diff --git a/0056-Speed-test-signatures-without-errors.patch b/0056-Speed-test-signatures-without-errors.patch new file mode 100644 index 0000000..ac65c4e --- /dev/null +++ b/0056-Speed-test-signatures-without-errors.patch @@ -0,0 +1,176 @@ +From 0db63fff91327d06502027441104665f462be922 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= +Date: Mon, 11 Aug 2025 12:02:03 +0200 +Subject: [PATCH 1/2] apps/speed.c: Disable testing of composite signature + algorithms +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Creating public key context from name would always fail +for composite signature algorithms (such as RSA-SHA256) +because the public key algorithm name (e.g., RSA) does +not match the name of the composite algorithm. + +Relates to #27855. + +Signed-off-by: Pavol Žáčik +--- + apps/speed.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/apps/speed.c b/apps/speed.c +index 2c3ec37d1239e..a6d239c8cda81 100644 +--- a/apps/speed.c ++++ b/apps/speed.c +@@ -2281,9 +2281,11 @@ int speed_main(int argc, char **argv) + } + #endif /* OPENSSL_NO_DSA */ + /* skipping these algs as tested elsewhere - and b/o setup is a pain */ +- else if (strcmp(sig_name, "ED25519") && +- strcmp(sig_name, "ED448") && +- strcmp(sig_name, "ECDSA") && ++ else if (strncmp(sig_name, "RSA", 3) && ++ strncmp(sig_name, "DSA", 3) && ++ strncmp(sig_name, "ED25519", 7) && ++ strncmp(sig_name, "ED448", 5) && ++ strncmp(sig_name, "ECDSA", 5) && + strcmp(sig_name, "HMAC") && + strcmp(sig_name, "SIPHASH") && + strcmp(sig_name, "POLY1305") && + +From 30d98de47c63ca84df41ee57f9d230b2f56bf9ef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= +Date: Mon, 11 Aug 2025 12:19:59 +0200 +Subject: [PATCH 2/2] apps/speed.c: Support more signature algorithms +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Some signature algorithms (e.g., ML-DSA-65) cannot be initialized +via EVP_PKEY_sign_init, so try also EVP_PKEY_sign_message_init +before reporting an error. + +Fixes #27108. + +Signed-off-by: Pavol Žáčik +--- + apps/speed.c | 69 ++++++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 53 insertions(+), 16 deletions(-) + +diff --git a/apps/speed.c b/apps/speed.c +index a6d239c8cda81..059183ddc77d3 100644 +--- a/apps/speed.c ++++ b/apps/speed.c +@@ -4254,6 +4254,7 @@ int speed_main(int argc, char **argv) + EVP_PKEY_CTX *sig_gen_ctx = NULL; + EVP_PKEY_CTX *sig_sign_ctx = NULL; + EVP_PKEY_CTX *sig_verify_ctx = NULL; ++ EVP_SIGNATURE *alg = NULL; + unsigned char md[SHA256_DIGEST_LENGTH]; + unsigned char *sig; + char sfx[MAX_ALGNAME_SUFFIX]; +@@ -4314,21 +4315,48 @@ int speed_main(int argc, char **argv) + sig_name); + goto sig_err_break; + } ++ ++ /* ++ * Try explicitly fetching the signature algoritm implementation to ++ * use in case the algorithm does not support EVP_PKEY_sign_init ++ */ ++ ERR_set_mark(); ++ alg = EVP_SIGNATURE_fetch(app_get0_libctx(), sig_name, app_get0_propq()); ++ ERR_pop_to_mark(); ++ + /* Now prepare signature data structs */ + sig_sign_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), + pkey, + app_get0_propq()); +- if (sig_sign_ctx == NULL +- || EVP_PKEY_sign_init(sig_sign_ctx) <= 0 +- || (use_params == 1 +- && (EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx, +- RSA_PKCS1_PADDING) <= 0)) +- || EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len, +- md, md_len) <= 0) { +- BIO_printf(bio_err, +- "Error while initializing signing data structs for %s.\n", +- sig_name); +- goto sig_err_break; ++ if (sig_sign_ctx == NULL) { ++ BIO_printf(bio_err, ++ "Error while initializing signing ctx for %s.\n", ++ sig_name); ++ goto sig_err_break; ++ } ++ ERR_set_mark(); ++ if (EVP_PKEY_sign_init(sig_sign_ctx) <= 0 ++ && (alg == NULL ++ || EVP_PKEY_sign_message_init(sig_sign_ctx, alg, NULL) <= 0)) { ++ ERR_clear_last_mark(); ++ BIO_printf(bio_err, ++ "Error while initializing signing data structs for %s.\n", ++ sig_name); ++ goto sig_err_break; ++ } ++ ERR_pop_to_mark(); ++ if (use_params == 1 && ++ EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx, RSA_PKCS1_PADDING) <= 0) { ++ BIO_printf(bio_err, ++ "Error while initializing padding for %s.