From 3ae0078fd957a3220717083a84c8685b9f096214 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Thu, 23 May 2024 16:02:16 +0200 Subject: [PATCH] Rebase to OpenSSL 3.2.2. Related: RHEL-31762 --- .gitignore | 1 + 0033-FIPS-embed-hmac.patch | 540 +++++++----------- 0076-FIPS-140-3-DRBG.patch | 81 +++ ...atch => 0078-KDF-Add-FIPS-indicators.patch | 163 ++++-- ...-ignore-unknown-sigalgorithms-groups.patch | 20 +- 0118-no-crl-memleak.patch | 80 --- ...-sigalgs-in-signaturealgorithms-conf.patch | 170 ------ openssl.spec | 16 +- sources | 2 +- 9 files changed, 421 insertions(+), 652 deletions(-) rename 0078-Add-FIPS-indicator-parameter-to-HKDF.patch => 0078-KDF-Add-FIPS-indicators.patch (86%) delete mode 100644 0118-no-crl-memleak.patch delete mode 100644 0119-provider-sigalgs-in-signaturealgorithms-conf.patch diff --git a/.gitignore b/.gitignore index 91919c1..31ec31d 100644 --- a/.gitignore +++ b/.gitignore @@ -61,3 +61,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-3.1.1.tar.gz /openssl-3.1.4.tar.gz /openssl-3.2.1.tar.gz +/openssl-3.2.2.tar.gz diff --git a/0033-FIPS-embed-hmac.patch b/0033-FIPS-embed-hmac.patch index bdbeeed..0bf3b2d 100644 --- a/0033-FIPS-embed-hmac.patch +++ b/0033-FIPS-embed-hmac.patch @@ -1,30 +1,32 @@ -From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001 +From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001 From: rpm-build -Date: Thu, 19 Oct 2023 13:12:40 +0200 -Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch Patch-name: 0033-FIPS-embed-hmac.patch Patch-id: 33 Patch-status: | # # Embed HMAC into the fips.so -From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 + # Modify fips self test as per + # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - providers/fips/self_test.c | 70 ++++++++++++++++++++++++--- - test/fipsmodule.cnf | 2 + - test/recipes/00-prep_fipsmodule_cnf.t | 2 +- - test/recipes/01-test_fipsmodule_cnf.t | 2 +- - test/recipes/03-test_fipsinstall.t | 2 +- - test/recipes/30-test_defltfips.t | 2 +- - test/recipes/80-test_ssl_new.t | 2 +- - test/recipes/90-test_sslapi.t | 2 +- - 8 files changed, 71 insertions(+), 13 deletions(-) + providers/fips/self_test.c | 204 ++++++++++++++++++++++++-- + test/fipsmodule.cnf | 2 + + test/recipes/00-prep_fipsmodule_cnf.t | 2 +- + test/recipes/01-test_fipsmodule_cnf.t | 2 +- + test/recipes/03-test_fipsinstall.t | 2 +- + test/recipes/30-test_defltfips.t | 2 +- + test/recipes/80-test_ssl_new.t | 2 +- + test/recipes/90-test_sslapi.t | 2 +- + 8 files changed, 200 insertions(+), 18 deletions(-) create mode 100644 test/fipsmodule.cnf diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c -index b8dc9817b2..e3a629018a 100644 +index b8dc9817b2..28f536d13c 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c -@@ -230,11 +230,27 @@ err: +@@ -230,11 +230,133 @@ err: return ok; } @@ -40,6 +42,7 @@ index b8dc9817b2..e3a629018a 100644 * the result matches the expected value. * Return 1 if verified, or 0 if it fails. */ ++ +#ifndef __USE_GNU +#define __USE_GNU +#include @@ -49,220 +52,6 @@ index b8dc9817b2..e3a629018a 100644 +#endif +#include + - static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, - unsigned char *expected, size_t expected_len, - OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, -@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex - EVP_MAC *mac = NULL; - EVP_MAC_CTX *ctx = NULL; - OSSL_PARAM params[2], *p = params; -+ Dl_info info; -+ void *extra_info = NULL; -+ struct link_map *lm = NULL; -+ unsigned long paddr; -+ unsigned long off = 0; - - if (!integrity_self_test(ev, libctx)) - goto err; - - OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); - -+ if (!dladdr1 ((const void *)fips_hmac_container, -+ &info, &extra_info, RTLD_DL_LINKMAP)) -+ goto err; -+ lm = extra_info; -+ paddr = (unsigned long)fips_hmac_container - lm->l_addr; -+ - mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); - if (mac == NULL) - goto err; -@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex - if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) - goto err; - -- while (1) { -- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); -+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { -+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); -+ if (status != 1) -+ break; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ } -+ -+ if (off + INTEGRITY_BUF_SIZE > paddr) { -+ int delta = paddr - off; -+ status = read_ex_cb(bio, buf, delta, &bytes_read); -+ if (status != 1) -+ goto err; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ -+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); -+ memset(buf, 0, HMAC_LEN); -+ if (status != 1) -+ goto err; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ } -+ -+ while (bytes_read > 0) { -+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); - if (status != 1) - break; - if (!EVP_MAC_update(ctx, buf, bytes_read)) - goto err; -+ off += bytes_read; - } -+ - if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) - goto err; - -@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex - goto err; - ret = 1; - err: -+ OPENSSL_cleanse(out, sizeof(out)); - OSSL_SELF_TEST_onend(ev, ret); - EVP_MAC_CTX_free(ctx); - EVP_MAC_free(mac); -@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - return 0; - } - -- if (st == NULL -- || st->module_checksum_data == NULL) { -+ if (st == NULL) { - ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); - goto end; - } -@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - if (ev == NULL) - goto end; - -- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, -- &checksum_len); -+ module_checksum = fips_hmac_container; -+ checksum_len = sizeof(fips_hmac_container); -+ - if (module_checksum == NULL) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); - goto