Slightly rearranged the patches we have
parent
e52367af47
commit
5c67b5adc3
@ -1,28 +0,0 @@
|
|||||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
|
||||||
index e95d2657f46c..7af0eab3fce0 100644
|
|
||||||
--- a/test/sslapitest.c
|
|
||||||
+++ b/test/sslapitest.c
|
|
||||||
@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
|
||||||
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Create a session based on SHA-256 */
|
|
||||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
|
||||||
TLS_client_method(),
|
|
||||||
@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
|
||||||
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Create a session based on SHA-256 */
|
|
||||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
|
||||||
TLS_client_method(),
|
|
@ -1,7 +1,7 @@
|
|||||||
From 538665f6c210f876bf2733afe63460b36f2c9929 Mon Sep 17 00:00:00 2001
|
From ed02a8b9e767224dc7512a4a176e4aae045b3573 Mon Sep 17 00:00:00 2001
|
||||||
From: rpm-build <rpm-build>
|
From: rpm-build <rpm-build>
|
||||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||||
Subject: [PATCH 17/35] 0033-FIPS-embed-hmac.patch
|
Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
|
||||||
|
|
||||||
Patch-name: 0033-FIPS-embed-hmac.patch
|
Patch-name: 0033-FIPS-embed-hmac.patch
|
||||||
Patch-id: 33
|
Patch-id: 33
|
||||||
@ -9,7 +9,7 @@ Patch-status: |
|
|||||||
# Embed HMAC into the fips.so
|
# Embed HMAC into the fips.so
|
||||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||||
---
|
---
|
||||||
providers/fips/self_test.c | 69 ++++++++++++++++++++++++---
|
providers/fips/self_test.c | 70 ++++++++++++++++++++++++---
|
||||||
test/fipsmodule.cnf | 2 +
|
test/fipsmodule.cnf | 2 +
|
||||||
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
|
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
|
||||||
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
|
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
|
||||||
@ -17,11 +17,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|||||||
test/recipes/30-test_defltfips.t | 2 +-
|
test/recipes/30-test_defltfips.t | 2 +-
|
||||||
test/recipes/80-test_ssl_new.t | 2 +-
|
test/recipes/80-test_ssl_new.t | 2 +-
|
||||||
test/recipes/90-test_sslapi.t | 2 +-
|
test/recipes/90-test_sslapi.t | 2 +-
|
||||||
8 files changed, 70 insertions(+), 13 deletions(-)
|
8 files changed, 71 insertions(+), 13 deletions(-)
|
||||||
create mode 100644 test/fipsmodule.cnf
|
create mode 100644 test/fipsmodule.cnf
|
||||||
|
|
||||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
||||||
index 10804d9f59..ef56002854 100644
|
index 10804d9f59..5e418a2c11 100644
|
||||||
--- a/providers/fips/self_test.c
|
--- a/providers/fips/self_test.c
|
||||||
+++ b/providers/fips/self_test.c
|
+++ b/providers/fips/self_test.c
|
||||||
@@ -231,11 +231,27 @@ err:
|
@@ -231,11 +231,27 @@ err:
|
||||||
@ -121,7 +121,15 @@ index 10804d9f59..ef56002854 100644
|
|||||||
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
@@ -349,8 +405,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
@@ -283,6 +339,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||||
|
goto err;
|
||||||
|
ret = 1;
|
||||||
|
err:
|
||||||
|
+ OPENSSL_cleanse(out, sizeof(out));
|
||||||
|
OSSL_SELF_TEST_onend(ev, ret);
|
||||||
|
EVP_MAC_CTX_free(ctx);
|
||||||
|
EVP_MAC_free(mac);
|
||||||
|
@@ -349,8 +406,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||||
CRYPTO_THREAD_unlock(fips_state_lock);
|
CRYPTO_THREAD_unlock(fips_state_lock);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -131,7 +139,7 @@ index 10804d9f59..ef56002854 100644
|
|||||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
@@ -359,8 +414,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
@@ -359,8 +415,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||||
if (ev == NULL)
|
if (ev == NULL)
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
@ -143,7 +151,7 @@ index 10804d9f59..ef56002854 100644
|
|||||||
if (module_checksum == NULL) {
|
if (module_checksum == NULL) {
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
||||||
goto end;
|
goto end;
|
||||||
@@ -434,7 +490,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
@@ -434,7 +491,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||||
end:
|
end:
|
||||||
EVP_RAND_free(testrand);
|
EVP_RAND_free(testrand);
|
||||||
OSSL_SELF_TEST_free(ev);
|
OSSL_SELF_TEST_free(ev);
|
||||||
|
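Review bot: The header of 0033-FIPS-embed-hmac.patch still describes only `# Embed HMAC into the fips.so`, although the new side now also carries the `OPENSSL_cleanse(out, sizeof(out));` line under `err:` in `verify_integrity` that previously lived in 0109-fips-Zeroize-out-in-fips-selftest.patch. Placed at that label, the call wipes the computed MAC buffer on both the `ret = 1` fall-through and every `goto err` exit, so it is the only record of that zeroization in the patch set. With no mention in the metadata, a later regeneration of 0033 could lose it silently. I would add a second line under `Patch-status:`, for example `# Zeroize the MAC output buffer in verify_integrity (formerly patch 0109)`. Most of `verify_integrity` lies outside the quoted hunk, so whether other temporaries there need the same treatment cannot be judged from this page.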
@ -6,8 +6,6 @@ Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch
|
|||||||
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
|
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
|
||||||
Patch-id: 58
|
Patch-id: 58
|
||||||
Patch-status: |
|
Patch-status: |
|
||||||
# https://github.com/openssl/openssl/pull/18175
|
|
||||||
# Patch57: 0057-strcasecmp-fix.patch
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
||||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||||
---
|
---
|
||||||
|
@ -1,26 +0,0 @@
|
|||||||
From 3e24e76dfaf7367e0790c22aa1e740f3b68d91a3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
||||||
Date: Mon, 21 Aug 2023 16:08:39 +0200
|
|
||||||
Subject: [PATCH 44/48] 0109-fips-Zeroize-out-in-fips-selftest.patch
|
|
||||||
|
|
||||||
Patch-name: 0109-fips-Zeroize-out-in-fips-selftest.patch
|
|
||||||
Patch-id: 109
|
|
||||||
---
|
|
||||||
providers/fips/self_test.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
|
||||||
index 062d9df84a..64107d054b 100644
|
|
||||||
--- a/providers/fips/self_test.c
|
|
||||||
+++ b/providers/fips/self_test.c
|
|
||||||
@@ -339,6 +339,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
||||||
goto err;
|
|
||||||
ret = 1;
|
|
||||||
err:
|
|
||||||
+ OPENSSL_cleanse(out, sizeof(out));
|
|
||||||
OSSL_SELF_TEST_onend(ev, ret);
|
|
||||||
EVP_MAC_CTX_free(ctx);
|
|
||||||
EVP_MAC_free(mac);
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
25
openssl.spec
25
openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.1.1
|
Version: 3.1.1
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Source: openssl-%{version}.tar.gz
|
Source: openssl-%{version}.tar.gz
|
||||||
Source2: Makefile.certificate
|
Source2: Makefile.certificate
|
||||||
@ -71,8 +71,6 @@ Patch12: 0012-Disable-explicit-ec.patch
|
|||||||
Patch13: 0013-skipped-tests-EC-curves.patch
|
Patch13: 0013-skipped-tests-EC-curves.patch
|
||||||
# # Instructions to load legacy provider in openssl.cnf
|
# # Instructions to load legacy provider in openssl.cnf
|
||||||
Patch24: 0024-load-legacy-prov.patch
|
Patch24: 0024-load-legacy-prov.patch
|
||||||
# # Tmp: test name change
|
|
||||||
Patch31: 0031-tmp-Fix-test-names.patch
|
|
||||||
# # We load FIPS provider and set FIPS properties implicitly
|
# # We load FIPS provider and set FIPS properties implicitly
|
||||||
Patch32: 0032-Force-fips.patch
|
Patch32: 0032-Force-fips.patch
|
||||||
# # Embed HMAC into the fips.so
|
# # Embed HMAC into the fips.so
|
||||||
@ -95,8 +93,6 @@ Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
|
|||||||
# # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
|
# # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
|
||||||
# # so the patch should persist
|
# # so the patch should persist
|
||||||
Patch56: 0056-strcasecmp.patch
|
Patch56: 0056-strcasecmp.patch
|
||||||
# # https://github.com/openssl/openssl/pull/18175
|
|
||||||
# # Patch57: 0057-strcasecmp-fix.patch
|
|
||||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
||||||
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
|
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
|
||||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
|
# # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
|
||||||
@ -105,7 +101,7 @@ Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
|
|||||||
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
|
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
|
||||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
||||||
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
|
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
|
||||||
# [PATCH 30/48]
|
# [PATCH 29/46]
|
||||||
# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
||||||
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
||||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
||||||
@ -122,13 +118,13 @@ Patch79: 0079-RSA-PKCS15-implicit-rejection.patch
|
|||||||
# # We believe that some changes present in CentOS are not necessary
|
# # We believe that some changes present in CentOS are not necessary
|
||||||
# # because ustream has a check for FIPS version
|
# # because ustream has a check for FIPS version
|
||||||
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
|
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
|
||||||
# [PATCH 37/48]
|
# [PATCH 36/46]
|
||||||
# 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
|
# 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
|
||||||
Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
|
Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
|
||||||
# [PATCH 38/48]
|
# [PATCH 37/46]
|
||||||
# 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
|
# 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
|
||||||
Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
|
Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
|
||||||
# [PATCH 39/48]
|
# [PATCH 38/46]
|
||||||
# 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
|
# 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
|
||||||
Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
|
Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
|
||||||
# 0085-FIPS-RSA-disable-shake.patch
|
# 0085-FIPS-RSA-disable-shake.patch
|
||||||
@ -137,15 +133,13 @@ Patch85: 0085-FIPS-RSA-disable-shake.patch
|
|||||||
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
|
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
|
||||||
# 0091-FIPS-RSA-encapsulate.patch
|
# 0091-FIPS-RSA-encapsulate.patch
|
||||||
Patch91: 0091-FIPS-RSA-encapsulate.patch
|
Patch91: 0091-FIPS-RSA-encapsulate.patch
|
||||||
# [PATCH 43/48]
|
# [PATCH 42/46]
|
||||||
# 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
|
# 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
|
||||||
Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
|
Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
|
||||||
# 0109-fips-Zeroize-out-in-fips-selftest.patch
|
# [PATCH 43/46]
|
||||||
Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
|
|
||||||
# [PATCH 45/48]
|
|
||||||
# 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
# 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
||||||
Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
||||||
# [PATCH 46/48]
|
# [PATCH 44/46]
|
||||||
# 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
# 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
||||||
Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
||||||
# 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
|
# 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
|
||||||
@ -484,6 +478,9 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 31 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.1.1-4
|
||||||
|
- Drop duplicated patch and do some contamination
|
||||||
|
|
||||||
* Tue Aug 22 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.1.1-3
|
* Tue Aug 22 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.1.1-3
|
||||||
- Integrate FIPS patches from CentOS
|
- Integrate FIPS patches from CentOS
|
||||||
|
|
||||||
|
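Review bot: The new `%changelog` entry `- Drop duplicated patch and do some contamination` does not say which patches were dropped or that the zeroization is still applied, and "contamination" looks like a slip for another word. This section removes both `Patch31: 0031-tmp-Fix-test-names.patch` and `Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch`. Only the second is visibly folded into 0033 elsewhere in the commit, and the page does not show why Patch31 is no longer needed. For a FIPS-relevant package I would spell this out, e.g. `- Fold 0109 (zeroize MAC output in FIPS self-test) into 0033, drop Patch31`, so that someone auditing the RPM changelog can see the cleanse call was kept.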