From 78a467efccb7390945642ae69ded62cb7090e42e Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Tue, 18 Jan 2022 18:30:10 +0100 Subject: [PATCH] Rebase to upstream version 3.0.1 Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl Resolves: rhbz#2038910, rhbz#2035148 Signed-off-by: Sahana Prasad --- .gitignore | 1 + ...PROFILE-SYSTEM-system-default-cipher.patch | 8 - 0009-Add-Kernel-FIPS-mode-flag-support.patch | 10 +- 0030-tmp-Fix-rng-seed-double-free.patch | 18 - 0032-Force-fips.patch | 258 +++++++------- 0034.fipsinstall_disable.patch | 326 +++++++++--------- 0100-coverity.patch | 12 - openssl.spec | 13 +- sources | 2 +- 9 files changed, 316 insertions(+), 332 deletions(-) delete mode 100644 0030-tmp-Fix-rng-seed-double-free.patch delete mode 100644 0100-coverity.patch diff --git a/.gitignore b/.gitignore index 7cdad35..a662a8e 100644 --- a/.gitignore +++ b/.gitignore @@ -53,3 +53,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.1.1j-hobbled.tar.xz /openssl-1.1.1k-hobbled.tar.xz /openssl-3.0.0-hobbled.tar.xz +/openssl-3.0.1-hobbled.tar.xz diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index a32c9e8..9917fcf 100644 --- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -216,14 +216,6 @@ index b1d3f7919e..f7cc7fed48 100644 /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, - - if (!sk_SSL_CIPHER_push(cipherstack, sslc)) { - sk_SSL_CIPHER_free(cipherstack); -+ OPENSSL_free(co_list); - return NULL; - } - } @@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, *cipher_list = cipherstack; diff --git a/0009-Add-Kernel-FIPS-mode-flag-support.patch b/0009-Add-Kernel-FIPS-mode-flag-support.patch index 73bd7f9..01bd840 100644 --- a/0009-Add-Kernel-FIPS-mode-flag-support.patch +++ b/0009-Add-Kernel-FIPS-mode-flag-support.patch @@ -56,12 +56,12 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1 return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL) && context_init(&default_context_int); } -diff -up openssl-3.0.0/include/internal/provider.h.embed-fips openssl-3.0.0/include/internal/provider.h ---- openssl-3.0.0/include/internal/provider.h.embed-fips 2021-11-12 12:18:36.215333452 +0100 -+++ openssl-3.0.0/include/internal/provider.h 2021-11-12 12:22:41.298409269 +0100 -@@ -109,6 +109,9 @@ int ossl_provider_init_as_child(OSSL_LIB - const OSSL_CORE_HANDLE *handle, +diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h +--- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100 ++++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100 +@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB const OSSL_DISPATCH *in); + void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); +/* FIPS flag access */ +int ossl_get_kernel_fips_flag(void); diff --git a/0030-tmp-Fix-rng-seed-double-free.patch b/0030-tmp-Fix-rng-seed-double-free.patch deleted file mode 100644 index 35658eb..0000000 --- a/0030-tmp-Fix-rng-seed-double-free.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c -index 173c99ce1732..7a4b780bb469 100644 ---- a/providers/implementations/rands/seed_src.c -+++ b/providers/implementations/rands/seed_src.c -@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout, - ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); - return 0; - } -- *pout = p; - if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance, -- adin, adin_len) != 0) -+ adin, adin_len) != 0) { -+ *pout = p; - return bytes_needed; -+ } - OPENSSL_secure_clear_free(p, bytes_needed); - return 0; - } diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch index 84687e4..9f83fcd 100644 --- a/0032-Force-fips.patch +++ b/0032-Force-fips.patch @@ -1,139 +1,145 @@ -diff -up openssl-3.0.0/crypto/provider_conf.c.fips-force openssl-3.0.0/crypto/provider_conf.c ---- openssl-3.0.0/crypto/provider_conf.c.fips-force 2021-11-12 14:21:01.878339467 +0100 -+++ openssl-3.0.0/crypto/provider_conf.c 2021-11-12 16:13:19.301542866 +0100 -@@ -136,13 +136,73 @@ static int prov_already_activated(const +#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite +#(partial) of the function provider_conf_load() under the 'if (activate) section. +#If there is any change to this section, after deleting it in provider_conf_load() +#ensure that you also add those changes to the provider_conf_activate() function. +#additionally please add this check for cnf explicitly as shown below. +#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;' +diff -up openssl-3.0.1/crypto/provider_conf.c.fips-FORCE