From e331fc1326c2b7ab9fefaf8fcbf2bf7d58243199 Mon Sep 17 00:00:00 2001
From: Sahana Prasad
Date: Thu, 26 Oct 2023 12:29:21 +0200
Subject: [PATCH] Rebase to upstream version 3.1.4
Signed-off-by: Sahana Prasad
---
 .gitignore | 1 +
 0003-Do-not-install-html-docs.patch | 22 ++++++++-------
 0033-FIPS-embed-hmac.patch | 34 ++++++++++++------------
 0047-FIPS-early-KATS.patch | 20 +++++++-------
 0079-RSA-PKCS15-implicit-rejection.patch | 32 +++++++++++-----------
 openssl.spec | 10 +++++--
 sources | 2 +-
 7 files changed, 66 insertions(+), 55 deletions(-)
diff --git a/.gitignore b/.gitignore
index c518dfe..f10a7f7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -59,3 +59,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-3.0.8-hobbled.tar.gz
 /openssl-3.0.8.tar.gz
 /openssl-3.1.1.tar.gz
+/openssl-3.1.4.tar.gz
diff --git a/0003-Do-not-install-html-docs.patch b/0003-Do-not-install-html-docs.patch
index 66d62e0..c31e09b 100644
--- a/0003-Do-not-install-html-docs.patch
+++ b/0003-Do-not-install-html-docs.patch
@@ -1,18 +1,22 @@
-From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Thu, 24 Sep 2020 09:05:55 +0200
-Subject: Do not install html docs
+From a3e7963320ba44e96a60b389fccb8e1cccc30674 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Thu, 19 Oct 2023 13:12:39 +0200
+Subject: [PATCH 03/46] 0003-Do-not-install-html-docs.patch
-(was openssl-1.1.1-no-html.patch)
+Patch-name: 0003-Do-not-install-html-docs.patch
+Patch-id: 3
+Patch-status: |
+ # # Do not install html docs
+From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
 ---
 Configurations/unix-Makefile.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 342e46d24d..9f369edf0e 100644
+index a48fae5fb8..56b42926e7 100644
 --- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl -@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime +@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev @@ -20,7 +24,7 @@ index 342e46d24d..9f369edf0e 100644 +install_docs: install_man_docs uninstall_docs: uninstall_man_docs uninstall_html_docs - $(RM) -r $(DESTDIR)$(DOCDIR) + $(RM) -r "$(DESTDIR)$(DOCDIR)" -- -2.26.2 +2.41.0 diff --git a/0033-FIPS-embed-hmac.patch b/0033-FIPS-embed-hmac.patch index adab1f1..3894422 100644 --- a/0033-FIPS-embed-hmac.patch +++ b/0033-FIPS-embed-hmac.patch @@ -1,13 +1,13 @@ -From ed02a8b9e767224dc7512a4a176e4aae045b3573 Mon Sep 17 00:00:00 2001 +From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001 From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 +Date: Thu, 19 Oct 2023 13:12:40 +0200 Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch Patch-name: 0033-FIPS-embed-hmac.patch Patch-id: 33 Patch-status: | - # Embed HMAC into the fips.so -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # Embed HMAC into the fips.so +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 --- providers/fips/self_test.c | 70 ++++++++++++++++++++++++--- test/fipsmodule.cnf | 2 + @@ -21,10 +21,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd create mode 100644 test/fipsmodule.cnf diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c -index 10804d9f59..5e418a2c11 100644 +index b8dc9817b2..e3a629018a 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c -@@ -231,11 +231,27 @@ err: +@@ -230,11 +230,27 @@ err: return ok; } 
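Review bot: The regenerated header of 0003-Do-not-install-html-docs.patch drops the patch's original provenance: `From: Tomas Mraz`, the 2020 date and `(was openssl-1.1.1-no-html.patch)` are replaced by `From: rpm-build` and a generated subject, so the file no longer records who wrote the change or where it came from. If the tooling allows it, carry that forward in the `Patch-status` block, for example `# Original author: Tomas Mraz (was openssl-1.1.1-no-html.patch)`. The `Patch-status` text also gains a doubled comment prefix (`# # Do not install html docs`, and likewise in the 0033, 0047 and 0079 headers), which looks like the regeneration step re-prefixing an existing comment; the earlier revisions of 0033, 0047 and 0079 carried a single `# `.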
@@ -52,7 +52,7 @@ index 10804d9f59..5e418a2c11 100644 static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, unsigned char *expected, size_t expected_len, OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, -@@ -248,12 +264,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex +@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex EVP_MAC *mac = NULL; EVP_MAC_CTX *ctx = NULL; OSSL_PARAM params[2], *p = params; @@ -76,7 +76,7 @@ index 10804d9f59..5e418a2c11 100644 mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); if (mac == NULL) goto err; -@@ -267,13 +294,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex +@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) goto err; @@ -121,7 +121,7 @@ index 10804d9f59..5e418a2c11 100644 if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) goto err; -@@ -283,6 +339,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex +@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex goto err; ret = 1; err: @@ -129,8 +129,8 @@ index 10804d9f59..5e418a2c11 100644 OSSL_SELF_TEST_onend(ev, ret); EVP_MAC_CTX_free(ctx); EVP_MAC_free(mac); -@@ -349,8 +406,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - CRYPTO_THREAD_unlock(fips_state_lock); +@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + return 0; } - if (st == NULL @@ -139,7 +139,7 @@ index 10804d9f59..5e418a2c11 100644 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); goto end; } -@@ -359,8 +415,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) if (ev == NULL) goto end; 
@@ -151,7 +151,7 @@ index 10804d9f59..5e418a2c11 100644 if (module_checksum == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); goto end; -@@ -434,7 +491,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) end: EVP_RAND_free(testrand); OSSL_SELF_TEST_free(ev); @@ -207,12 +207,12 @@ index b8b136d110..8242f4ebc3 100644 # Compatible options for pedantic FIPS compliance my @pedantic_okay = diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t -index 426bd660d1..6dc514936b 100644 +index c8f145405b..56a2ec5dc4 100644 --- a/test/recipes/30-test_defltfips.t +++ b/test/recipes/30-test_defltfips.t -@@ -21,7 +21,7 @@ BEGIN { - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "Configuration loading is turned off" + if disabled("autoload-config"); -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); diff --git a/0047-FIPS-early-KATS.patch b/0047-FIPS-early-KATS.patch index 2656115..06dda9a 100644 --- a/0047-FIPS-early-KATS.patch +++ b/0047-FIPS-early-KATS.patch @@ -1,22 +1,22 @@ -From 0242c0317b7c7874148c456aaab1e8eeb156d7c1 Mon Sep 17 00:00:00 2001 +From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001 
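Review bot: The refreshed hunk for test/recipes/30-test_defltfips.t in 0033-FIPS-embed-hmac.patch still replaces the upstream condition with `my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);`, so this recipe never takes its FIPS branch in the package build, whatever the build configuration. Nothing in the patch header says why; presumably the provider with the embedded HMAC cannot be loaded from the build tree, but that is an inference from the patch name. Record the reason and where FIPS provider loading is exercised instead, for example a `Patch-status` line such as `# 30-test_defltfips.t: FIPS branch disabled because <reason>; covered by <other test>`, so a rebase like this one does not carry the disabled test forward unnoticed.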
From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 22/35] 0047-FIPS-early-KATS.patch +Date: Thu, 19 Oct 2023 13:12:40 +0200 +Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch Patch-name: 0047-FIPS-early-KATS.patch Patch-id: 47 Patch-status: | - # Execute KATS before HMAC verification -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # Execute KATS before HMAC verification +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 --- providers/fips/self_test.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c -index ef56002854..062d9df84a 100644 +index e3a629018a..3c09bd8638 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c -@@ -414,6 +414,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) if (ev == NULL) goto end; @@ -33,7 +33,7 @@ index ef56002854..062d9df84a 100644 module_checksum = fips_hmac_container; checksum_len = sizeof(fips_hmac_container); -@@ -464,18 +474,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) } } @@ -50,8 +50,8 @@ index ef56002854..062d9df84a 100644 - } - /* Verify that the RNG has been restored properly */ - testrand = EVP_RAND_fetch(st->libctx, "TEST-RAND", NULL); - if (testrand == NULL + rng = ossl_rand_get0_private_noncreating(st->libctx); + if (rng != NULL) -- 2.41.0 diff --git a/0079-RSA-PKCS15-implicit-rejection.patch b/0079-RSA-PKCS15-implicit-rejection.patch index 09701c8..c72f6e9 100644 --- a/0079-RSA-PKCS15-implicit-rejection.patch +++ b/0079-RSA-PKCS15-implicit-rejection.patch @@ -1,13 +1,13 @@ -From a0d7a92474123c1fb11e13491d2d37f6c43321b0 Mon Sep 17 00:00:00 2001 +From a4ca1cac6b38efe0de1d8afb506cea29f8c60aec Mon Sep 17 00:00:00 2001 
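Review bot: In 0047-FIPS-early-KATS.patch the block removed from SELF_TEST_post (presumably the KAT call, going by the patch name) sits directly above the upstream `/* Verify that the RNG has been restored properly */` check, which after this rebase begins with `rng = ossl_rand_get0_private_noncreating(st->libctx);`. Its replacement is inserted before `module_checksum = fips_hmac_container;`, so that RNG check now runs only after the integrity code in between. The hunks do not show whether a failure in that code jumps to `end` and skips the check, so this is worth confirming against the full function, which starts and ends outside these hunks. The moved block should also say why the order differs from upstream, e.g. `/* KATs run first so the HMAC used by verify_integrity() is self-tested before it is relied on */`, if that is the intended rationale.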
From: rpm-build -Date: Mon, 31 Jul 2023 09:41:29 +0200 -Subject: [PATCH 35/48] 0079-RSA-PKCS15-implicit-rejection.patch +Date: Thu, 19 Oct 2023 13:12:41 +0200 +Subject: [PATCH 34/46] 0079-RSA-PKCS15-implicit-rejection.patch Patch-name: 0079-RSA-PKCS15-implicit-rejection.patch Patch-id: 79 Patch-status: | - # https://github.com/openssl/openssl/pull/13817 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # https://github.com/openssl/openssl/pull/13817 +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 --- crypto/cms/cms_env.c | 7 + crypto/evp/ctrl_params_translate.c | 6 + @@ -30,10 +30,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd 18 files changed, 962 insertions(+), 8 deletions(-) diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c -index 3105d37726..58d44e1940 100644 +index 99cf1dcb39..730f638969 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c -@@ -571,6 +571,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, +@@ -590,6 +590,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, if (!ossl_cms_env_asn1_ctrl(ri, 1)) goto err; @@ -48,12 +48,12 @@ index 3105d37726..58d44e1940 100644 ktri->encryptedKey->data, ktri->encryptedKey->length) <= 0) diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c -index d6f8a10840..51f9a2da57 100644 +index 80947b0932..b10ba41e85 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c -@@ -2256,6 +2256,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { +@@ -2265,6 +2265,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, - OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL }, + OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL }, + { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, 
@@ -515,7 +515,7 @@ index 51507fc030..5cd2b26879 100644 * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 * padding from a decrypted RSA message in a TLS signature. The result is stored diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c -index 44c819a5c3..6556a9ad28 100644 +index 0bf5ac098a..81b031f81b 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -52,6 +52,8 @@ typedef struct { @@ -565,7 +565,7 @@ index 44c819a5c3..6556a9ad28 100644 } *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); ret = constant_time_select_int(constant_time_msb(ret), ret, 1); -@@ -587,6 +597,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) +@@ -591,6 +601,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) *(unsigned char **)p2 = rctx->oaep_label; return rctx->oaep_labellen; @@ -614,7 +614,7 @@ index b0054ead66..dd87829798 100644 =head1 RSA-PSS ALGORITHM diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in -index 186e49e5e4..eab34979de 100644 +index 0a32fd965b..4c462abc8c 100644 --- a/doc/man1/openssl-rsautl.pod.in +++ b/doc/man1/openssl-rsautl.pod.in @@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, @@ -762,10 +762,10 @@ index 949873d0ee..f267e5d9d1 100644 size_t tlen, const unsigned char *from, diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index b431b9f871..f185bc9342 100644 +index 6248dda659..300d1129a4 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h -@@ -296,6 +296,7 @@ extern "C" { +@@ -297,6 +297,7 @@ extern "C" { #define OSSL_PKEY_PARAM_DIST_ID "distid" #define OSSL_PKEY_PARAM_PUB_KEY "pub" #define OSSL_PKEY_PARAM_PRIV_KEY "priv" 
@@ -773,7 +773,7 @@ index b431b9f871..f185bc9342 100644
 /* Diffie-Hellman/DSA Parameters */
 #define OSSL_PKEY_PARAM_FFC_P "p"
-@@ -472,6 +473,7 @@ extern "C" {
+@@ -473,6 +474,7 @@ extern "C" {
 #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"
 #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"
 #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"
diff --git a/openssl.spec b/openssl.spec
index 4bda214..0ac4d64 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.1.1
-Release: 4%{?dist}
+Version: 3.1.4
+Release: 1%{?dist}
 Epoch: 1
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
@@ -478,6 +478,12 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Thu Oct 26 2023 Sahana Prasad - 1:3.1.4-1
+- Rebase to upstream version 3.1.4
+
+* Thu Oct 19 2023 Sahana Prasad - 1:3.1.3-1
+- Rebase to upstream version 3.1.3
+
 * Thu Aug 31 2023 Dmitry Belyavskiy - 1:3.1.1-4
 - Drop duplicated patch and do some contamination
diff --git a/sources b/sources
index b60869c..1afcd8c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.1.1.tar.gz) = 8ba9dd6ab87451e126c19cc106ccd1643ca48667d6c37504d0ab98205fbccf855fd0db54474b4113c4c3a15215a4ef77a039fb897a69f71bcab2054b2effd1d9
+SHA512 (openssl-3.1.4.tar.gz) = 4cd204b934cf3250dad985438d7ffd98e17f5d79086b379a0022d92c66e340b0b3a0357aaf606004d7f50cfc4c8964ac34c45d7cb0735cfa68f4fec65bd9d18f