Add a openssl-fips-provider package

This allows it to be replaced by fips-provider-next which is built as an alternative fips provider. Adds a Suggests to still prefer the openssl's own packge by default. Resolves: RHEL-105298 Signed-off-by: Simo Sorce <simo@redhat.com>
2025-07-14 12:04:17 -04:00 · 2025-07-14 12:04:17 -04:00 · 6b623cae3c
commit 6b623cae3c
parent e014d8a609
1 changed files with 28 additions and 3 deletions
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.5.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@ -125,8 +125,9 @@ protocols.
 Summary: A general purpose cryptography library with TLS implementation
 Requires: ca-certificates >= 2008-5
 Requires: crypto-policies >= 20250404-3
-%if ( %{defined rhel} && (! %{defined centos}) )
+%if %{defined rhel}
 Requires: openssl-fips-provider
+Suggests: openssl-fips-provider
 %endif

 %description libs
@ -154,6 +155,17 @@ OpenSSL is a toolkit for supporting cryptography. The openssl-perl
 package provides Perl scripts for converting certificates and keys
 from other formats to the formats used by the OpenSSL toolkit.

+%if %{defined centos}
+%package fips-provider
+Summary: The FIPS Provider module
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description fips-provider
+OpenSSL is a toolkit for supporting cryptography. The openssl-fips-provider
+package provides the fips.so provider, a cryptography provider that follows
+FIPS requirements and provides FIPS approved algorithms.
+%endif
+
 %prep
 %autosetup -S git -n %{name}-%{version}

@ -407,7 +419,7 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 %attr(0755,root,root) %{_libdir}/libssl.so.%{version}
 %{_libdir}/libssl.so.%{soversion}
 %attr(0755,root,root) %{_libdir}/engines-%{soversion}
-%attr(0755,root,root) %{_libdir}/ossl-modules
+%attr(0755,root,root) %{_libdir}/ossl-modules/legacy.so

 %files devel
 %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
@ -431,9 +443,22 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 %dir %{_sysconfdir}/pki/CA/crl
 %dir %{_sysconfdir}/pki/CA/newcerts

+%if %{defined centos}
+%files fips-provider
+%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so
+%endif
+
 %ldconfig_scriptlets libs

 %changelog
+* Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-2
+- Move fips.so to a seprate subpackage
+  Reverts FIPS self test for SLH-DSA
+  Add Suggests to try to prefer the openssl-fips-provider package
+  over the fips-provider-next package by default
+  Revolves: RHEL-102408
+  Related: RHEL-80811
+
 * Tue Jul 01 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-1
 - Rebasing to OpenSSL 3.5.1
  Resolves: RHEL-90350