\n", ++ sig_name); ++ goto sig_err_break; ++ } ++ if (EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len, md, md_len) <= 0) { ++ BIO_printf(bio_err, ++ "Error while obtaining signature bufffer length for %s.\n", ++ sig_name); ++ goto sig_err_break; + } + sig = app_malloc(sig_len = max_sig_len, "signature buffer"); + if (sig == NULL) { +@@ -4344,16 +4372,23 @@ int speed_main(int argc, char **argv) + sig_verify_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), + pkey, + app_get0_propq()); +- if (sig_verify_ctx == NULL +- || EVP_PKEY_verify_init(sig_verify_ctx) <= 0 +- || (use_params == 1 +- && (EVP_PKEY_CTX_set_rsa_padding(sig_verify_ctx, +- RSA_PKCS1_PADDING) <= 0))) { ++ if (sig_verify_ctx == NULL) { ++ BIO_printf(bio_err, ++ "Error while initializing verify ctx for %s.\n", ++ sig_name); ++ goto sig_err_break; ++ } ++ ERR_set_mark(); ++ if (EVP_PKEY_verify_init(sig_verify_ctx) <= 0 ++ && (alg == NULL ++ || EVP_PKEY_verify_message_init(sig_verify_ctx, alg, NULL) <= 0)) { ++ ERR_clear_last_mark(); + BIO_printf(bio_err, + "Error while initializing verify data structs for %s.\n", + sig_name); + goto sig_err_break; + } ++ ERR_pop_to_mark(); + if (EVP_PKEY_verify(sig_verify_ctx, sig, sig_len, md, md_len) <= 0) { + BIO_printf(bio_err, "Verify error for %s.\n", sig_name); + goto sig_err_break; +@@ -4369,12 +4404,14 @@ int speed_main(int argc, char **argv) + loopargs[i].sig_act_sig_len[testnum] = sig_len; + loopargs[i].sig_sig[testnum] = sig; + EVP_PKEY_free(pkey); ++ EVP_SIGNATURE_free(alg); + pkey = NULL; + continue; + + sig_err_break: + dofail(); + EVP_PKEY_free(pkey); ++ EVP_SIGNATURE_free(alg); + op_count = 1; + sig_checks = 0; + break; diff --git a/0057-Targets-to-skip-build-of-non-installable-programs.patch b/0057-Targets-to-skip-build-of-non-installable-programs.patch new file mode 100644 index 0000000..0634895 --- /dev/null +++ b/0057-Targets-to-skip-build-of-non-installable-programs.patch @@ -0,0 +1,153 @@ +From b96746b02cff910f4cd3787fddc042f7e3fb4956 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= +Date: Tue, 19 Aug 2025 14:26:07 +0200 +Subject: [PATCH] Add targets to skip build of non-installable programs + +These make it possible to split the build into two +parts, e.g., when tests should be built with different +compiler flags than installed software. + +Also use these as dependecies where appropriate. +--- + Configurations/descrip.mms.tmpl | 7 +++++-- + Configurations/unix-Makefile.tmpl | 9 ++++++--- + Configurations/windows-makefile.tmpl | 8 ++++++-- + util/help.pl | 2 +- + 4 files changed, 18 insertions(+), 8 deletions(-) + +diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl +index db6a1b1799..bc7fc36b46 100644 +--- a/Configurations/descrip.mms.tmpl ++++ b/Configurations/descrip.mms.tmpl +@@ -491,6 +491,8 @@ NODEBUG=@ + {- dependmagic('build_libs'); -} : build_libs_nodep + {- dependmagic('build_modules'); -} : build_modules_nodep + {- dependmagic('build_programs'); -} : build_programs_nodep ++{- dependmagic('build_inst_sw'); -} : build_libs_nodep, build_modules_nodep, build_inst_programs_nodep ++{- dependmagic('build_inst_programs'); -} : build_inst_programs_nodep + + build_generated_pods : $(GENERATED_PODS) + build_docs : build_html_docs +@@ -500,6 +502,7 @@ build_generated : $(GENERATED_MANDATORY) + build_libs_nodep : $(LIBS), $(SHLIBS) + build_modules_nodep : $(MODULES) + build_programs_nodep : $(PROGRAMS), $(SCRIPTS) ++build_inst_programs_nodep : $(INSTALL_PROGRAMS), $(SCRIPTS) + + # Kept around for backward compatibility + build_apps build_tests : build_programs +@@ -606,7 +609,7 @@ install_docs : install_html_docs + uninstall_docs : uninstall_html_docs + + {- output_off() if $disabled{fips}; "" -} +-install_fips : build_sw $(INSTALL_FIPSMODULECONF) ++install_fips : build_inst_sw $(INSTALL_FIPSMODULECONF) + @ WRITE SYS$OUTPUT "*** Installing FIPS module" + - CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch'] + - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000] +@@ -687,7 +690,7 @@ install_runtime_libs : check_INSTALLTOP build_libs + @install_shlibs) -} + @ {- output_on() if $disabled{shared}; "" -} ! + +-install_programs : check_INSTALLTOP install_runtime_libs build_programs ++install_programs : check_INSTALLTOP