_COMP_METHODS 21
+#define OSSL_LIB_CTX_INDICATOR_CB_INDEX 22
+#define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23
+#define OSSL_LIB_CTX_MAX_INDEXES 23
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
index fd7f7e3331..05464b0655 100644
index a7cec01bf6..076e139de4 100644
--- a/include/internal/sslconf.h
+++ b/include/internal/sslconf.h
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
char **arg);
char **arg);
+/* Methods to support disabling all signatures with legacy digests */
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
@ -314,7 +345,7 @@ index 29a2b7fbf8..a48cbb03d2 100644
+
+int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid);
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 8ef8dc2a81..79a9c48ce2 100644
index e883ff4865..6985be0400 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -19,6 +19,7 @@
@ -325,7 +356,7 @@ index 8ef8dc2a81..79a9c48ce2 100644
#define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112
@@ -219,3 +220,16 @@ int ossl_dh_check_key(const DH *dh)
@@ -220,3 +221,16 @@ int ossl_dh_check_key(const DH *dh)
return (L == 2048 && (N == 224 || N == 256));
}
#endif /* OPENSSL_NO_DH */
@ -343,7 +374,7 @@ index 8ef8dc2a81..79a9c48ce2 100644
+ return mdnid;
+}
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index dd71fd91eb..9019fd2a80 100644
index 42823ffe14..4b80f14b40 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
@ -355,7 +386,7 @@ index dd71fd91eb..9019fd2a80 100644
/* Disable the security checks in the default provider */
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index c5adbf8002..52ed52482d 100644
index 51dcc3f230..31a89133a3 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
@ -367,7 +398,7 @@ index c5adbf8002..52ed52482d 100644
if (md == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 4018a772ff..04d4009ab5 100644
index 0c04fc4ec6..2a4faf4a71 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -197,13 +197,15 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
@ -381,7 +412,7 @@ index 4018a772ff..04d4009ab5 100644
+ /* KECCAK-256 is explicitly allowed for ECDSA despite it doesn't have a NID*/
+ if (md_nid <= 0 && !(EVP_MD_is_a(md, "KECCAK-256"))) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
"digest=%s", mdname);
goto err;
}
-#endif
@ -390,7 +421,7 @@ index 4018a772ff..04d4009ab5 100644
if (EVP_MD_xof(md)) {
ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index e75b90840b..645304b951 100644
index fcdfebbbff..bbdd037728 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -26,6 +26,7 @@
@ -417,9 +448,9 @@ index e75b90840b..645304b951 100644
+ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
+ if (md_nid <= 0) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
"digest=%s", mdname);
goto err;
@@ -1765,8 +1768,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
@@ -1760,8 +1763,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->pad_mode = pad_mode;
if (prsactx->md == NULL && pmdname == NULL
@ -436,7 +467,7 @@ index e75b90840b..645304b951 100644
if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2f71f95438..bea5cab253 100644
index cd471a636d..35d0a6f1bb 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -21,6 +21,7 @@
@ -447,7 +478,7 @@ index 2f71f95438..bea5cab253 100644
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
@@ -2178,6 +2179,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
@@ -2175,6 +2176,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
EVP_PKEY *tmpkey = EVP_PKEY_new();
int istls;
int ret = 0;
@ -455,15 +486,15 @@ index 2f71f95438..bea5cab253 100644
if (ctx == NULL)
goto err;
@@ -2195,6 +2197,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
@@ -2192,6 +2194,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
goto err;
ERR_set_mark();
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
for (i = 0, lu = sigalg_lookup_tbl;
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
@@ -2215,6 +2218,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
@@ -2212,6 +2215,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
cache[i].available = 0;
continue;
}
@ -486,5 +517,5 @@ index d377d542db..c2c55129ae 100644
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
--
2.50.0
2.52.0

12
0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
View File

@ -1,7 +1,7 @@
From 7b1b68328f640d184d6ac769a07aa436b0c3f318 Mon Sep 17 00:00:00 2001
From 074607f7c460cda25654f1ee990ddba98af6d6db Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:12:33 -0500
Subject: [PATCH 17/53] FIPS: Red Hat's FIPS module name and version
Subject: [PATCH 17/57] FIPS: Red Hat's FIPS module name and version
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -9,11 +9,11 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 4b9a057462..1e90f363af 100644
index 419878719e..0f006301d7 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -200,13 +200,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
OSSL_LIB_CTX_FIPS_PROV_INDEX);
@@ -201,13 +201,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, FIPS_VENDOR))
@ -30,5 +30,5 @@ index 4b9a057462..1e90f363af 100644
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
--
2.50.0
2.52.0

56
0018-FIPS-disable-fipsinstall.patch
View File

@ -1,7 +1,7 @@
From 4e6b86b5130552bfee64c7ecaf045ec00749ecbd Mon Sep 17 00:00:00 2001
From e43a23f06a9e23f1091f88c6dfa6c1bd4e065a7a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 18/53] FIPS: disable fipsinstall
Subject: [PATCH 18/57] FIPS: disable fipsinstall
Patch-name: 0034.fipsinstall_disable.patch
Patch-id: 34
@ -10,24 +10,24 @@ Patch-status: |
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
apps/fipsinstall.c | 3 +
doc/man1/openssl-fipsinstall.pod.in | 485 +-------------------------
doc/man1/openssl-fipsinstall.pod.in | 481 +-------------------------
doc/man1/openssl.pod | 4 -
doc/man5/config.pod | 1 -
doc/man5/fips_config.pod | 228 +-----------
doc/man5/fips_config.pod | 222 +-----------
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
test/recipes/00-prep_fipsmodule_cnf.t | 10 +-
test/recipes/01-test_fipsmodule_cnf.t | 7 +-
test/recipes/03-test_fipsinstall.t | 2 +
9 files changed, 22 insertions(+), 719 deletions(-)
9 files changed, 22 insertions(+), 709 deletions(-)
mode change 100644 => 100755 test/recipes/00-prep_fipsmodule_cnf.t
mode change 100644 => 100755 test/recipes/01-test_fipsmodule_cnf.t
mode change 100644 => 100755 test/recipes/03-test_fipsinstall.t
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 0daa55a1b8..b4e29ac301 100644
index dcc09a5ed7..e3d5f6e86d 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -590,6 +590,9 @@ int fipsinstall_main(int argc, char **argv)
@@ -636,6 +636,9 @@ int fipsinstall_main(int argc, char **argv)
EVP_MAC *mac = NULL;
CONF *conf = NULL;
@ -38,10 +38,10 @@ index 0daa55a1b8..b4e29ac301 100644
goto end;
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 9dd4f5a49f..9a063022a9 100644
index 2db5acd242..1c6b783413 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -8,488 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
@@ -8,484 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
=head1 SYNOPSIS
B<openssl fipsinstall>
@ -274,9 +274,7 @@ index 9dd4f5a49f..9a063022a9 100644
-
-=item B<-hkdf_digest_check>
-
-Configure the module to enable a run-time digest check when deriving a key by
-HKDF.
-See NIST SP 800-56Cr2 for details.
-This option is deprecated.
-
-=item B<-tls13_kdf_digest_check>
-
@ -298,9 +296,7 @@ index 9dd4f5a49f..9a063022a9 100644
-
-=item B<-sskdf_digest_check>
-
-Configure the module to enable a run-time digest check when deriving a key by
-SSKDF.
-See NIST SP 800-56Cr2 for details.
-This option is deprecated.
-
-=item B<-x963kdf_digest_check>
-
@ -410,7 +406,7 @@ index 9dd4f5a49f..9a063022a9 100644
-
-=item B<-self_test_oninstall>
-
-The converse of B<-self_test_oninstall>. The two fields related to the
-The converse of B<-self_test_onload>. The two fields related to the
-"test status indicator" and "MAC status indicator" are written to the
-output configuration file.
-This field is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
@ -534,7 +530,7 @@ index 9dd4f5a49f..9a063022a9 100644
=head1 COPYRIGHT
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index edef2ff598..0762a00d74 100644
index 635b52aeb1..55bc6e44c6 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -139,10 +139,6 @@ Engine (loadable module) information and manipulation.
@ -561,10 +557,10 @@ index b994081924..7a6d7fab4a 100644
L<EVP_set_default_properties(3)>,
L<CONF_modules_load(3)>,
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
index a25ced3383..15748c5756 100644
index c3f7b8f3ab..2505938c13 100644
--- a/doc/man5/fips_config.pod
+++ b/doc/man5/fips_config.pod
@@ -6,230 +6,10 @@ fips_config - OpenSSL FIPS configuration
@@ -6,224 +6,10 @@ fips_config - OpenSSL FIPS configuration
=head1 DESCRIPTION
@ -624,17 +620,11 @@ index a25ced3383..15748c5756 100644
-
-=item B<install-status>
-
-An indicator that the self-tests were successfully run.
-This should only be written after the module has
-successfully passed its self tests during installation.
-If this field is not present, then the self tests will run when the module
-loads.
-This field is deprecated and is no longer used.
-
-=item B<install-mac>
-
-A MAC of the value of the B<install-status> option, to prevent accidental
-changes to that value.
-It is written-to at the same time as B<install-status> is updated.
-This field is deprecated and is no longer used.
-
-=back
-
@ -674,7 +664,7 @@ index a25ced3383..15748c5756 100644
-
-=item B<hkdf-digest-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_digest_check>
-This option is deprecated.
-
-=item B<tls13-kdf-digest-check>
-
@ -690,7 +680,7 @@ index a25ced3383..15748c5756 100644
-
-=item B<sskdf-digest-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_digest_check>
-This option is deprecated.
-
-=item B<x963kdf-digest-check>
-
@ -800,10 +790,10 @@ index a25ced3383..15748c5756 100644
=head1 COPYRIGHT
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index 571a1e99e0..1e384a4ff3 100644
index d14005a89a..c3797f5682 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -588,7 +588,6 @@ process.
@@ -574,7 +574,6 @@ process.
=head1 SEE ALSO
@ -853,7 +843,7 @@ index ce594817d5..4530a46dd0
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
old mode 100644
new mode 100755
index 1f9110ef60..7e80637bd5
index 3dcbe67c6d..1a5a475d91
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -22,6 +22,8 @@ use lib srctop_dir('Configurations');
@ -866,5 +856,5 @@ index 1f9110ef60..7e80637bd5
# Compatible options for pedantic FIPS compliance
--
2.50.0
2.52.0

8
0019-FIPS-Force-fips-provider-on.patch
View File

@ -1,7 +1,7 @@
From a8e98667597d46e69e492779b9d5daa051f6b3b3 Mon Sep 17 00:00:00 2001
From b8a5ce1fbad62e0f7b023aab827d2888413d5ced Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 19/53] FIPS: Force fips provider on
Subject: [PATCH 19/57] FIPS: Force fips provider on
Patch-name: 0032-Force-fips.patch
Patch-id: 32
@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
index 9649517dd2..1e5053cbce 100644
index f2e76ac402..a2a8a9942c 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -10,6 +10,8 @@
@ -75,5 +75,5 @@ index 9649517dd2..1e5053cbce 100644
}
--
2.50.0
2.52.0

40
0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
View File

@ -1,7 +1,7 @@
From fff4084252d07eb17e3b944c6438c00aec471c7f Mon Sep 17 00:00:00 2001
From 310346f65db4e3b6052cf165f890f13bfd645f5c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 20/53] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
Subject: [PATCH 20/57] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
Corrected by squashing in:
0052-Restore-the-correct-verify_integrity-function.patch
@ -20,10 +20,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
create mode 100644 test/fipsmodule.cnf
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index ef7be26ca7..8b17b8ca94 100644
index 008a4fac84..c72e2605c4 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -235,13 +235,137 @@ err:
@@ -237,13 +237,137 @@ err:
return ok;
}
@ -157,12 +157,12 @@ index ef7be26ca7..8b17b8ca94 100644
+}
+
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
- unsigned char *expected, size_t expected_len,
+ const unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
const char *event_type)
- unsigned char *expected, size_t expected_len,
+ const unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
const char *event_type)
{
@@ -253,6 +377,9 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
@@ -255,6 +379,9 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
@ -172,7 +172,7 @@ index ef7be26ca7..8b17b8ca94 100644
if (!integrity_self_test(ev, libctx))
goto err;
@@ -316,7 +443,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
@@ -318,7 +445,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
int ok = 0;
long checksum_len;
OSSL_CORE_BIO *bio_module = NULL;
@ -182,22 +182,22 @@ index ef7be26ca7..8b17b8ca94 100644
OSSL_SELF_TEST *ev = NULL;
EVP_RAND *testrand = NULL;
EVP_RAND_CTX *rng;
@@ -352,8 +480,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
@@ -354,8 +482,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
return 0;
}
- if (st == NULL
- || st->module_checksum_data == NULL) {
- || st->module_checksum_data == NULL) {
+ if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
@@ -362,8 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
@@ -364,8 +491,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
- &checksum_len);
- &checksum_len);
+ if (st->module_checksum_data == NULL) {
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
@ -210,14 +210,14 @@ index ef7be26ca7..8b17b8ca94 100644
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
@@ -371,14 +505,28 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
@@ -373,14 +507,28 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
/* Always check the integrity of the fips module */
- if (bio_module == NULL
- || !verify_integrity(bio_module, st->bio_read_ex_cb,
- module_checksum, checksum_len, st->libctx,
- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
- || !verify_integrity(bio_module, st->bio_read_ex_cb,
- module_checksum, checksum_len, st->libctx,
- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ if (bio_module == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
goto end;
@ -243,7 +243,7 @@ index ef7be26ca7..8b17b8ca94 100644
if (!SELF_TEST_kats(ev, st->libctx)) {
ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
goto end;
@@ -398,7 +546,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
@@ -401,7 +549,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
end:
EVP_RAND_free(testrand);
OSSL_SELF_TEST_free(ev);
@ -261,5 +261,5 @@ index 0000000000..f05d0dedbe
+[fips_sect]
+activate = 1
--
2.50.0
2.52.0

6
0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
View File

@ -1,7 +1,7 @@
From 9633d1339e383fdb008c25635baa86c58b3dcdc4 Mon Sep 17 00:00:00 2001
From 7fb0257ff4158f41306b730e0b2851bcd6d22747 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 20 Feb 2025 15:30:32 -0500
Subject: [PATCH 21/53] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
Subject: [PATCH 21/57] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
This script rewrites the fips.so binary to embed the hmac result into it
so that after a build it can be called to make the fips.so as modified
@ -28,5 +28,5 @@ index 0000000000..54ae60b07f
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
--
2.50.0
2.52.0

12
0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
View File

@ -1,7 +1,7 @@
From 391ce06974d5efaf8485ac2386a857d7644db30a Mon Sep 17 00:00:00 2001
From a155bf631d4d923ed08f554344c44d07571d6e02 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 22/53] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
Subject: [PATCH 22/57] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
@ -13,10 +13,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index 8b17b8ca94..0f5074936f 100644
index c72e2605c4..470cf1fc28 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -489,6 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
@@ -491,6 +491,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
@ -32,7 +32,7 @@ index 8b17b8ca94..0f5074936f 100644
if (st->module_checksum_data == NULL) {
module_checksum = fips_hmac_container;
checksum_len = sizeof(fips_hmac_container);
@@ -527,11 +536,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
@@ -529,11 +538,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
}
}
@ -45,5 +45,5 @@ index 8b17b8ca94..0f5074936f 100644
rng = ossl_rand_get0_private_noncreating(st->libctx);
if (rng != NULL)
--
2.50.0
2.52.0

28
0023-FIPS-RSA-encrypt-limits-REVIEW.patch
View File

@ -1,7 +1,7 @@
From 821f291d29bf73802287ed74922e1d22d840cb46 Mon Sep 17 00:00:00 2001
From 97d32c648aa0ba85165f40a9b9fca194301420fa Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 23/53] FIPS: RSA: encrypt limits - REVIEW
Subject: [PATCH 23/57] FIPS: RSA: encrypt limits - REVIEW
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
Patch-id: 58
@ -19,10 +19,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
mode change 100644 => 100755 test/recipes/80-test_ssl_old.t
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 79a9c48ce2..0e517542bc 100644
index 6985be0400..37000c8627 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -65,6 +65,7 @@ int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
@@ -66,6 +66,7 @@ int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
*/
@ -44,12 +44,12 @@ index 78f9fc0655..6bd783eb0a 100644
OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 6ee127caff..2a7c2f159e 100644
index 4995b00102..0b14fbc58d 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -168,6 +168,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
@@ -174,6 +174,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
return 0;
}
#endif
+# ifdef FIPS_MODULE
+ if (prsactx->pad_mode == RSA_NO_PADDING) {
@ -64,9 +64,9 @@ index 6ee127caff..2a7c2f159e 100644
+# endif
+
if (out == NULL) {
size_t len = RSA_size(prsactx->rsa);
@@ -230,6 +242,20 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
*outlen = len;
return 1;
@@ -234,6 +246,20 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
if (!ossl_prov_is_running())
return 0;
@ -911,10 +911,10 @@ index 18e11bdaa9..17ceb59148 100644
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 5c967c5818..d13dceaac5 100644
index 279a498475..c278987186 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
@@ -267,7 +267,7 @@ my @smime_pkcs7_tests = (
if ($no_fips || $old_fips) {
push(@smime_pkcs7_tests,
@ -923,7 +923,7 @@ index 5c967c5818..d13dceaac5 100644
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
"-aes256", "-stream", "-out", "{output}.cms",
$smrsa1,
@@ -1267,6 +1267,9 @@ sub check_availability {
@@ -1284,6 +1284,9 @@ sub check_availability {
return "$tnam: skipped, DSA disabled\n"
if ($no_dsa && $tnam =~ / DSA/);
@ -981,5 +981,5 @@ index f7be2e1872..568a1ddba4
}
next if $protocol eq "-tls1_3";
--
2.50.0
2.52.0

28
0024-FIPS-RSA-PCTs.patch
View File

@ -1,7 +1,7 @@
From 84dc66a182dba38876b2b519a8a5c9d38fd967a3 Mon Sep 17 00:00:00 2001
From 034d02d047e4a4d84d5c8ca2b54557b1679e8610 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:37 -0400
Subject: [PATCH 24/53] FIPS: RSA: PCTs
Subject: [PATCH 24/57] FIPS: RSA: PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -10,10 +10,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
2 files changed, 61 insertions(+), 4 deletions(-)
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 77d0950094..f0e71beb43 100644
index 3582936d67..383c3071a9 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -433,6 +433,7 @@ struct rsa_gen_ctx {
@@ -428,6 +428,7 @@ struct rsa_gen_ctx {
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
/* ACVP test parameters */
OSSL_PARAM *acvp_test_params;
@ -21,7 +21,7 @@ index 77d0950094..f0e71beb43 100644
#endif
};
@@ -446,6 +447,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
@@ -441,6 +442,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
return gctx->cb(params, gctx->cbarg);
}
@ -32,9 +32,9 @@ index 77d0950094..f0e71beb43 100644
+#endif
+
static void *gen_init(void *provctx, int selection, int rsa_type,
const OSSL_PARAM params[])
const OSSL_PARAM params[])
{
@@ -473,6 +480,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
@@ -468,6 +475,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
if (!rsa_gen_set_params(gctx, params))
goto err;
@ -45,7 +45,7 @@ index 77d0950094..f0e71beb43 100644
return gctx;
err:
@@ -629,6 +640,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
@@ -624,6 +635,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
rsa = rsa_tmp;
rsa_tmp = NULL;
@ -54,10 +54,10 @@ index 77d0950094..f0e71beb43 100644
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
+ abort();
+#endif
err:
err:
BN_GENCB_free(gencb);
RSA_free(rsa_tmp);
@@ -644,6 +660,8 @@ static void rsa_gen_cleanup(void *genctx)
@@ -639,6 +655,8 @@ static void rsa_gen_cleanup(void *genctx)
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
gctx->acvp_test_params = NULL;
@ -67,7 +67,7 @@ index 77d0950094..f0e71beb43 100644
BN_clear_free(gctx->pub_exp);
OPENSSL_free(gctx);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 645304b951..3d5af1046a 100644
index bbdd037728..4e0744eeba 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -37,7 +37,7 @@
@ -97,7 +97,7 @@ index 645304b951..3d5af1046a 100644
{
PROV_RSA_CTX *prsactx = NULL;
char *propq_copy = NULL;
@@ -1316,7 +1316,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
@@ -1309,7 +1309,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
return ok;
}
@ -106,7 +106,7 @@ index 645304b951..3d5af1046a 100644
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
@@ -1866,6 +1866,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
@@ -1861,6 +1861,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
return EVP_MD_settable_ctx_params(prsactx->md);
}
@ -153,5 +153,5 @@ index 645304b951..3d5af1046a 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
--
2.50.0
2.52.0

10
0025-FIPS-RSA-encapsulate-limits.patch
View File

@ -1,7 +1,7 @@
From 0e23d3fc43bf4ace817542443d772407a809dd19 Mon Sep 17 00:00:00 2001
From ca999ba4305afdf6b8465708ecc1a472543bbad6 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 25/53] FIPS: RSA: encapsulate limits
Subject: [PATCH 25/57] FIPS: RSA: encapsulate limits
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
@ -14,7 +14,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
2 files changed, 15 insertions(+)
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 7494dcc010..5d6123e8cb 100644
index f7bf368a0d..a05cf7c748 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -284,6 +284,13 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
@ -31,7 +31,7 @@ index 7494dcc010..5d6123e8cb 100644
if (out == NULL) {
if (nlen == 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
@@ -360,6 +367,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
@@ -359,6 +366,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
/* Step (1): get the byte length of n */
nlen = RSA_size(prsactx->rsa);
@ -55,5 +55,5 @@ index ecab1454e7..8e5edd35fe 100644
Op = RSASVE
+Result = TEST_ENCAPSULATE_LEN_ERROR
--
2.50.0
2.52.0

10
0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
View File

@ -1,7 +1,7 @@
From bb269a8f52e1be87144247772e2425b2f4911bee Mon Sep 17 00:00:00 2001
From 05d9c9154e199bb4a84e215f0b20bd06ac5081d8 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 26/53] FIPS: RSA: Disallow SHAKE in OAEP and PSS
Subject: [PATCH 26/57] FIPS: RSA: Disallow SHAKE in OAEP and PSS
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
must not be used in higher-level algorithms (such as RSA-OAEP and
@ -25,7 +25,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
2 files changed, 32 insertions(+)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 5a1c080fcd..11cd78618b 100644
index 453205b56c..e45d4bc278 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -76,6 +76,14 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
@ -59,7 +59,7 @@ index 5a1c080fcd..11cd78618b 100644
/* XOF are approved as standalone; Shake256 in Ed448; MGF */
if (EVP_MD_xof(md)) {
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index a2bc198a89..2833ca50f3 100644
index 98d6e70346..7fe78b9055 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -61,6 +61,14 @@ int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
@ -93,5 +93,5 @@ index a2bc198a89..2833ca50f3 100644
if (hLen <= 0)
goto err;
--
2.50.0
2.52.0

18
0027-FIPS-RSA-size-mode-restrictions.patch
View File

@ -1,7 +1,7 @@
From f177c315c190537fe6a1bb0620024ae86bb95c8a Mon Sep 17 00:00:00 2001
From 4191527585ab1e8923249885cbf87d2f91b8804f Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:20:30 -0500
Subject: [PATCH 27/53] FIPS: RSA: size/mode restrictions
Subject: [PATCH 27/57] FIPS: RSA: size/mode restrictions
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -12,10 +12,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
4 files changed, 86 insertions(+), 4 deletions(-)
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 3d5af1046a..09c202f87c 100644
index 4e0744eeba..f38431fd60 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -939,6 +939,19 @@ static int rsa_verify_recover(void *vprsactx,
@@ -935,6 +935,19 @@ static int rsa_verify_recover(void *vprsactx,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
@ -35,8 +35,8 @@ index 3d5af1046a..09c202f87c 100644
if (!ossl_prov_is_running())
return 0;
@@ -1033,6 +1046,19 @@ static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
const unsigned char *tbs, size_t tbslen)
@@ -1027,6 +1040,19 @@ static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
const unsigned char *tbs, size_t tbslen)
{
size_t rslen;
+# ifdef FIPS_MODULE
@ -56,7 +56,7 @@ index 3d5af1046a..09c202f87c 100644
if (!ossl_prov_is_running())
return 0;
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 19420d6c6a..5ab1ccee93 100644
index 15be7e8067..823ad48e02 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -350,6 +350,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
@ -70,7 +70,7 @@ index 19420d6c6a..5ab1ccee93 100644
* We ignore any errors from the fetches below. They are expected to fail
* if these algorithms are not available.
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt
index f1dc5dd2a2..6ae973eaac 100644
index 42819f7c41..65a75469f9 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt
@@ -268,8 +268,19 @@ TwIDAQAB
@ -437,5 +437,5 @@ index 17ceb59148..972e90f32f 100644
# Signing with SHA1 is not allowed in fips mode
Availablein = fips
--
2.50.0
2.52.0

6
0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
View File

@ -1,7 +1,7 @@
From bc8584fab56834724a8aa70aba1c1f56f1d794e2 Mon Sep 17 00:00:00 2001
From d72621c7c9fd09b4d6a917b3a721f0fd114b950d Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 11:03:45 -0400
Subject: [PATCH 28/53] FIPS: RSA: Mark x931 as not approved by default
Subject: [PATCH 28/57] FIPS: RSA: Mark x931 as not approved by default
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -22,5 +22,5 @@ index 6bd783eb0a..c1b029de86 100644
OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
--
2.50.0
2.52.0