end; -@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - end: - EVP_RAND_free(testrand); - OSSL_SELF_TEST_free(ev); -- OPENSSL_free(module_checksum); - OPENSSL_free(indicator_checksum); - - if (st != NULL) { -diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf -new file mode 100644 -index 0000000000..f05d0dedbe ---- /dev/null -+++ b/test/fipsmodule.cnf -@@ -0,0 +1,2 @@ -+[fips_sect] -+activate = 1 -diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t -index 4e3a6d85e8..e8255ba974 100644 ---- a/test/recipes/00-prep_fipsmodule_cnf.t -+++ b/test/recipes/00-prep_fipsmodule_cnf.t -@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - use platform; - --my $no_check = disabled("fips"); -+my $no_check = 1; - plan skip_all => "FIPS module config file only supported in a fips build" - if $no_check; - -diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t -index ce594817d5..00cebacff8 100644 ---- a/test/recipes/01-test_fipsmodule_cnf.t -+++ b/test/recipes/01-test_fipsmodule_cnf.t -@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - use platform; - --my $no_check = disabled("fips"); -+my $no_check = 1; - plan skip_all => "Test only supported in a fips build" - if $no_check; - plan tests => 1; -diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t -index b8b136d110..8242f4ebc3 100644 ---- a/test/recipes/03-test_fipsinstall.t -+++ b/test/recipes/03-test_fipsinstall.t -@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - use platform; - --plan skip_all => "Test only supported in a fips build" if disabled("fips"); -+plan skip_all => "Test only supported in a fips build" if 1; - - # Compatible options for pedantic FIPS compliance - my @pedantic_okay = -diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t -index c8f145405b..56a2ec5dc4 100644 ---- a/test/recipes/30-test_defltfips.t -+++ b/test/recipes/30-test_defltfips.t -@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); - plan skip_all => "Configuration loading is turned off" - if disabled("autoload-config"); - --my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); - - plan tests => - ($no_fips ? 1 : 5); -diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t -index 0c6d6402d9..e45f9cb560 100644 ---- a/test/recipes/80-test_ssl_new.t -+++ b/test/recipes/80-test_ssl_new.t -@@ -27,7 +27,7 @@ setup("test_ssl_new"); - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - --my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); - - $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); - -diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t -index 9e9e32b51e..1a1a7159b5 100644 ---- a/test/recipes/90-test_sslapi.t -+++ b/test/recipes/90-test_sslapi.t -@@ -17,7 +17,7 @@ setup("test_sslapi"); - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - --my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); - my $fipsmodcfg_filename = "fipsmodule.cnf"; - my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); - --- -2.41.0 - -diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/providers/fips/self_test.c ---- openssl-3.2.0/providers/fips/self_test.c.fix-self-test 2024-02-01 17:36:27.970983419 +0100 -+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-01 17:39:19.788685051 +0100 -@@ -242,6 +242,7 @@ static const unsigned char __attribute__ - * the result matches the expected value. - * Return 1 if verified, or 0 if it fails. - */ -+ - #ifndef __USE_GNU - #define __USE_GNU - #include -@@ -251,6 +252,111 @@ static const unsigned char __attribute__ - #endif - #include - +static int verify_integrity_rodata(OSSL_CORE_BIO *bio, + OSSL_FUNC_BIO_read_ex_fn read_ex_cb, + unsigned char *expected, size_t expected_len, @@ -371,10 +160,111 @@ diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/pr static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, unsigned char *expected, size_t expected_len, OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, -diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/providers/fips/self_test.c ---- openssl-3.2.0/providers/fips/self_test.c.fix-self-test 2024-02-01 17:40:54.926627242 +0100 -+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-01 17:45:58.939636676 +0100 -@@ -527,14 +527,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS +@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + EVP_MAC *mac = NULL; + EVP_MAC_CTX *ctx = NULL; + OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; + + if (!integrity_self_test(ev, libctx)) + goto err; + + OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); + ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ + mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); + if (mac == NULL) + goto err; +@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) + goto err; + +- while (1) { +- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); + if (status != 1) + break; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; ++ off += bytes_read; + } ++ ++ if (off + INTEGRITY_BUF_SIZE > paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ memset(buf, 0, HMAC_LEN); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ + if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) + goto err; + +@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + return 0; + } + +- if (st == NULL +- || st->module_checksum_data == NULL) { ++ if (st == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); + goto end; + } +@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + if (ev == NULL) + goto end; + +- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, +- &checksum_len); ++ if (st->module_checksum_data == NULL) { ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ } else { ++ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, ++ &checksum_len); ++ } ++ + if (module_checksum == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); + goto end; +@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); /* Always check the integrity of the fips module */ @@ -407,92 +297,100 @@ diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/pr /* This will be NULL during installation - so the self test KATS will run */ if (st->indicator_data != NULL) { /* -diff -up openssl-3.2.0/providers/fips/self_test.c.fips-self openssl-3.2.0/providers/fips/self_test.c ---- openssl-3.2.0/providers/fips/self_test.c.fips-self 2024-02-06 12:20:56.963719115 +0100 -+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-06 12:22:23.705604045 +0100 -@@ -517,8 +517,13 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS - if (ev == NULL) - goto end; +@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + end: + EVP_RAND_free(testrand); + OSSL_SELF_TEST_free(ev); +- OPENSSL_free(module_checksum); + OPENSSL_free(indicator_checksum); + + if (st != NULL) { +diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf +new file mode 100644 +index 0000000000..f05d0dedbe +--- /dev/null ++++ b/test/fipsmodule.cnf +@@ -0,0 +1,2 @@ ++[fips_sect] ++activate = 1 +diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t +index 4e3a6d85e8..e8255ba974 100644 +--- a/test/recipes/00-prep_fipsmodule_cnf.t ++++ b/test/recipes/00-prep_fipsmodule_cnf.t +@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-my $no_check = disabled("fips"); ++my $no_check = 1; + plan skip_all => "FIPS module config file only supported in a fips build" + if $no_check; + +diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t +index ce594817d5..00cebacff8 100644 +--- a/test/recipes/01-test_fipsmodule_cnf.t ++++ b/test/recipes/01-test_fipsmodule_cnf.t +@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-my $no_check = disabled("fips"); ++my $no_check = 1; + plan skip_all => "Test only supported in a fips build" + if $no_check; + plan tests => 1; +diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t +index b8b136d110..8242f4ebc3 100644 +--- a/test/recipes/03-test_fipsinstall.t ++++ b/test/recipes/03-test_fipsinstall.t +@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-plan skip_all => "Test only supported in a fips build" if disabled("fips"); ++plan skip_all => "Test only supported in a fips build" if 1; + + # Compatible options for pedantic FIPS compliance + my @pedantic_okay = +diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t +index c8f145405b..56a2ec5dc4 100644 +--- a/test/recipes/30-test_defltfips.t ++++ b/test/recipes/30-test_defltfips.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "Configuration loading is turned off" + if disabled("autoload-config"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + plan tests => + ($no_fips ? 1 : 5); +diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t +index 195b85ea8c..92d48dbf7d 100644 +--- a/test/recipes/80-test_ssl_new.t ++++ b/test/recipes/80-test_ssl_new.t +@@ -27,7 +27,7 @@ setup("test_ssl_new"); + use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); + +diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t +index 18d9f3d204..71780d8caa 100644 +--- a/test/recipes/90-test_sslapi.t ++++ b/test/recipes/90-test_sslapi.t +@@ -17,7 +17,7 @@ setup("test_sslapi"); + setup("test_sslapi"); + } + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + my $fipsmodcfg_filename = "fipsmodule.cnf"; + my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); + +-- +2.44.0 -- module_checksum = fips_hmac_container; -- checksum_len = sizeof(fips_hmac_container); -+ if (st->module_checksum_data == NULL) { -+ module_checksum = fips_hmac_container; -+ checksum_len = sizeof(fips_hmac_container); -+ } else { -+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, -+ &checksum_len); -+ } - - if (module_checksum == NULL) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); -diff -up openssl-3.2.1/providers/fips/self_test.c.0033-patch-new openssl-3.2.1/providers/fips/self_test.c ---- openssl-3.2.1/providers/fips/self_test.c.0033-patch-new 2024-06-04 14:42:03.748284524 +0200 -+++ openssl-3.2.1/providers/fips/self_test.c 2024-06-04 14:47:19.589758324 +0200 -@@ -369,23 +369,12 @@ static int verify_integrity(OSSL_CORE_BI - EVP_MAC *mac = NULL; - EVP_MAC_CTX *ctx = NULL; - OSSL_PARAM params[2], *p = params; -- Dl_info info; -- void *extra_info = NULL; -- struct link_map *lm = NULL; -- unsigned long paddr; -- unsigned long off = 0; - - if (!integrity_self_test(ev, libctx)) - goto err; - - OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); - -- if (!dladdr1 ((const void *)fips_hmac_container, -- &info, &extra_info, RTLD_DL_LINKMAP)) -- goto err; -- lm = extra_info; -- paddr = (unsigned long)fips_hmac_container - lm->l_addr; -- - mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); - if (mac == NULL) - goto err; -@@ -399,40 +388,12 @@ static int verify_integrity(OSSL_CORE_BI - if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) - goto err; - -- while ((off + INTEGRITY_BUF_SIZE) <= paddr) { -- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); -- if (status != 1) -- break; -- if (!EVP_MAC_update(ctx, buf, bytes_read)) -- goto err; -- off += bytes_read; -- } -- -- if (off + INTEGRITY_BUF_SIZE > paddr) { -- int delta = paddr - off; -- status = read_ex_cb(bio, buf, delta, &bytes_read); -- if (status != 1) -- goto err; -- if (!EVP_MAC_update(ctx, buf, bytes_read)) -- goto err; -- off += bytes_read; -- -- status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); -- memset(buf, 0, HMAC_LEN); -- if (status != 1) -- goto err; -- if (!EVP_MAC_update(ctx, buf, bytes_read)) -- goto err; -- off += bytes_read; -- } -- -- while (bytes_read > 0) { -- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); -+ while (1) { -+ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); - if (status != 1) - break; - if (!EVP_MAC_update(ctx, buf, bytes_read)) - goto err; -- off += bytes_read; - } - - if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch index 7376d02..23084f0 100644 --- a/0076-FIPS-140-3-DRBG.patch +++ b/0076-FIPS-140-3-DRBG.patch @@ -217,6 +217,14 @@ diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 14999540ab..b05b84717b 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c +@@ -11,6 +11,7 @@ + #define OPENSSL_SUPPRESS_DEPRECATED + + #include ++#include + #include + #include + #include "internal/cryptlib.h" @@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx) return ret; } @@ -234,3 +242,76 @@ index 14999540ab..b05b84717b 100644 PRIMARY_RESEED_INTERVAL, PRIMARY_RESEED_TIME_INTERVAL, 1); /* +@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_ + if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL + && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state)) + return NULL; +- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL, ++ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL, + SECONDARY_RESEED_TIME_INTERVAL, 0); + CRYPTO_THREAD_set_local(&dgbl->public, rand); + } +@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB + if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL + && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state)) + return NULL; +- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL, ++ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL, + SECONDARY_RESEED_TIME_INTERVAL, 0); + CRYPTO_THREAD_set_local(&dgbl->private, rand); + } +diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c +--- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200 ++++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200 +@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s + reseed_when = time(NULL); + + /* Generate random output from the public and private DRBG */ +- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0; ++ before_reseed = 0; + if (!TEST_int_eq(rand_bytes((unsigned char*)public_random, + RANDOM_SIZE), expect_success) + || !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random, +@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s + */ + + /* Test whether reseeding succeeded as expected */ +- if (!TEST_int_eq(state(primary), expected_state) +- || !TEST_int_eq(state(public), expected_state) ++ if (/*!TEST_int_eq(state(primary), expected_state) ++ ||*/ !TEST_int_eq(state(public), expected_state) + || !TEST_int_eq(state(private), expected_state)) + return 0; + +@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s + if (expect_public_reseed >= 0) { + /* Test whether public DRBG was reseeded as expected */ + if (!TEST_int_ge(reseed_counter(public), public_reseed) +- || !TEST_uint_ge(reseed_counter(public), +- reseed_counter(primary))) ++ /*|| !TEST_uint_ge(reseed_counter(public), ++ reseed_counter(primary))*/) + return 0; + } + + if (expect_private_reseed >= 0) { + /* Test whether public DRBG was reseeded as expected */ + if (!TEST_int_ge(reseed_counter(private), private_reseed) +- || !TEST_uint_ge(reseed_counter(private), +- reseed_counter(primary))) ++ /*|| !TEST_uint_ge(reseed_counter(private), ++ reseed_counter(primary))*/) + return 0; + } + +@@ -577,8 +577,8 @@ static int test_rand_reseed(void) + if (!TEST_ptr_ne(public, private) + || !TEST_ptr_ne(public, primary) + || !TEST_ptr_ne(private, primary) +- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary)) +- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))) ++ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary)) ++ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/) + return 0; + + /* Disable CRNG testing for the primary DRBG */ diff --git a/0078-Add-FIPS-indicator-parameter-to-HKDF.patch b/0078-KDF-Add-FIPS-indicators.patch similarity index 86% rename from 0078-Add-FIPS-indicator-parameter-to-HKDF.patch rename to 0078-KDF-Add-FIPS-indicators.patch index f2bb087..17ff63e 100644 --- a/0078-Add-FIPS-indicator-parameter-to-HKDF.patch +++ b/0078-KDF-Add-FIPS-indicators.patch @@ -1,13 +1,45 @@ -From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 31 Jul 2023 09:41:29 +0200 -Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch +From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 Aug 2022 09:27:12 +0200 +Subject: KDF: Add FIPS indicators -Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch -Patch-id: 78 -Patch-status: | - # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +FIPS requires a number of restrictions on the parameters of the various +key derivation functions implemented in OpenSSL. The KDFs that use +digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG +C.C). Additionally, some application-specific KDFs have further +restrictions defined in SP 800-135r1. + +Generally, all KDFs shall use a key-derivation key length of at least +112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF +to generate and output length of less than 112 bits will also set the +indicator to unapproved. + +Add explicit indicators to all KDFs usable in FIPS mode except for +PBKDF2 (which has its specific FIPS limits already implemented). The +indicator can be queried using EVP_KDF_CTX_get_params() after setting +the required parameters and keys for the KDF. + +Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the +truncated variants -224 and -384) and SHA3 (-256 and -512, and the +truncated versions -224 and -384), as well as SHAKE-128 and -256. + +The SHAKE functions are generally not allowed in KDFs. For the rest, the +support matrix is: + + KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated +========================================================================== +KBKDF | x | x | x | x | x +HKDF | x | x | x | x | x +TLS1PRF | | SHA-{256,384,512} only | | +SSHKDF | x | x | x | | +SSKDF | x | x | x | x | x +X9.63KDF | | x | x | x | x +X9.42-ASN1 | x | x | x | x | x +TLS1.3PRF | | SHA-{256,384} only | | + +Signed-off-by: Clemens Lang +Resolves: rhbz#2160733 rhbz#2164763 +Related: rhbz#2114772 rhbz#2141695 --- include/crypto/evp.h | 7 ++ include/openssl/kdf.h | 4 + @@ -17,10 +49,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++- + util/perl/OpenSSL/paramnames.pm | 1 + 9 files changed, 487 insertions(+), 22 deletions(-) diff --git a/include/crypto/evp.h b/include/crypto/evp.h -index dbbdcccbda..aa07153441 100644 +index e70d8e9e84..76fb990de4 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -219,6 +219,13 @@ struct evp_mac_st { @@ -53,10 +86,10 @@ index 0983230a48..86171635ea 100644 #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c -index 5304baa6c9..f9c77f4236 100644 +index dfa7786bde..f01e40ff5a 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c -@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; +@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; @@ -64,7 +97,7 @@ index 5304baa6c9..f9c77f4236 100644 static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; -@@ -86,6 +87,10 @@ typedef struct { +@@ -85,6 +86,10 @@ typedef struct { size_t data_len; unsigned char *info; size_t info_len; @@ -75,7 +108,7 @@ index 5304baa6c9..f9c77f4236 100644 } KDF_HKDF; static void *kdf_hkdf_new(void *provctx) -@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } @@ -87,7 +120,7 @@ index 5304baa6c9..f9c77f4236 100644 switch (ctx->mode) { case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: default: -@@ -363,15 +373,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void { KDF_HKDF *ctx = (KDF_HKDF *)vctx; OSSL_PARAM *p; @@ -96,15 +129,20 @@ index 5304baa6c9..f9c77f4236 100644 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { size_t sz = kdf_hkdf_size(ctx); -- if (sz == 0) + any_valid = 1; -+ -+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) + if (sz == 0) return 0; -- return OSSL_PARAM_set_size_t(p, sz); + return OSSL_PARAM_set_size_t(p, sz); + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { ++ any_valid = 1; + if (ctx->info == NULL || ctx->info_len == 0) { + p->return_size = 0; + return 1; + } + return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); } - return -2; -+ +#ifdef FIPS_MODULE + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) + != NULL) { @@ -169,17 +207,17 @@ index 5304baa6c9..f9c77f4236 100644 } static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -379,6 +452,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, - { +@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), +#ifdef FIPS_MODULE + OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), +#endif /* defined(FIPS_MODULE) */ OSSL_PARAM_END }; return known_gettable_ctx_params; -@@ -709,6 +785,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, +@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, return ret; } @@ -197,7 +235,7 @@ index 5304baa6c9..f9c77f4236 100644 static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, const OSSL_PARAM params[]) { -@@ -724,6 +811,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } @@ -209,7 +247,7 @@ index 5304baa6c9..f9c77f4236 100644 switch (ctx->mode) { default: return 0; -@@ -801,7 +893,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, +@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, } const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { @@ -219,7 +257,7 @@ index 5304baa6c9..f9c77f4236 100644 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c -index aa3df15bc7..3f82710061 100644 +index a542f84dfa..6b6dfb94ac 100644 --- a/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c @@ -59,6 +59,9 @@ typedef struct { @@ -232,7 +270,7 @@ index aa3df15bc7..3f82710061 100644 /* Names are lowercased versions of those found in SP800-108. */ int r; unsigned char *ki; -@@ -72,6 +75,9 @@ typedef struct { +@@ -73,6 +76,9 @@ typedef struct { int use_l; int is_kmac; int use_separator; @@ -242,7 +280,7 @@ index aa3df15bc7..3f82710061 100644 } KBKDF; /* Definitions needed for typechecking. */ -@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx) +@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx) void *provctx = ctx->provctx; EVP_MAC_CTX_free(ctx->ctx_init); @@ -250,7 +288,7 @@ index aa3df15bc7..3f82710061 100644 OPENSSL_clear_free(ctx->context, ctx->context_len); OPENSSL_clear_free(ctx->label, ctx->label_len); OPENSSL_clear_free(ctx->ki, ctx->ki_len); -@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, goto done; } @@ -262,7 +300,7 @@ index aa3df15bc7..3f82710061 100644 h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); if (h == 0) goto done; -@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } } @@ -272,7 +310,7 @@ index aa3df15bc7..3f82710061 100644 p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); if (p != NULL && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { -@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, +@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { OSSL_PARAM *p; @@ -356,10 +394,10 @@ index aa3df15bc7..3f82710061 100644 } diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c -index 1afac4e477..389b82b714 100644 +index c592ba72f1..4a52b38266 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c -@@ -49,6 +49,9 @@ typedef struct { +@@ -48,6 +48,9 @@ typedef struct { char type; /* X */ unsigned char *session_id; size_t session_id_len; @@ -369,7 +407,7 @@ index 1afac4e477..389b82b714 100644 } KDF_SSHKDF; static void *kdf_sshkdf_new(void *provctx) -@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); return 0; } @@ -382,7 +420,7 @@ index 1afac4e477..389b82b714 100644 return