openssl-3.0.1/crypto/provider_conf.c +--- openssl-3.0.1/crypto/provider_conf.c.fips-FORCE 2022-01-18 15:36:00.956141345 +0100 ++++ openssl-3.0.1/crypto/provider_conf.c 2022-01-18 15:42:36.345172203 +0100 +@@ -136,58 +136,18 @@ static int prov_already_activated(const return 0; } - -+static int provider_conf_activate(OSSL_LIB_CTX *libctx, PROVIDER_CONF_GLOBAL *pcgbl, -+ const char *name, const char *value, const char *path, + +-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, +- const char *value, const CONF *cnf) ++static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name, ++ const char *value, const char *path, + int soft, const CONF *cnf) -+{ -+ int ok = 0; + { +- int i; +- STACK_OF(CONF_VALUE) *ecmds; +- int soft = 0; +- OSSL_PROVIDER *prov = NULL, *actual = NULL; +- const char *path = NULL; +- long activate = 0; + int ok = 0; +- +- name = skip_dot(name); +- OSSL_TRACE1(CONF, "Configuring provider %s\n", name); +- /* Value is a section containing PROVIDER commands */ +- ecmds = NCONF_get_section(cnf, value); +- +- if (!ecmds) { +- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, +- "section=%s not found", value); +- return 0; +- } +- +- /* Find the needed data first */ +- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { +- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); +- const char *confname = skip_dot(ecmd->name); +- const char *confvalue = ecmd->value; +- +- OSSL_TRACE2(CONF, "Provider command: %s = %s\n", +- confname, confvalue); +- +- /* First handle some special pseudo confs */ +- +- /* Override provider name to use */ +- if (strcmp(confname, "identity") == 0) +- name = confvalue; +- else if (strcmp(confname, "soft_load") == 0) +- soft = 1; +- /* Load a dynamic PROVIDER */ +- else if (strcmp(confname, "module") == 0) +- path = confvalue; +- else if (strcmp(confname, "activate") == 0) +- activate = 1; +- } +- +- if (activate) { +- PROVIDER_CONF_GLOBAL *pcgbl +- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, +- &provider_conf_ossl_ctx_method); + OSSL_PROVIDER *prov = NULL, *actual = NULL; -+ -+ if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) { -+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ if (!prov_already_activated(name, pcgbl->activated_providers)) { -+ /* -+ * There is an attempt to activate a provider, so we should disable -+ * loading of fallbacks. Otherwise a misconfiguration could mean the -+ * intended provider does not get loaded. Subsequent fetches could -+ * then fallback to the default provider - which may be the wrong -+ * thing. -+ */ -+ if (!ossl_provider_disable_fallback_loading(libctx)) { -+ CRYPTO_THREAD_unlock(pcgbl->lock); -+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ prov = ossl_provider_find(libctx, name, 1); -+ if (prov == NULL) -+ prov = ossl_provider_new(libctx, name, NULL, 1); -+ if (prov == NULL) { -+ CRYPTO_THREAD_unlock(pcgbl->lock); -+ if (soft) -+ ERR_clear_error(); -+ return 0; -+ } -+ -+ if (path != NULL) -+ ossl_provider_set_module_path(prov, path); -+ -+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; -+ -+ if (ok) { -+ if (!ossl_provider_activate(prov, 1, 0)) { -+ ok = 0; -+ } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { -+ ossl_provider_deactivate(prov); -+ ok = 0; -+ } else { -+ if (pcgbl->activated_providers == NULL) -+ pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); -+ sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual); -+ ok = 1; -+ } -+ } -+ if (!ok) -+ ossl_provider_free(prov); -+ } -+ CRYPTO_THREAD_unlock(pcgbl->lock); ++ PROVIDER_CONF_GLOBAL *pcgbl ++ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, ++ &provider_conf_ossl_ctx_method); + + if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { +- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); ++ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + return 0; + } + if (!prov_already_activated(name, pcgbl->activated_providers)) { +@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C + if (path != NULL) + ossl_provider_set_module_path(prov, path); + +- ok = provider_conf_params(prov, NULL, NULL, value, cnf); ++ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; + + if (ok) { + if (!ossl_provider_activate(prov, 1, 0)) { +@@ -246,6 +206,55 @@ static int provider_conf_load(OSSL_LIB_C + ossl_provider_free(prov); + } + CRYPTO_THREAD_unlock(pcgbl->lock); + return ok; +} + ++static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, ++ const char *value, const CONF *cnf) ++{ ++ int i; ++ STACK_OF(CONF_VALUE) *ecmds; ++ int soft = 0; ++ const char *path = NULL; ++ long activate = 0; ++ int ok = 0; + ++ name = skip_dot(name); ++ OSSL_TRACE1(CONF, "Configuring provider %s\n", name); ++ /* Value is a section containing PROVIDER commands */ ++ ecmds = NCONF_get_section(cnf, value); + - static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, - const char *value, const CONF *cnf) - { - int i; - STACK_OF(CONF_VALUE) *ecmds; - int soft = 0; -- OSSL_PROVIDER *prov = NULL, *actual = NULL; - const char *path = NULL; - long activate = 0; - int ok = 0; -@@ -185,55 +245,7 @@ static int provider_conf_load(OSSL_LIB_C - } - - if (activate) { -- if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) { -- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -- return 0; -- } -- if (!prov_already_activated(name, pcgbl->activated_providers)) { -- /* -- * There is an attempt to activate a provider, so we should disable -- * loading of fallbacks. Otherwise a misconfiguration could mean the -- * intended provider does not get loaded. Subsequent fetches could -- * then fallback to the default provider - which may be the wrong -- * thing. -- */ -- if (!ossl_provider_disable_fallback_loading(libctx)) { -- CRYPTO_THREAD_unlock(pcgbl->lock); -- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -- return 0; -- } -- prov = ossl_provider_find(libctx, name, 1); -- if (prov == NULL) -- prov = ossl_provider_new(libctx, name, NULL, 1); -- if (prov == NULL) { -- CRYPTO_THREAD_unlock(pcgbl->lock); -- if (soft) -- ERR_clear_error(); -- return 0; -- } -- -- if (path != NULL) -- ossl_provider_set_module_path(prov, path); -- -- ok = provider_conf_params(prov, NULL, NULL, value, cnf); -- -- if (ok) { -- if (!ossl_provider_activate(prov, 1, 0)) { -- ok = 0; -- } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { -- ossl_provider_deactivate(prov); -- ok = 0; -- } else { -- if (pcgbl->activated_providers == NULL) -- pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); -- sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual); -- ok = 1; -- } -- } -- if (!ok) -- ossl_provider_free(prov); -- } -- CRYPTO_THREAD_unlock(pcgbl->lock); -+ ok = provider_conf_activate(libctx, pcgbl, name, value, path, soft, cnf); ++ if (!ecmds) { ++ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, ++ "section=%s not found", value); ++ return 0; ++ } ++ ++ /* Find the needed data first */ ++ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { ++ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); ++ const char *confname = skip_dot(ecmd->name); ++ const char *confvalue = ecmd->value; ++ ++ OSSL_TRACE2(CONF, "Provider command: %s = %s\n", ++ confname, confvalue); ++ ++ /* First handle some special pseudo confs */ ++ ++ /* Override provider name to use */ ++ if (strcmp(confname, "identity") == 0) ++ name = confvalue; ++ else if (strcmp(confname, "soft_load") == 0) ++ soft = 1; ++ /* Load a dynamic PROVIDER */ ++ else if (strcmp(confname, "module") == 0) ++ path = confvalue; ++ else if (strcmp(confname, "activate") == 0) ++ activate = 1; ++ } ++ ++ if (activate) { ++ ok = provider_conf_activate(libctx, name, value, path, soft, cnf); } else { OSSL_PROVIDER_INFO entry; -@@ -294,6 +306,19 @@ static int provider_conf_init(CONF_IMODU +@@ -306,6 +315,19 @@ static int provider_conf_init(CONF_IMODU return 0; } @@ -142,9 +148,9 @@ diff -up openssl-3.0.0/crypto/provider_conf.c.fips-force openssl-3.0.0/crypto/pr + PROVIDER_CONF_GLOBAL *pcgbl + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, + &provider_conf_ossl_ctx_method); -+ if (provider_conf_activate(libctx, pcgbl, "fips", NULL, NULL, 0, NULL) != 1) ++ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) + return 0; -+ if (provider_conf_activate(libctx, pcgbl, "base", NULL, NULL, 0, NULL) != 1) ++ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) + return 0; + if (EVP_default_properties_enable_fips(libctx, 1) != 1) + return 0; diff --git a/0034.fipsinstall_disable.patch b/0034.fipsinstall_disable.patch index b0e0c4b..c4f9efd 100644 --- a/0034.fipsinstall_disable.patch +++ b/0034.fipsinstall_disable.patch @@ -11,10 +11,160 @@ diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) goto end; -diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in ---- openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx 2021-11-22 13:19:55.192959061 +0100 -+++ openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in 2021-11-22 