6
0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
View File

@ -1,7 +1,7 @@
From 7a34ce0dbb64dd29e412dffb0628815eed4a8b96 Mon Sep 17 00:00:00 2001
From 3618981a35438119a4027d1bf3cb3902431adaa4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 29/53] FIPS: RSA: Remove X9.31 padding signatures tests
Subject: [PATCH 29/57] FIPS: RSA: Remove X9.31 padding signatures tests
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
@ -278,5 +278,5 @@ index 97ec1ff3e5..31fa0eafc6 100644
"pss",
4096,
--
2.50.0
2.52.0

6
0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
View File

@ -1,7 +1,7 @@
From c031855ff636806e7811513779e494b92808a1e4 Mon Sep 17 00:00:00 2001
From 83b5a2e3a74780873c8831fd8e3cc6bde0006820 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:12:02 -0500
Subject: [PATCH 30/53] FIPS: RSA: NEEDS-REWORK:
Subject: [PATCH 30/57] FIPS: RSA: NEEDS-REWORK:
FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed
Signed-off-by: Simo Sorce <simo@redhat.com>
@ -383,5 +383,5 @@ index 0000000000..2833a383c1
+--
+
--
2.50.0
2.52.0

55
0031-FIPS-Deny-SHA-1-signature-verification.patch
View File

@ -1,7 +1,7 @@
From 5fd8ab23690e661f785336b95799e74b39089790 Mon Sep 17 00:00:00 2001
From 7061b3b659e0386efa58d9dfb94a4f84832884d0 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 31/53] FIPS: Deny SHA-1 signature verification
Subject: [PATCH 31/57] FIPS: Deny SHA-1 signature verification
For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
@ -31,62 +31,65 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
Bug Id: https://bugzilla.redhat.com/show_bug.cgi?id=2087147
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
providers/implementations/signature/dsa_sig.c | 4 +-
.../implementations/signature/ecdsa_sig.c | 4 +-
providers/implementations/signature/rsa_sig.c | 8 ++-
providers/implementations/signature/dsa_sig.c | 5 +-
.../implementations/signature/ecdsa_sig.c | 5 +-
providers/implementations/signature/rsa_sig.c | 9 +--
.../30-test_evp_data/evppkey_ecdsa.txt | 11 +++-
.../30-test_evp_data/evppkey_ecdsa_sigalg.txt | 64 ++++++++++++++++---
.../30-test_evp_data/evppkey_rsa_common.txt | 58 +++++++++++++++--
test/recipes/80-test_cms.t | 4 +-
test/recipes/80-test_ssl_old.t | 4 ++
8 files changed, 130 insertions(+), 27 deletions(-)
8 files changed, 130 insertions(+), 30 deletions(-)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index 52ed52482d..0d3050dbe9 100644
index 31a89133a3..0de750c247 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -187,9 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
@@ -187,10 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
}
#ifdef FIPS_MODULE
{
- int sha1_allowed
- = ((ctx->operation
- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG))
- == 0);
+ int sha1_allowed = 0;
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 04d4009ab5..4e46eaf9bc 100644
index 2a4faf4a71..f5c101005f 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -214,9 +214,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
@@ -214,10 +214,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
#ifdef FIPS_MODULE
{
- int sha1_allowed
- = ((ctx->operation
- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG))
- == 0);
+ int sha1_allowed = 0;
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 09c202f87c..014b17fe49 100644
index f38431fd60..e90ce3c223 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
@@ -407,10 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
}
#ifdef FIPS_MODULE
{
- int sha1_allowed
- = ((ctx->operation
- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG))
- == 0);
+ int sha1_allowed = 0;
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
@@ -1795,11 +1793,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
OSSL_FIPS_IND_SETTABLE1,
@@ -1790,11 +1787,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
if (prsactx->md == NULL && pmdname == NULL
&& pad_mode == RSA_PKCS1_PSS_PADDING) {
@ -103,7 +106,7 @@ index 09c202f87c..014b17fe49 100644
if (pmgf1mdname != NULL
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index 06ec905be0..1602f0c521 100644
index 4c47fa68c2..484668440f 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
@ -176,8 +179,8 @@ index 06ec905be0..1602f0c521 100644
-Result = KEYOP_MISMATCH
+Result = PKEY_CTRL_ERROR
Title = XOF disallowed
FIPSversion = >=3.6.0
Sign = P-256
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
index 0ff482e4e8..d407ea1ca8 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
@ -660,10 +663,10 @@ index 972e90f32f..61e2b4e3ac 100644
Availablein = fips
FIPSversion = >=3.4.0
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index d13dceaac5..ece29485f4 100644
index c278987186..91283c5e74 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -174,7 +174,7 @@ my @smime_pkcs7_tests = (
@@ -183,7 +183,7 @@ my @smime_pkcs7_tests = (
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
"-certfile", $smroot,
"-signer", $smrsa1, "-out", "{output}.cms" ],
@ -672,7 +675,7 @@ index d13dceaac5..ece29485f4 100644
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
@@ -182,7 +182,7 @@ my @smime_pkcs7_tests = (
@@ -191,7 +191,7 @@ my @smime_pkcs7_tests = (
[ "signed zero-length content S/MIME format, RSA key SHA1",
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
@ -704,5 +707,5 @@ index 568a1ddba4..6332aaec4b 100755
SKIP: {
skip "No IPv4 available on this machine", 4
--
2.50.0
2.52.0

81
0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
View File

@ -1,7 +1,7 @@
From 85acc91ca970f6509e67c93b46be12cf261bd3ad Mon Sep 17 00:00:00 2001
From 80a4d4da42db9711d06953f4dcd6e9f29c001292 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 32/53] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
Subject: [PATCH 32/57] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
providers/implementations/rands/crngt.c is gone
@ -14,11 +14,11 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/rand/prov_seed.c | 9 ++-
providers/implementations/rands/drbg.c | 11 ++-
.../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
3 files changed, 22 insertions(+), 66 deletions(-)
.../implementations/rands/seeding/rand_unix.c | 70 ++-----------------
3 files changed, 23 insertions(+), 67 deletions(-)
diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
index 2985c7f2d8..3202a28226 100644
index 8466ded8ab..24feab20e5 100644
--- a/crypto/rand/prov_seed.c
+++ b/crypto/rand/prov_seed.c
@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused OSSL_LIB_CTX *ctx,
@ -38,10 +38,10 @@ index 2985c7f2d8..3202a28226 100644
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
return 0;
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index 4925a3b400..1cdb67b22c 100644
index f9d90d5d43..6b23d55cf5 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -559,6 +559,9 @@ static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
@@ -556,6 +556,9 @@ static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
#endif
}
@ -50,13 +50,13 @@ index 4925a3b400..1cdb67b22c 100644
+#endif
/* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen,
@@ -680,8 +683,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
drbg->min_entropylen, drbg->max_entropylen,
@@ -677,8 +680,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
reseed_required = 1;
}
if (drbg->parent != NULL
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
+#ifdef FIPS_MODULE
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
@ -68,19 +68,26 @@ index 4925a3b400..1cdb67b22c 100644
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
index c3a5d8b3bf..b7b34a9345 100644
index 80ae817313..1e73a1ec28 100644
--- a/providers/implementations/rands/seeding/rand_unix.c
+++ b/providers/implementations/rands/seeding/rand_unix.c
@@ -53,6 +53,8 @@
# include <fcntl.h>
# include <unistd.h>
# include <sys/time.h>
+# include <sys/random.h>
+# include <openssl/evp.h>
@@ -47,12 +47,14 @@
#endif
#if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \
- || defined(__DJGPP__)
+ || defined(__DJGPP__)
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/time.h>
+#include <sys/random.h>
+#include <openssl/evp.h>
static uint64_t get_time_stamp(void);
@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
@@ -338,70 +340,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
* between size_t and ssize_t is safe even without a range check.
*/
@ -97,8 +104,8 @@ index c3a5d8b3bf..b7b34a9345 100644
- * Note: Sometimes getentropy() can be provided but not implemented
- * internally. So we need to check errno for ENOSYS
- */
-# if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__)
-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
-#if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__)
-#if defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__) && !defined(__hpux)
- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
-
- if (getentropy != NULL) {
@ -107,13 +114,13 @@ index c3a5d8b3bf..b7b34a9345 100644
- if (errno != ENOSYS)
- return -1;
- }
-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
-#elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
-
- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
- return (ssize_t)buflen;
- return (ssize_t)buflen;
-
- return -1;
-# else
-#else
- union {
- void *p;
- int (*f)(void *buffer, size_t length);
@ -128,31 +135,31 @@ index c3a5d8b3bf..b7b34a9345 100644
- ERR_pop_to_mark();
- if (p_getentropy.p != NULL)
- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
-# endif
-# endif /* !__DragonFly__ && !__NetBSD__ && !__FreeBSD__ */
-#endif
-#endif /* !__DragonFly__ && !__NetBSD__ && !__FreeBSD__ */
-
- /* Linux supports this since version 3.17 */
-# if defined(__linux) && defined(__NR_getrandom)
-#if defined(__linux) && defined(__NR_getrandom)
- return syscall(__NR_getrandom, buf, buflen, 0);
-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \
- || (defined(__FreeBSD__) && __FreeBSD_version >= 1200061)
-#elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \
- || (defined(__FreeBSD__) && __FreeBSD_version >= 1200061)
- return getrandom(buf, buflen, 0);
-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
-#elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
- return sysctl_random(buf, buflen);
-# elif defined(__wasi__)
-#elif defined(__wasi__)
- if (getentropy(buf, buflen) == 0)
- return (ssize_t)buflen;
- return (ssize_t)buflen;
- return -1;
-# else
-#else
- errno = ENOSYS;
- return -1;
-# endif
-#endif
+ /* Red Hat uses downstream patch to always seed from getrandom() */
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
}
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
#endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
--
2.50.0
2.52.0

16
0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
View File

@ -1,7 +1,7 @@
From d2369dfc75e2b121650bc51f5ac3e0e7c9b75a29 Mon Sep 17 00:00:00 2001
From 2d385a2615dd7c6f33f824183ec6f65ef2c9327c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 33/53] FIPS: RAND: Forbid truncated hashes & SHA-3
Subject: [PATCH 33/57] FIPS: RAND: Forbid truncated hashes & SHA-3
Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs"
of the Implementation Guidance for FIPS 140-3 [1] notes that there is no
@ -30,12 +30,12 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
3 files changed, 187 insertions(+), 34 deletions(-)
diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c
index 8bb831ae35..cedf5c3894 100644
index 92eb443c6e..a63b21eade 100644
--- a/providers/implementations/rands/drbg_hash.c
+++ b/providers/implementations/rands/drbg_hash.c
@@ -579,6 +579,18 @@ static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]
if (!ossl_drbg_verify_digest(ctx, libctx, md))
return 0; /* Error already raised for us */
return 0; /* Error already raised for us */
+#ifdef FIPS_MODULE
+ if (!EVP_MD_is_a(md, SN_sha1)
@ -53,12 +53,12 @@ index 8bb831ae35..cedf5c3894 100644
md_size = EVP_MD_get_size(md);
if (md_size <= 0)
diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c
index 43b3f8766e..64b7610cd1 100644
index ff8a6cd6f0..d041897bb8 100644
--- a/providers/implementations/rands/drbg_hmac.c
+++ b/providers/implementations/rands/drbg_hmac.c
@@ -505,6 +505,18 @@ static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]
@@ -522,6 +522,18 @@ static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]
if (md != NULL && !ossl_drbg_verify_digest(ctx, libctx, md))
return 0; /* Error already raised for us */
return 0; /* Error already raised for us */
+#ifdef FIPS_MODULE
+ if (!EVP_MD_is_a(md, SN_sha1)
@ -1191,5 +1191,5 @@ index 9756859c0e..9baecf6f31 100644
+#Nonce.0 = 15e32abbae6b7433
+#Output.0 = ee9f
--
2.50.0
2.52.0

28
0034-FIPS-PBKDF2-Set-minimum-password-length.patch
View File

@ -1,7 +1,7 @@
From 1a83f0de8b9aaa1cf5727f0599b089346ffd89f4 Mon Sep 17 00:00:00 2001
From 0be17f1220667a7c7758e10dead4be80d521b3fc Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 34/53] FIPS: PBKDF2: Set minimum password length
Subject: [PATCH 34/57] FIPS: PBKDF2: Set minimum password length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -30,13 +30,13 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index b383314064..68f9355b7d 100644
index 581c8f8799..cc15db4c73 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -36,6 +36,21 @@
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
#define KDF_PBKDF2_MIN_ITERATIONS 1000
#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
+/* The Implementation Guidance for FIPS 140-3 says in section D.N
+ * "Password-Based Key Derivation for Storage Applications" that "the vendor
+ * shall document in the modules Security Policy the length of
@ -59,10 +59,10 @@ index b383314064..68f9355b7d 100644
}
static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
- size_t keylen, int *error,
- const char **desc)
+ size_t keylen, size_t passlen,
+ int *error, const char **desc)
- size_t keylen, int *error,
- const char **desc)
+ size_t keylen, size_t passlen,
+ int *error, const char **desc)
{
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
*error = PROV_R_KEY_SIZE_TOO_SMALL;
@ -84,9 +84,9 @@ index b383314064..68f9355b7d 100644
int error = 0;
const char *desc = NULL;
int approved = pbkdf2_lower_bound_check_passed(ctx->salt_len, ctx->iter,
- keylen, &error, &desc);
+ keylen, ctx->pass_len,
+ &error, &desc);
- keylen, &error, &desc);
+ keylen, ctx->pass_len,
+ &error, &desc);
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx,
@ -111,11 +111,11 @@ index b383314064..68f9355b7d 100644
if (lower_bound_checks) {
int error = 0;
int passed = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen,
- &error, NULL);
+ passlen, &error, NULL);
- &error, NULL);
+ passlen, &error, NULL);
if (!passed) {
ERR_raise(ERR_LIB_PROV, error);
--
2.50.0
2.52.0

14
0035-FIPS-DH-PCT.patch
View File

@ -1,7 +1,7 @@
From 5276208d8cb9a1504ec5a4f9a9d554daf7918731 Mon Sep 17 00:00:00 2001
From a1ee967fae9cb6f4a06d4ffbcd62c6efd9ac05f0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:49:00 -0400
Subject: [PATCH 35/53] FIPS: DH: PCT
Subject: [PATCH 35/57] FIPS: DH: PCT
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -9,7 +9,7 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 26 insertions(+)
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 7132b9b68e..189bfc3e8b 100644
index 2d9f7a8100..ae47dc2cd9 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
@ -46,7 +46,7 @@ index 7132b9b68e..189bfc3e8b 100644
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -369,8 +382,21 @@ static int generate_key(DH *dh)
@@ -370,8 +383,21 @@ static int generate_key(DH *dh)
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
goto err;
@ -60,14 +60,14 @@ index 7132b9b68e..189bfc3e8b 100644
dh->pub_key = pub_key;
dh->priv_key = priv_key;
+#ifdef FIPS_MODULE
+ if (ossl_dh_check_pairwise(dh) <= 0) {
+ if (ossl_dh_check_pairwise(dh, 0) <= 0) {
+ abort();
+ }
+#endif
+
dh->dirty_cnt++;
ok = 1;
err:
err:
--
2.50.0
2.52.0

91
0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
View File

@ -1,7 +1,7 @@
From ad3ca70961e0067afd8c8b386fdcc61a576ac11b Mon Sep 17 00:00:00 2001
From a7ddcb6ceef64c92b5c21389900477bc3a38f46d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 36/53] FIPS: DH: Disable FIPS 186-4 type parameters
Subject: [PATCH 36/57] FIPS: DH: Disable FIPS 186-4 type parameters
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
@ -29,17 +29,17 @@ NOTE: Dropped changes in test/recipes/80-test_cms.t
crypto/dh/dh_check.c | 12 ++--
crypto/dh/dh_gen.c | 12 +++-
crypto/dh/dh_key.c | 13 ++--
crypto/dh/dh_pmeth.c | 10 +++-
crypto/dh/dh_pmeth.c | 16 +++--
providers/implementations/keymgmt/dh_kmgmt.c | 5 ++
test/endecode_test.c | 4 +-
test/evp_libctx_test.c | 2 +-
test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++
test/helpers/predefined_dhparams.h | 1 +
test/recipes/80-test_ssl_old.t | 3 +
11 files changed, 116 insertions(+), 18 deletions(-)
11 files changed, 119 insertions(+), 21 deletions(-)
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
index 1aaa88daca..aa3a491799 100644
index f68429862c..00b229a295 100644
--- a/crypto/dh/dh_backend.c
+++ b/crypto/dh/dh_backend.c
@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
@ -56,14 +56,14 @@ index 1aaa88daca..aa3a491799 100644
+ }
+#endif
+
param_priv_len =
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
param_priv_len = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
if (param_priv_len != NULL
&& (!OSSL_PARAM_get_long(param_priv_len, &priv_len)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index ae23f61839..6e30a9b735 100644
index 3002609b68..2aabdd2908 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
@@ -58,13 +58,15 @@ int DH_check_params(const DH *dh, int *ret)
nid = DH_get_nid((DH *)dh);
if (nid != NID_undef)
return 1;
@ -75,7 +75,7 @@ index ae23f61839..6e30a9b735 100644
+ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
*/
- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
- FFC_PARAM_TYPE_DH, ret, NULL);
- FFC_PARAM_TYPE_DH, ret, NULL);
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
+ "FIPS 186-4 type domain parameters no longer allowed in"
+ " FIPS mode, since the required validation routines were"
@ -85,12 +85,12 @@ index ae23f61839..6e30a9b735 100644
#else
int DH_check_params(const DH *dh, int *ret)
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index b73bfb7f3b..275ce2c1af 100644
index 094b6e70c7..d0c1fc5367 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
BN_GENCB *cb)
BN_GENCB *cb)
{
- int ret, res;
+ int ret = 0;
@ -100,13 +100,13 @@ index b73bfb7f3b..275ce2c1af 100644
+
if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH,
pbits, qbits, &res, cb);
FFC_PARAM_TYPE_DH,
pbits, qbits, &res, cb);
else
-#endif
ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH,
pbits, qbits, &res, cb);
FFC_PARAM_TYPE_DH,
pbits, qbits, &res, cb);
+#else
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
@ -118,10 +118,10 @@ index b73bfb7f3b..275ce2c1af 100644
dh->dirty_cnt++;
return ret;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 189bfc3e8b..023d628502 100644
index ae47dc2cd9..4ddc1b83c7 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -336,8 +336,12 @@ static int generate_key(DH *dh)
@@ -335,8 +335,12 @@ static int generate_key(DH *dh)
goto err;
} else {
#ifdef FIPS_MODULE
@ -135,8 +135,8 @@ index 189bfc3e8b..023d628502 100644
+ goto err;
#else
if (dh->params.q == NULL) {
/* secret exponent length, must satisfy 2^(l-1) <= p */
@@ -358,9 +362,7 @@ static int generate_key(DH *dh)
/* secret exponent length, must satisfy 2^l < (p-1)/2 */
@@ -359,9 +363,7 @@ static int generate_key(DH *dh)
if (!BN_clear_bit(priv_key, 0))
goto err;
}
@ -146,9 +146,9 @@ index 189bfc3e8b..023d628502 100644
+ } else {
/* Do a partial check for invalid p, q, g */
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH, NULL))
@@ -376,6 +378,7 @@ static int generate_key(DH *dh)
priv_key))
FFC_PARAM_TYPE_DH, NULL))
@@ -377,6 +379,7 @@ static int generate_key(DH *dh)
priv_key))
goto err;
}
+#endif
@ -156,32 +156,35 @@ index 189bfc3e8b..023d628502 100644
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 3b75a537b3..6ea7a423d5 100644
index dd36dce281..21ac48c1de 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
prime_len, subprime_len, &res,
pcb);
@@ -301,13 +301,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
prime_len, subprime_len, &res,
pcb);
else
-# endif
- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
FFC_PARAM_TYPE_DH,
prime_len, subprime_len, &res,
pcb);
+# else
+ rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
+ FFC_PARAM_TYPE_DH,
+ prime_len, subprime_len, &res,
+ pcb);
+#else
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
+ "FIPS 186-4 type domain parameters no longer allowed in"
+ " FIPS mode, since the required generation routines were"
+ " removed from FIPS 186-5");
+# endif
#endif
- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
- rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
- FFC_PARAM_TYPE_DH,
- prime_len, subprime_len, &res,
- pcb);
if (rv <= 0) {
DH_free(ret);
return NULL;
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index c2ee859355..51c21e436f 100644
index 8a1afe7907..759ab77e1b 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -420,6 +420,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
@ -197,7 +200,7 @@ index c2ee859355..51c21e436f 100644
/*
* Both of these functions check parameters. DH_check_params_ex()
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 85c84f6592..d2ff9e6eb6 100644
index c3b55af3e7..b15bab217e 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -85,10 +85,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
@ -210,11 +213,11 @@ index 85c84f6592..d2ff9e6eb6 100644
if (strcmp(type, "X9.42 DH") == 0)
- return get_dhx512(keyctx);
+ return get_dhx_ffdhe2048(keyctx);
# endif
#endif
/*
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 039fca9bb0..2838f343bd 100644
index 3786c567a7..773210fadb 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -222,7 +222,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
@ -227,11 +230,11 @@ index 039fca9bb0..2838f343bd 100644
if (expected) {
diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
index 4bdadc4143..e5186e4b4a 100644
index 28070efdb6..4baeb673f3 100644
--- a/test/helpers/predefined_dhparams.c
+++ b/test/helpers/predefined_dhparams.c
@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
dhx512_q, sizeof(dhx512_q));
@@ -311,6 +311,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
dhx512_q, sizeof(dhx512_q));
}
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
@ -326,5 +329,5 @@ index 6332aaec4b..4d8c900c00 100755
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
--
2.50.0
2.52.0

66
0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
View File

@ -1,7 +1,7 @@
From 14cddfc71e0eae69aafdf84c1dfb073bb69942f1 Mon Sep 17 00:00:00 2001
From 0f4b67897d87b6cb1bd1f65ca2aafbce1c3c6872 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 37/53] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
Subject: [PATCH 37/57] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code
change the option to enforce it seem to be available only in FIPS build
@ -19,16 +19,16 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
providers/fips/include/fips_indicator_params.inc | 2 +-
ssl/ssl_conf.c | 1 +
ssl/statem/extensions_srvr.c | 8 +++++++-
ssl/t1_enc.c | 11 +++++++++--
ssl/t1_enc.c | 13 ++++++++++---
test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 10 ++++++++++
test/sslapitest.c | 2 +-
9 files changed, 46 insertions(+), 5 deletions(-)
9 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 9338ffc01d..911ea21a68 100644
index 3e2de6e66b..ad9a2dc8bf 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -621,6 +621,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
@@ -626,6 +626,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
@ -39,7 +39,7 @@ index 9338ffc01d..911ea21a68 100644
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
index 15748c5756..34cbfbb2ad 100644
index 2505938c13..3887c54f0e 100644
--- a/doc/man5/fips_config.pod
+++ b/doc/man5/fips_config.pod
@@ -11,6 +11,19 @@ automatically loaded when the system is booted in FIPS mode, or when the
@ -61,19 +61,19 @@ index 15748c5756..34cbfbb2ad 100644
+
=head1 COPYRIGHT
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index d1b00e8454..b815f25dae 100644
index 82410670f4..1026a9b7b0 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
* interoperability with CryptoPro CSP 3.x
*/
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
@@ -432,6 +432,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
#define SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE SSL_OP_BIT(34)
#define SSL_OP_PREFER_NO_DHE_KEX SSL_OP_BIT(35)
+#define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
/*
* Disable RFC8879 certificate compression
* SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
* Option "collections."
diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
index c1b029de86..47d1cf2d01 100644
--- a/providers/fips/include/fips_indicator_params.inc
@ -86,19 +86,19 @@ index c1b029de86..47d1cf2d01 100644
OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 946d20be52..b52c1675fd 100644
index 0d93593880..4361edfa49 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -394,6 +394,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
@@ -392,6 +392,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
SSL_FLAG_TBL("ClientRenegotiation",
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 1a09913ad6..936be81819 100644
index cdb914daed..1bcc0fd902 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -12,6 +12,7 @@
@ -107,11 +107,11 @@ index 1a09913ad6..936be81819 100644
#include "internal/ssl_unwrap.h"
+#include <openssl/fips.h>
#define COOKIE_STATE_FORMAT_VERSION 1
#define COOKIE_STATE_FORMAT_VERSION 1
@@ -1886,8 +1887,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context,
X509 *x, size_t chainidx)
@@ -1889,8 +1890,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context,
X509 *x, size_t chainidx)
{
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
@ -123,9 +123,9 @@ index 1a09913ad6..936be81819 100644
+ }
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|| !WPACKET_put_bytes_u16(pkt, 0)) {
|| !WPACKET_put_bytes_u16(pkt, 0)) {
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 474ea7bf5b..e0e595e989 100644
index 8978e0c630..85d9df0da6 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -21,6 +21,7 @@
@ -136,12 +136,14 @@ index 474ea7bf5b..e0e595e989 100644
/* seed1 through seed5 are concatenated */
static int tls1_PRF(SSL_CONNECTION *s,
@@ -78,8 +79,14 @@ static int tls1_PRF(SSL_CONNECTION *s,
@@ -77,9 +78,15 @@ static int tls1_PRF(SSL_CONNECTION *s,
return 1;
}
err:
-err:
- if (fatal)
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ err:
+ if (fatal) {
+ /* The calls to this function are local so it's safe to implement the check */
+ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
@ -175,10 +177,10 @@ index 50944328cb..edb2e81273 100644
KDF = TLS1-PRF
Ctrl.digest = digest:SHA256
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 250a439137..acc4751095 100644
index a94061d974..92a33f05db 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void)
@@ -582,7 +582,7 @@ static int test_client_cert_verify_cb(void)
STACK_OF(X509) *server_chain;
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@ -186,7 +188,7 @@ index 250a439137..acc4751095 100644
+ int testresult = 0, status;
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_VERSION, 0,
TLS_client_method(), TLS1_VERSION, 0,
--
2.50.0
2.52.0

