Add custom define to disable symbol versioning in downstream patched code

Also add stricter Suggests for openssl-fips-provider
  Resolves: RHEL-104236

Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce 2025-07-17 09:43:10 -04:00
parent 4e910fb1a7
commit 79196c588d
2 changed files with 75 additions and 3 deletions


@ -0,0 +1,66 @@
From 5d70f27ffdb520001e560ef0852f29c84e0afa18 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 17 Jul 2025 09:40:34 -0400
Subject: [PATCH] Add a define to disable symver attributes
Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
compatibility symver attributes.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
crypto/evp/digest.c | 2 +-
crypto/evp/evp_enc.c | 2 +-
crypto/o_str.c | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 8ee9db73dd..7ed4933934 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
}
EVP_MD_CTX
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 619cf4f385..9192898d39 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
}
EVP_CIPHER_CTX
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/o_str.c b/crypto/o_str.c
index 86442a939e..8c33e4dd63 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
}
int
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
#endif
@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
}
int
-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
#endif
--
2.50.1
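Review bot: `RHEL_NO_SYMVER_ATTRIBUTES` is tested at all four guards (crypto/evp/digest.c, crypto/evp/evp_enc.c and twice in crypto/o_str.c) but is documented at none of them, so the source does not say what a build gives up by defining it. With the macro set, the `symver` attributes are compiled out and each function loses its two explicit version bindings, for example `EVP_MD_CTX_dup@@OPENSSL_3.1.0` and `EVP_MD_CTX_dup@OPENSSL_3.2.0`; which version the symbol then gets presumably depends on the version script of whatever is being linked. I would add a comment at the first guard along the lines of `/* RHEL_NO_SYMVER_ATTRIBUTES: set only by downstream builds that compile this file outside libcrypto; defining it for the shipped library drops the compat symbol versions */`, with the wording confirmed by the author since the intended consumer is not visible on this page. The guarded function definitions continue outside the hunks.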


@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.5.1 Version: 3.5.1
Release: 2%{?dist} Release: 3%{?dist}
Epoch: 1 Epoch: 1
Source0: openssl-%{version}.tar.gz Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh Source1: fips-hmacify.sh
@ -95,6 +95,7 @@ Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif %endif
Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
#The patches that are different for RHEL9 and 10 start here #The patches that are different for RHEL9 and 10 start here
Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
@ -128,7 +129,7 @@ Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730 Requires: crypto-policies >= 20180730
%if %{defined rhel} %if %{defined rhel}
Requires: openssl-fips-provider Requires: openssl-fips-provider
Suggests: openssl-fips-provider Suggests: openssl-fips-provider >= 3.0.7-6
%endif %endif
%description libs %description libs
@ -448,7 +449,12 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Jul 16 2024 Simo Sorce <simo@redhat.com> - 1:3.5.1-2 * Thu Jul 17 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-3
- Add custom define to disable symbol versioning in downstream patched code
Also add stricter Suggests for openssl-fips-provider
Resolves: RHEL-104236
* Wed Jul 16 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-2
- Move fips.so to a seprate subpackage - Move fips.so to a seprate subpackage
Reverts FIPS self test for SLH-DSA Reverts FIPS self test for SLH-DSA
Add Suggests to try to prefer the openssl-fips-provider package Add Suggests to try to prefer the openssl-fips-provider package
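Review bot: The new floor `>= 3.0.7-6` sits on `Suggests:`, which is only a hint to the dependency solver and never blocks a transaction, while the `Requires: openssl-fips-provider` on the line above it stays unversioned, so an older provider still satisfies the hard dependency. If 3.0.7-6 is a real minimum for this libs build rather than a preference between providers (the page does not say), it should be enforced, for example with `Conflicts: openssl-fips-provider < 3.0.7-6`. If it is only a preference, a spec comment above the `Suggests:` line such as `# Weak hint only: prefer openssl-fips-provider at this release or later` would keep a later reader from treating it as a guarantee.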