SSHKDF(md, ctx->key, ctx->key_len, ctx->xcghash, ctx->xcghash_len, ctx->session_id, ctx->session_id_len, -@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, +@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { OSSL_PARAM *p; @@ -453,7 +491,7 @@ index 1afac4e477..389b82b714 100644 } static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), @@ -464,10 +502,10 @@ index 1afac4e477..389b82b714 100644 }; return known_gettable_ctx_params; diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c -index ecb98de6fd..98fcc583d8 100644 +index eb54972e1c..23865cd70f 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c -@@ -63,6 +63,10 @@ typedef struct { +@@ -64,6 +64,10 @@ typedef struct { size_t salt_len; size_t out_len; /* optional KMAC parameter */ int is_kmac; @@ -486,7 +524,7 @@ index ecb98de6fd..98fcc583d8 100644 static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; static OSSL_FUNC_kdf_freectx_fn sskdf_free; static OSSL_FUNC_kdf_reset_fn sskdf_reset; -@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx) +@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx) return ctx; } @@ -503,7 +541,7 @@ index ecb98de6fd..98fcc583d8 100644 static void sskdf_reset(void *vctx) { KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; -@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, } md = ossl_prov_digest_md(&ctx->digest); @@ -515,7 +553,7 @@ index ecb98de6fd..98fcc583d8 100644 if (ctx->macctx != NULL) { /* H(x) = KMAC or H(x) = HMAC */ int ret; -@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } @@ -527,7 +565,7 @@ index ecb98de6fd..98fcc583d8 100644 return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, ctx->info, ctx->info_len, 1, key, keylen); } -@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; OSSL_PARAM *p; @@ -605,7 +643,7 @@ index ecb98de6fd..98fcc583d8 100644 } static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), @@ -615,7 +653,7 @@ index ecb98de6fd..98fcc583d8 100644 OSSL_PARAM_END }; return known_gettable_ctx_params; -@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { +@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { }; const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { @@ -625,10 +663,10 @@ index ecb98de6fd..98fcc583d8 100644 { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c -index 54124ad4cb..25a6c79a2e 100644 +index a4d64b9352..f6782a6ca2 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c -@@ -104,6 +104,13 @@ typedef struct { +@@ -93,6 +93,13 @@ typedef struct { /* Buffer of concatenated seed data */ unsigned char seed[TLS1_PRF_MAXBUF]; size_t seedlen; @@ -642,7 +680,7 @@ index 54124ad4cb..25a6c79a2e 100644 } TLS1_PRF; static void *kdf_tls1_prf_new(void *provctx) -@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vctx) +@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx) EVP_MAC_CTX_free(ctx->P_sha1); OPENSSL_clear_free(ctx->sec, ctx->seclen); OPENSSL_cleanse(ctx->seed, ctx->seedlen); @@ -650,7 +688,7 @@ index 54124ad4cb..25a6c79a2e 100644 memset(ctx, 0, sizeof(*ctx)); ctx->provctx = provctx; } -@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } @@ -661,7 +699,7 @@ index 54124ad4cb..25a6c79a2e 100644 /* * The seed buffer is prepended with a label. -@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } } @@ -671,7 +709,7 @@ index 54124ad4cb..25a6c79a2e 100644 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { OPENSSL_clear_free(ctx->sec, ctx->seclen); ctx->sec = NULL; -@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( +@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { OSSL_PARAM *p; @@ -735,7 +773,7 @@ index 54124ad4cb..25a6c79a2e 100644 } static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( -@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( +@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), @@ -746,7 +784,7 @@ index 54124ad4cb..25a6c79a2e 100644 }; return known_gettable_ctx_params; diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c -index 4c274fe27a..5ce23c8eb9 100644 +index b1bc6f7e1b..8173fc2cc7 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -13,11 +13,13 @@ @@ -763,7 +801,7 @@ index 4c274fe27a..5ce23c8eb9 100644 #include "prov/provider_ctx.h" #include "prov/providercommon.h" #include "prov/implementations.h" -@@ -49,6 +51,9 @@ typedef struct { +@@ -47,6 +50,9 @@ typedef struct { const unsigned char *cek_oid; size_t cek_oid_len; int use_keybits; @@ -773,7 +811,7 @@ index 4c274fe27a..5ce23c8eb9 100644 } KDF_X942; /* -@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); return 0; } @@ -784,7 +822,7 @@ index 4c274fe27a..5ce23c8eb9 100644 ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, der, der_len, ctr, key, keylen); OPENSSL_free(der); -@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { KDF_X942 *ctx = (KDF_X942 *)vctx; OSSL_PARAM *p; @@ -846,7 +884,7 @@ index 4c274fe27a..5ce23c8eb9 100644 } static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), @@ -856,12 +894,10 @@ index 4c274fe27a..5ce23c8eb9 100644 OSSL_PARAM_END }; return known_gettable_ctx_params; --- -2.41.0 - -diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.fips-indicators-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm ---- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.fips-indicators-patch 2024-01-02 12:11:36.633033731 +0100 -+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:12:54.022901822 +0100 +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 70f7c50fe4..6618122417 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm @@ -183,6 +183,7 @@ my %params = ( 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo", 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo", @@ -870,3 +906,6 @@ diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.fips-indicators-patch ope 