14
0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
View File

@ -1,7 +1,7 @@
From ecc156faf9f4d65fd73a8ef7d8ec87f5b4c0ab88 Mon Sep 17 00:00:00 2001
From c91c7412ab54f8db8cac437e7308a9042c7a4732 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:08:34 -0500
Subject: [PATCH 38/53] FIPS: CMS: Set default padding to OAEP
Subject: [PATCH 38/57] FIPS: CMS: Set default padding to OAEP
From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
---
@ -10,7 +10,7 @@ From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
2 files changed, 11 insertions(+)
diff --git a/apps/cms.c b/apps/cms.c
index 919d306ff6..b4950df759 100644
index 214eea5bcb..c1fc70ef12 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -20,6 +20,7 @@
@ -22,7 +22,7 @@ index 919d306ff6..b4950df759 100644
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int cms_cb(int ok, X509_STORE_CTX *ctx);
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 375239c78d..e09ad03ece 100644
index 0828d157fa..e1200a37d4 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -14,6 +14,7 @@
@ -33,7 +33,7 @@ index 375239c78d..e09ad03ece 100644
#include "internal/sizes.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
@@ -375,6 +376,10 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
@@ -372,6 +373,10 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
return 0;
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
return 0;
@ -44,7 +44,7 @@ index 375239c78d..e09ad03ece 100644
} else if (!ossl_cms_env_asn1_ctrl(ri, 0))
return 0;
return 1;
@@ -540,6 +545,11 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms,
@@ -535,6 +540,11 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms,
if (EVP_PKEY_encrypt_init(pctx) <= 0)
goto err;
@ -57,5 +57,5 @@ index 375239c78d..e09ad03ece 100644
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
--
2.50.0
2.52.0

12
0039-FIPS-PKCS12-PBMAC1-defaults.patch
View File

@ -1,7 +1,7 @@
From 16b5a03db729e5977ab88b3107f99586be34006b Mon Sep 17 00:00:00 2001
From 51fc5ce32bfe0fbe018934fa88252efe9073c649 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:16:29 -0500
Subject: [PATCH 39/53] FIPS: PKCS12: PBMAC1 defaults
Subject: [PATCH 39/57] FIPS: PKCS12: PBMAC1 defaults
From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
---
@ -9,7 +9,7 @@ From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
1 file changed, 4 insertions(+)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 9964faf21a..59439a8cc0 100644
index 2c83e43845..20aad27c59 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -17,6 +17,7 @@
@ -20,7 +20,7 @@ index 9964faf21a..59439a8cc0 100644
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/provider.h>
@@ -709,6 +710,9 @@ int pkcs12_main(int argc, char **argv)
@@ -746,6 +747,9 @@ int pkcs12_main(int argc, char **argv)
}
if (maciter != -1) {
@ -29,7 +29,7 @@ index 9964faf21a..59439a8cc0 100644
+
if (pbmac1_pbkdf2 == 1) {
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,
macsaltlen, maciter,
--
2.50.0
2.52.0

6
0040-FIPS-Fix-encoder-decoder-negative-test.patch
View File

@ -1,7 +1,7 @@
From eea9e6867012efa55d7ae48ab9a87fd0da382b6b Mon Sep 17 00:00:00 2001
From 7b7ade7e1ee2f6b10b34bf7f9e7a0165474f5860 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 5 Mar 2025 13:22:03 -0500
Subject: [PATCH 40/53] FIPS: Fix encoder/decoder negative test
Subject: [PATCH 40/57] FIPS: Fix encoder/decoder negative test
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -31,5 +31,5 @@ index 2acc980e90..660d4e1115
my $conf2 = srctop_file("test", "default-and-fips.cnf");
ok(run(test(['decoder_propq_test', '-config', $conf2,
--
2.50.0
2.52.0

30
0041-FIPS-EC-DH-DSA-PCTs.patch
View File

@ -1,7 +1,7 @@
From 1e029f27fe022949adaba959ac3fa3c3c1eccb0b Mon Sep 17 00:00:00 2001
From 17caabce423bbcfe0501ebaa11c2d4a8379aca92 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:06 -0400
Subject: [PATCH 41/53] FIPS: EC: DH/DSA PCTs
Subject: [PATCH 41/57] FIPS: EC: DH/DSA PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -11,10 +11,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
3 files changed, 75 insertions(+), 5 deletions(-)
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 58fbc7bc09..98d4354f3e 100644
index 43f3515878..0d35fc1590 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -560,6 +560,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
@@ -546,6 +546,25 @@ static ossl_inline int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
#endif
ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
@ -41,10 +41,10 @@ index 58fbc7bc09..98d4354f3e 100644
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 9421aabb14..77531c4b59 100644
index 305dc3a6b8..04e604c453 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -993,9 +993,18 @@ struct ec_gen_ctx {
@@ -963,9 +963,18 @@ struct ec_gen_ctx {
EC_GROUP *gen_group;
unsigned char *dhkem_ikm;
size_t dhkem_ikmlen;
@ -61,9 +61,9 @@ index 9421aabb14..77531c4b59 100644
+#endif
+
static void *ec_gen_init(void *provctx, int selection,
const OSSL_PARAM params[])
const OSSL_PARAM params[])
{
@@ -1015,6 +1024,10 @@ static void *ec_gen_init(void *provctx, int selection,
@@ -985,6 +994,10 @@ static void *ec_gen_init(void *provctx, int selection,
gctx = NULL;
}
}
@ -74,7 +74,7 @@ index 9421aabb14..77531c4b59 100644
return gctx;
}
@@ -1326,6 +1339,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
@@ -1295,6 +1308,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (gctx->ecdh_mode != -1)
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
@ -86,8 +86,8 @@ index 9421aabb14..77531c4b59 100644
+#endif
if (gctx->group_check != NULL)
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
@@ -1396,7 +1415,10 @@ static void ec_gen_cleanup(void *genctx)
ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
@@ -1379,7 +1398,10 @@ static void ec_gen_cleanup(void *genctx)
if (gctx == NULL)
return;
@ -100,7 +100,7 @@ index 9421aabb14..77531c4b59 100644
EC_GROUP_free(gctx->gen_group);
BN_free(gctx->p);
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 4e46eaf9bc..4d7c25728a 100644
index f5c101005f..b1576977f7 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -33,7 +33,7 @@
@ -130,7 +130,7 @@ index 4e46eaf9bc..4d7c25728a 100644
{
PROV_ECDSA_CTX *ctx;
@@ -612,7 +612,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
@@ -610,7 +610,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
return ok;
}
@ -139,7 +139,7 @@ index 4e46eaf9bc..4d7c25728a 100644
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
@@ -861,6 +861,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
@@ -854,6 +854,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
return EVP_MD_settable_ctx_params(ctx->md);
}
@ -176,5 +176,5 @@ index 4e46eaf9bc..4d7c25728a 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
--
2.50.0
2.52.0

10
0042-FIPS-EC-disable-weak-curves.patch
View File

@ -1,7 +1,7 @@
From 92b40ca85bbfa7acc9b16f2c7b370f2ea5fa3ffc Mon Sep 17 00:00:00 2001
From 2cda3e9adf5534d6be689cff5eeb81459061f52b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:06:36 -0500
Subject: [PATCH 42/53] FIPS: EC: disable weak curves
Subject: [PATCH 42/57] FIPS: EC: disable weak curves
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -9,10 +9,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 7 insertions(+)
diff --git a/apps/ecparam.c b/apps/ecparam.c
index f0879dfb11..a6042e7d2a 100644
index 017dc7568d..596c31a925 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -77,6 +77,13 @@ static int list_builtin_curves(BIO *out)
@@ -90,6 +90,13 @@ static int list_builtin_curves(BIO *out)
const char *comment = curves[n].comment;
const char *sname = OBJ_nid2sn(curves[n].nid);
@ -27,5 +27,5 @@ index f0879dfb11..a6042e7d2a 100644
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
--
2.50.0
2.52.0

66
0043-FIPS-NO-DSA-Support.patch
View File

@ -1,7 +1,7 @@
From 2dbc4a1c31e66fd841a87f62834d8d60aff10d45 Mon Sep 17 00:00:00 2001
From 9fca36a6c0712f3c11e6ba942e99039b17fc75b0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:10:52 -0500
Subject: [PATCH 43/53] FIPS: NO DSA Support
Subject: [PATCH 43/57] FIPS: NO DSA Support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -18,7 +18,7 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
mode change 100644 => 100755 test/recipes/30-test_evp.t
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 1e90f363af..84d8e897cc 100644
index 0f006301d7..f8f2822300 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -431,7 +431,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
@ -31,23 +31,23 @@ index 1e90f363af..84d8e897cc 100644
{ PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
{ PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions },
{ PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions },
@@ -561,8 +562,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
@@ -559,8 +560,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
- PROV_DESCS_DSA },
- PROV_DESCS_DSA },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
+ PROV_DESCS_DSA }, */
+ PROV_DESCS_DSA }, */
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
PROV_DESCS_RSA },
PROV_DESCS_RSA },
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 5cbb5352a5..10ca473764 100644
index 6abab0a7a1..a7d7684d96 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -1522,8 +1522,9 @@ static const unsigned char ed448_expected_sig[] = {
@@ -1547,8 +1547,9 @@ static const unsigned char ed448_expected_sig[] = {
# endif /* OPENSSL_NO_ECX */
#endif /* OPENSSL_NO_EC */
@ -58,7 +58,7 @@ index 5cbb5352a5..10ca473764 100644
static const unsigned char dsa_p[] = {
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
@@ -1651,6 +1652,7 @@ static const ST_KAT_PARAM dsa_key[] = {
@@ -1676,6 +1677,7 @@ static const ST_KAT_PARAM dsa_key[] = {
ST_KAT_PARAM_END()
};
#endif /* OPENSSL_NO_DSA */
@ -66,7 +66,7 @@ index 5cbb5352a5..10ca473764 100644
#ifndef OPENSSL_NO_ML_DSA
static const unsigned char ml_dsa_65_pub_key[] = {
@@ -3013,6 +3015,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
@@ -3038,6 +3040,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
},
# endif /* OPENSSL_NO_ECX */
#endif /* OPENSSL_NO_EC */
@ -74,7 +74,7 @@ index 5cbb5352a5..10ca473764 100644
#ifndef OPENSSL_NO_DSA
{
OSSL_SELF_TEST_DESC_SIGN_DSA,
@@ -3025,6 +3028,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
@@ -3050,6 +3053,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
ITM(dsa_expected_sig)
},
#endif /* OPENSSL_NO_DSA */
@ -83,18 +83,18 @@ index 5cbb5352a5..10ca473764 100644
#ifndef OPENSSL_NO_ML_DSA
{
diff --git a/test/acvp_test.c b/test/acvp_test.c
index 2bcc886fd2..db0282d043 100644
index 15c87c57a7..e3321874c2 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1735,6 +1735,7 @@ int setup_tests(void)
OSSL_NELEM(dh_safe_prime_keyver_data));
@@ -1749,6 +1749,7 @@ int setup_tests(void)
OSSL_NELEM(dh_safe_prime_keyver_data));
#endif /* OPENSSL_NO_DH */
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
#ifndef OPENSSL_NO_DSA
dsasign_allowed = fips_provider_version_lt(libctx, 3, 4, 0);
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
@@ -1743,6 +1744,7 @@ int setup_tests(void)
@@ -1757,6 +1758,7 @@ int setup_tests(void)
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
#endif /* OPENSSL_NO_DSA */
@ -103,10 +103,10 @@ index 2bcc886fd2..db0282d043 100644
#ifndef OPENSSL_NO_EC
ec_cofactors = fips_provider_version_ge(libctx, 3, 4, 0);
diff --git a/test/endecode_test.c b/test/endecode_test.c
index d2ff9e6eb6..dfd5e92f7e 100644
index b15bab217e..acfb5ef36d 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -1536,6 +1536,7 @@ int setup_tests(void)
@@ -1549,6 +1549,7 @@ int setup_tests(void)
* so no legacy tests.
*/
#endif
@ -114,9 +114,9 @@ index d2ff9e6eb6..dfd5e92f7e 100644
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE(DSA);
ADD_TEST_SUITE_PARAMS(DSA);
@@ -1546,6 +1547,7 @@ int setup_tests(void)
@@ -1559,6 +1560,7 @@ int setup_tests(void)
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
# endif
#endif
#endif
+ }
#ifndef OPENSSL_NO_EC
@ -302,10 +302,10 @@ index 5e5315a5b9..660d1db149 100644
Key = DSA-2048-160
Input = "Hello"
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index ece29485f4..756f90c1bd 100644
index 91283c5e74..beadb43cf4 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -107,7 +107,7 @@ my @smime_pkcs7_tests = (
@@ -116,7 +116,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@ -314,7 +314,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -115,7 +115,7 @@ my @smime_pkcs7_tests = (
@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@ -323,7 +323,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@ -332,7 +332,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
@@ -135,7 +135,7 @@ my @smime_pkcs7_tests = (
@@ -144,7 +144,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@ -341,7 +341,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
@@ -144,7 +144,7 @@ my @smime_pkcs7_tests = (
@@ -153,7 +153,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@ -350,7 +350,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", $smrsa1,
@@ -157,7 +157,7 @@ my @smime_pkcs7_tests = (
@@ -166,7 +166,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@ -359,7 +359,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-noattr", "-nodetach", "-stream",
"-signer", $smrsa1,
@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = (
@@ -196,7 +196,7 @@ my @smime_pkcs7_tests = (
\&zero_compare
],
@ -368,7 +368,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -199,7 +199,7 @@ my @smime_pkcs7_tests = (
@@ -208,7 +208,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@ -377,7 +377,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -265,7 +265,7 @@ if ($no_fips || $old_fips) {
@@ -282,7 +282,7 @@ if ($no_fips || $old_fips) {
my @smime_cms_tests = (
@ -386,7 +386,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-keyid",
"-signer", $smrsa1,
@@ -278,7 +278,7 @@ my @smime_cms_tests = (
@@ -295,7 +295,7 @@ my @smime_cms_tests = (
\&final_compare
],
@ -396,5 +396,5 @@ index ece29485f4..756f90c1bd 100644
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
--
2.50.0
2.52.0

62
0044-FIPS-NO-DES-support.patch
View File

@ -1,54 +1,38 @@
From 8774a96fde9355aa32c040c145e4f35d7c09a5bd Mon Sep 17 00:00:00 2001
From 62748c233ae3afb8b0797a7d1ce2f391721d2971 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:15:13 -0500
Subject: [PATCH 44/53] FIPS: NO DES support
Subject: [PATCH 44/57] FIPS: NO DES support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/fipsprov.c | 3 ++-
providers/fips/self_test_data.inc | 5 ++++-
providers/fips/fipsprov.c | 4 ----
providers/fips/self_test_data.inc | 2 ++
test/evp_libctx_test.c | 4 +++-
.../30-test_evp_data/evpciph_des3_common.txt | 13 ++++---------
test/recipes/30-test_evp_data/evpmac_cmac_des.txt | 10 ----------
test/recipes/80-test_cms.t | 2 +-
6 files changed, 14 insertions(+), 23 deletions(-)
6 files changed, 10 insertions(+), 25 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 84d8e897cc..4b394c3e39 100644
index f8f2822300..33e1a179cf 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -355,7 +355,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
ossl_cipher_capable_aes_cbc_hmac_sha256),
@@ -355,10 +355,6 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
ossl_cipher_capable_aes_cbc_hmac_sha256),
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
ossl_cipher_capable_aes_cbc_hmac_sha256),
ossl_cipher_capable_aes_cbc_hmac_sha256),
-#ifndef OPENSSL_NO_DES
+/* We don't certify 3DES in our FIPS provider */
+#if 0 /* ifndef OPENSSL_NO_DES */
ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
#endif /* OPENSSL_NO_DES */
- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
-#endif /* OPENSSL_NO_DES */
{ { NULL, NULL, NULL }, NULL }
};
static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 10ca473764..6a69e1687b 100644
index a7d7684d96..d8d23e6f90 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -209,6 +209,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
/*- CIPHER TEST DATA */
/* DES3 test data */
+#if 0
static const unsigned char des_ede3_cbc_pt[] = {
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
@@ -229,7 +230,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
};
-
+#endif
/* AES-256 GCM test data */
static const unsigned char aes_256_gcm_key[] = {
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
@@ -315,6 +316,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
@@ -305,6 +305,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
CIPHER_MODE_DECRYPT,
ITM(aes_128_ecb_key)
},
@ -56,7 +40,7 @@ index 10ca473764..6a69e1687b 100644
#ifndef OPENSSL_NO_DES
{
{
@@ -327,6 +329,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
@@ -317,6 +318,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
ITM(tdes_key)
}
#endif
@ -65,10 +49,10 @@ index 10ca473764..6a69e1687b 100644
static const char hkdf_digest[] = "SHA256";
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 2838f343bd..19dd2c6c63 100644
index 773210fadb..e0b4efe3f4 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -831,7 +831,9 @@ int setup_tests(void)
@@ -984,7 +984,9 @@ int setup_tests(void)
ADD_TEST(kem_invalid_keytype);
#endif
#ifndef OPENSSL_NO_DES
@ -157,10 +141,10 @@ index a11e5ffe54..e4a7cbe75e 100644
-Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
-Output = 8F49A1B7D6AA2258
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 756f90c1bd..ac833d2a2f 100644
index beadb43cf4..71ab4a3910 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -398,7 +398,7 @@ my @smime_cms_tests = (
@@ -415,7 +415,7 @@ my @smime_cms_tests = (
\&final_compare
],
@ -170,5 +154,5 @@ index 756f90c1bd..ac833d2a2f 100644
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "{output}.cms" ],
--
2.50.0
2.52.0

31
0045-FIPS-NO-Kmac.patch
View File

@ -1,38 +1,37 @@
From e466bb4e4fa16481cbf44b410933e6dceb8d27d9 Mon Sep 17 00:00:00 2001
From 7afd41a086ff9d3c39ff592e26d006c769e2a6d7 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:22:07 -0500
Subject: [PATCH 45/53] FIPS: NO Kmac
Subject: [PATCH 45/57] FIPS: NO Kmac
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/fipsprov.c | 10 +-
providers/fips/fipsprov.c | 9 +-
providers/fips/self_test_data.inc | 4 +
test/recipes/30-test_evp.t | 2 +-
test/recipes/30-test_evp_data/evpkdf_hkdf.txt | 2 +-
.../30-test_evp_data/evpkdf_kbkdf_counter.txt | 2 +-
test/recipes/30-test_evp_data/evpkdf_ss.txt | 6 +-
.../30-test_evp_data/evpmac_common.txt | 100 ++++--------------
7 files changed, 40 insertions(+), 86 deletions(-)
7 files changed, 39 insertions(+), 86 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 4b394c3e39..8f00dfa0ef 100644
index 33e1a179cf..7930cf3241 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -294,10 +294,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
@@ -294,10 +294,10 @@ static const OSSL_ALGORITHM fips_digests[] = {
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
+ /* We don't certify KECCAK in our FIPS provider */
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
ossl_keccak_kmac_128_functions },
ossl_keccak_kmac_128_functions },
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
- ossl_keccak_kmac_256_functions },
+ ossl_keccak_kmac_256_functions }, */
- ossl_keccak_kmac_256_functions },
+ ossl_keccak_kmac_256_functions }, */
{ NULL, NULL, NULL }
};
@@ -370,8 +371,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
@@ -365,8 +365,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
#endif
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
@ -45,10 +44,10 @@ index 4b394c3e39..8f00dfa0ef 100644
};
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 6a69e1687b..f3059a8446 100644
index d8d23e6f90..43f7c89fd6 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -544,6 +544,7 @@ static const ST_KAT_PARAM kbkdf_params[] = {
@@ -533,6 +533,7 @@ static const ST_KAT_PARAM kbkdf_params[] = {
ST_KAT_PARAM_END()
};
@ -56,7 +55,7 @@ index 6a69e1687b..f3059a8446 100644
static const char kbkdf_kmac_mac[] = "KMAC128";
static unsigned char kbkdf_kmac_label[] = {
0xB5, 0xB5, 0xF3, 0x71, 0x9F, 0xBE, 0x5B, 0x3D,
@@ -570,6 +571,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
@@ -559,6 +560,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_INFO, kbkdf_kmac_context),
ST_KAT_PARAM_END()
};
@ -64,7 +63,7 @@ index 6a69e1687b..f3059a8446 100644
static const char tls13_kdf_digest[] = "SHA256";
static int tls13_kdf_extract_mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
@@ -660,12 +662,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] =
@@ -649,12 +651,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] =
kbkdf_params,
ITM(kbkdf_expected)
},
@ -422,5 +421,5 @@ index 831eecbac9..af92ceea98 100644
-Custom = ""
-Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
--
2.50.0
2.52.0

6
0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
View File

@ -1,7 +1,7 @@
From 0d1de1053dc1b4b9a1e14b622311d0449c64e19e Mon Sep 17 00:00:00 2001
From d6a6afdc614ce0e6273554f50c18cd70000cff01 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 10 Mar 2025 13:52:50 -0400
Subject: [PATCH 46/53] FIPS: Fix some tests due to our versioning change
Subject: [PATCH 46/57] FIPS: Fix some tests due to our versioning change
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -102,5 +102,5 @@ index af47842fd8..21c75033e8 100644
my @tests_mldsa_tls_1_3 = (
--
2.50.0
2.52.0

6
0047-Current-Rebase-status.patch
View File

@ -1,7 +1,7 @@
From e47db9280144065c4221537f1d44baa750a25d64 Mon Sep 17 00:00:00 2001
From 607a195b374a6072c87a500713cea78347b7d252 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:25:47 -0500
Subject: [PATCH 47/53] Current Rebase status
Subject: [PATCH 47/57] Current Rebase status
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -102,5 +102,5 @@ index 2833a383c1..c8f6c992a8 100644
+./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition
+
--
2.50.0
2.52.0

6
0048-FIPS-KDF-key-lenght-errors.patch
View File

@ -1,7 +1,7 @@
From d0063158bcf9321daec1ffcbfeb3d7b085aebce3 Mon Sep 17 00:00:00 2001
From be07c8ed65b9657227d03b905b9a490bd14bd173 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 14 Apr 2025 15:25:40 -0400
Subject: [PATCH 48/53] FIPS: KDF key lenght errors
Subject: [PATCH 48/57] FIPS: KDF key lenght errors
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -171,5 +171,5 @@ index 1fb2472001..93c07ede7c 100644
# Test that the key whose length is shorter than 112 bits is reported as
--
2.50.0
2.52.0

6
0049-FIPS-fix-disallowed-digests-tests.patch
View File

@ -1,7 +1,7 @@
From 91000e60a38106701dd76deb37eafe165e7802a3 Mon Sep 17 00:00:00 2001
From 53462749e29bd8f96e52f3f31cf1de2114e896c3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 15 Apr 2025 13:41:42 -0400
Subject: [PATCH 49/53] FIPS: fix disallowed digests tests
Subject: [PATCH 49/57] FIPS: fix disallowed digests tests
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -47,5 +47,5 @@ index 6688c217aa..8347f773e6 100644
# Test that the key whose length is shorter than 112 bits is reported as
# unapproved
--
2.50.0
2.52.0

16
0050-Make-openssl-speed-run-in-FIPS-mode.patch
View File

@ -1,18 +1,18 @@
From 99d3ce80ecf3252962a1b79dd57324f08b62cc18 Mon Sep 17 00:00:00 2001
From ed9fd546659e691f51df032d6e364cee45c3bf0b Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 9 May 2025 15:09:46 +0200
Subject: [PATCH 50/53] Make `openssl speed` run in FIPS mode
Subject: [PATCH 50/57] Make `openssl speed` run in FIPS mode
---
apps/speed.c | 44 ++++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index 3307a9cb46..ae2f166d24 100644
index 13c8505ed9..c31e30f235 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
(void *)key32, 16);
@@ -3231,18 +3231,18 @@ int speed_main(int argc, char **argv)
(void *)key32, 16);
params[1] = OSSL_PARAM_construct_end();
- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
@ -41,8 +41,8 @@ index 3307a9cb46..ae2f166d24 100644
}
if (doit[D_KMAC256]) {
@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
(void *)key32, 32);
@@ -3252,18 +3252,18 @@ int speed_main(int argc, char **argv)
(void *)key32, 32);
params[1] = OSSL_PARAM_construct_end();
- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
@ -72,5 +72,5 @@ index 3307a9cb46..ae2f166d24 100644
for (i = 0; i < loopargs_len; i++)
--
2.50.0
2.52.0

