Redefine sslarch for x86_64_v2 arch
This commit is contained in:
Eduard Abdullin
root
commit
74b93665b4
@ -0,0 +1,62 @@
|
||||
From 2b18a8b0c5b315083c49664101a103572d5592b6 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Tue, 20 May 2025 16:34:10 +0200
|
||||
Subject: [PATCH 58/59] apps/x509.c: Fix the -addreject option adding trust
|
||||
instead of rejection
|
||||
|
||||
Fixes CVE-2025-4575
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
|
||||
(Merged from https://github.com/openssl/openssl/pull/27672)
|
||||
---
|
||||
apps/x509.c | 2 +-
|
||||
test/recipes/25-test_x509.t | 12 +++++++++++-
|
||||
2 files changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/apps/x509.c b/apps/x509.c
|
||||
index fdae8f383a..0c340c15b3 100644
|
||||
--- a/apps/x509.c
|
||||
+++ b/apps/x509.c
|
||||
@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
|
||||
prog, opt_arg());
|
||||
goto opthelp;
|
||||
}
|
||||
- if (!sk_ASN1_OBJECT_push(trust, objtmp))
|
||||
+ if (!sk_ASN1_OBJECT_push(reject, objtmp))
|
||||
goto end;
|
||||
trustout = 1;
|
||||
break;
|
||||
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
|
||||
index 09b61708ff..dfa0a428f5 100644
|
||||
--- a/test/recipes/25-test_x509.t
|
||||
+++ b/test/recipes/25-test_x509.t
|
||||
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
|
||||
|
||||
setup("test_x509");
|
||||
|
||||
-plan tests => 134;
|
||||
+plan tests => 138;
|
||||
|
||||
# Prevent MSys2 filename munging for arguments that look like file paths but
|
||||
# aren't
|
||||
@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
|
||||
&& run(app(["openssl", "verify", "-no_check_time",
|
||||
"-trusted", $ca, "-partial_chain", $caout])));
|
||||
|
||||
+# test trust decoration
|
||||
+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
|
||||
+ "-out", "ca-trusted.pem"])));
|
||||
+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
|
||||
+ 1, 'trusted use - E-mail Protection');
|
||||
+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
|
||||
+ "-out", "ca-rejected.pem"])));
|
||||
+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
|
||||
+ 1, 'rejected use - E-mail Protection');
|
||||
+
|
||||
subtest 'x509 -- x.509 v1 certificate' => sub {
|
||||
tconversion( -type => 'x509', -prefix => 'x509v1',
|
||||
-in => srctop_file("test", "testx509.pem") );
|
||||
--
|
||||
2.49.0
|
||||
|
||||
50
0059-Fixup-permit-SHA1-as-MGF1-digest.patch
Normal file
50
0059-Fixup-permit-SHA1-as-MGF1-digest.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From f23d51fb9c5cdc4ac271846ab322390bfd844760 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Thu, 22 May 2025 10:13:23 +0200
|
||||
Subject: [PATCH 59/59] Fixup - permit SHA1 as MGF1 digest
|
||||
|
||||
---
|
||||
providers/implementations/signature/rsa_sig.c | 3 +--
|
||||
test/recipes/30-test_evp_data/evppkey_rsa.txt | 4 ++--
|
||||
2 files changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index ac3888a1b9..014b17fe49 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -476,9 +476,8 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
|
||||
"%s could not be fetched", mdname);
|
||||
return 0;
|
||||
}
|
||||
- /* The default for mgf1 is SHA1 - so check if we allow SHA1 */
|
||||
+ /* The default for mgf1 is SHA1 - so allow SHA1 */
|
||||
if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0
|
||||
- || (mdnid = rh_digest_signatures_allowed(ctx->libctx, mdnid)) <= 0
|
||||
|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
|
||||
if (mdnid <= 0)
|
||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
|
||||
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt
|
||||
index 103556c750..6ae973eaac 100644
|
||||
--- a/test/recipes/30-test_evp_data/evppkey_rsa.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt
|
||||
@@ -279,7 +279,7 @@ Input="0123456789ABCDEF0123456789ABCDEF"
|
||||
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
-# Wrong MGF1 digest - In RHEL FIPS errors as set ctx before verify
|
||||
+# Wrong MGF1 digest
|
||||
Availablein = fips
|
||||
Verify = RSA-2048
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
@@ -288,7 +288,7 @@ Ctrl = digest:sha256
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input="0123456789ABCDEF0123456789ABCDEF"
|
||||
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
|
||||
-Result = PKEY_CTRL_ERROR
|
||||
+Result = VERIFY_ERROR
|
||||
|
||||
# Verify using default parameters
|
||||
Availablein = default
|
||||
--
|
||||
2.49.0
|
||||
|
||||
39
0060-Fixup-no-dup-versions-for-UEFI.patch
Normal file
39
0060-Fixup-no-dup-versions-for-UEFI.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From 8f95c832f03005c903a6a990cee49346c556be0f Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Thu, 22 May 2025 13:22:12 +0200
|
||||
Subject: [PATCH 60/60] Fixup - no dup versions for UEFI
|
||||
|
||||
---
|
||||
crypto/evp/digest.c | 2 +-
|
||||
crypto/evp/evp_enc.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
|
||||
index 3c80b9dfe1..8ee9db73dd 100644
|
||||
--- a/crypto/evp/digest.c
|
||||
+++ b/crypto/evp/digest.c
|
||||
@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
|
||||
}
|
||||
|
||||
EVP_MD_CTX
|
||||
-#if !defined(FIPS_MODULE)
|
||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||
__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
|
||||
symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
|
||||
#endif
|
||||
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
|
||||
index 7c51786515..619cf4f385 100644
|
||||
--- a/crypto/evp/evp_enc.c
|
||||
+++ b/crypto/evp/evp_enc.c
|
||||
@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
|
||||
}
|
||||
|
||||
EVP_CIPHER_CTX
|
||||
-#if !defined(FIPS_MODULE)
|
||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||
__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
|
||||
symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
|
||||
#endif
|
||||
--
|
||||
2.49.0
|
||||
|
||||
14
openssl.spec
14
openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.5.0
|
||||
Release: 3%{?dist}.alma.1
|
||||
Release: 4%{?dist}.alma.1
|
||||
Epoch: 1
|
||||
Source0: openssl-%{version}.tar.gz
|
||||
Source1: fips-hmacify.sh
|
||||
@ -97,7 +97,9 @@ Patch0054: 0054-Red-Hat-9-FIPS-indicator-defines.patch
|
||||
Patch0055: 0055-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
|
||||
Patch0056: 0056-hashfunc-add-stddef.h-include.patch
|
||||
Patch0057: 0057-rio-add-RIO_POLL_METHOD_NONE.patch
|
||||
|
||||
Patch0058: 0058-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
|
||||
Patch0059: 0059-Fixup-permit-SHA1-as-MGF1-digest.patch
|
||||
Patch0060: 0060-Fixup-no-dup-versions-for-UEFI.patch
|
||||
|
||||
License: Apache-2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -439,9 +441,15 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Thu May 15 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.0-3.alma.1
|
||||
* Fri May 23 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.0-4.alma.1
|
||||
- Redefine sslarch for x86_64_v2 arch
|
||||
|
||||
* Thu May 22 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-4
|
||||
- Fix regressions caused by rebase to OpenSSL 3.5
|
||||
Related: RHEL-80811
|
||||
- Fix UEFI builds on double function definitions
|
||||
Resolves: RHEL-93168
|
||||
|
||||
* Wed May 14 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-3
|
||||
- Fix `openssl speed` running in FIPS mode
|
||||
Resolves: RHEL-88908
|
||||
|
||||
Loading…
Reference in New Issue
Block a user