From 79196c588d2b616f67e74add6241dae4af0effc5 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 17 Jul 2025 09:43:10 -0400
Subject: [PATCH] Add custom define to disable symbol versioning in downstream patched code
Also add stricter Suggests for openssl-fips-provider
Resolves: RHEL-104236
Signed-off-by: Simo Sorce
---
 ...-define-to-disable-symver-attributes.patch | 66 +++++++++++++++++++
 openssl.spec | 12 +++-
 2 files changed, 75 insertions(+), 3 deletions(-)
 create mode 100644 0055-Add-a-define-to-disable-symver-attributes.patch
diff --git a/0055-Add-a-define-to-disable-symver-attributes.patch b/0055-Add-a-define-to-disable-symver-attributes.patch
new file mode 100644
index 0000000..483c151
--- /dev/null
+++ b/0055-Add-a-define-to-disable-symver-attributes.patch
@@ -0,0 +1,66 @@
+From 5d70f27ffdb520001e560ef0852f29c84e0afa18 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Thu, 17 Jul 2025 09:40:34 -0400
+Subject: [PATCH] Add a define to disable symver attributes
+
+Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
+compatibility symver attributes.
+
+Signed-off-by: Simo Sorce
+---
+ crypto/evp/digest.c | 2 +-
+ crypto/evp/evp_enc.c | 2 +-
+ crypto/o_str.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 8ee9db73dd..7ed4933934 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
+ }
+
+ EVP_MD_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
+ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index 619cf4f385..9192898d39 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+ }
+
+ EVP_CIPHER_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
+ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/o_str.c b/crypto/o_str.c
+index 86442a939e..8c33e4dd63 100644
+--- a/crypto/o_str.c
++++ b/crypto/o_str.c
+@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
+ }
+
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
+ symver
("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
+ #endif
+@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
+ }
+
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
+ #endif
+--
+2.50.1
+
diff --git a/openssl.spec b/openssl.spec
index 7e38653..841945f 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.5.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@@ -95,6 +95,7 @@ Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
 Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
 %endif
 Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
+Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
 #The patches that are different for RHEL9 and 10 start here
 Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
@@ -128,7 +129,7 @@ Requires: ca-certificates >= 2008-5
 Requires: crypto-policies >= 20180730
 %if %{defined rhel}
 Requires: openssl-fips-provider
-Suggests: openssl-fips-provider
+Suggests: openssl-fips-provider >= 3.0.7-6
 %endif
 %description libs
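Review bot: `RHEL_NO_SYMVER_ATTRIBUTES` is introduced in four `#if` guards (crypto/evp/digest.c, crypto/evp/evp_enc.c and two in crypto/o_str.c) with no comment in the code saying which builds are meant to define it or that defining it drops both `symver` bindings for the function that follows. Since these attributes decide which versioned names the library exports, a one-line comment above each guard would help, for example `/* RHEL_NO_SYMVER_ATTRIBUTES: downstream opt-out, omits the compat symver aliases below */`. The same three-term condition is now repeated verbatim four times; defining it once as a helper macro in a shared internal header (presumably one that all three files already include) would keep the guards from drifting apart. Each guarded declaration continues past the end of its hunk, so the function bodies are not visible here.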
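Review bot: The version floor in `Suggests: openssl-fips-provider >= 3.0.7-6` is only a weak hint, while the hard dependency one line above stays an unversioned `Requires: openssl-fips-provider`, so nothing in this hunk stops an older provider build from satisfying the requirement. If 3.0.7-6 is the first provider build that works with this package (presumably tied to the symbol-versioning change in the same commit, though the page does not say), consider putting the floor on the `Requires:` line or adding a matching `Conflicts:` entry. If the weak form is intentional, a spec comment above the line such as `# 3.0.7-6: <reason for the floor>` would record why that release was chosen.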
@@ -448,7 +449,12 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 %ldconfig_scriptlets libs
 %changelog
-* Wed Jul 16 2024 Simo Sorce - 1:3.5.1-2
+* Thu Jul 17 2025 Simo Sorce - 1:3.5.1-3
+- Add custom define to disable symbol versioning in downstream patched code
+ Also add stricter Suggests for openssl-fips-provider
+ Resolves: RHEL-104236
+
+* Wed Jul 16 2025 Simo Sorce - 1:3.5.1-2
 - Move fips.so to a seprate subpackage
 Reverts FIPS self test for SLH-DSA
 Add Suggests to try to prefer the openssl-fips-provider package