20
0051-Backport-upstream-27483-for-PKCS11-needs.patch
View File

@ -1,7 +1,7 @@
From 5b20574f75a2c525bf30ea304292ecd93eb72091 Mon Sep 17 00:00:00 2001
From b03deba991f7f0677127f6030fde0011ab30430b Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 14:34:39 +0200
Subject: [PATCH 51/53] Backport upstream #27483 for PKCS11 needs
Subject: [PATCH 51/57] Backport upstream #27483 for PKCS11 needs
---
.../implementations/skeymgmt/aes_skmgmt.c | 2 +
@ -11,7 +11,7 @@ Subject: [PATCH 51/53] Backport upstream #27483 for PKCS11 needs
4 files changed, 76 insertions(+)
diff --git a/providers/implementations/skeymgmt/aes_skmgmt.c b/providers/implementations/skeymgmt/aes_skmgmt.c
index 6d3b5f377f..17be480131 100644
index 02370b7fb7..48e3b64580 100644
--- a/providers/implementations/skeymgmt/aes_skmgmt.c
+++ b/providers/implementations/skeymgmt/aes_skmgmt.c
@@ -48,5 +48,7 @@ const OSSL_DISPATCH ossl_aes_skeymgmt_functions[] = {
@ -23,7 +23,7 @@ index 6d3b5f377f..17be480131 100644
OSSL_DISPATCH_END
};
diff --git a/providers/implementations/skeymgmt/generic.c b/providers/implementations/skeymgmt/generic.c
index b41bf8e12d..5fb3fad7e3 100644
index 5b8c557f83..faec12374a 100644
--- a/providers/implementations/skeymgmt/generic.c
+++ b/providers/implementations/skeymgmt/generic.c
@@ -65,6 +65,16 @@ end:
@ -41,7 +41,7 @@ index b41bf8e12d..5fb3fad7e3 100644
+}
+
int generic_export(void *keydata, int selection,
OSSL_CALLBACK *param_callback, void *cbarg)
OSSL_CALLBACK *param_callback, void *cbarg)
{
@@ -89,5 +99,7 @@ const OSSL_DISPATCH ossl_generic_skeymgmt_functions[] = {
{ OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
@ -52,7 +52,7 @@ index b41bf8e12d..5fb3fad7e3 100644
OSSL_DISPATCH_END
};
diff --git a/providers/implementations/skeymgmt/skeymgmt_lcl.h b/providers/implementations/skeymgmt/skeymgmt_lcl.h
index c180c1d303..a7e7605050 100644
index c75776cce4..7e35b2cc9e 100644
--- a/providers/implementations/skeymgmt/skeymgmt_lcl.h
+++ b/providers/implementations/skeymgmt/skeymgmt_lcl.h
@@ -15,5 +15,6 @@
@ -63,10 +63,10 @@ index c180c1d303..a7e7605050 100644
#endif
diff --git a/test/evp_skey_test.c b/test/evp_skey_test.c
index b81df9c8f8..e33bbbe003 100644
index 7fd70ca732..dddf92f9da 100644
--- a/test/evp_skey_test.c
+++ b/test/evp_skey_test.c
@@ -92,6 +92,66 @@ end:
@@ -107,6 +107,66 @@ end:
return ret;
}
@ -133,7 +133,7 @@ index b81df9c8f8..e33bbbe003 100644
#define IV_SIZE 16
#define DATA_SIZE 32
static int test_aes_raw_skey(void)
@@ -252,6 +312,7 @@ int setup_tests(void)
@@ -267,6 +327,7 @@ int setup_tests(void)
return 0;
ADD_TEST(test_skey_cipher);
@ -142,5 +142,5 @@ index b81df9c8f8..e33bbbe003 100644
ADD_TEST(test_aes_raw_skey);
#ifndef OPENSSL_NO_DES
--
2.50.0
2.52.0

42
0052-Red-Hat-9-FIPS-indicator-defines.patch
View File

@ -1,7 +1,7 @@
From fcba6e3c26d76ce26ef140f3d07f9cc15e7d98fa Mon Sep 17 00:00:00 2001
From 4a6768577382850dd3f3580f232a2a2ac7ed09c2 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 16:21:23 +0200
Subject: [PATCH 52/53] Red Hat 9 FIPS indicator defines
Subject: [PATCH 52/57] Red Hat 9 FIPS indicator defines
---
include/openssl/evp.h | 15 +++++++++++++++
@ -10,10 +10,10 @@ Subject: [PATCH 52/53] Red Hat 9 FIPS indicator defines
3 files changed, 26 insertions(+)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index e5da1e6415..3849c1779e 100644
index e83ad13183..afa8f7a542 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -779,6 +779,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
@@ -767,6 +767,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
@ -22,21 +22,21 @@ index e5da1e6415..3849c1779e 100644
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
const unsigned char *key, const unsigned char *iv);
const unsigned char *key, const unsigned char *iv);
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
@@ -850,6 +854,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
@@ -838,6 +842,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
int *outl);
int *outl);
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
EVP_PKEY *pkey);
EVP_PKEY *pkey);
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
@@ -1249,6 +1257,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
void *arg);
@@ -1240,6 +1248,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
void *arg);
/* MAC stuff */
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
@ -44,35 +44,35 @@ index e5da1e6415..3849c1779e 100644
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
const char *properties);
@@ -1826,6 +1837,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
const char *properties);
@@ -1816,6 +1827,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
# endif
#endif
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
const char *properties);
const char *properties);
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
index 0983230a48..86171635ea 100644
index d06ca6c69d..e061f0164f 100644
--- a/include/openssl/kdf.h
+++ b/include/openssl/kdf.h
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
#define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
#define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 059b489735..5a1864309d 100644
index 262c184ca2..6009253440 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -143,6 +143,8 @@ my %params = (
@ -125,5 +125,5 @@ index 059b489735..5a1864309d 100644
'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
--
2.50.0
2.52.0

114
0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
View File

@ -1,21 +1,21 @@
From 75c77ea5f36dbf6d21940ab5bf87dff6acd5b8d6 Mon Sep 17 00:00:00 2001
From 1b1a5447386cf8a149c4cd603c893a691eb210b5 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 30 May 2025 16:17:37 +0200
Subject: [PATCH 53/53] Allow hybrid MLKEM in FIPS mode
Subject: [PATCH 53/57] Allow hybrid MLKEM in FIPS mode
---
crypto/ml_kem/ml_kem.c | 11 ++--
include/crypto/ml_kem.h | 2 +
providers/defltprov.c | 8 +--
include/crypto/ml_kem.h | 1 +
providers/defltprov.c | 14 ++---
providers/implementations/kem/mlx_kem.c | 33 +++++++++-
providers/implementations/keymgmt/mlx_kmgmt.c | 61 ++++++++++++++++++-
5 files changed, 103 insertions(+), 12 deletions(-)
5 files changed, 105 insertions(+), 15 deletions(-)
diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
index 4474af0f87..6eca7dc29d 100644
index dd8a39197a..833abf9f1d 100644
--- a/crypto/ml_kem/ml_kem.c
+++ b/crypto/ml_kem/ml_kem.c
@@ -1613,6 +1613,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
@@ -1924,6 +1924,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
{
const ML_KEM_VINFO *vinfo = ossl_ml_kem_get_vinfo(evp_type);
ML_KEM_KEY *key;
@ -23,7 +23,7 @@ index 4474af0f87..6eca7dc29d 100644
if (vinfo == NULL) {
ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT,
@@ -1623,15 +1624,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
@@ -1934,15 +1935,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
if ((key = OPENSSL_malloc(sizeof(*key))) == NULL)
return NULL;
@ -46,45 +46,51 @@ index 4474af0f87..6eca7dc29d 100644
if (key->shake128_md != NULL
&& key->shake256_md != NULL
diff --git a/include/crypto/ml_kem.h b/include/crypto/ml_kem.h
index 67d55697e9..ab1aaae8ac 100644
index dbe9192364..35dcbbf32c 100644
--- a/include/crypto/ml_kem.h
+++ b/include/crypto/ml_kem.h
@@ -278,4 +278,6 @@ int ossl_ml_kem_decap(uint8_t *shared_secret, size_t slen,
__owur
int ossl_ml_kem_pubkey_cmp(const ML_KEM_KEY *key1, const ML_KEM_KEY *key2);
@@ -268,4 +268,5 @@ __owur int ossl_ml_kem_decap(uint8_t *shared_secret, size_t slen,
/* Compare the public key hashes of two keys */
__owur int ossl_ml_kem_pubkey_cmp(const ML_KEM_KEY *key1, const ML_KEM_KEY *key2);
+char *get_adjusted_propq(const char *propq);
+
#endif /* OPENSSL_HEADER_ML_KEM_H */
#endif /* OPENSSL_HEADER_ML_KEM_H */
diff --git a/providers/defltprov.c b/providers/defltprov.c
index eee2178b41..0dba017f3f 100644
index 90655395c1..f74b160d6f 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -517,8 +517,8 @@ static const OSSL_ALGORITHM deflt_asym_kem[] = {
{ "X448MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
# endif
# if !defined(OPENSSL_NO_EC)
#endif
#if !defined(OPENSSL_NO_EC)
- { "SecP256r1MLKEM768", "provider=default", ossl_mlx_kem_asym_kem_functions },
- { "SecP384r1MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
+ { "SecP256r1MLKEM768", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
+ { "SecP384r1MLKEM1024", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
# endif
#endif
#endif
{ NULL, NULL, NULL }
@@ -597,9 +597,9 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
PROV_DESCS_X448MLKEM1024 },
# endif
# if !defined(OPENSSL_NO_EC)
- { PROV_NAMES_SecP256r1MLKEM768, "provider=default", ossl_mlx_p256_kem_kmgmt_functions,
+ { PROV_NAMES_SecP256r1MLKEM768, "provider=default,fips=yes", ossl_mlx_p256_kem_kmgmt_functions,
PROV_DESCS_SecP256r1MLKEM768 },
- { PROV_NAMES_SecP384r1MLKEM1024, "provider=default", ossl_mlx_p384_kem_kmgmt_functions,
+ { PROV_NAMES_SecP384r1MLKEM1024, "provider=default,fips=yes", ossl_mlx_p384_kem_kmgmt_functions,
PROV_DESCS_SecP384r1MLKEM1024 },
# endif
@@ -594,13 +594,13 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
{ PROV_NAMES_X25519MLKEM768, "provider=default", ossl_mlx_x25519_kem_kmgmt_functions,
PROV_DESCS_X25519MLKEM768 },
{ PROV_NAMES_X448MLKEM1024, "provider=default", ossl_mlx_x448_kem_kmgmt_functions,
- PROV_DESCS_X448MLKEM1024 },
+ PROV_DESCS_X448MLKEM1024 },
#endif
#if !defined(OPENSSL_NO_EC)
- { PROV_NAMES_SecP256r1MLKEM768, "provider=default", ossl_mlx_p256_kem_kmgmt_functions,
- PROV_DESCS_SecP256r1MLKEM768 },
- { PROV_NAMES_SecP384r1MLKEM1024, "provider=default", ossl_mlx_p384_kem_kmgmt_functions,
- PROV_DESCS_SecP384r1MLKEM1024 },
+ { PROV_NAMES_SecP256r1MLKEM768, "provider=default,fips=yes", ossl_mlx_p256_kem_kmgmt_functions,
+ PROV_DESCS_SecP256r1MLKEM768 },
+ { PROV_NAMES_SecP384r1MLKEM1024, "provider=default,fips=yes", ossl_mlx_p384_kem_kmgmt_functions,
+ PROV_DESCS_SecP384r1MLKEM1024 },
#endif
#endif
#ifndef OPENSSL_NO_SLH_DSA
diff --git a/providers/implementations/kem/mlx_kem.c b/providers/implementations/kem/mlx_kem.c
index 197c345d85..08fbf99a76 100644
index 376b3342dd..09fa003612 100644
--- a/providers/implementations/kem/mlx_kem.c
+++ b/providers/implementations/kem/mlx_kem.c
@@ -19,6 +19,7 @@
@ -122,7 +128,7 @@ index 197c345d85..08fbf99a76 100644
+}
+
static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
unsigned char *shsec, size_t *slen)
unsigned char *shsec, size_t *slen)
{
@@ -115,6 +138,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
uint8_t *sbuf;
@ -142,15 +148,15 @@ index 197c345d85..08fbf99a76 100644
if (ctx == NULL
|| EVP_PKEY_encapsulate_init(ctx, NULL) <= 0
|| EVP_PKEY_encapsulate(ctx, cbuf, &encap_clen, sbuf, &encap_slen) <= 0)
@@ -237,6 +262,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
end:
@@ -238,6 +263,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
end:
EVP_PKEY_free(xkey);
EVP_PKEY_CTX_free(ctx);
+ OPENSSL_free(adjusted_propq);
return ret;
}
@@ -252,6 +278,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
@@ -253,6 +279,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
size_t decap_clen = key->minfo->ctext_bytes + key->xinfo->pubkey_bytes;
int ml_kem_slot = key->xinfo->ml_kem_slot;
int ret = 0;
@ -158,7 +164,7 @@ index 197c345d85..08fbf99a76 100644
if (!mlx_kem_have_prvkey(key)) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
@@ -287,7 +314,8 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
@@ -288,7 +315,8 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
decap_slen = ML_KEM_SHARED_SECRET_BYTES;
cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
@ -168,8 +174,8 @@ index 197c345d85..08fbf99a76 100644
if (ctx == NULL
|| EVP_PKEY_decapsulate_init(ctx, NULL) <= 0
|| EVP_PKEY_decapsulate(ctx, sbuf, &decap_slen, cbuf, decap_clen) <= 0)
@@ -325,6 +353,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
end:
@@ -326,6 +354,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
end:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(xkey);
+ OPENSSL_free(adjusted_propq);
@ -177,11 +183,11 @@ index 197c345d85..08fbf99a76 100644
}
diff --git a/providers/implementations/keymgmt/mlx_kmgmt.c b/providers/implementations/keymgmt/mlx_kmgmt.c
index bea8783276..aeef0c8f84 100644
index 46ed63039e..6ce9aa3c9a 100644
--- a/providers/implementations/keymgmt/mlx_kmgmt.c
+++ b/providers/implementations/keymgmt/mlx_kmgmt.c
@@ -156,6 +156,52 @@ typedef struct export_cb_arg_st {
size_t prvlen;
@@ -155,6 +155,52 @@ typedef struct export_cb_arg_st {
size_t prvlen;
} EXPORT_CB_ARG;
+#ifndef FIPS_MODULE
@ -233,7 +239,7 @@ index bea8783276..aeef0c8f84 100644
/* Copy any exported key material into its storage slot */
static int export_sub_cb(const OSSL_PARAM *params, void *varg)
{
@@ -176,6 +222,10 @@ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
@@ -175,6 +221,10 @@ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
if (OSSL_PARAM_get_octet_string(p, &pub, sub_arg->publen, &len) != 1)
return 0;
@ -243,8 +249,8 @@ index bea8783276..aeef0c8f84 100644
+#endif
if (len != sub_arg->publen) {
ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
"Unexpected %s public key length %lu != %lu",
@@ -344,12 +394,14 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
"Unexpected %s public key length %lu != %lu",
@@ -343,12 +393,14 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
void *val;
int ml_kem_slot = key->xinfo->ml_kem_slot;
int ret = 0;
@ -258,8 +264,8 @@ index bea8783276..aeef0c8f84 100644
+ adjusted_propq = get_adjusted_propq(propq);
} else {
alg = key->xinfo->algorithm_name;
group = (char *) key->xinfo->group_name;
@@ -359,7 +411,8 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
group = (char *)key->xinfo->group_name;
@@ -358,7 +410,8 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
}
val = (void *)(in + off);
@ -269,34 +275,34 @@ index bea8783276..aeef0c8f84 100644
|| EVP_PKEY_fromdata_init(ctx) <= 0)
goto err;
parr[0] = OSSL_PARAM_construct_octet_string(pname, val, len);
@@ -370,6 +423,7 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
@@ -369,6 +422,7 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
ret = 1;
err:
err:
+ OPENSSL_free(adjusted_propq);
EVP_PKEY_CTX_free(ctx);
return ret;
}
@@ -688,6 +742,7 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
@@ -685,6 +739,7 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
PROV_ML_KEM_GEN_CTX *gctx = vgctx;
MLX_KEY *key;
char *propq;
+ char *adjusted_propq = NULL;
if (gctx == NULL
|| (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) ==
@@ -704,8 +759,10 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
|| (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
@@ -700,8 +755,10 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
return key;
/* For now, using the same "propq" for all components */
- key->mkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
+ adjusted_propq = get_adjusted_propq(propq);
+ key->mkey = EVP_PKEY_Q_keygen(key->libctx, adjusted_propq ? adjusted_propq : key->propq,
key->minfo->algorithm_name);
key->minfo->algorithm_name);
+ OPENSSL_free(adjusted_propq);
key->xkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
key->xinfo->algorithm_name,
key->xinfo->group_name);
key->xinfo->algorithm_name,
key->xinfo->group_name);
--
2.50.0
2.52.0

21
0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
View File

@ -1,7 +1,7 @@
From 5389ed0aeb97b290969f923b205e333d4f85fdc3 Mon Sep 17 00:00:00 2001
From 3f73722b8e546a3f8f4e8bc7d74527f4fe7c4413 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 15 Jul 2025 12:32:14 -0400
Subject: [PATCH] Temporarily disable SLH-DSA FIPS self-tests
Subject: [PATCH 54/57] Temporarily disable SLH-DSA FIPS self-tests
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -9,10 +9,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index f3059a8446..e924e93018 100644
index 43f7c89fd6..7b03aad775 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -2862,6 +2862,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
@@ -2886,6 +2886,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
};
#endif /* OPENSSL_NO_ML_DSA */
@ -20,7 +20,7 @@ index f3059a8446..e924e93018 100644
#ifndef OPENSSL_NO_SLH_DSA
/*
* Deterministic SLH_DSA key generation supplies the private key elements and
@@ -2952,6 +2953,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
@@ -2976,6 +2977,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
};
#endif /* OPENSSL_NO_SLH_DSA */
@ -28,7 +28,7 @@ index f3059a8446..e924e93018 100644
/* Hash DRBG inputs for signature KATs */
static const unsigned char sig_kat_entropyin[] = {
@@ -3051,6 +3053,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
@@ -3075,6 +3077,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
ml_dsa_sig_init
},
#endif /* OPENSSL_NO_ML_DSA */
@ -36,7 +36,7 @@ index f3059a8446..e924e93018 100644
#ifndef OPENSSL_NO_SLH_DSA
/*
* FIPS 140-3 IG 10.3.A.16 Note 29 says:
@@ -3081,6 +3084,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
@@ -3105,6 +3108,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
slh_dsa_sig_params, slh_dsa_sig_params
},
#endif /* OPENSSL_NO_SLH_DSA */
@ -44,7 +44,7 @@ index f3059a8446..e924e93018 100644
};
#if !defined(OPENSSL_NO_ML_DSA)
@@ -3485,6 +3489,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
@@ -3509,6 +3513,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
ml_dsa_key
},
# endif
@ -52,13 +52,14 @@ index f3059a8446..e924e93018 100644
# if !defined(OPENSSL_NO_SLH_DSA)
{
OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
@@ -3493,5 +3498,6 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
@@ -3517,6 +3522,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
slh_dsa_128f_keygen_expected_params
},
# endif
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
};
#endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */
--
2.50.1
2.52.0

18
0055-Add-a-define-to-disable-symver-attributes.patch
View File

@ -1,7 +1,7 @@
From 5d70f27ffdb520001e560ef0852f29c84e0afa18 Mon Sep 17 00:00:00 2001
From 24875d5f4486540cc7baf23c3f94234ee9800862 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 17 Jul 2025 09:40:34 -0400
Subject: [PATCH] Add a define to disable symver attributes
Subject: [PATCH 55/57] Add a define to disable symver attributes
Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
compatibility symver attributes.
@ -14,7 +14,7 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 8ee9db73dd..7ed4933934 100644
index 638dac8844..5b1b54c195 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
@ -27,10 +27,10 @@ index 8ee9db73dd..7ed4933934 100644
symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 619cf4f385..9192898d39 100644
index b4edd825cd..e7b124a79b 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
@@ -1757,7 +1757,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
}
EVP_CIPHER_CTX
@ -40,10 +40,10 @@ index 619cf4f385..9192898d39 100644
symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/o_str.c b/crypto/o_str.c
index 86442a939e..8c33e4dd63 100644
index fde43421ea..807e070827 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
@@ -407,7 +407,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
}
int
@ -52,7 +52,7 @@ index 86442a939e..8c33e4dd63 100644
__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
#endif
@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
@@ -422,7 +422,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
}
int
@ -62,5 +62,5 @@ index 86442a939e..8c33e4dd63 100644
symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
#endif
--
2.50.1
2.52.0

158
0056-Add-targets-to-skip-build-of-non-installable-program.patch Normal file
View File

@ -0,0 +1,158 @@
From 4b634bdcc4dedc8516529d39062adc1305c7bf9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
Date: Tue, 19 Aug 2025 14:26:07 +0200
Subject: [PATCH 56/57] Add targets to skip build of non-installable programs
These make it possible to split the build into two
parts, e.g., when tests should be built with different
compiler flags than installed software.
Also use these as dependecies where appropriate.
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28302)
---
Configurations/descrip.mms.tmpl | 7 +++++--
Configurations/unix-Makefile.tmpl | 9 ++++++---
Configurations/windows-makefile.tmpl | 8 ++++++--
util/help.pl | 2 +-
4 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index db6a1b1799..bc7fc36b46 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -491,6 +491,8 @@ NODEBUG=@
{- dependmagic('build_libs'); -} : build_libs_nodep
{- dependmagic('build_modules'); -} : build_modules_nodep
{- dependmagic('build_programs'); -} : build_programs_nodep
+{- dependmagic('build_inst_sw'); -} : build_libs_nodep, build_modules_nodep, build_inst_programs_nodep
+{- dependmagic('build_inst_programs'); -} : build_inst_programs_nodep
build_generated_pods : $(GENERATED_PODS)
build_docs : build_html_docs
@@ -500,6 +502,7 @@ build_generated : $(GENERATED_MANDATORY)
build_libs_nodep : $(LIBS), $(SHLIBS)
build_modules_nodep : $(MODULES)
build_programs_nodep : $(PROGRAMS), $(SCRIPTS)
+build_inst_programs_nodep : $(INSTALL_PROGRAMS), $(SCRIPTS)
# Kept around for backward compatibility
build_apps build_tests : build_programs
@@ -606,7 +609,7 @@ install_docs : install_html_docs
uninstall_docs : uninstall_html_docs
{- output_off() if $disabled{fips}; "" -}
-install_fips : build_sw $(INSTALL_FIPSMODULECONF)
+install_fips : build_inst_sw $(INSTALL_FIPSMODULECONF)
@ WRITE SYS$OUTPUT "*** Installing FIPS module"
- CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
- CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
@@ -687,7 +690,7 @@ install_runtime_libs : check_INSTALLTOP build_libs
@install_shlibs) -}
@ {- output_on() if $disabled{shared}; "" -} !
-install_programs : check_INSTALLTOP install_runtime_libs build_programs
+install_programs : check_INSTALLTOP install_runtime_libs build_inst_programs
@ {- output_off() if $disabled{apps}; "" -} !
@ ! Install the main program
- CREATE/DIR ossl_installroot:[EXE.'arch']
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 1920d38655..bfede44ce4 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -547,7 +547,9 @@ LANG=C
{- dependmagic('build_sw', 'Build all the software (default target)'); -}: build_libs_nodep build_modules_nodep build_programs_nodep link-utils
{- dependmagic('build_libs', 'Build the libraries libssl and libcrypto'); -}: build_libs_nodep
{- dependmagic('build_modules', 'Build the modules (i.e. providers and engines)'); -}: build_modules_nodep
-{- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep
+{- dependmagic('build_programs', 'Build the openssl executables, scripts and all other programs as configured (e.g. tests or demos)'); -}: build_programs_nodep
+{- dependmagic('build_inst_sw', 'Build all the software to be installed'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep link-utils
+{- dependmagic('build_inst_programs', 'Build only the installable openssl executables and scripts'); -}: build_inst_programs_nodep
all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation
debuginfo: $(SHLIBS)
@@ -566,6 +568,7 @@ build_generated: $(GENERATED_MANDATORY)
build_libs_nodep: $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -}
build_modules_nodep: $(MODULES)
build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
# Kept around for backward compatibility
build_apps build_tests: build_programs
@@ -680,7 +683,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and
$(RM) -r "$(DESTDIR)$(DOCDIR)"
{- output_off() if $disabled{fips}; "" -}
-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
@@ -966,7 +969,7 @@ install_runtime_libs: build_libs
: {- output_on() if windowsdll(); "" -}; \
done
-install_programs: install_runtime_libs build_programs
+install_programs: install_runtime_libs build_inst_programs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)"
@$(ECHO) "*** Installing runtime programs"
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index 894834cfb7..b5872124de 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -418,6 +418,8 @@ PROCESSOR= {- $config{processor} -}
{- dependmagic('build_libs'); -}: build_libs_nodep
{- dependmagic('build_modules'); -}: build_modules_nodep
{- dependmagic('build_programs'); -}: build_programs_nodep
+{- dependmagic('build_inst_sw'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep copy-utils
+{- dependmagic('build_inst_programs'); -}: build_inst_programs_nodep
build_docs: build_html_docs
build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7)
@@ -430,6 +432,8 @@ build_modules_nodep: $(MODULES)
@
build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
@
+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
+ @
# Kept around for backward compatibility
build_apps build_tests: build_programs
@@ -507,7 +511,7 @@ install_docs: install_html_docs
uninstall_docs: uninstall_html_docs
{- output_off() if $disabled{fips}; "" -}
-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
# @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(MODULESDIR)"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)"
@@ -607,7 +611,7 @@ install_runtime_libs: build_libs
"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \
"$(INSTALLTOP)\bin"
-install_programs: install_runtime_libs build_programs
+install_programs: install_runtime_libs build_inst_programs
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
@$(ECHO) "*** Installing runtime programs"
@if not "$(INSTALL_PROGRAMS)"=="" \
diff --git a/util/help.pl b/util/help.pl
index a1614fe8a9..e88ff4bae1 100755
--- a/util/help.pl
+++ b/util/help.pl
@@ -14,7 +14,7 @@ while (<>) {
chomp; # strip record separator
@Fld = split($FS, $_, -1);
if (/^[a-zA-Z0-9_\-]+:.*?##/) {
- printf " \033[36m%-15s\033[0m %s\n", $Fld[0], $Fld[1]
+ printf " \033[36m%-19s\033[0m %s\n", $Fld[0], $Fld[1]
}
if (/^##@/) {
printf "\n\033[1m%s\033[0m\n", substr($Fld[$_], (5)-1);
--
2.52.0

