Add custom define to disable symbol versioning in downstream patched code

Also add stricter Suggests for openssl-fips-provider
  Resolves: RHEL-101548

Signed-off-by: Simo Sorce <simo@redhat.com>

0055-Add-a-define-to-disable-symver-attributes.patch

@@ -0,0 +1,66 @@
+From 5d70f27ffdb520001e560ef0852f29c84e0afa18 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 17 Jul 2025 09:40:34 -0400
+Subject: [PATCH] Add a define to disable symver attributes
+
+Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
+compatibility symver attributes.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ crypto/evp/digest.c  | 2 +-
+ crypto/evp/evp_enc.c | 2 +-
+ crypto/o_str.c       | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 8ee9db73dd..7ed4933934 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
+ }
+ 
+ EVP_MD_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
+                     symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index 619cf4f385..9192898d39 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+ }
+ 
+ EVP_CIPHER_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
+                     symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/o_str.c b/crypto/o_str.c
+index 86442a939e..8c33e4dd63 100644
+--- a/crypto/o_str.c
++++ b/crypto/o_str.c
+@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
+ }
+ 
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
+                     symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
+ #endif
+@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
+ }
+ 
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
+                     symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
+ #endif
+-- 
+2.50.1
+

openssl.spec

@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.5.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@@ -96,6 +96,7 @@ Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
 Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
 %endif
 Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
+Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -451,6 +452,11 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-3
+- Add custom define to disable symbol versioning in downstream patched code
+  Also add stricter Suggests for openssl-fips-provider
+  Resolves: RHEL-101548
+
 * Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-2
 - Move fips.so to a seprate subpackage
   Reverts FIPS self test for SLH-DSA