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy", 'KDF_PARAM_HMACDRBG_NONCE' => "nonce", 'KDF_PARAM_THREADS' => "threads", # uint32_t +-- +2.39.2 + diff --git a/0117-ignore-unknown-sigalgorithms-groups.patch b/0117-ignore-unknown-sigalgorithms-groups.patch index 3c52277..dd40e11 100644 --- a/0117-ignore-unknown-sigalgorithms-groups.patch +++ b/0117-ignore-unknown-sigalgorithms-groups.patch @@ -111,7 +111,7 @@ index 056aae3863..fe680449c5 100644 + } if (garg->gidcnt == garg->gidmax) { uint16_t *tmp = - OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT); + OPENSSL_realloc(garg->gid_arr, @@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg) gid = tls1_group_name2id(garg->ctx, etmp); @@ -161,18 +161,18 @@ index 056aae3863..fe680449c5 100644 return 0; if (len > (int)(sizeof(etmp) - 1)) @@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg) - break; + break; + } } +- if (i == OSSL_NELEM(sigalg_lookup_tbl)) +- return 0; ++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } } -- if (i == OSSL_NELEM(sigalg_lookup_tbl)) -- return 0; -+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { -+ /* Ignore unknown algorithms if ignore_unknown */ -+ return ignore_unknown; -+ } } else { *p = 0; - p++; @@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg) return 0; get_sigorhash(&sig_alg, &hash_alg, etmp); @@ -209,7 +209,7 @@ index 056aae3863..fe680449c5 100644 } return 1; @@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) - sig.sigalgcnt = 0; + } if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) return 0; + if (sig.sigalgcnt == 0) { diff --git a/0118-no-crl-memleak.patch b/0118-no-crl-memleak.patch deleted file mode 100644 index ee7e745..0000000 --- a/0118-no-crl-memleak.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Tue, 27 Feb 2024 15:22:58 +0100 -Subject: [PATCH 48/49] 0118-no-crl-memleak.patch - -Patch-name: 0118-no-crl-memleak.patch -Patch-id: 118 -Patch-status: | - # https://github.com/openssl/openssl/issues/23770 ---- - crypto/x509/by_file.c | 2 ++ - test/recipes/60-test_x509_load_cert_file.t | 3 ++- - test/x509_load_cert_file_test.c | 8 +++++++- - 3 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c -index 5073c137a2..85923804ac 100644 ---- a/crypto/x509/by_file.c -+++ b/crypto/x509/by_file.c -@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) - goto err; - } - count++; -+ X509_CRL_free(x); -+ x = NULL; - } - } else if (type == X509_FILETYPE_ASN1) { - x = d2i_X509_CRL_bio(in, NULL); -diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t -index 75aeac362c..e329d7675c 100644 ---- a/test/recipes/60-test_x509_load_cert_file.t -+++ b/test/recipes/60-test_x509_load_cert_file.t -@@ -12,4 +12,5 @@ setup("test_load_cert_file"); - - plan tests => 1; - --ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")]))); -+ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"), -+ srctop_file("test", "certs", "cyrillic_crl.pem")]))); -diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c -index 4a736071ae..c07d329915 100644 ---- a/test/x509_load_cert_file_test.c -+++ b/test/x509_load_cert_file_test.c -@@ -12,6 +12,7 @@ - #include "testutil.h" - - static const char *chain; -+static const char *crl; - - static int test_load_cert_file(void) - { -@@ -27,12 +28,15 @@ static int test_load_cert_file(void) - && TEST_int_eq(sk_X509_num(certs), 4)) - ret = 1; - -+ if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM))) -+ ret = 0; -+ - OSSL_STACK_OF_X509_free(certs); - X509_STORE_free(store); - return ret; - } - --OPT_TEST_DECLARE_USAGE("cert.pem...\n") -+OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n") - - int setup_tests(void) - { -@@ -45,6 +49,8 @@ int setup_tests(void) - if (chain == NULL) - return 0; - -+ crl = test_get_argument(1); -+ - ADD_TEST(test_load_cert_file); - return 1; - } --- -2.44.0 - diff --git a/0119-provider-sigalgs-in-signaturealgorithms-conf.patch b/0119-provider-sigalgs-in-signaturealgorithms-conf.patch deleted file mode 100644 index c363223..0000000 --- a/0119-provider-sigalgs-in-signaturealgorithms-conf.patch +++ /dev/null @@ -1,170 +0,0 @@ -From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Fri, 8 Mar 2024 11:18:12 +0100 -Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch - -Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch -Patch-id: 119 -Patch-status: | - # https://github.com/openssl/openssl/issues/22779 ---- - ssl/s3_lib.c | 8 ++++---- - ssl/ssl_lib.c | 2 +- - ssl/ssl_local.h | 2 +- - ssl/t1_lib.c | 45 ++++++++++++++++++++++++++++++++++----------- - 4 files changed, 40 insertions(+), 17 deletions(-) - -diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c -index e8ec98c221..48a1aa0e61 100644 ---- a/ssl/s3_lib.c -+++ b/ssl/s3_lib.c -@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) - return tls1_set_sigalgs(sc->cert, parg, larg, 0); - - case SSL_CTRL_SET_SIGALGS_LIST: -- return tls1_set_sigalgs_list(sc->cert, parg, 0); -+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0); - - case SSL_CTRL_SET_CLIENT_SIGALGS: - return tls1_set_sigalgs(sc->cert, parg, larg, 1); - - case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: -- return tls1_set_sigalgs_list(sc->cert, parg, 1); -+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1); - - case SSL_CTRL_GET_CLIENT_CERT_TYPES: - { -@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) - return tls1_set_sigalgs(ctx->cert, parg, larg, 0); - - case SSL_CTRL_SET_SIGALGS_LIST: -- return tls1_set_sigalgs_list(ctx->cert, parg, 0); -+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0); - - case SSL_CTRL_SET_CLIENT_SIGALGS: - return tls1_set_sigalgs(ctx->cert, parg, larg, 1); - - case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: -- return tls1_set_sigalgs_list(ctx->cert, parg, 1); -+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1); - - case