33
0056-Fix-incorrect-check-of-unwrapped-key-size.patch
View File

@ -1,33 +0,0 @@
From 9c462be2cea54ebfc62953224220b56f8ba22a0c Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Thu, 11 Sep 2025 18:10:12 +0200
Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
Fixes CVE-2025-9230
The check is off by 8 bytes so it is possible to overread by
up to 8 bytes and overwrite up to 4 bytes.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
crypto/cms/cms_pwri.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index 106bd98dc7..ba8646f93c 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -243,7 +243,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
/* Check byte failure */
goto err;
}
- if (inlen < (size_t)(tmp[0] - 4)) {
+ if (inlen < 4 + (size_t)tmp[0]) {
/* Invalid length value */
goto err;
}
--
2.51.0

27
0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch Normal file
View File

@ -0,0 +1,27 @@
From 3ffdc68f16d6b326ff0854053fc9206be3dabcc2 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Wed, 21 Jan 2026 18:13:43 +0100
Subject: [PATCH 57/57] Disable RSA-PKCS1.5 FIPS POST, not relevant for RHEL
---
providers/fips/self_test_kats.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index f453b2f2fb..5b37387d83 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -1190,8 +1190,8 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
ret = 0;
if (!self_test_kems(st, libctx))
ret = 0;
- if (!self_test_asym_ciphers(st, libctx))
- ret = 0;
+/* if (!self_test_asym_ciphers(st, libctx))
+ ret = 0; */
RAND_set0_private(libctx, saved_rand);
return ret;
--
2.52.0

129
0057-Do-not-make-key-share-choice-in-tls1_set_groups.patch
View File

@ -1,129 +0,0 @@
From 65c2f454e83f78d5ffdfc0a515d35c00fb1060ad Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 21 Nov 2025 16:00:08 +0100
Subject: [PATCH] Do not make key share choice in tls1_set_groups()
tls1_set_groups(), which is used by SSL_CTX_set1_groups() does not check
whether the NIDs passed as argument actually have an implementation
available in any of the currently loaded providers. It is not simple to
add this check, either, because it would require access to the SSL_CTX,
which this function does not receive. There are legacy callers that do
not have an SSL_CTX pointer and are public API.
This becomes a problem, when an application sets the first group to one
that is not supported by the current configuration, and can trigger
sending of an empty key share.
Set the first entry of the key share list to 0 (and the key share list
length to 1) to signal to tls1_construct_ctos_key_share that it should
pick the first supported group and generate a key share for that. See
also tls1_get_requested_keyshare_groups, which documents this special
case.
See: https://issues.redhat.com/browse/RHEL-128018
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29192)
(cherry picked from commit 5375e940e22de80ad8c6e865a08db13762242eee)
---
ssl/t1_lib.c | 8 ++++++-
test/sslapitest.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2f71f95438..3a4ebdeeea 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1119,7 +1119,13 @@ int tls1_set_groups(uint16_t **grpext, size_t *grpextlen,
OPENSSL_free(*tplext);
*grpext = glist;
*grpextlen = ngroups;
- kslist[0] = glist[0];
+ /*
+ * No * prefix was used, let tls_construct_ctos_key_share choose a key
+ * share. This has the advantage that it will filter unsupported groups
+ * before choosing one, which this function does not do. See also the
+ * comment for tls1_get_requested_keyshare_groups.
+ */
+ kslist[0] = 0;
*ksext = kslist;
*ksextlen = 1;
tpllist[0] = ngroups;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index b83dd6c552..ab1d08cf8b 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -13269,6 +13269,58 @@ static int test_no_renegotiation(int idx)
return testresult;
}
+/*
+ * Test that SSL_CTX_set1_groups() when called with a list where the first
+ * entry is unsupported, will send a key_share that uses the next usable entry.
+ */
+static int test_ssl_set_groups_unsupported_keyshare(void)
+{
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
+ int testresult = 0;
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int client_groups[] = {
+ NID_brainpoolP256r1tls13,
+ NID_sect163k1,
+ NID_secp384r1,
+ NID_ffdhe2048,
+ };
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx,
+ TLS_server_method(),
+ TLS_client_method(),
+ 0, 0,
+ &sctx,
+ &cctx,
+ cert,
+ privkey)))
+ goto end;
+
+ if (!TEST_true(SSL_CTX_set1_groups(cctx,
+ client_groups,
+ OSSL_NELEM(client_groups))))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
+ NULL)))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
+ goto end;
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+#else /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
+ return TEST_skip("No EC and DH support.");
+#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
+}
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
int setup_tests(void)
@@ -13598,6 +13650,7 @@ int setup_tests(void)
ADD_TEST(test_quic_tls_early_data);
#endif
ADD_ALL_TESTS(test_no_renegotiation, 2);
+ ADD_TEST(test_ssl_set_groups_unsupported_keyshare);
return 1;
err:
--
2.51.0

185
0058-CVE-2026-31790.patch Normal file
View File

@ -0,0 +1,185 @@
From 001e01db3e996e13ffc72386fe79d03a6683b5ac Mon Sep 17 00:00:00 2001
From: Nikola Pajkovsky <nikolap@openssl.org>
Date: Thu, 19 Mar 2026 12:16:08 +0100
Subject: [PATCH 1/2] rsa_kem: validate RSA_public_encrypt() result in RSASVE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure. With the existing `if (ret)` check, a provider-side RSA KEM
encapsulation can incorrectly succeed when the underlying RSA public
encrypt operation fails. In that case the code reports success, returns
lengths as if encapsulation completed normally, and leaves the freshly
generated secret available instead of discarding it.
Tighten the success condition so RSASVE only succeeds when
RSA_public_encrypt() returns a positive value equal to the modulus-sized
output expected for RSA_NO_PADDING. Any other return value is treated as
failure, and the generated secret is cleansed before returning.
Fixes CVE-2026-31790
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:51:30 2026
---
providers/implementations/kem/rsa_kem.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index f7bf368a0d..74dfafddd9 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -316,17 +316,19 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
return 0;
/* Step(3): out = RSAEP((n,e), z) */
- ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
- if (ret) {
- ret = 1;
- if (outlen != NULL)
- *outlen = nlen;
- if (secretlen != NULL)
- *secretlen = nlen;
- } else {
+ ret = RSA_public_encrypt((int)nlen, secret, out, prsactx->rsa,
+ RSA_NO_PADDING);
+ if (ret <= 0 || ret != (int)nlen) {
OPENSSL_cleanse(secret, nlen);
+ return 0;
}
- return ret;
+
+ if (outlen != NULL)
+ *outlen = nlen;
+ if (secretlen != NULL)
+ *secretlen = nlen;
+
+ return 1;
}
/**
--
2.53.0
From c61bbd3f873d28e098f503f0187459ed488977c9 Mon Sep 17 00:00:00 2001
From: Nikola Pajkovsky <nikolap@openssl.org>
Date: Mon, 23 Mar 2026 08:41:20 +0100
Subject: [PATCH 2/2] rsa_kem: test RSA_public_encrypt() result in RSASVE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RSA_public_encrypt() returns the number of bytes written on success and
-1 on failure.
Add regression coverage in evp_extra_test using invalid RSA pubkey
which triggers -1 in RSA_public_encrypt() using encapsulation.
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr 6 19:51:31 2026
---
test/evp_extra_test.c | 67 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 5ea95c0dfa..573732bfec 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -929,6 +929,32 @@ static EVP_PKEY *load_example_ec_key(void)
#endif
#ifndef OPENSSL_NO_DEPRECATED_3_0
+
+static EVP_PKEY *make_bad_rsa_pubkey(void)
+{
+ RSA *rsa = NULL;
+ BIGNUM *n = NULL, *e = NULL;
+ EVP_PKEY *pkey = NULL;
+
+ /* Deliberately invalid public key: n = 17, e = 17 */
+ if (!TEST_ptr(pkey = EVP_PKEY_new())
+ || !TEST_ptr(rsa = RSA_new())
+ || !TEST_ptr(n = BN_new())
+ || !TEST_ptr(e = BN_new())
+ || !TEST_true(BN_set_word(n, 17))
+ || !TEST_true(BN_set_word(e, 17))
+ || !TEST_true(RSA_set0_key(rsa, n, e, NULL))
+ || !EVP_PKEY_assign_RSA(pkey, rsa))
+ goto err;
+
+ return pkey;
+err:
+ BN_free(n);
+ BN_free(e);
+ RSA_free(rsa);
+ return NULL;
+}
+
#ifndef OPENSSL_NO_DH
static EVP_PKEY *load_example_dh_key(void)
{
@@ -5898,6 +5924,46 @@ err:
return testresult;
}
+static int test_rsasve_kem_with_invalid_pub_key(void)
+{
+ RSA *rsa = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ unsigned char *ct = NULL;
+ unsigned char *secret = NULL;
+ size_t ctlen = 0, secretlen = 0;
+ int testresult = 0;
+
+ if (nullprov != NULL) {
+ testresult = TEST_skip("Test does not support a non-default library context");
+ goto err;
+ }
+
+ if (!TEST_ptr(pkey = make_bad_rsa_pubkey()))
+ goto err;
+
+ if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL))
+ || !TEST_int_eq(EVP_PKEY_encapsulate_init(ctx, NULL), 1)
+ || !TEST_int_eq(EVP_PKEY_CTX_set_kem_op(ctx, "RSASVE"), 1)
+ || !TEST_int_eq(EVP_PKEY_encapsulate(ctx, NULL, &ctlen, NULL, &secretlen), 1)
+ || !TEST_ptr(ct = OPENSSL_malloc(ctlen))
+ || !TEST_ptr(secret = OPENSSL_malloc(secretlen)))
+ goto err;
+
+ if (!TEST_int_eq(EVP_PKEY_encapsulate(ctx, ct, &ctlen, secret, &secretlen), 0))
+ goto err;
+
+ testresult = 1;
+
+err:
+ OPENSSL_free(secret);
+ OPENSSL_free(ct);
+ EVP_PKEY_CTX_free(ctx);
+ RSA_free(rsa);
+ EVP_PKEY_free(pkey);
+ return testresult;
+}
+
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
/* Test we can create a signature keys with an associated ENGINE */
static int test_signatures_with_engine(int tst)
@@ -6893,6 +6959,7 @@ int setup_tests(void)
ADD_TEST(test_evp_md_cipher_meth);
ADD_TEST(test_custom_md_meth);
ADD_TEST(test_custom_ciph_meth);
+ ADD_TEST(test_rsasve_kem_with_invalid_pub_key);
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
/* Tests only support the default libctx */
--
2.53.0