13:20:56.978491104 +0100 -@@ -8,224 +8,10 @@ openssl-fipsinstall - perform FIPS confi +diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod +--- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100 ++++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100 +@@ -158,10 +158,6 @@ Engine (loadable module) information and + + Error Number to Error String Conversion. + +-=item B +- +-FIPS configuration installation. +- + =item B + + Generation of DSA Private Key from Parameters. Superseded by +diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod +--- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100 ++++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100 +@@ -573,7 +573,6 @@ configuration files using that syntax wi + =head1 SEE ALSO + + L, L, L, +-L, + L, + L, + L, +diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod +--- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100 ++++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100 +@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration + + =head1 DESCRIPTION + +-A separate configuration file, using the OpenSSL L syntax, +-is used to hold information about the FIPS module. This includes a digest +-of the shared library file, and status about the self-testing. +-This data is used automatically by the module itself for two +-purposes: +- +-=over 4 +- +-=item - Run the startup FIPS self-test known answer tests (KATS). +- +-This is normally done once, at installation time, but may also be set up to +-run each time the module is used. +- +-=item - Verify the module's checksum. +- +-This is done each time the module is used. +- +-=back +- +-This file is generated by the L program, and +-used internally by the FIPS module during its initialization. +- +-The following options are supported. They should all appear in a section +-whose name is identified by the B option in the B +-section, as described in L. +- +-=over 4 +- +-=item B +- +-If present, the module is activated. The value assigned to this name is not +-significant. +- +-=item B +- +-A version number for the fips install process. Should be 1. +- +-=item B +- +-The FIPS module normally enters an internal error mode if any self test fails. +-Once this error mode is active, no services or cryptographic algorithms are +-accessible from this point on. +-Continuous tests are a subset of the self tests (e.g., a key pair test during key +-generation, or the CRNG output test). +-Setting this value to C<0> allows the error mode to not be triggered if any +-continuous test fails. The default value of C<1> will trigger the error mode. +-Regardless of the value, the operation (e.g., key generation) that called the +-continuous test will return an error code if its continuous test fails. The +-operation may then be retried if the error mode has not been triggered. +- +-=item B +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. +-A value of '1' will perform the checks, otherwise if the value is '0' the checks +-are not performed and FIPS compliance must be done by procedures documented in +-the relevant Security Policy. +- +-=item B +- +-The calculated MAC of the FIPS provider file. +- +-=item B +- +-An indicator that the self-tests were successfully run. +-This should only be written after the module has +-successfully passed its self tests during installation. +-If this field is not present, then the self tests will run when the module +-loads. +- +-=item B +- +-A MAC of the value of the B option, to prevent accidental +-changes to that value. +-It is written-to at the same time as B is updated. +- +-=back +- +-For example: +- +- [fips_sect] +- activate = 1 +- install-version = 1 +- conditional-errors = 1 +- security-checks = 1 +- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC +- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C +- install-status = INSTALL_SELF_TEST_KATS_RUN +- +-=head1 NOTES +- +-When using the FIPS provider, it is recommended that the +-B option is enabled to prevent accidental use of +-non-FIPS validated algorithms via broken or mistaken configuration. +-See L. +- +-=head1 SEE ALSO +- +-L +-L ++This command is disabled in Red Hat Enterprise Linux. The FIPS provider is ++automatically loaded when the system is booted in FIPS mode, or when the ++environment variable B is set. See the documentation ++for more information. + + =head1 COPYRIGHT + +diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod +--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100 ++++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100 +@@ -388,7 +388,6 @@ A simple self test callback is shown bel + + =head1 SEE ALSO + +-L, + L, + L, + L, +diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in +--- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100 ++++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100 +@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi =head1 SYNOPSIS B @@ -37,7 +187,7 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc -[B<-config> I] =head1 DESCRIPTION - +- -This command is used to generate a FIPS module configuration file. -This configuration file can be used each time a FIPS module is loaded -in order to pass data to the FIPS module self tests. The FIPS module always @@ -207,6 +357,18 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc - -=back - +-=head1 NOTES +- +-Self tests results are logged by default if the options B<-quiet> and B<-noout> +-are not specified, or if either of the options B<-corrupt_desc> or +-B<-corrupt_type> are used. +-If the base configuration file is set up to autoload the fips module, then the +-fips module will be loaded and self tested BEFORE the fipsinstall application +-has a chance to set up its own self test callback. As a result of this the self +-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored. +-For normal usage the base configuration file should use the default provider +-when generating the fips configuration file. +- -=head1 EXAMPLES - -Calculate the mac of a FIPS module F and run a FIPS self test @@ -236,157 +398,9 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc -L, -L, -L -+This command is disabled. Please consult Red Hat Enterprise Linux documentation to learn how to correctly enable FIPS mode on Red Hat Enterprise Linux. ++This command is disabled. ++Please consult Red Hat Enterprise Linux documentation to learn how to correctly ++enable FIPS mode on Red Hat Enterprise =head1 COPYRIGHT -diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod ---- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100 -+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100 -@@ -158,10 +158,6 @@ Engine (loadable module) information and - - Error Number to Error String Conversion. - --=item B -- --FIPS configuration installation. -- - =item B - - Generation of DSA Private Key from Parameters. Superseded by -diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod ---- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100 -+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100 -@@ -573,7 +573,6 @@ configuration files using that syntax wi - =head1 SEE ALSO - - L, L, L, --L, - L, - L, - L, -diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod ---- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100 -+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100 -@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration - - =head1 DESCRIPTION - --A separate configuration file, using the OpenSSL L syntax, --is used to hold information about the FIPS module. This includes a digest --of the shared library file, and status about the self-testing. --This data is used automatically by the module itself for two --purposes: -- --=over 4 -- --=item - Run the startup FIPS self-test known answer tests (KATS). -- --This is normally done once, at installation time, but may also be set up to --run each time the module is used. -- --=item - Verify the module's checksum. -- --This is done each time the module is used. -- --=back -- --This file is generated by the L program, and --used internally by the FIPS module during its initialization. -- --The following options are supported. They should all appear in a section --whose name is identified by the B option in the B --section, as described in L. -- --=over 4 -- --=item B -- --If present, the module is activated. The value assigned to this name is not --significant. -- --=item B -- --A version number for the fips install process. Should be 1. -- --=item B -- --The FIPS module normally enters an internal error mode if any self test fails. --Once this error mode is active, no services or cryptographic algorithms are --accessible from this point on. --Continuous tests are a subset of the self tests (e.g., a key pair test during key --generation, or the CRNG output test). --Setting this value to C<0> allows the error mode to not be triggered if any --continuous test