From 6b623cae3cf84424113f3c16aa36b2f62d2d0675 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 14 Jul 2025 12:04:17 -0400 Subject: [PATCH] Add a openssl-fips-provider package This allows it to be replaced by fips-provider-next which is built as an alternative fips provider. Adds a Suggests to still prefer the openssl's own packge by default. Resolves: RHEL-105298 Signed-off-by: Simo Sorce --- openssl.spec | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/openssl.spec b/openssl.spec index 3611229..b5b0046 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.5.1 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 1 Source0: openssl-%{version}.tar.gz Source1: fips-hmacify.sh @@ -125,8 +125,9 @@ protocols. Summary: A general purpose cryptography library with TLS implementation Requires: ca-certificates >= 2008-5 Requires: crypto-policies >= 20250404-3 -%if ( %{defined rhel} && (! %{defined centos}) ) +%if %{defined rhel} Requires: openssl-fips-provider +Suggests: openssl-fips-provider %endif %description libs @@ -154,6 +155,17 @@ OpenSSL is a toolkit for supporting cryptography. The openssl-perl package provides Perl scripts for converting certificates and keys from other formats to the formats used by the OpenSSL toolkit. +%if %{defined centos} +%package fips-provider +Summary: The FIPS Provider module +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} + +%description fips-provider +OpenSSL is a toolkit for supporting cryptography. The openssl-fips-provider +package provides the fips.so provider, a cryptography provider that follows +FIPS requirements and provides FIPS approved algorithms. +%endif + %prep %autosetup -S git -n %{name}-%{version} 
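Review bot: The hard `Requires: openssl-fips-provider` now sits next to a `Suggests:` on the same name in the libs section, and without a comment the Suggests reads as redundant. Going by the commit message, the Requires is meant to be satisfiable by any package that provides the name (fips-provider-next), with the Suggests only biasing the solver toward this build's own subpackage. That makes the installed FIPS module a dependency-resolution outcome, so it is worth stating in the spec, e.g. `# any provider of openssl-fips-provider satisfies the Requires; Suggests keeps ours the default`. The Requires is also unversioned and has no `%{?_isa}`, unlike the new subpackage's dependency back on libs; if that is intentional the comment should say so. The libs package section begins before this hunk.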
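Review bot: The `%package fips-provider` block is guarded by `%if %{defined centos}`, while the libs dependency on it is now guarded by `%if %{defined rhel}`, and neither place explains the asymmetry. On a build where rhel is defined and centos is not, libs requires a package this spec does not produce; presumably it comes from a separate build, but that is not visible here. On the same build fips.so is covered by no %files entry once the libs list is narrowed to legacy.so, so the build would depend on %install removing it. If that is the intent, a comment above the `%if` such as `# fips.so is shipped from this source only on CentOS builds; elsewhere openssl-fips-provider comes from a separate build` would make it checkable. The same guard is repeated on `%files fips-provider` in the last hunk.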
@@ -407,7 +419,7 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h %attr(0755,root,root) %{_libdir}/libssl.so.%{version} %{_libdir}/libssl.so.%{soversion} %attr(0755,root,root) %{_libdir}/engines-%{soversion} -%attr(0755,root,root) %{_libdir}/ossl-modules +%attr(0755,root,root) %{_libdir}/ossl-modules/legacy.so %files devel %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el @@ -431,9 +443,22 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h %dir %{_sysconfdir}/pki/CA/crl %dir %{_sysconfdir}/pki/CA/newcerts +%if %{defined centos} +%files fips-provider +%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so +%endif + %ldconfig_scriptlets libs %changelog +* Thu Jul 24 2025 Simo Sorce - 1:3.5.1-2 +- Move fips.so to a seprate subpackage + Reverts FIPS self test for SLH-DSA + Add Suggests to try to prefer the openssl-fips-provider package + over the fips-provider-next package by default + Revolves: RHEL-102408 + Related: RHEL-80811 + * Tue Jul 01 2025 Dmitry Belyavskiy - 1:3.5.1-1 - Rebasing to OpenSSL 3.5.1 Resolves: RHEL-90350
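Review bot: Listing only `%{_libdir}/ossl-modules/legacy.so` leaves the `ossl-modules` directory owned by no package, because the removed entry was what covered the directory and everything in it. Per this patch that directory holds the provider modules (legacy.so and fips.so), so its owner and mode should stay under rpm's control and remain checkable with `rpm -V`. I would add `%dir %attr(0755,root,root) %{_libdir}/ossl-modules` to the libs file list next to the legacy.so line; the fips-provider subpackage already requires libs, so one owner is enough. Any other module the build installs into that directory would now be unpackaged as well, which cannot be confirmed from this hunk. The %files list this entry belongs to starts outside the hunk.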
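Review bot: The new %changelog entry does not line up with the rest of the patch. It lists "Reverts FIPS self test for SLH-DSA", but no patch or source line for that appears in this diff. It also cites RHEL-102408 and RHEL-80811 while the commit message resolves RHEL-105298. The trailer is spelled `Revolves:` rather than `Resolves:`, which any tooling that matches the keyword would likely miss, and "seprate" should be "separate". For a package that carries the FIPS module the changelog should be an accurate record of what changed in the crypto code, so I would land the SLH-DSA line with the change it describes (or drop it here) and align the ticket reference with the commit message.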