2258
0058-Fix-PPC-register-processing.patch
View File

File diff suppressed because it is too large Load Diff

485
0059-CVE-2025-11187.patch
View File

@ -1,485 +0,0 @@
From a26d82c5b141c706bc97455cde511e710c2510a9 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 8 Jan 2026 14:31:19 +0100
Subject: [PATCH 1/3] pkcs12: Validate salt and keylength in PBMAC1
The keylength value must be present and we accept
EVP_MAX_MD_SIZE at maximum.
The salt ASN.1 type must be OCTET STRING.
Fixes CVE-2025-11187
Reported by Stanislav Fort (Aisle Research) and Petr Simecek (Aisle Research).
Reported independently also by Hamza (Metadust).
---
crypto/pkcs12/p12_mutl.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index f8d0bbd109b..8bb4e30529d 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -123,8 +123,6 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq,
ERR_raise(ERR_LIB_PKCS12, ERR_R_UNSUPPORTED);
goto err;
}
- keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
- pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
if (pbkdf2_param->prf == NULL) {
kdf_hmac_nid = NID_hmacWithSHA1;
@@ -139,6 +137,22 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq,
goto err;
}
+ /* Validate salt is an OCTET STRING choice */
+ if (pbkdf2_param->salt == NULL
+ || pbkdf2_param->salt->type != V_ASN1_OCTET_STRING) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
+ goto err;
+ }
+ pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
+
+ /* RFC 9579 specifies missing key length as invalid */
+ if (pbkdf2_param->keylength != NULL)
+ keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
+ if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
+ goto err;
+ }
+
if (PKCS5_PBKDF2_HMAC(pass, passlen, pbkdf2_salt->data, pbkdf2_salt->length,
ASN1_INTEGER_get(pbkdf2_param->iter), kdf_md, keylen, key) <= 0) {
ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR);
From a749dcdb7c944c18af8bf1ce3bd2dbe38e5dcb68 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 8 Jan 2026 15:25:18 +0100
Subject: [PATCH 2/3] Add testcase for PKCS12 with invalid PBMAC1 key length
---
test/recipes/80-test_pkcs12.t | 10 +++++++---
.../pbmac1_256_256.bad-len.p12 | Bin 0 -> 2702 bytes
2 files changed, 7 insertions(+), 3 deletions(-)
create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 06fa85af0f3..ff720894c9b 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -56,7 +56,7 @@ $ENV{OPENSSL_WIN32_UTF8}=1;
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-plan tests => $no_fips ? 47 : 53;
+plan tests => $no_fips ? 53 : 59;
# Test different PKCS#12 formats
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -235,8 +235,12 @@ unless ($no_fips) {
}
}
-# Test pbmac1 pkcs12 bad files, RFC 9579
-for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12")
+# Test pbmac1 pkcs12 bad files, RFC 9579 and CVE-2025-11187
+for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12",
+ "pbmac1_256_256.no-len.p12", "pbmac1_256_256.bad-len.p12",
+ "pbmac1_256_256.bad-salt-type.p12", "pbmac1_256_256.negative-len.p12",
+ "pbmac1_256_256.no-salt.p12", "pbmac1_256_256.very-big-len.p12",
+ "pbmac1_256_256.zero-len.p12")
{
my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
with({ exit_checker => sub { return shift == 1; } },
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12
new file mode 100644
index 0000000000000000000000000000000000000000..7548d0f29edd967854aa1a7c9e3a02a09e856f6d
GIT binary patch
literal 2702
zcmai$c{J3E8^+C;8AJBv7GZ2dCiJym#=eYw$r87k$i6e#qGSx&MQ--p#B?!e2-&G<
zp(ytbWy`*f>?7g!TTY$d@1Og}d*1Ur&wI}M-{(94fh8FXVgv{*P#7~R-Z*}r4a5X0
zB{1(n2+UgmftdynATB>6SSbNw``xkvgBZRq<DUr#aQGphY=9{s{Zq06f)KbSiEq=@
zuO=7_hBE-HF!+DIftjHUfDnw?Io=rL&IkdaAe^;Z*UPNgWxZXY4F$u|ci!O%jMKbv
zd)TTQUXF~FIe~IUfnL~tCys`6g@O$(y^Yd!JG#AvyAj7SobrxH(aw3j4Y*<mEpVN)
zUuI%gw=XA=D5VjU0kva;PX~&ebGvUcsE=UIkzh(O|GS}F5$g_6mv7~9QAl<HkGD2$
zccY^y&pT#|iCfA9`is_q3gv9>Xe=Ok_$P-58ZhTOj;RPgnc~Asj^9XnM>Zbjxjl1v
zTWKuNs=~osbADcuy<wzs&A`5C=UjntFnJndgs3^x4=)${T=?m&W?W~dwppSlnZYl)
zJ!>F~B4YfJ!@QNQ7C%(T8gn*2<tnJu2S~Zor%>OE7SD5(lUfA5d6HUYRDPNJ>XlkS
zE5yBqF@qG8hu7%^5ia-{oQQ)0<4*IPPArQcpNH7!q-Tn(ie<QL_chg_OEP+nCZ@~z
z(`oxWgBl?Psa?-cC^3;sw-`U?(pPv&W<o1{-oEsS!~419;N#m+T=ymE#OH&5sYMAq
z8tvL_@q8hIzAc^j=6H!D6LFDX=;&;d8@&6FtLKv6EzlG<xI0SzylBy5q5x82Mu;<L
zscC;(^9snFm{NW7TjH0krm8=6@-z0y3iA{%MZ!YlP6y{VQM;%%pZcDV0FYclKO%WQ
zlr2UFVip>U3g|}4vOGkCZZs9K+`IQ2{Nn0S%KLUD)mZQ9j!kRiu(}Gx;=~>?WJBgK
zf-0wOM=&W1cXFYP*Sf@flg_hXs><Bc5`6W%4pLP+<vf^nL0K4w!EN+|!*r-?H@<B8
zn(!SRhJ%WsJq~-5^(p$0s#6_ZvP{`VOSTR*LM46Gyf_=5Kbp36oF&q%JltJJ)@rxa
zecU*u%e!bZDj6-1yIWau8$F-N0OV7Dn<367T%*wxL(L#i>!y~szt+SIeCct0g$G>v
zDes%5hnH)71wYo&#u#f?AE=-1+-X*+ma@Q&mxLTO=?|AJwqB_JJSEH?K3Rbi6bX$x
zU}8;JU#DkH@>!T9`N^Z!5;sZ+rgaeJ1UtP`3(;!LbEncCg9G|LVC5#+G@c7_wyI-e
z<J;`tWY@_+gImm0s%yQjp-NS<dhYfkZq_<gBBhSjk`xM@kq#OdONMT%y^GOmmS3%V
zb#<sCAI?1MU+=za=v?Sapm-q9m+`Qdpwu$sUtw8lM&g^wHz#LB!yBGk%y$AE>uel5
zPSk<>eMTwxrl^P|A*U5zPfXky`aLD3YeL>-mX*)F_v9BQKXR@?^CVz-i?qy^?vp?N
z2)DLkiEI7VC-}s${yd(IrsQVr(I_yrVGdi*W8XybZx-%~Mje}3w8XX(bx+rw)I?g2
z0R(8=4_^EWK+sSK0gC%>`+pyA*s1@riIoKe{vOJIH)a0`IJW&7T9*oZo&OOyb)Kdq
zWpUq|jW00%*O$XaAOy(JfDD|bNykfU+|eSn%#lLi@8f(Ab0>)Fu6*wcke2yPfkU2?
z2fMC%=IxyjTJNf@qTL4{tXh9>p{Y4vKU<eCXH9Ep?sRhB274MR!L60Wu7gYM3jgK@
z2%Iv5SF@5nllk)T`J8LA+)wByDsvYrQVnLCwsfypv=!+0ofEdR>+Q{^a!+^A8)Nuk
zC-PLo9j3JCZ_4KbX?*jM{D<HCnmCDT29B4*0%xp)5V_(K3ZM_R0U8npQD1MJ&Zb7}
zL?_-<cRj{zdM;cLPSwO>Oxp(A!-F}COwBy4og}=>A-h5T_Kb{a;3Nk75EQI&>xPfb
z-nIbucoba5n$*Ksy|T{K>yRd~nNZ!uWGng=!RncS*;z=7ob0SOzvMapjJ+>=?FfxM
z3|Z~-8LgPeDW3DV6)xpX2oY&p4n7f<X}o3p=$RGax~Fk8^FH60dtLkkIRZwh!e@-G
z$67QU8k!Nc;$nY+r<|J39&t`==uqD6nTzw_K3P3TSL@QFRme*XUcJ1@`7V~sskJrz
z5SiaSwZ%*fI?Qemi|QU7FDKt`+-vjw_=_Y_@TuZ)Kuw=P?w#?Vd0s&kSM{hQQsDF-
zF{1;YP2Z1{%ch#57mH1V=9-HrFLlBz3Zyr0Wz;k2gwVlqMSy+_=N}L|CllDXo)N*I
zq_pEpt26zn7I_bi4=(XM>&$Nu6cge&Q9eQ*IhfBZ{T(N7N8C=iFB+C1&_*$h|GoZY
zl_I$0t+Xp!omN>{Ta*0LU8Wg^RZ~A_+~(^b=lc5_>u!?%iMJ7=CBo1^FAixpNmT!t
zWjUoJG6DqKFxuzmNuX3DoH-v6c7gf{fBlKjex4u^;W9{yv^!Yp1la`6R)))^OE9FT
zKQg>Rd=;?BF&w*$HuS$dBII5)5pBD3w|J$!hF!y23twq-!x#mU+9HS_IfPx^QV{D^
z3@%kv(baxnomrmfaT=-1jvmDgT$~rsI@nQV!w5L%WQZ6QFWrud-4_XfgB>+FKDq_J
zc*?tqyVz`4eijaCo5U#=*4*`K$cfe{dG)aJ^;xD*Me8MEyYfrDhaSV+rrNI^ocYWH
zZ8MDz*j`JO0_n4hVV|k}9R{Dxxm(vCV`HWJLIClq)iRdfpwTMA0;NGuZjYZJNlJj`
z@GPQmj>w-KBCC~VwT@#N#3q}BqXeAV^z$5$a)QXc0&VnL<%cP3GFdsj-!MyvW|^tE
zXK~`)6H(J&r4y$Qzv34by!;z!-&pE>jkpFljyS7s=B3uWcVEF}<#$STg|)p|SGd(M
za1Pg|<1|h;#`ap^9D{5=?z|**sm=zTGV>q}C?s3;WQXHasmcB$Z&Uo>DYc?wp!ULL
z^;L+rrWms;%zb%!kPFg)IPy3nHKG^FLwy21F3E^lo?1GUPr9C+eaKuROgk<lzpM3a
zLPwXcsEY~5_4w4=U&dfFc4*K`2)*K?%U``V(>nFW^A4?ARQyUtXOh{bTTfqm#pguT
ze>_#^ChZB^$Zw+w8i*@3a3GP8zZS~_ZN$*z$*wB<r0ie+BA=@2n%0ERx-6zmOz=qJ
zXle<Q9PdXVsi&2z_X?=NWbEVEhoQwB*XtZKF}SOjN<Ch4k7NC8yQ1g>ds{QTp&of8
zApQfe%zW~{KzMsxpRy-!*n2?7`5xr5Dv@;s(xiaffIndJ;}FUYXaF)lB`bh{zypmm
zeyx|2|96oCgRK6q%l%KYgNQ^{_}^8df>pH9gK{m(hJ91zPrZW{dBbJJEOn!kU=t9y
PrInqCy{(}E7zFwoSH0HC
literal 0
HcmV?d00001
From ed778fcfb24d7623e7b2ce9beee4af9243767402 Mon Sep 17 00:00:00 2001
From: Alicja Kario <hkario@redhat.com>
Date: Thu, 8 Jan 2026 19:31:42 +0100
Subject: [PATCH 3/3] Additional PKCS12 PBMAC1 malformed testcase files
---
.../pbmac1_256_256.bad-len.p12 | Bin 2702 -> 2703 bytes
.../pbmac1_256_256.bad-salt-type.p12 | Bin 0 -> 2702 bytes
.../pbmac1_256_256.negative-len.p12 | Bin 0 -> 2703 bytes
.../pbmac1_256_256.no-salt.p12 | Bin 0 -> 2692 bytes
.../pbmac1_256_256.very-big-len.p12 | Bin 0 -> 2711 bytes
.../pbmac1_256_256.zero-len.p12 | Bin 0 -> 2702 bytes
6 files changed, 0 insertions(+), 0 deletions(-)
create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt-type.p12
create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.negative-len.p12
create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-salt.p12
create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.very-big-len.p12
create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.zero-len.p12
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12
index 7548d0f29edd967854aa1a7c9e3a02a09e856f6d..a1acf2fc21b1cb17b40911f7dd126b48c91d50a7 100644
GIT binary patch
delta 69
zcmeAZ?H6S+XyWSL$imBITx*bL;KjzN)#lOmotKf7&%o9|7s2H*P+;N6cek<Fpl4Xj
Q#KghC#Kg!j*_q2508~8>eE<Le
delta 68
zcmeAd?Gt4&XyWSH$imBIRAZ29;K|0R)#lOmotKf7&%nk&2f^hrkZ0k@cek<Fpl4Xj
P#KghC#OOcSh07ZNMgtGS
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt-type.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt-type.p12
new file mode 100644
index 0000000000000000000000000000000000000000..7f4e1e89ca5c24de74e601dea8f62f68d43c33f8
GIT binary patch
literal 2702
zcmai$c{J3E8^+C;8AJBvTEdKFh|t&CW$ZEbB}?3DkbP%DN@NV#mE7#R30({tLdIUv
zLLv7KWy>y%>?7Olx12h^-#_<{_q^wMp7)&hzt4F90!uO&#0U^rpfG0Hc;omzHV_l2
zguuKDAuw+O1ZEmQfVlpQU?l{I?RU!x3}X1cjDIE|z~P60vH_-m%umS*2t(jnm3$j+
z{xu<BFq{Ekg~9*x4a^K>07PKSF7d`74@L+`7Q$J(d9Bo%UEaqH+K@jKedj%%z&Ont
zw~MX1?(N7}ksYL96y%NVbLMEcuav*erN3UXW=FTT@G#<7hLhhD$vW9@wg5K_p#`pc
z`s+;W%GTwiN^;39a=-eq!KZy?&bghp>D0$Cmk2PqNbvn&4$`_E)ah4oTo{^_&*P&*
z+gWcf%=L-cWa5@Kf&QYsuSPzdGa3s>9sJ3GL<8o0$1&yMCsTZQsqyPc?@7i(Jdrb(
zw^YW0tjZnCwdUug*c(PFRt@Z%w$J1nhmfW*Mu?h&3*lwrp9?;{(~9fp&@oH&A~E<U
zw`KNcl99$AIm}z>>hXgGtTCtKQ?7zae1ViZy-M{xXo*}$1?ff5+o!3eMrD_|uU@GY
zwnE%%7&Azb_4MXnKytwaa7YIw#_i@i9at7&K2Pz{Nv{-nHOp}ME~oQ@m*n&vO-z^b
zrqlL#1~fzSQ#)UrkYgg2ZZm$)p?~2io(Ze)efP>Y4)5=pjgP0uay^iu6JHGcr5+{p
zc(ik)#p@*!9VwIe_IRmM?$$+up`(jUPRPz9uI@|zw?R|f;I1gevtor$h(ajI84=Fl
zrKY_ttt%i8VoLSR!^E$fO;vyD=B4kEl;+9a%7lf8?RL&XF}o;=Z+&-YAV?vh50ShV
z#ulRsF$;^84eUb6vphnBt~V93+`IPz{POBi%5a;?`B<Oo_6=*)kcJxB;=~>?XhY&K
zf~ux&-C|M|?chQiuXc+2C7or#RF!(9CHU!k@28&cQ1E2h0cBzw2DZ=-5AH+Vy6~mb
zPNH{o8TQKucRB1$)~4u#=bh{5Ql+Xk+VXX>Bh<=oS{G;I^G4G)k28_YszY6MB<(g^
zy(f)Rdc2D^qf*gAIXe}_k?8ph1|X06+YE6w!HGsw4l{#5t(#ij{aO>#|FzrgH6C#7
zBM&#r3@z9A34g4kjWO1)Jk;Rt*lt#<mbSo+7l$4-T^K4|Y&}>1c}kQ$e6k!Tj0}t0
zXJSoQTcc-A@>!T9`76q<CaxC~OzR-b33mFY7NXUg=T4<P0SESez$#3#X}%EQY}LTV
z##8LyX4T0-Lt4z#s%yQSWJ}aCyYKcPZq_<iprnshla%sZP!5_HONK71-HXxcmfx&<
z^mM5s9|WHFt##csbSdy7kUddnOL^FfWz{p{Ut?KnM&g^wHYR7q!W&*#%y$6oYiu0b
z&eZ+~y+$ecrl?y>BF<m@yfASB^m{5QP9i>~mK862b`=*UKXR@@b0uN9i?ocEu9H9i
z2)DLkiEBOV6@F@1e-_V1Q*pQUY!sSWH;1j|vTvXSHwt#dqK?fhT4LLXdi-@KH4&C$
z00A2JgBSk-5Ht)zfa1Q}0pG_5cIv-uVr2n=zlVz7P5FNUj%}Z&_N9D3mwyCKotJ5)
zs)XOo#+R6YYs)uAAOy%@zZ{&VMaN67-_fpYnX3$i56Af(<V+CP-1vs`QI>g4L4#hC
z`#Wy>=4~AiTF;8DvfT$?ta@KhfvGuPA6us%XH9EZ&UA9`I(wRIf_p2AT|1Zh6~T=U
z5IA`TuWltHkn!rt*=#3y?x*w<wYiJssRpx6n|fC)DESw9&xqRD_4H&>xu@IdjWL3-
z6Gf`wHd9*kq3YQn8sB_`;K8AP6DM)i!13~ppc(66M2>`{66k|%pr)ij)VJIGS=3wG
z(TO)T+>S9DUJK_$Q?;-dQ_4VFcnD{qshO9xv!u5<WG6Vlo{=#PoWx)sDhq4eyzXnW
zyCuXu9tD@PuIy&4{<6l@<B%q~kx<>qWGnU!!RnQO*<MJCnCz%GzvMOloV_<|^$3kU
z2wmy*9W9^8E}HYa9WL!d2t`tsLrz5H8gCmver`p$=4BksyvH}@Q5XMEfq+pd_Z_3_
zvldQ=g{4P*akW3kQ%1ede(Q|*;DMt1b61yvJ(5PSp7y23E09;3y!yG5^PMaiQ>&{N
zLgjw<(h)Z?Xg9k~EUbHcyqx@?ahKxv@fRtg@H6G(z?xozoIB&e^Sr`pZW>WZl|j>g
z#EkZTHXR-*lTS58FBX}I%rzI1U+IRI=gVx|POoRu4W)w>3V{nPoPR*<oK0Zk`bGqU
z;*$2StuFLu+N51HKBU;|w2PoYa7?J<MA-;wWPd)R<aeB+9dRq=f!K|7Aqv?v{`dM<
zRm$MvcQS5lb=sw+lqSVzJ4`bSE2jP~xQ#c#F7*%A*W9H75+e~}#iGz4Zw?uEDcL@O
zWd)Ta5&{HUH`){ANg$Ue2%Noj;~e!9{@PQKy<A};!gZiB!ft=517s64TM@2sUy|Ye
z{l|t^h_3?|Ifi1F(S`w+M?^ddC!%e)?-qS&t6|r)*2Y)ZTsM{lNpBJ)jvQ`W-Bc3q
zQ4T3lR@2jYXq{1(=*f@LV@HqT`Y+B4Y42~JXTu1&WTzvIik2edV)u}NaIm8m$4B>&
zm(O@ta2J~m%TB`~lu4X&LCsz7hU{p~;@6KV-kfIoRJc|wzN5I*bKp6|ZL0Ie!G+H}
z$Tq`xpY4rw32=XQ@y2IrU%SC)bMDr)C)ik--cUfIYNeFrH)yn)s8C7p)5!4?RHX`_
zH8hJTm?H{ih01HES*_ui2C&H{;j%)`lnc2IC<S5EZoUrso$8|$Ho45~o<qzMqFHWg
z?s=R<*F@CxH<`rggKzkS1@C}H+96B5pAlC-#}Q}M&D_+QVUI7k%)Aci&Ks1sYf85p
z`p@7fy3XTtV{DHF&N0~L<Myk{&hxWDr_4Mn`<0Tdy0gM@=c&m7BkxlD;VHFZW1zNz
zWsMbxj+QvH8_Z*QdVmYkfH?9LkRH(w<DotU9~Y;`EKe<+%B#GVm36>eBT73iAib~k
zYeGktebEpXjqCQUx4(?Rrf<`rmk|0zN0+~OZ=`kTkLMm(wW#?QkIp2sO}Fwpz2<YK
zUU)K9=Pu&~ThF7=gbgHA8aPlW$X|<PK{n!O(qw0qeNxu1f00gAbxv!+XI&T5CMI~K
za5VLVNsi%BNGiW-^=>{jgoJ$(`zWl4<651A76y0qQi<mq?s2TYZD$mnU~g-tKiI8^
z0wjI_mYGlS7YJ{++cWm$b$d_fIN!q@Ruz(-P?|Il2?PKpKMtYnfF>aKQ?ddGFg(ae
z^VfO>#eWw$FbMg7UG9IH9RwLs9&lHk3RcrW4=A*#8um_=J@W}(<PDb>x73SHf=xi+
PmR5F1ds{;TFbMQFNfFkW
literal 0
HcmV?d00001
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.negative-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.negative-len.p12
new file mode 100644
index 0000000000000000000000000000000000000000..9a4fd459227c52b3c4a5618b874afd717de2afb7
GIT binary patch
literal 2703
zcmai$XEfXi7skz)8AJ54N_2*(`RmK*W%Lq#C4=ali55gKL>FSCcY-WN8G`5}A%z67
zJ0x24I-(DP&09`#-uKIXxaXeddG0y)+wVL8mMR4dA_uTkP#C3Xyk7h<4Tu6%ilsb)
zU@7+iEF}@ZLY#g^uu?3<;=5%E29bSVdOs5oVDm#jX#fL2<fo(tI3aMAYL;DRpSnOW
z7)}OI!{Gn<2Bw6P0bDRj$9O%ED>(!t3ZbvxyIp2RE8*!3Z7vv#y8j^>OFqvWcZ9CF
z<6%o)mE$j|>+gXca-eHYmoC_0(A+8Awj@~@yXw-d!|@*~@M<}4_W@@VwjHj1_3J|H
z=DuB0HNG?qKdgA6{rN<Oe(CUC2H`2pF&vC9X8$mn%WKvR>h-R=C<@9hVDeNW9`1A(
z<$1>JQ7{VYLw`{{k;h-nos0#9&i<t1MFK`F7crHgmvb!9LeqDWKH&7mnC>mu?aNO2
zn^xKwsVpxG(Kb(1ZE0Jz9$YKX3&hQ%bb0E|v_i}IzZ8CcuM*eOqh^@sjwAC)?#dd@
z!t?5VqBH6sDaMZ$Qpa44Pq_su^#W4v4@x%<AO-SlC52Z(@1CWW>6Y6u-nv=OY0C4k
zc}hD))Xjr+g_i-&hT*l5CO>Gq--D*&WO3u4oOMr;kT(gH=(ATCwHDX3)i+qrpHDkx
z8c_}^NbP-jiH`|iiy;4!OWI&6SqQH3djHxhF51T_Cpx}Ul;M#Osp93xUy6|&PbYhK
z+udLBBJYVLzPnhf77x3D)v<Ln&ka0$!q9K+69JlI1ouTsiSZRRRd65#7r5vH)>@DE
zRc?Y@D^hCjeoOqi*IM(ZdVa<+PI?*dA%k5BKj^0a#%CGX>DAaD<Oh;W7~)Aj4yK7w
zhZqLOiu&~-B&ePsL3dh<s2)Ci34V3!JY~E~Rw352wtLqMF{UJsH@>vu88yez=|bgF
z_roaUxO*6odRx8x-brFqsG2g@v;=QWkCRk|9!WQfLr@mVW@I1v_$(dj+!tLoZ_j;S
zo$RD?^oY(%e|wHJs^HK-5-O83SCwcGogh@7s@zzN&!0@&yU5~glN;-6z^QgwXf(CV
zX)v#vPYOkG<Q`U)+(RyBk^%XI-xews6YPmZnP5W*)U37r{jYT~!(aQI-$VmWL-_GF
zk+JnUZ_ZB*#3}On&BsctJqK;_wZg`j>5`!HR;{tJ)sE|pU*@=JLuV^7oV>wtClu5P
z+uNk9Sr%jcBp)f!t;C%YtU&{WGQm>w%1V@C+tQV^Ca~Y&N3`TDjq*z_`VJ*@Y<#EH
zyX*#WXkfdcd~Lmly=bX?R{w(`p1bu9RS4nptt9CJM}&<s%7m=X^yo&EqRFY*fQC9@
z;v?IOq3ym0I*x_jSiBoTtc;1aL{u>|{tcR{ZX&+5e0O${FSPlk@p2E)y-h=R;6NCD
zG^m>r-5MFT#^tc#?T(6LBR!Orwde9IGpTy%c_g(m`-y%FnkNX$TP0?;_g((^N2r-8
zRb0onLC$A7jbhO>L|GRzw-%1M9V6Iw9_=oIeYfzCFY?0BxIMP3LW8y8vM$_Y3cy0+
ze(>U70D=ZXuu#l*+xPo;!mj+6P1IB%@b^&ayD9Ncz_A!oR<$nhcKk=+G`Jg7%L#bj
zZFz<Ay}ceX0l`8>hsEJU6;ia|&VAMD_ND3|_;{T6S?)~5wlm9k0m3A|)qm7|_T<o6
z)2OQlLLAt%kg@#eg;pFIC^Rr)8KUX+rmyP=&Ye#l+@VbqO>pU;vg~G1yve@%5dz0A
zL@Sz#uw}k(63eldV0=cplwZ10nX0|mx~Fl|xU)cO@EW(J<-kBTfpNZ@)DpuEyObj6
z98jc1eUlUOC$cPuv!8wQX{E2&(zdk=@n0|t;K>yblm>mY@KYAljy#QE%_f8$L?zx;
za=t+Ay02X4PE|pp3_3@;LIdfG3=G}P90Wa#Acq0IR^;Sq;3P7uAW>M$-W@OVqkRs>
z=}5S^S#>{o?Z!66fK8g<ZbEG@g$3U!54C#&>R=@;e72|2$l87R1?^z=);SV=7PL9&
zHCZ{6Q@rFB5i0D74dU%w54_|SZ;8-*`oa`@+g&e;@|b1HwITkoBo-xG=`}^tq%N8d
z4$g?&aI(72R8B~z4ZFradM4%a!pU*u7^f7Vp=$kf6Y^S_Su<~TxtA()Zfi>`Nc?wq
zHGX~VZo@kjMGa3c){`H#9Cdns`bDUM^SR80U)`W~?)~Y2WoAx!XQjxbYXA8^VkU>b
z7>rMpOQaegSBv$zmfDK&uhl~<3q*D!G8!q=gGgY>B0#I1{tt+ygFb9pQx~gUQri8s
z!;$n{6?cS;4lHrM>d3Ag5EEoOQ$B&4I9bjt{T(A^S+Sq;h%Y3AqZ4ls|9j)>8X0iO
zdl6@v2Gz2%&Q_`ChZGBBn+86PnBBJlj*X9Ywq1mL6Yufxm2gA-J?KPSghYqf)+J?=
za6BN`j_xr#Qv$v+flVwd<T~MV^zCO{$9bF;JWeCk;g%<BJs@-c#i~%rbV0K8^rt#E
zE8h66(v8KgBXxZ3Cb(RSW}++(9u#kM)zK=OsYX|s-_a8V3GZPA&TT?&?Md?w$OM+k
z$ZM!QHp?tebYn$m&>|->!#9>WR8I~RXiyxEIT^gV#cTKCVvl+K;9y%7x=${Fubwk+
zVs5nQlwXBII%hF5g>?@+nscI*OWr)GdV7`PbJ2DQ|Dn{{z?s_^qk-C68%Gu+e~V1L
z6PmZer9k@PYRDJDP`CCMBgT&HCUmUGU=Scsvsp&<8#GFuo1-+~*}dsYM71oSGPcN5
zxKzQO9VDTeX1a}`7(plNhl+AIbZX_<AS5{vM+Iug_i|5CXvDK}2EL)zc-qA0mR`gO
z^vy)hpNb^TpPfdpta$jg5Wi71dh0R_)1A}T+|5g^8+YBnWaak=_l9)7+m?=K9=?X@
zRCkyr>7fUVF}4BbpAKGE_bM#<Uomv69+plv?avOyC=il;C*G&{z*Fk^ra)bV>q?st
zH5GnJXPE2y{0IZ2ndjV%O?W~xn2GQVd{L4Svp%<WCBOQ1cJ>)%9XIi!5ci?pyA>H#
zzM;g=9oO&GXk~{&XB-fr);yZU=XR$ayJ<a|(|Kp6?eab)lMBf-^Bt`AZ&(}%T1|5e
zE+X!*o%~KBr?!A>GaUi}`D?Y@-<%(bo9(T!O3MEAFWi-y-gy=HqSI>H%nXwdhNze@
zOE*3VNoAF*Jt`ms;?Pa8PlAi-Za3JdpfI<rOWocwPNRJ+dLv0#D+@!-(S9ieAn*gQ
zlq^!eK$!cTpVKDqSh+!`Ssv$7%i=UR(u9FXzz;C^aR{XaQ~-&ek{aNJ!2NZVe{GbM
z`gf57gUK%cugv{VwS(}6SNc9sB!K1BkRy`qayo-^<<C6>R+&R3_)RpTl3+6sxQVGH
Mua$+4HW&o@8(GQMf&c&j
literal 0
HcmV?d00001
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-salt.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-salt.p12
new file mode 100644
index 0000000000000000000000000000000000000000..c43b4be04307a8c5d2c002d4a31cfdf0ac9217cd
GIT binary patch
literal 2692
zcmai$c{J1u8^_I<8AJBvhA_4vLO*MlvB%h#EOD!e5@U@C3CS3;E4kTs6Vt_@A!O_o
zEfjL^sBGEAjO=5--SfVu&inpz|9H-GzTfY2&hy{rd;tOn9t>gy2pmutyJEa~{5BVe
z4OBv4-+~a>*8l=L10X=I{)}KH1c>8z%MJ`;`M%75CLqA&hk$YcmVm-f$q9%-;CdvX
zRS*B_U@#cY0&v3M|M>=Hhq3_TFn0HNbC4%11f&Szty#NLYR|3g;{mPDAB?{99#3GM
z6pY)#RNnA*Wv$2#R51(m#`L=J)ZbUjU*R)eDWN+toozhLcoyN5_e6?8_M3IU15Id#
z8=m+!6}z;4A&EpO38(aFADVpLQRki6e49>t40DeFQ;J0159CPNw}CqRDh>-nvhoFd
z3>cd$ZH2i$F>7r6@)pov^mnu<Cvrw&0lB?Dc_dMQwa{TqdDzi}5MFNdM$&t-`Jlk<
zsSE2G9|P^mU99zHXXUu-hbxv%oEtYz=9>qTC(&kz>b<jJWzt^?KEKn8Yi~EOO2m>`
z{F7TV`!Xq#=AU@1TbSDM0|lHhC*o5sfl7RVlsi3Yb=@eLTvrwOdC=RZsikIR7x*t-
ztP!(A+^hd+lA`G4eSA)m4=#+8bWvm7Xu8vm;Sdw@k{%hyrYLLKhADSmJ~MD$$=KDx
zaxrf*ZCjvUHzYr`<HZprCSoCy^-B)(t3dHoXoc^)SH5w0|Et;fc&Z}b134z~MgL#g
zQKFAWI#!#pFC|g86%yYbE|8SM&k;;r-5qj*Hy`nJo%fFfP4I&|qf}2x6+R(~B4ww<
zd4m=jx7YP9f;@>SRk!vNzpXV^{%M$(zD-t}rFg3o<{~!Qc=x58qNu)gT_M*&Dha)a
z<n2(d7(<9vXsqJ(PNXu&BNXUHV<E@AdoRE*FCC-|wQ8J+^{HxGwMP!>Xi;pAoDl;K
zWF9l9X6kx4o2EoNAIf~WL)tIt6bHJp)H5x?&)9n>^-Q~p7uzN%6YbK!j(WIvAL`MG
zFP*$BamSElr+i?G$Jv5D!5lc_R?Czt)pXETu2meSk#_aYO~>brq^%uhN;YW@cGi;h
zTOEy_G)x!?&O40AMT_QaRutbx&1SFwd9>fAh|>v|84UGMD+tuSvH9Jv)iHhFx;$Rv
zfvdfgp(cgF#cDsXPqmDXtTjsyb&j`hG-*}I+u%lvLk=3x4wlZhoUZ#aA;BFsUXBx!
z42|1i<4mB_nVI84HWo?#s*1~rE5!uMS_pfBlku^+Xziw%V`)#o*Lyx-RK~e<Ux@Rz
z=wM>wsm^b+YL%eD%~o1fHQtvMOSCe(?)D;X)woq4<qwvV)bibtF1l!2mQK5^bJ5zi
zyY}5ihP2@i!q0o@op(*$3;YNaFXX9G0q$Z&?Tq->7>?@U_{Or;@oA~B`WH5{?LZry
zi)X`)*7u;tECt^f6}}+u_SFxIjuU3y)6lpq?o(=8@xo_Ib#D9<?=m!37M45D$Y}07
z`ty%4dpnM}mi->Fr>1qM@LUXyYxZ6Zq7y6DFnTWcDpF*%U{fmU(8{Jcwv}jfy!NO%
z!uBITfX4mc#XkUohC&EX+;=<R`}n|){g+Lg93b%bQ1!d1{BOW<?A6sjpYP}XufVCr
zT9Pzn{BAY8L<d}1yg3XZKnD7h;0!$`UUub<KB;+z6apWL^V`cABho#DhVqfNd5wVs
z*zuiB4`b`rb_k<;$x+?ugD*zAx4Xd7TBw(+!;iPRB{XL;xo3qtO)=qG3x`u1pY}zO
z)ejIjWeTrtry!j1>dC3>%gX#unMYbP=gLz}rW@CcF4|D@&-R>@aB}MI&Z6;8wlN!G
zL|{j%G}8^XwCH`!Q-KVj*$9!neg8&Y;<AbBg`0s>_Cbgo8Cf;Z2gmEWvL;cxk;k)W
z;TzG3w{$!X(W}_G(-NtA7_=p|zcnnFx6slGYwsrOZ4KEB3UFp+O#>&fIEN_08rE+3
zI&7_r@{dNrmF!7ftW{s>Y~3ztva1PI9c+$Ly9iEf0(xUEEn>XA&iXud_BnS?*75-g
zvlp_|<2zD5mR&UC6&WV)LkN+iE(RY-C^bZyKYngUxPmp0X5SY2=vf>8P=$cjDEIxy
zH0CUv3=K_>`g+y*v_Ki{K6m&@>481fYtOH`_ivMRf{gUfKVE{o(iJq$9iQ#s$e37O
zJ{zL+JJvwj!lcdW2C=aA@!?|fgN7}t-=|;Xh+@yw53g7EnB?3U4Vo1c)AG=XN+JbL
z{t+|M_r-E(xJ)_K5;b3BAwJVoNO@%#R-Ui08kt_lW*EW*s}urfn|c3$IJsHCMvct~
zCdDOf-&)+6&-BS#D12}+_Jq5LNl;9P>sZ+^d3a|wqvUs-suOWN<$=`AbWtkBGXD3v
zSC#7E;&%!jT($b8rPM~%XPazOEK8RD?zq)ALGE=AR_NE{0upZ{q>3e=f!;g{*W?s?
zg%?#clE?@UY{hI_L?D4uo*;ZG{N`!eXZ)3?;@i1mM8ws8QiRjaLOaMIaJnK)<-RP-
z{ritiFA`s0pXV8jT|}7%To@MjEF6n=+_+oxwY8dC*IplA;c&xT5hTAxkU4O<d1*~e
zx?4TCL|x0s;Gum+S)$i*q!Bl21lM<NR#bmy;|v#C)IB?0(yVCVc3kYX<aIdMRgdS>
zwcwY}1eb8<noP@1z#-IeoO(g^UGMtrXx-x1k1F1rVEbH1FP7d^UFhEP8sxV$c;n(O
zWF6?3VZOulM!p2NKRti*3$3@!<cl?b3;hWuR-q>Zkf~fM<@gO6ttBB^67=-;=n;~n
z0q6}*BMN4SB3U8I`e}A_99uso*&<9))Qx&J*9EB}hTO_GK)us^l)|NynccmQUO+S{
zP0T!xlj$6bn%q@LoZQ>R&&_!UG%)r#>io?3`gjg_D{tkdRu6f8#bxHT%Xi$QzNM>0
z*7u#nQ4QTjndX>o8=Py9!>5f`q>eMwfyb=8NPTL_c3oLvxHGimfZ=y3{_vC<sgI!6
zf<>Jrh=HCoy9dm3ak8HeQja+B5|$q}4i%t11s@it$1F}P9LpnJ$;#Seua;mO7Lec9
z_%))U%f9MJOT=~g);V85W70Pm(DMl6qJs;&-m7Wt#-q7=cFkJ;#UoS6T$3%wFTWOY
zqn&*+QF~1R3tP#fGQ><|H0pVfNXTFFWq}UTDDrqmrE^l&uYZw`Rd!73!Kbgzr;UvX
z$l(~;3FACNBaqbNnpIo*v|uvkN$jK0BAzR?E_!I(rSm0TZ}>+s{*E0{OoFqcmGMBA
zDiV<S0a$h+)n6cjT^`T4lUJO*prb+$b2v4~Mxtr*zzx6yF!*r@<p$IM>7SAl5c-Fv
zV36ehHMsxja}ddh@_@VAG_aNds$Zp9)3j%z?3qu{ykMBJw5?He5^M|tx3zPUbapf~
I0fRt)19nW)od5s;
literal 0
HcmV?d00001
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.very-big-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.very-big-len.p12
new file mode 100644
index 0000000000000000000000000000000000000000..6920b89a6c7f1cb9294b399d50ac2d4d6202e25e
GIT binary patch
literal 2711
zcmai$c{J2}AIHs@8AJBvhA_4v6Z+XNV>iaW6StZuG1i!DQ8I??B4yuAD4A#o*{Nuu
zkb6gE%f626BjM?Jo_p#%&p-Ej&gXp3`~Ci$^ZD;}-T;a1E*QiNkl3IwR#cp6+%5-*
z1yn*}-GPu;HvkeV9Uwt2{fb~EB#6Tg%LWW$`th0mN<e_~PXXls%mKMyk{u9%z;!AG
z*4_Q8gTP=o6Tl9G|Mwc070LvN!dTtnOhF#Z5D*H&{dnVIsV%31w>z{he=zFidm@Q>
zl0S9_S9R6Pg}EX-K+z<?3)kz)RhOomzs6&@R<i2IaI*3+;aY@K-;=3&*>5%hcPyz1
zu7Bd|RLt_`*~Cg}NjSAn^APiSPlbDC`)xYy0n9A|Of3?6KaeAC+Xm|JtvD<U&dTTW
z)}wE)wH4-iM{lt3%9=rc)7?|2p2!)A0c7_7<Pt{%mI8;-<zYt?0z{e7tBLO^rh|Mp
zrp|7vehjcFced1-ot5FN8?IQvI5ljY%r_09OkzzC)%!+aWs+YCKEKn6ZEx4JNWfE=
z{E}KT`!cEGrk}Vhn;DvM0|o5SC*qRNgGzjW<eNRpwcTi`To*;zdC=RZDWxW5XL-+`
zdn{suxLx-VlZ^88IzA`P0~aKSJ1aA9HQsE;v55$HN{)=<lNHph!xTC%XbhZ@H*_&G
zU(B0K-R0}o4$e>McyUCHj##+P{3VC6#8*5OQsMLNl}{|u?@~4~t_8(&M}|Ru(f^lb
zr0|20j`b$|OL6oKxrDce3zhQWb|hmLH~XBR?fX1kXZ)^%CV0V}kxHi|3ZIaLk<wG5
z+<^-XyPG=aKpy1eN7ue5eBEfM`cpqIeV3v<OZ8GA%|&draetR^jBN3#?FzmEQjG6K
zB<+T9MC(H=LSj%?I*|%&_tBuM4TWsCZ@&P)Jb#cp)T*ix<Nc^@-4;2hrB1avazYH)
zQ@Bi^YAKuHENWuyJZRIE4oTm{Q*79(QjgSlUqi3G6peO8PnK;^Cf2!s6Mb(#4eH)W
zES<a{c2l2euY6#K%gJnYf-#`sTEmbjRkPPss6h?WD!=L2O~>Vpq;4E$iZ`kacGggI
zTOACZ)K3`j&)bj4L<#3?R}|ks&t@<Id9**K$kXu`=ya733kcM<q3PZ4)zN)lyWC$B
zflIyAp+>pE#cE%XPc`(9%#WAvX&rChYE*wDYeg6>4nAlw8Z4b}K3)4|LX0zPyqq8+
z9um99!XCf6%E%lSurf>ZQ$npItQC{YYap!gj)uqPqBI+4j-@^UU+MXPQyk~eej&=;
ztc8n-YjJv;RU;1#YO+v&^w{eHszg1r>sBw~+GE!Wr0l^;qH?|)(pej8&D3eLV;7}q
z{mr)9K%X}JLGXF+YUeFuw*p@h)f0KDl#jC*rI``;8pl>W9M@2`K0YlGR`<ecwjF3&
z<>1<KrS;wEF-ayiM20Vjx-R+Rv9W@T+p4M;M7>L`D_(f-D9w$3;$DH~O2cyJ=^0I(
zM}IyHv$bK1ZT{XP^3=HY6p@3jdfC>qUU*{761JMlxsDWCFW8odJhZTCifJVq9IrX5
zj<Eg+kf5<YdGT)mK|>%UDB*|g|6{yi$Npv$I~xf6BUJifD*O|09D22N&*b~M{UdN{
z@aC0jQoh&fUt;|)E`|<6NRWX(c{p8%L6ly*sax4JQyB~&iuK*k86&T{3k>BWt@9cJ
z2Jqv1+wO*zt?dwc_p*bE;|Cv{W^Z?axurlaM~5$Wb#qA0WKz!>XDTZGax<G_8;|BW
zq4f_CICYAsX(K0?@#@K`><bFKPZ>w*Gj`=EnCXTMgL76b`9?h_#T*^GyR&G#lWmOp
zXd&2<63uvvB{k~1+Nl7#z-)xj{&&9yZt@Do<!orclx-j)M@m{5^ughZwlpU4+x6pF
zwD7H{glk&vhuC%e+-b2C9URuYrN1>Sh`Z3-0&nXo?PUqs4)k|oW=;hsGC2jKVD%eU
zee8EOg?UFK;qtbXUCfV`R$028Q>EAAA9b)eNPI)E<KwYgbEy&I?X{L?@Uzc3d$Lvz
z(765J<sP4r^0Dlq8PDrsvfiX%@s`D)BQg2<>!uH$+mJ5eO`}+M1wMMz#NAUQVO7h0
zJ~9m13nxQD(j%8HIi2P!qor|%pOhTfSGxTCl3V{SMJv!i_soN3$SZAr!`$)N4z`Sm
zl@+64`MY>MNi$5F#Z_`)&4a_mq&xLHExw<AlOc;dQ#rg+-Gj-wIT|?2FQV?Q6`5EW
zF!?Zgr0<LQ&~TYTiaC0|$V_ymv5@*oKdd}oZvA?CEsK6I1FTpG7&UP}ggCmI!A1>D
zNSNZ1wy(`@jAy!(9W*hh7=OY|2oo3`>@rq1Oc~yr%_zA`P;w-1Cf|_=O&4yVn#bL(
zeO09bE`BHH&QYUVTH4Z}^lY1DifP&0&yBGDCeW?+&f4l_8UKVE2#I1bXn+@&++`V5
zui&DhY9a*zf~}eC3h~8L%i{%4g@>M|eI{OfD!Q91LPlKbuZ(cqTWAN_2TWIlDW*v?
zrKLSEK1Y6iWu9v=W)W@de|A{Zqi`(BVe3}WQfoD*wyiF)!v3l$3M9Khk~(k>J-?wW
z*{u>(qM~k~ch5GXEWz_Q(tr~^Lg=%b71rI`(%`@fyJe?~n-neFh>h75zXAul=x}|y
z9Q5)T|1!a@(YWjc9MUpQP${Us<yDs*rCt2`e#M&;ET0QkizT;}7P|L62YJo)-Z;An
zSOz#`nC@}Bku3qzrsqSy(0bc2Uo3f>SD)Zw<a&YusjB5twm+az>SDqrflqIY9w94L
z0iD5VM8OPMC@WY&H`Qj9z|xOPG7CcqyS5nRIwKWDkURN$=yz)OlR4xwv%9}z7Z8o|
z6En|ar8>tVC%?%hOzwXp&dquG*VDhV)%u$7^l=?<S6$0ZsUGrJB4p;Z%XWmeyj@kk
zUe|Y$(4y};$}q)sTM=9W?LTe3s_f914mf7vS=pzYWYd)uM$n)o`47KK_Jb!smiP#2
zEm+iAhUn=?vbw`O7AO08Aa#fXPeIvX!w^2&Q}AJNdi3JN!m+%{i&<Iwtkq)l!vf0t
z$G#2dsInz3NwL^2pIWE0SX}xR9eM^~Safjqo7Z}3yWwc=zD<+5U-8IP631lo@e8j7
zTxmv6CTcFr;bCieEp!o#lxiIp5()WhzAV6A5=|NJsB%io`u#7;v8s+q9r*O6`P8v7
zJ{baCGk%<FXatgST<y_LJ}roXdlGX$q=@Tcjk6AxaQ;k*=NsNpoS#ESB!lGSU|~4W
zrGx~eegc+NK<PIKf0z3+&ZIRbPw1$?y&QH`ih*#dED#+FgaCFwH=&#W22lMa*#TJy
zJitWz_gY1z|1>!;E9mI&_kX4Ce<~hCJfhtHmL?6Xu7~bdY*I7snJ9ba9XQV)rXXo;
V5S0iUgTSqA9L1d+j4@yk=wB`Z-!=dM
literal 0
HcmV?d00001
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.zero-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.zero-len.p12
new file mode 100644
index 0000000000000000000000000000000000000000..0e63eb6077fd94da26ba86f1b6230daab5f5ea3d
GIT binary patch
literal 2702
zcmai$XEfXi7skz)8AJ54LNMA8HGehB=w<X0eI<kForxAL7@`ZY(K|sFqYOcGl8{0|
zVs}Wi=z<Y_^f&vy?@7*n+7I{K^E}Tz=YIR02f)!JgF%!4js^;&7LC`9KcoXufl6`I
z2M`?f4uGR30XT@`&j?nEgP4D}Ou!(D?@RY*0s^dm2q+z(4~YDfv;Y?bu3XKw?c`k-
z00zS;09qLQf8W5=Pzrz>M(q%<3v!`^fJ7mT^*guAOz9;&oS@AGV^R0sN8>2xSmO>b
zHFw-?D64Y(Bz64UF+=tY&FRtwTTB{TrJELHOCuK@hBY|heFZ@^=gltQgvPbQ)vkP-
zk6qujO{yl8h7yJq&b2-t$uKVNzs(>%fjNYM3B?@mM{{{iyFtBPRp&*4*##^fs-*p`
z?xH-8m>nu+VLj+CDo65!E4dS~fY8aG47@17knKFCGUQ^GEm~;mPSSh4?ifqNyzQ>+
zq@PKpwW0FTk`R6Kc-4lMW$WJ60^I=o99joaccK|m&i|$G^E>6Zo*q?$L^nKzcXC(O
za2A1A_Y;F*2U#J0w2(IDN_@&KP^l-7a&J(&aR4QdXCo=R0($#2wM?hnmigArdM*>h
zgXT%C6j4`q_GMls_+>1wwKU~k+r1tP4Hug$|HO=2iiEszh(w>=^-(Kv4I4fEwfwoX
zLzWSxz=G7?7Z-$>u+?zNFS+EeEG6?nRi5u&dB#P1JLW{kcZxDS6e3r=82L*flJm(#
z?{>S}OI}ojNaEY`)oSt38#rwn2eaIO{l`rGR^H*DS!Qrwq?8z6QBwscQgEJ|(SNn|
za98;z$fY8s_U>uox1H9SKh^Rx4)M}U1a}$Sa@bxs<0+p-WT$6if1oc&GGPdjd>BL*
zqXsbuiWT+kLrTy*MuG0M7STL-@B;ku)>+DjF4^m`9<|-urpPfxd4kb}C1TVJ&!7X9
zOWh5nlH=)NLg{Yw@_QwT(V%O}T+$M}G~AC;ulGp0QtgAX(AFcns7EL1P^Z4=vN=1R
zdukL%m7@m?mU^4B<k9Q)4P>D*IWrZB2GMb1^|A7eh4}o5w4L)T-Zr_hz6QKXm$`aV
z%d9%<irIuv6ld;!RY?SDDU$-oC;m2Hv5;U#BFO|9K%l0r?eBiAiy8jb@ANtva2z6h
zXcHM*tMlUe)Ige~tY3em$lkNpCSNOTgq<o0JZse)D_iNf*7#+XhdyMc63fLK6n8{L
zo3Ob_&YEE}(o6D|65UALD#7VDK&TTeG%hViDYPwKN^1i94t~T)&d@2n;AZSl#KgvT
zTE5M05Qhe|8_3tzyW5GD%4hZ8A41%%x35A9pKT;b7dRlTmC(i%eI^Gtq7;meO$XG~
zh~pnGKOfrcyRYp~=!GM=BE`yB=u1QuGUH!kXzIq}Tg$g+7WhJ%Ul=X*0NtB(414y(
z;fI4dDbcNwp{v~XU%lMWahJ&tWM%ERJ<5!$UU(cxEzf*n+<@i@!tz!~neBZSfBq3-
zYC;p&aXQHLRJ&0unvNvvZ0g#=IlE;D+svciMsjQy?(;>S8yL06c2%geH(b<(8BYQ@
zXxtB8{0$&z5CjLsez$$Tj|c41|Jg)K0|I{!rM{aI{{|fMAte>70xySu1x|yTezlx{
z*WH$vXrJ3_!Q&7dWOP^@PEsaE3vS(0scv7a4upS*^E%0$uGn;9`%r*1&TsV_b(=Zb
zchWHI>Vc33*3D%sK6+vlh6W1t4cUh1dc7FyI)ZZNk_Wfw(?k=TJ7_GrnG|kvY=4Bn
z3G>kkCL)(JUp0y4*hw%yC11!d-l$B~T4>!-ziHH2pgDMz$HHP@Ae+cM*G+DT;ecI8
z5w-WI(xOh~#QaEXOJN)*r{1lM6&qSMw!wb$rv8Xr0YPcdM{{2#L9NK+aQ19s=w4Lf
zT}7vJ^tRjbHJ(&u3|hZ)q$?zVu}I&*&D37d-4L?x?_)_xnFdaxunZK1wd~ySG&|Vk
zWS)wIi<?&WQ`Uanq#CeJ6WmUy?WHp3J4VpDC7}0~)52zY8V#-7mY&lOW^bIKFeicQ
zgPs$W(>cY9uHhlV9=Jf>&b5FG9`TlN-6zjYaJSubqo@zrCS4lhA4%fSvX!2bWDVM)
zxuBqo$ghr;*I3Gl>GYvj`A1KroS!>7j2z+>{nb^ho~%P&DY0tg%`ElOWX^7EXa<V^
z?xxDGr`2t6r=qCg$@yCH!<K_iuTQ@SRd79%Irps_)XKd#<-f$rCGVsdnN;mJ_eadc
z@E83L<K+^m`lyv+J?_P}BEl=Rkjes)?eL67Dz!i|Sh5JvY-jufVqvcbo6^w1X_b_A
zf9r4{KU2XUprQjx+^#rqX!*wk+Dw;^<HwJdGE0BQN?BCwraa^e&fx4M=*R!w_^L(*
zT=GuDiLODVtgN$D>e)WkJjJ@cw*z+jjlV<V!>vtcA)mwu1YZdc)X$wk#92sm=<=GR
zY!V&;f^F#>a<C*2Dibb?g$7?EevZEVl>0D`s{-LTQXOV-wAuqQ^IND2kxUn)NKb#F
zeY4`V?+U|M>>5hj$9A0CrD!_JeD8ko*RDExB~z8?DziJfq9EZNoWPlN@U0zb{sEbQ
zQW<%5)kmh8<%zEBNOgMD1a|nw5~s@1-gP=Or$bH#uTJr5L|p74uP+>Iqs;KhIpF0p
z)^+TSHtq5&a7gD2R;IA-zI$^{lv2s-$5n5xP<<}iEaBgmS{*oX9b?v4ePivwX6R?0
zse45CMz|D6UswtLLLBPW`eMl3vDt))6&VZ!1ZvjHXnuo6$@6fQ`ag}Bx<FRT0?K0x
zh{DARj_g1Ql{Ax0EY%1mSuaGC)4o$P&l)Mog*+%wMZJ@IoI)p_l{0XPUPZKt&n`ZX
z6X=_coI4gtoI5#=US4+hX(64`G<xYU4KtiE*4)iYt^45e6`PgcBitL@`F2w}ym|O4
zwo}c1imZznFv8mSn|<1QRo#1i!S9lRYxS^nvPpk-2=+QL*=PJ+iZ?u^o^KM=Rk)_O
z4pCL+r*?w5tj&!uL7EX~u9t<!HG)`(Pr>IU88K_KtC#YtZ)azpP}lL0&I|GH>%Cf0
zQRQD1`FY~{JsT};(U^=q64VNzQG8~5?7p4WqcN3tV$v?}T{1DBOgGoTZugqao~YS0
z+u$tX2HVQ-Bynj8$Tl+|k&wSu%KgmvQTUnO8q1{YU;n~is_C6mhA%j-q)kt=2w_PI
z2{Q~ICLpQoa<vBq!~i^|DfV$tF~jW!Yh^U{mQ|_i8|EpDw|Q?Q8E0v3pfTDng#-kC
z0G66f>K6!Wztc1N<Sk2A=oH(dTv}PYI%k?N5CQlAdOr@K^nel|{!`Kd2ngIyN9or_
zNvZ!9xxZ`RKfByN6ofad(&xSc5iGBY8j)<5(;l2Hf9B!8!WtsMZ>%1b1e=DyjZG|g
MEzPyHz#!0n06<CBdjJ3c
literal 0
HcmV?d00001