fails. The default value of C<1> will trigger the error mode. --Regardless of the value, the operation (e.g., key generation) that called the --continuous test will return an error code if its continuous test fails. The --operation may then be retried if the error mode has not been triggered. -- --=item B -- --This indicates if run-time checks related to enforcement of security parameters --such as minimum security strength of keys and approved curve names are used. --A value of '1' will perform the checks, otherwise if the value is '0' the checks --are not performed and FIPS compliance must be done by procedures documented in --the relevant Security Policy. -- --=item B -- --The calculated MAC of the FIPS provider file. -- --=item B -- --An indicator that the self-tests were successfully run. --This should only be written after the module has --successfully passed its self tests during installation. --If this field is not present, then the self tests will run when the module --loads. -- --=item B -- --A MAC of the value of the B option, to prevent accidental --changes to that value. --It is written-to at the same time as B is updated. -- --=back -- --For example: -- -- [fips_sect] -- activate = 1 -- install-version = 1 -- conditional-errors = 1 -- security-checks = 1 -- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC -- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C -- install-status = INSTALL_SELF_TEST_KATS_RUN -- --=head1 NOTES -- --When using the FIPS provider, it is recommended that the --B option is enabled to prevent accidental use of --non-FIPS validated algorithms via broken or mistaken configuration. --See L. -- --=head1 SEE ALSO -- --L --L -+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is -+automatically loaded when the system is boots in FIPS mode, or when the -+environment variable B is set. See the documentation -+for more information. - - =head1 COPYRIGHT - -diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod ---- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100 -+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100 -@@ -388,7 +388,6 @@ A simple self test callback is shown bel - - =head1 SEE ALSO - --L, - L, - L, - L, diff --git a/0100-coverity.patch b/0100-coverity.patch deleted file mode 100644 index d81d531..0000000 --- a/0100-coverity.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-3.0.0/apps/s_client.c.coverity openssl-3.0.0/apps/s_client.c ---- openssl-3.0.0/apps/s_client.c.coverity 2021-10-07 16:59:37.938432118 +0200 -+++ openssl-3.0.0/apps/s_client.c 2021-10-07 17:00:52.994075755 +0200 -@@ -3040,6 +3040,8 @@ int s_client_main(int argc, char **argv) - #endif - OPENSSL_free(connectstr); - OPENSSL_free(bindstr); -+ OPENSSL_free(bindhost); -+ OPENSSL_free(bindport); - OPENSSL_free(host); - OPENSSL_free(port); - OPENSSL_free(thost); diff --git a/openssl.spec b/openssl.spec index dac2042..771a027 100644 --- a/openssl.spec +++ b/openssl.spec @@ -14,8 +14,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.0.0 -Release: 7%{?dist} +Version: 3.0.1 +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -55,8 +55,6 @@ Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch Patch11: 0011-Remove-EC-curves.patch # Instructions to load legacy provider in openssl.cnf Patch24: 0024-load-legacy-prov.patch -# Tmp: Upstream #16636 -Patch30: 0030-tmp-Fix-rng-seed-double-free.patch # Tmp: test name change Patch31: 0031-tmp-Fix-test-names.patch # We load FIPS provider and set FIPS properties implicitly @@ -71,8 +69,6 @@ Patch35: 0035-speed-skip-unavailable-dgst.patch Patch45: 0045-FIPS-services-minimize.patch # Enable SHA1 HMAC in FIPS mode Patch46: 0046-FIPS-permitsha1-hmac.patch -# Tmp: coverity -Patch100: 0100-coverity.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -400,6 +396,11 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue Jan 18 2022 Sahana Prasad - 1:3.0.1-1 +- Rebase to upstream version 3.0.1 +- Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl +- Resolves: rhbz#2038910, rhbz#2035148 + * Mon Jan 17 2022 Dmitry Belyavskiy - 1:3.0.0-7 - Remove algorithms we don't plan to certify from fips module - Remove native fipsmodule.cnf diff --git a/sources b/sources index 4173974..adeef22 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27 +SHA512 (openssl-3.0.1-hobbled.tar.xz) = 8819d02a6961c2398d0fb4003f25a322f752254b5c3440cd3e9456df5c56dadbc8a1aa6f821f176941293d67771304b3a565b3b8ce7a3ac0b7ad221da97c4dfe