SSL_CTRL_SET_CLIENT_CERT_TYPES: - return ssl3_set_req_cert_type(ctx->cert, parg, larg); -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 1329841aaf..4d95ab71cd 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) - return tls1_set_groups_list(ctx, NULL, NULL, parg); - case SSL_CTRL_SET_SIGALGS_LIST: - case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: -- return tls1_set_sigalgs_list(NULL, parg, 0); -+ return tls1_set_sigalgs_list(ctx, NULL, parg, 0); - default: - return 0; - } -diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h -index 0d3acfbe66..a73b2c4770 100644 ---- a/ssl/ssl_local.h -+++ b/ssl/ssl_local.h -@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s); - - void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op); - --__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client); -+__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client); - __owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, - int client); - __owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fe680449c5..87f2ae7000 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx) - - /* now populate ctx->ssl_cert_info */ - if (ctx->sigalg_list_len > 0) { -+ OPENSSL_free(ctx->ssl_cert_info); - ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len); - if (ctx->ssl_cert_info == NULL) - return 0; -@@ -2889,6 +2890,7 @@ typedef struct { - size_t sigalgcnt; - /* TLSEXT_SIGALG_XXX values */ - uint16_t sigalgs[TLS_MAX_SIGALGCNT]; -+ SSL_CTX *ctx; - } sig_cb_st; - - static void get_sigorhash(int *psig, int *phash, const char *str) -@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str) - static int sig_cb(const char *elem, int len, void *arg) - { - sig_cb_st *sarg = arg; -- size_t i; -+ size_t i = 0; -+ int load_success = 0; - const SIGALG_LOOKUP *s; - char etmp[TLS_MAX_SIGSTRING_LEN], *p; - int sig_alg = NID_undef, hash_alg = NID_undef; -@@ -2943,17 +2946,36 @@ static int sig_cb(const char *elem, int len, void *arg) - * in the table. - */ - if (p == NULL) { -- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); -- i++, s++) { -- if (s->name != NULL && strcmp(etmp, s->name) == 0) { -- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; -- break; -- } -+ /* Load provider sigalgs */ -+ if (sarg->ctx) { -+ load_success = ssl_load_sigalgs(sarg->ctx); - } -- if (i == OSSL_NELEM(sigalg_lookup_tbl)) { -- /* Ignore unknown algorithms if ignore_unknown */ -- return ignore_unknown; -+ if (load_success) { -+ /* Check if a provider supports the sigalg */ -+ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) { -+ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL -+ && strcmp(etmp, -+ sarg->ctx->sigalg_list[i].sigalg_name) == 0) { -+ sarg->sigalgs[sarg->sigalgcnt++] = -+ sarg->ctx->sigalg_list[i].code_point; -+ break; -+ } -+ } - } -+ /* Check the built-in sigalgs */ -+ if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) { -+ for (i = 0, s = sigalg_lookup_tbl; -+ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) { -+ if (s->name != NULL && strcmp(etmp, s->name) == 0) { -+ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; -+ break; -+ } -+ } -+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { -+ /* Ignore unknown algorithms if ignore_unknown */ -+ return ignore_unknown; -+ } -+ } - } else { - *p = 0; - p++; -@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg) - * Set supported signature algorithms based on a colon separated list of the - * form sig+hash e.g. RSA+SHA512:DSA+SHA512 - */ --int tls1_set_sigalgs_list(CERT *c, const char *str, int client) -+int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client) - { - sig_cb_st sig; - sig.sigalgcnt = 0; -+ sig.ctx = ctx; - if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) - return 0; - if (sig.sigalgcnt == 0) { --- -2.44.0 - diff --git a/openssl.spec b/openssl.spec index 4a372a4..3b3190b 100644 --- a/openssl.spec +++ b/openssl.spec @@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.2.1 -Release: 4%{?dist} +Version: 3.2.2 +Release: 1%{?dist} Epoch: 1 Source: openssl-%{version}.tar.gz Source2: Makefile.certificate @@ -116,7 +116,7 @@ Patch76: 0076-FIPS-140-3-DRBG.patch # # https://bugzilla.redhat.com/show_bug.cgi?id=2102542 Patch77: 0077-FIPS-140-3-zeroization.patch # # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 -Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch +Patch78: 0078-KDF-Add-FIPS-indicators.patch # # We believe that some changes present in CentOS are not necessary # # because ustream has a check for FIPS version Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch @@ -156,11 +156,7 @@ Patch115: 0115-skip-quic-pairwise.patch Patch116: 0116-version-aliasing.patch # https://github.com/openssl/openssl/issues/23050 Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch -# https://github.com/openssl/openssl/issues/23770 -Patch118: 0118-no-crl-memleak.patch -# https://github.com/openssl/openssl/issues/22779 -Patch119: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch -# From CentOS 9 +# https://bugzilla.redhat.com/show_bug.cgi?id=2160797 Patch121: 0121-FIPS-cms-defaults.patch License: Apache-2.0 @@ -507,6 +503,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Wed Jun 05 2024 Dmitry Belyavskiy - 1:3.2.2-1 +- Rebase to OpenSSL 3.2.2. + Related: RHEL-31762 + * Mon Jun 03 2024 Sahana Prasad - 1:3.2.1-4 - Synchronize patches from c9s and Fedora - Resolves: RHEL-31762 diff --git a/sources b/sources index 21d66d1..6d3dc96 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.2.1.tar.gz) = 29ea75964f78ef5bbe5783ed60d32917408ae4cb7d4aecdbbf2280bfdbc260c7cbabbc03bd179fc994fbee85cebc7213eeb5bfcde5c22db5e83edf2cebe7113f +SHA512 (openssl-3.2.2.tar.gz) = ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d