207
0060-CVE-2025-15467.patch
View File

@ -1,207 +0,0 @@
From 190ba58c0a1d995d4da8b017054d4b74d138291c Mon Sep 17 00:00:00 2001
From: Igor Ustinov <igus68@gmail.com>
Date: Mon, 12 Jan 2026 12:13:35 +0100
Subject: [PATCH 1/3] Correct handling of AEAD-encrypted CMS with inadmissibly
long IV
Fixes CVE-2025-15467
---
crypto/evp/evp_lib.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 9eae1d421c2..58fa7ce43b4 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -228,10 +228,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
if (type == NULL || asn1_params == NULL)
return 0;
- i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
- if (i <= 0)
+ i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
+ if (i <= 0 || i > EVP_MAX_IV_LENGTH)
return -1;
- ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
memcpy(asn1_params->iv, iv, i);
asn1_params->iv_len = i;
From 6fb47957bfb0aef2deaa7df7aebd4eb52ffe20ce Mon Sep 17 00:00:00 2001
From: Igor Ustinov <igus68@gmail.com>
Date: Mon, 12 Jan 2026 12:15:42 +0100
Subject: [PATCH 2/3] Some comments to clarify functions usage
---
crypto/asn1/evp_asn1.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c
index 382576364be..e73bda64e3d 100644
--- a/crypto/asn1/evp_asn1.c
+++ b/crypto/asn1/evp_asn1.c
@@ -60,6 +60,12 @@ static ossl_inline void asn1_type_init_oct(ASN1_OCTET_STRING *oct,
oct->flags = 0;
}
+/*
+ * This function copies 'anum' to 'num' and the data of 'oct' to 'data'.
+ * If the length of 'data' > 'max_len', copies only the first 'max_len'
+ * bytes, but returns the full length of 'oct'; this allows distinguishing
+ * whether all the data was copied.
+ */
static int asn1_type_get_int_oct(ASN1_OCTET_STRING *oct, int32_t anum,
long *num, unsigned char *data, int max_len)
{
@@ -106,6 +112,13 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
return 0;
}
+/*
+ * This function decodes an int-octet sequence and copies the integer to 'num'
+ * and the data of octet to 'data'.
+ * If the length of 'data' > 'max_len', copies only the first 'max_len'
+ * bytes, but returns the full length of 'oct'; this allows distinguishing
+ * whether all the data was copied.
+ */
int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num,
unsigned char *data, int max_len)
{
@@ -162,6 +175,13 @@ int ossl_asn1_type_set_octetstring_int(ASN1_TYPE *a, long num,
return 0;
}
+/*
+ * This function decodes an octet-int sequence and copies the data of octet
+ * to 'data' and the integer to 'num'.
+ * If the length of 'data' > 'max_len', copies only the first 'max_len'
+ * bytes, but returns the full length of 'oct'; this allows distinguishing
+ * whether all the data was copied.
+ */
int ossl_asn1_type_get_octetstring_int(const ASN1_TYPE *a, long *num,
unsigned char *data, int max_len)
{
From 1e8f5c7cd2c46b25a2877e8f3f4bbf954fbcdf77 Mon Sep 17 00:00:00 2001
From: Igor Ustinov <igus68@gmail.com>
Date: Sun, 11 Jan 2026 11:35:15 +0100
Subject: [PATCH 3/3] Test for handling of AEAD-encrypted CMS with inadmissibly
long IV
---
test/cmsapitest.c | 39 ++++++++++++++++++-
test/recipes/80-test_cmsapi.t | 3 +-
.../encDataWithTooLongIV.pem | 11 ++++++
3 files changed, 50 insertions(+), 3 deletions(-)
create mode 100644 test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
diff --git a/test/cmsapitest.c b/test/cmsapitest.c
index 88d519fd148..472d30c9e5d 100644
--- a/test/cmsapitest.c
+++ b/test/cmsapitest.c
@@ -9,10 +9,10 @@
#include <string.h>
+#include <openssl/pem.h>
#include <openssl/cms.h>
#include <openssl/bio.h>
#include <openssl/x509.h>
-#include <openssl/pem.h>
#include "../crypto/cms/cms_local.h" /* for d.signedData and d.envelopedData */
#include "testutil.h"
@@ -20,6 +20,7 @@
static X509 *cert = NULL;
static EVP_PKEY *privkey = NULL;
static char *derin = NULL;
+static char *too_long_iv_cms_in = NULL;
static int test_encrypt_decrypt(const EVP_CIPHER *cipher)
{
@@ -479,6 +480,38 @@ static int test_encrypted_data_aead(void)
return ret;
}
+static int test_cms_aesgcm_iv_too_long(void)
+{
+ int ret = 0;
+ BIO *cmsbio = NULL, *out = NULL;
+ CMS_ContentInfo *cms = NULL;
+ unsigned long err = 0;
+
+ if (!TEST_ptr(cmsbio = BIO_new_file(too_long_iv_cms_in, "r")))
+ goto end;
+
+ if (!TEST_ptr(cms = PEM_read_bio_CMS(cmsbio, NULL, NULL, NULL)))
+ goto end;
+
+ /* Must fail cleanly (no crash) */
+ if (!TEST_false(CMS_decrypt(cms, privkey, cert, NULL, out, 0)))
+ goto end;
+ err = ERR_peek_last_error();
+ if (!TEST_ulong_ne(err, 0))
+ goto end;
+ if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS))
+ goto end;
+ if (!TEST_int_eq(ERR_GET_REASON(err), CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR))
+ goto end;
+
+ ret = 1;
+end:
+ CMS_ContentInfo_free(cms);
+ BIO_free(cmsbio);
+ BIO_free(out);
+ return ret;
+}
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n")
int setup_tests(void)
@@ -493,7 +526,8 @@ int setup_tests(void)
if (!TEST_ptr(certin = test_get_argument(0))
|| !TEST_ptr(privkeyin = test_get_argument(1))
- || !TEST_ptr(derin = test_get_argument(2)))
+ || !TEST_ptr(derin = test_get_argument(2))
+ || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)))
return 0;
certbio = BIO_new_file(certin, "r");
@@ -529,6 +563,7 @@ int setup_tests(void)
ADD_TEST(test_CMS_add1_cert);
ADD_TEST(test_d2i_CMS_bio_NULL);
ADD_ALL_TESTS(test_d2i_CMS_decode, 2);
+ ADD_TEST(test_cms_aesgcm_iv_too_long);
return 1;
}
diff --git a/test/recipes/80-test_cmsapi.t b/test/recipes/80-test_cmsapi.t
index af00355a9d6..182629e71a0 100644
--- a/test/recipes/80-test_cmsapi.t
+++ b/test/recipes/80-test_cmsapi.t
@@ -18,5 +18,6 @@ plan tests => 1;
ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"),
srctop_file("test", "certs", "serverkey.pem"),
- srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der")])),
+ srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der"),
+ srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem")])),
"running cmsapitest");
diff --git a/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
new file mode 100644
index 00000000000..4323cd2fb0c
--- /dev/null
+++ b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
@@ -0,0 +1,11 @@
+-----BEGIN CMS-----
+MIIBmgYLKoZIhvcNAQkQARegggGJMIIBhQIBADGCATMwggEvAgEAMBcwEjEQMA4G
+A1UEAwwHUm9vdCBDQQIBAjANBgkqhkiG9w0BAQEFAASCAQC8ZqP1OqbletcUre1V
+b4XOobZzQr6wKMSsdjtGzVbZowUVv5DkOn9VOefrpg4HxMq/oi8IpzVYj8ZiKRMV
+NTJ+/d8FwwBwUUNNP/IDnfEpX+rT1+pGS5zAa7NenLoZgGBNjPy5I2OHP23fPnEd
+sm8YkFjzubkhAD1lod9pEOEqB3V2kTrTTiwzSNtMHggna1zPox6TkdZwFmMnp8d2
+CVa6lIPGx26gFwCuIDSaavmQ2URJ615L8gAvpYUlpsDqjFsabWsbaOFbMz3bIGJu
+GkrX2ezX7CpuC1wjix26ojlTySJHv+L0IrpcaIzLlC5lB1rqtuija8dGm3rBNm/P
+AAUNMDcGCSqGSIb3DQEHATAjBglghkgBZQMEAQYwFgQRzxwoRQzOHVooVn3CpaWl
+paUCARCABUNdolo6BBA55E9hYaYO2S8C/ZnD8dRO
+-----END CMS-----

24
0061-CVE-2025-15468.patch
View File

@ -1,24 +0,0 @@
From 7da6afe3dac7d65b30f87f2c5d305b6e699bc5dc Mon Sep 17 00:00:00 2001
From: Daniel Kubec <kubec@openssl.org>
Date: Fri, 9 Jan 2026 14:33:24 +0100
Subject: [PATCH] ossl_quic_get_cipher_by_char(): Add a NULL guard before
dereferencing SSL_CIPHER
Fixes CVE-2025-15468
---
ssl/quic/quic_impl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 87c1370a8d6..89c108a9734 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -5222,6 +5222,8 @@ const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p)
{
const SSL_CIPHER *ciph = ssl3_get_cipher_by_char(p);
+ if (ciph == NULL)
+ return NULL;
if ((ciph->algorithm2 & SSL_QUIC) == 0)
return NULL;

266
0062-CVE-2025-15469.patch
View File

@ -1,266 +0,0 @@
From ef48810aafdc3b8c6c4a85e52314caeec0cb596c Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Wed, 7 Jan 2026 01:21:58 +1100
Subject: [PATCH] Report truncation in oneshot `openssl dgst -sign`
Previously input was silently truncated at 16MB, now if the input is
longer than limit, an error is reported.
The bio_to_mem() apps helper function was changed to return 0 or 1,
and return the size of the result via an output size_t pointer.
Fixes CVE-2025-15469
---
apps/dgst.c | 7 +++---
apps/include/apps.h | 2 +-
apps/lib/apps.c | 55 +++++++++++++++++++++++----------------------
apps/pkeyutl.c | 36 ++++++++++++++---------------
4 files changed, 50 insertions(+), 50 deletions(-)
diff --git a/apps/dgst.c b/apps/dgst.c
index 94415128d7f..7168b5f8b84 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -721,12 +721,11 @@ static int do_fp_oneshot_sign(BIO *out, EVP_MD_CTX *ctx, BIO *in, int sep, int b
{
int res, ret = EXIT_FAILURE;
size_t len = 0;
- int buflen = 0;
- int maxlen = 16 * 1024 * 1024;
+ size_t buflen = 0;
+ size_t maxlen = 16 * 1024 * 1024;
uint8_t *buf = NULL, *sig = NULL;
- buflen = bio_to_mem(&buf, maxlen, in);
- if (buflen <= 0) {
+ if (!bio_to_mem(&buf, &buflen, maxlen, in)) {
BIO_printf(bio_err, "Read error in %s\n", file);
return ret;
}
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 6a23dbbb131..c9471ddc4ed 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -253,7 +253,7 @@ int parse_yesno(const char *str, int def);
X509_NAME *parse_name(const char *str, int chtype, int multirdn,
const char *desc);
void policies_print(X509_STORE_CTX *ctx);
-int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
+int bio_to_mem(unsigned char **out, size_t *outlen, size_t maxlen, BIO *in);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
int x509_ctrl_string(X509 *x, const char *value);
int x509_req_ctrl_string(X509_REQ *x, const char *value);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 0e436582030..76f3c1683b2 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -49,6 +49,7 @@
#include "apps.h"
#include "internal/sockets.h" /* for openssl_fdset() */
+#include "internal/numbers.h" /* for LONG_MAX */
#include "internal/e_os.h"
#ifdef _WIN32
@@ -2010,45 +2011,45 @@ X509_NAME *parse_name(const char *cp, int chtype, int canmulti,
}
/*
- * Read whole contents of a BIO into an allocated memory buffer and return
- * it.
+ * Read whole contents of a BIO into an allocated memory buffer.
+ * The return value is one on success, zero on error.
+ * If `maxlen` is non-zero, at most `maxlen` bytes are returned, or else, if
+ * the input is longer than `maxlen`, an error is returned.
+ * If `maxlen` is zero, the limit is effectively `SIZE_MAX`.
*/
-
-int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
+int bio_to_mem(unsigned char **out, size_t *outlen, size_t maxlen, BIO *in)
{
+ unsigned char tbuf[4096];
BIO *mem;
- int len, ret;
- unsigned char tbuf[1024];
+ BUF_MEM *bufm;
+ size_t sz = 0;
+ int len;
mem = BIO_new(BIO_s_mem());
if (mem == NULL)
- return -1;
+ return 0;
for (;;) {
- if ((maxlen != -1) && maxlen < 1024)
- len = maxlen;
- else
- len = 1024;
- len = BIO_read(in, tbuf, len);
- if (len < 0) {
- BIO_free(mem);
- return -1;
- }
- if (len == 0)
+ if ((len = BIO_read(in, tbuf, 4096)) == 0)
break;
- if (BIO_write(mem, tbuf, len) != len) {
+ if (len < 0
+ || BIO_write(mem, tbuf, len) != len
+ || sz > SIZE_MAX - len
+ || ((sz += len) > maxlen && maxlen != 0)) {
BIO_free(mem);
- return -1;
+ return 0;
}
- if (maxlen != -1)
- maxlen -= len;
-
- if (maxlen == 0)
- break;
}
- ret = BIO_get_mem_data(mem, (char **)out);
- BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
+
+ /* So BIO_free orphans BUF_MEM */
+ (void)BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_get_mem_ptr(mem, &bufm);
BIO_free(mem);
- return ret;
+ *out = (unsigned char *)bufm->data;
+ *outlen = bufm->length;
+ /* Tell BUF_MEM to orphan data */
+ bufm->data = NULL;
+ BUF_MEM_free(bufm);
+ return 1;
}
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index deecec6bcd7..2681114fba1 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -40,7 +40,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
EVP_PKEY *pkey, BIO *in,
- int filesize, unsigned char *sig, int siglen,
+ int filesize, unsigned char *sig, size_t siglen,
unsigned char **out, size_t *poutlen);
static int only_nomd(EVP_PKEY *pkey)
@@ -158,7 +158,7 @@ int pkeyutl_main(int argc, char **argv)
char hexdump = 0, asn1parse = 0, rev = 0, *prog;
unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL, *secret = NULL;
OPTION_CHOICE o;
- int buf_inlen = 0, siglen = -1;
+ size_t buf_inlen = 0, siglen = 0;
int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF;
int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
int engine_impl = 0;
@@ -508,31 +508,31 @@ int pkeyutl_main(int argc, char **argv)
if (sigfile != NULL) {
BIO *sigbio = BIO_new_file(sigfile, "rb");
+ size_t maxsiglen = 16 * 1024 * 1024;
if (sigbio == NULL) {
BIO_printf(bio_err, "Can't open signature file %s\n", sigfile);
goto end;
}
- siglen = bio_to_mem(&sig, keysize * 10, sigbio);
- BIO_free(sigbio);
- if (siglen < 0) {
+ if (!bio_to_mem(&sig, &siglen, maxsiglen, sigbio)) {
+ BIO_free(sigbio);
BIO_printf(bio_err, "Error reading signature data\n");
goto end;
}
+ BIO_free(sigbio);
}
/* Raw input data is handled elsewhere */
if (in != NULL && !rawin) {
/* Read the input data */
- buf_inlen = bio_to_mem(&buf_in, -1, in);
- if (buf_inlen < 0) {
+ if (!bio_to_mem(&buf_in, &buf_inlen, 0, in)) {
BIO_printf(bio_err, "Error reading input Data\n");
goto end;
}
if (rev) {
size_t i;
unsigned char ctmp;
- size_t l = (size_t)buf_inlen;
+ size_t l = buf_inlen;
for (i = 0; i < l / 2; i++) {
ctmp = buf_in[i];
@@ -547,7 +547,8 @@ int pkeyutl_main(int argc, char **argv)
&& (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY)) {
if (buf_inlen > EVP_MAX_MD_SIZE) {
BIO_printf(bio_err,
- "Error: The non-raw input data length %d is too long - max supported hashed size is %d\n",
+ "Error: The non-raw input data length %zd is too long - "
+ "max supported hashed size is %d\n",
buf_inlen, EVP_MAX_MD_SIZE);
goto end;
}
@@ -558,8 +559,7 @@ int pkeyutl_main(int argc, char **argv)
rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, sig, siglen,
NULL, 0);
} else {
- rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
- buf_in, (size_t)buf_inlen);
+ rv = EVP_PKEY_verify(ctx, sig, siglen, buf_in, buf_inlen);
}
if (rv == 1) {
BIO_puts(out, "Signature Verified Successfully\n");
@@ -578,8 +578,8 @@ int pkeyutl_main(int argc, char **argv)
buf_outlen = kdflen;
rv = 1;
} else {
- rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
- buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen);
+ rv = do_keyop(ctx, pkey_op, NULL, &buf_outlen,
+ buf_in, buf_inlen, NULL, &secretlen);
}
if (rv > 0
&& (secretlen > 0 || (pkey_op != EVP_PKEY_OP_ENCAPSULATE
@@ -589,8 +589,8 @@ int pkeyutl_main(int argc, char **argv)
if (secretlen > 0)
secret = app_malloc(secretlen, "secret output");
rv = do_keyop(ctx, pkey_op,
- buf_out, (size_t *)&buf_outlen,
- buf_in, (size_t)buf_inlen, secret, (size_t *)&secretlen);
+ buf_out, &buf_outlen,
+ buf_in, buf_inlen, secret, &secretlen);
}
}
if (rv <= 0) {
@@ -857,7 +857,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
EVP_PKEY *pkey, BIO *in,
- int filesize, unsigned char *sig, int siglen,
+ int filesize, unsigned char *sig, size_t siglen,
unsigned char **out, size_t *poutlen)
{
int rv = 0;
@@ -880,7 +880,7 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
BIO_printf(bio_err, "Error reading raw input data\n");
goto end;
}
- rv = EVP_DigestVerify(mctx, sig, (size_t)siglen, mbuf, buf_len);
+ rv = EVP_DigestVerify(mctx, sig, siglen, mbuf, buf_len);
break;
case EVP_PKEY_OP_SIGN:
buf_len = BIO_read(in, mbuf, filesize);
@@ -914,7 +914,7 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
goto end;
}
}
- rv = EVP_DigestVerifyFinal(mctx, sig, (size_t)siglen);
+ rv = EVP_DigestVerifyFinal(mctx, sig, siglen);
break;
case EVP_PKEY_OP_SIGN:
for (;;) {

30
0063-CVE-2025-66199.patch
View File

@ -1,30 +0,0 @@
From 04a93ac145041e3ef0121a2688cf7c1b23780519 Mon Sep 17 00:00:00 2001
From: Igor Ustinov <igus68@gmail.com>
Date: Thu, 8 Jan 2026 14:02:54 +0100
Subject: [PATCH] Check the received uncompressed certificate length to prevent
excessive pre-decompression allocation.
The patch was proposed by Tomas Dulka and Stanislav Fort (Aisle Research).
Fixes: CVE-2025-66199
---
ssl/statem/statem_lib.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 9e0c853c0d2..f82d8dcdac1 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -2877,6 +2877,12 @@ MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc,
goto err;
}
+ /* Prevent excessive pre-decompression allocation */
+ if (expected_length > sc->max_cert_list) {
+ SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_EXCESSIVE_MESSAGE_SIZE);
+ goto err;
+ }
+
if (PACKET_remaining(pkt) != comp_length || comp_length == 0) {
SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_DECOMPRESSION);
goto err;

64
0064-CVE-2025-68160.patch
View File

@ -1,64 +0,0 @@
From 701aa270db8ad424cece68702b9bb2e05290af9b Mon Sep 17 00:00:00 2001
From: Neil Horman <nhorman@openssl.org>
Date: Wed, 7 Jan 2026 11:52:09 -0500
Subject: [PATCH] Fix heap buffer overflow in BIO_f_linebuffer
When a FIO_f_linebuffer is part of a bio chain, and the next BIO
preforms short writes, the remainder of the unwritten buffer is copied
unconditionally to the internal buffer ctx->obuf, which may not be
sufficiently sized to handle the remaining data, resulting in a buffer
overflow.
Fix it by only copying data when ctx->obuf has space, flushing to the
next BIO to increase available storage if needed.
Fixes CVE-2025-68160
---
crypto/bio/bf_lbuf.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
index 1dfcac8f2ea..e4af2a8c4ff 100644
--- a/crypto/bio/bf_lbuf.c
+++ b/crypto/bio/bf_lbuf.c
@@ -187,14 +187,34 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
while (foundnl && inl > 0);
/*
* We've written as much as we can. The rest of the input buffer, if
- * any, is text that doesn't and with a NL and therefore needs to be
- * saved for the next trip.
+ * any, is text that doesn't end with a NL and therefore we need to try
+ * free up some space in our obuf so we can make forward progress.
*/
- if (inl > 0) {
- memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
- ctx->obuf_len += inl;
- num += inl;
+ while (inl > 0) {
+ size_t avail = (size_t)ctx->obuf_size - (size_t)ctx->obuf_len;
+ size_t to_copy;
+
+ if (avail == 0) {
+ /* Flush buffered data to make room */
+ i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
+ if (i <= 0) {
+ BIO_copy_next_retry(b);
+ return num > 0 ? num : i;
+ }
+ if (i < ctx->obuf_len)
+ memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
+ ctx->obuf_len -= i;
+ continue;
+ }
+
+ to_copy = inl > (int)avail ? avail : (size_t)inl;
+ memcpy(&(ctx->obuf[ctx->obuf_len]), in, to_copy);
+ ctx->obuf_len += (int)to_copy;
+ in += to_copy;
+ inl -= (int)to_copy;
+ num += (int)to_copy;
}
+
return num;
}

67
0065-CVE-2025-69418.patch
View File

@ -1,67 +0,0 @@
From 1a556ff619473af9e179b202284a961590d5a2bd Mon Sep 17 00:00:00 2001
From: Norbert Pocs <norbertp@openssl.org>
Date: Thu, 8 Jan 2026 15:04:54 +0100
Subject: [PATCH] Fix OCB AES-NI/HW stream path unauthenticated/unencrypted
trailing bytes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When ctx->stream (e.g., AESNI or ARMv8 CE) is available, the fast path
encrypts/decrypts full blocks but does not advance in/out pointers. The
tail-handling code then operates on the base pointers, effectively reprocessing
the beginning of the buffer while leaving the actual trailing bytes
unencrypted (encryption) or using the wrong plaintext (decryption). The
authentication checksum excludes the true tail.
CVE-2025-69418
Fixes: https://github.com/openssl/srt/issues/58
Signed-off-by: Norbert Pocs <norbertp@openssl.org>
---
crypto/modes/ocb128.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c
index ce72baf6da5..8a5d7c7db00 100644
--- a/crypto/modes/ocb128.c
+++ b/crypto/modes/ocb128.c
@@ -337,7 +337,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
if (num_blocks && all_num_blocks == (size_t)all_num_blocks
&& ctx->stream != NULL) {
- size_t max_idx = 0, top = (size_t)all_num_blocks;
+ size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
/*
* See how many L_{i} entries we need to process data at hand
@@ -351,6 +351,9 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
ctx->stream(in, out, num_blocks, ctx->keyenc,
(size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
(const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
+ processed_bytes = num_blocks * 16;
+ in += processed_bytes;
+ out += processed_bytes;
} else {
/* Loop through all full blocks to be encrypted */
for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
@@ -429,7 +432,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
if (num_blocks && all_num_blocks == (size_t)all_num_blocks
&& ctx->stream != NULL) {
- size_t max_idx = 0, top = (size_t)all_num_blocks;
+ size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
/*
* See how many L_{i} entries we need to process data at hand
@@ -443,6 +446,9 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
ctx->stream(in, out, num_blocks, ctx->keydec,
(size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
(const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
+ processed_bytes = num_blocks * 16;
+ in += processed_bytes;
+ out += processed_bytes;
} else {
OCB_BLOCK tmp;

37
0066-CVE-2025-69420.patch
View File

@ -1,37 +0,0 @@
From 6453d278557c8719233793730ec500c84aea55d9 Mon Sep 17 00:00:00 2001
From: Bob Beck <beck@openssl.org>
Date: Wed, 7 Jan 2026 11:29:48 -0700
Subject: [PATCH] Verify ASN1 object's types before attempting to access them
as a particular type
Issue was reported in ossl_ess_get_signing_cert but is also present in
ossl_ess_get_signing_cert_v2.
Fixes: https://github.com/openssl/srt/issues/61
Fixes CVE-2025-69420
---
crypto/ts/ts_rsp_verify.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 3876e30f47b..40dab687d1c 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -209,7 +209,7 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
const unsigned char *p;
attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
- if (attr == NULL)
+ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
return NULL;
p = attr->value.sequence->data;
return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
@@ -221,7 +221,7 @@ static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO
const unsigned char *p;
attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
- if (attr == NULL)
+ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
return NULL;
p = attr->value.sequence->data;
return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);

28
0067-CVE-2025-69421.patch
View File

@ -1,28 +0,0 @@
From 0a2ecb95993b588d2156dd6527459cc3983aabd5 Mon Sep 17 00:00:00 2001
From: Andrew Dinh <andrewd@openssl.org>
Date: Thu, 8 Jan 2026 01:24:30 +0900
Subject: [PATCH] Add NULL check to PKCS12_item_decrypt_d2i_ex
Address CVE-2025-69421
Add NULL check for oct parameter
---
crypto/pkcs12/p12_decr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
index 606713b9ee9..1614da44042 100644
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@@ -146,6 +146,11 @@ void *PKCS12_item_decrypt_d2i_ex(const X509_ALGOR *algor, const ASN1_ITEM *it,
void *ret;
int outlen = 0;
+ if (oct == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+
if (!PKCS12_pbe_crypt_ex(algor, pass, passlen, oct->data, oct->length,
&out, &outlen, 0, libctx, propq))
return NULL;

136
0068-CVE-2025-69419.patch
View File

@ -1,136 +0,0 @@
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index b7a5284fa59fa..7be233db5e0b2 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -123,7 +123,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
return -1;
}
- /* Now work out output format and string type */
+ /*
+ * Now work out output format and string type.
+ * These checks should be in sync with the checks in type_str.
+ */
outform = MBSTRING_ASC;
if (mask & B_ASN1_NUMERICSTRING)
str_type = V_ASN1_NUMERICSTRING;
@@ -191,7 +194,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
case MBSTRING_UTF8:
outlen = 0;
- traverse_string(in, len, inform, out_utf8, &outlen);
+ ret = traverse_string(in, len, inform, out_utf8, &outlen);
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING);
+ return -1;
+ }
cpyfunc = cpy_utf8;
break;
}
@@ -286,9 +293,29 @@ static int out_utf8(unsigned long value, void *arg)
static int type_str(unsigned long value, void *arg)
{
- unsigned long types = *((unsigned long *)arg);
+ unsigned long usable_types = *((unsigned long *)arg);
+ unsigned long types = usable_types;
const int native = value > INT_MAX ? INT_MAX : ossl_fromascii(value);
+ /*
+ * Clear out all the types which are not checked later. If any of those
+ * is present in the mask, then the UTF8 type will be added and checked
+ * below.
+ */
+ types &= B_ASN1_NUMERICSTRING | B_ASN1_PRINTABLESTRING
+ | B_ASN1_IA5STRING | B_ASN1_T61STRING | B_ASN1_BMPSTRING
+ | B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING;
+
+ /*
+ * If any other types were in the input mask, they're effectively treated
+ * as UTF8
+ */
+ if (types != usable_types)
+ types |= B_ASN1_UTF8STRING;
+
+ /*
+ * These checks should be in sync with ASN1_mbstring_ncopy.
+ */
if ((types & B_ASN1_NUMERICSTRING) && !(ossl_isdigit(native)
|| native == ' '))
types &= ~B_ASN1_NUMERICSTRING;
@@ -356,6 +383,8 @@ static int cpy_utf8(unsigned long value, void *arg)
p = arg;
/* We already know there is enough room so pass 0xff as the length */
ret = UTF8_putc(*p, 0xff, value);
+ if (ret < 0)
+ return ret;
*p += ret;
return 1;
}
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
index 17f7372026c3b..01e2269444cba 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -198,8 +198,10 @@ static int do_buf(unsigned char *buf, int buflen,
orflags = CHARTYPE_LAST_ESC_2253;
if (type & BUF_TYPE_CONVUTF8) {
unsigned char utfbuf[6];
- int utflen;
- utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
+ int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
+
+ if (utflen < 0)
+ return -1; /* error happened with UTF8 */
for (i = 0; i < utflen; i++) {
/*
* We don't need to worry about setting orflags correctly
diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
index 50adce6b26fd2..8b5f2909e8d96 100644
--- a/crypto/pkcs12/p12_utl.c
+++ b/crypto/pkcs12/p12_utl.c
@@ -213,6 +213,11 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
/* re-run the loop emitting UTF-8 string */
for (asclen = 0, i = 0; i < unilen; ) {
j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
+ /* when UTF8_putc fails */
+ if (j < 0) {
+ OPENSSL_free(asctmp);
+ return NULL;
+ }
if (j == 4) i += 4;
else i += 2;
asclen += j;
diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c
index e08e2a11be9b7..56af2b369b4dd 100644
--- a/test/asn1_internal_test.c
+++ b/test/asn1_internal_test.c
@@ -554,6 +554,22 @@ static int posix_time_test(void)
return 1;
}
+static int test_mbstring_ncopy(void)
+{
+ ASN1_STRING *str = NULL;
+ const unsigned char in[] = { 0xFF, 0xFE, 0xFF, 0xFE };
+ int inlen = 4;
+ int inform = MBSTRING_UNIV;
+
+ if (!TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_GENERALSTRING, 0, 0), -1)
+ || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_VISIBLESTRING, 0, 0), -1)
+ || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_VIDEOTEXSTRING, 0, 0), -1)
+ || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_GENERALIZEDTIME, 0, 0), -1))
+ return 0;
+
+ return 1;
+}
+
int setup_tests(void)
{
ADD_TEST(test_tbl_standard);
@@ -565,5 +581,6 @@ int setup_tests(void)
ADD_TEST(test_unicode_range);
ADD_TEST(test_obj_create);
ADD_TEST(test_obj_nid_undef);
+ ADD_TEST(test_mbstring_ncopy);
return 1;
}

52
0069-CVE-2026-22795.patch
View File

@ -1,52 +0,0 @@
diff --git a/apps/s_client.c b/apps/s_client.c
index 7b2cabdc428a9..d0611433261dc 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2847,8 +2847,9 @@ int s_client_main(int argc, char **argv)
goto end;
}
atyp = ASN1_generate_nconf(genstr, cnf);
- if (atyp == NULL) {
+ if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
NCONF_free(cnf);
+ ASN1_TYPE_free(atyp);
BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
goto end;
}
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index 10b581612dbb2..d0236e34fe9df 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -196,11 +196,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
ASN1_BMPSTRING *fname = NULL;
ASN1_OCTET_STRING *lkid = NULL;
- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
+ if (attrib->type != V_ASN1_BMPSTRING)
+ return 0;
fname = attrib->value.bmpstring;
+ }
- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
+ if (attrib->type != V_ASN1_OCTET_STRING)
+ return 0;
lkid = attrib->value.octet_string;
+ }
switch (PKCS12_SAFEBAG_get_nid(bag)) {
case NID_keyBag:
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 02444d983c476..7798846b16ec1 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1229,6 +1229,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
ASN1_TYPE *astype;
if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
return NULL;
+ if (astype->type != V_ASN1_OCTET_STRING)
+ return NULL;
return astype->value.octet_string;
}

85
openssl.spec
View File

@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.5.1
Release: 7%{?dist}
Version: 3.5.5
Release: 2%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@ -97,20 +97,9 @@ Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif
Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
Patch0056: 0056-Fix-incorrect-check-of-unwrapped-key-size.patch
Patch0057: 0057-Do-not-make-key-share-choice-in-tls1_set_groups.patch
Patch0058: 0058-Fix-PPC-register-processing.patch
Patch0059: 0059-CVE-2025-11187.patch
Patch0060: 0060-CVE-2025-15467.patch
Patch0061: 0061-CVE-2025-15468.patch
Patch0062: 0062-CVE-2025-15469.patch
Patch0063: 0063-CVE-2025-66199.patch
Patch0064: 0064-CVE-2025-68160.patch
Patch0065: 0065-CVE-2025-69418.patch
Patch0066: 0066-CVE-2025-69420.patch
Patch0067: 0067-CVE-2025-69421.patch
Patch0068: 0068-CVE-2025-69419.patch
Patch0069: 0069-CVE-2026-22795.patch
Patch0056: 0056-Add-targets-to-skip-build-of-non-installable-program.patch
Patch0057: 0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
Patch0058: 0058-CVE-2026-31790.patch
License: Apache-2.0
URL: http://www.openssl.org/
@ -278,7 +267,7 @@ export HASHBANGPERL=/usr/bin/perl
# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update
make -s %{?_smp_mflags} all
make -s %{?_smp_mflags} build_inst_sw
# Clean up the .pc files
for i in libcrypto.pc libssl.pc openssl.pc ; do
@ -302,7 +291,11 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
%{SOURCE1} providers/fips.so
#run tests itself
# Build tests with LTO disabled and run them
make -s %{?_smp_mflags} build_programs \
CFLAGS="%{build_cflags} -fno-lto" \
CXXFLAGS="%{build_cxxflags} -fno-lto"
make test HARNESS_JOBS=8
# Add generation of HMAC checksum of the final stripped library
@ -467,34 +460,40 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
%ldconfig_scriptlets libs
%changelog
* Fri Jan 16 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-7
- Fix CVE-2025-11187 CVE-2025-15467 CVE-2025-15468 CVE-2025-15469
CVE-2025-66199 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420
CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
Resolves: RHEL-142062
Resolves: RHEL-141985
Resolves: RHEL-142053
Resolves: RHEL-142049
Resolves: RHEL-142045
Resolves: RHEL-142041
Resolves: RHEL-142037
Resolves: RHEL-142033
Resolves: RHEL-142029
Resolves: RHEL-142008
Resolves: RHEL-142025
Resolves: RHEL-142021
* Thu Apr 09 2026 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.5-2
- Fix CVE-2026-31790
Resolves: RHEL-161574
* Wed Jan 07 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-6
- Fix AES/GCM ppc64le encrypt/decrypt
Resolves: RHEL-139108
* Tue Jan 27 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.5-1
- Rebase to OpenSSL 3.5.5
Resolves: RHEL-122599
Resolves: RHEL-141987
Resolves: RHEL-142009
Resolves: RHEL-142022
Resolves: RHEL-142026
Resolves: RHEL-142030
Resolves: RHEL-142034
Resolves: RHEL-142038
Resolves: RHEL-142042
Resolves: RHEL-142046
Resolves: RHEL-142050
Resolves: RHEL-142054
* Thu Dec 11 2025 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.1-5
- Do not make key share choice in tls1_set_groups()
Resolves: RHEL-130992
* Wed Oct 22 2025 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.1-4
* Wed Oct 22 2025 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.1-6
- Fix CVE-2025-9230
Resolves: RHEL-115885
Resolves: RHEL-115883
* Fri Sep 05 2025 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.1-5
- Fix globally disabled LTO
Related: RHEL-111634
- Initialize reserved and unused memory in aes-s390x.pl
Resolves: RHEL-107479
* Thu Aug 28 2025 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.1-4
- Make openssl speed test signatures without errors
Resolves: RHEL-95182
- Build tests in check and without LTO
Resolves: RHEL-111634
* Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-3
- Add custom define to disable symbol versioning in downstream patched code

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-3.5.1.tar.gz) = 0fa152ae59ab5ea066319de039dfb1d24cbb247172d7512feb5dd920db3740f219d76b0195ea562f84fe5eae36c23772302eddfbb3509df13761452b4dafb9d3
SHA512 (openssl-3.5.5.tar.gz) = 7cf0eb91bac175f7fe0adcafef457790d43fe7f98e2d4bef681c2fd5ca365e1fa5b562c645a60ab602365adedf9d91c074624eea66d3d7e155639fc50d5861ec