install_runtime_libs build_inst_programs + @ {- output_off() if $disabled{apps}; "" -} ! + @ ! Install the main program + - CREATE/DIR ossl_installroot:[EXE.'arch'] +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index 70ac47b73c..98c11f7a0f 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -531,7 +531,9 @@ LANG=C + {- dependmagic('build_sw', 'Build all the software (default target)'); -}: build_libs_nodep build_modules_nodep build_programs_nodep link-utils + {- dependmagic('build_libs', 'Build the libraries libssl and libcrypto'); -}: build_libs_nodep + {- dependmagic('build_modules', 'Build the modules (i.e. providers and engines)'); -}: build_modules_nodep +-{- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep ++{- dependmagic('build_programs', 'Build the openssl executables, scripts and all other programs as configured (e.g. tests or demos)'); -}: build_programs_nodep ++{- dependmagic('build_inst_sw', 'Build all the software to be installed'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep link-utils ++{- dependmagic('build_inst_programs', 'Build only the installable openssl executables and scripts'); -}: build_inst_programs_nodep + + all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation + debuginfo: $(SHLIBS) +@@ -553,6 +555,7 @@ build_generated: $(GENERATED_MANDATORY) + build_libs_nodep: $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -} + build_modules_nodep: $(MODULES) + build_programs_nodep: $(PROGRAMS) $(SCRIPTS) ++build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS) + + # Kept around for backward compatibility + build_apps build_tests: build_programs +@@ -671,7 +674,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and + $(RM) -r "$(DESTDIR)$(DOCDIR)" + + {- output_off() if $disabled{fips}; "" -} +-install_fips: build_sw $(INSTALL_FIPSMODULECONF) ++install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF) + @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)" + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)" +@@ -956,7 +959,7 @@ install_runtime_libs: build_libs + : {- output_on() if windowsdll(); "" -}; \ + done + +-install_programs: install_runtime_libs build_programs ++install_programs: install_runtime_libs build_inst_programs + @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)" + @$(ECHO) "*** Installing runtime programs" +diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl +index 894834cfb7..b5872124de 100644 +--- a/Configurations/windows-makefile.tmpl ++++ b/Configurations/windows-makefile.tmpl +@@ -418,6 +418,8 @@ PROCESSOR= {- $config{processor} -} + {- dependmagic('build_libs'); -}: build_libs_nodep + {- dependmagic('build_modules'); -}: build_modules_nodep + {- dependmagic('build_programs'); -}: build_programs_nodep ++{- dependmagic('build_inst_sw'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep copy-utils ++{- dependmagic('build_inst_programs'); -}: build_inst_programs_nodep + + build_docs: build_html_docs + build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7) +@@ -430,6 +432,8 @@ build_modules_nodep: $(MODULES) + @ + build_programs_nodep: $(PROGRAMS) $(SCRIPTS) + @ ++build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS) ++ @ + + # Kept around for backward compatibility + build_apps build_tests: build_programs +@@ -507,7 +511,7 @@ install_docs: install_html_docs + uninstall_docs: uninstall_html_docs + + {- output_off() if $disabled{fips}; "" -} +-install_fips: build_sw $(INSTALL_FIPSMODULECONF) ++install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF) + # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(MODULESDIR)" + @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)" +@@ -607,7 +611,7 @@ install_runtime_libs: build_libs + "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \ + "$(INSTALLTOP)\bin" + +-install_programs: install_runtime_libs build_programs ++install_programs: install_runtime_libs build_inst_programs + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing runtime programs" + @if not "$(INSTALL_PROGRAMS)"=="" \ +diff --git a/util/help.pl b/util/help.pl +index a1614fe8a9..e88ff4bae1 100755 +--- a/util/help.pl ++++ b/util/help.pl +@@ -14,7 +14,7 @@ while (<>) { + chomp; # strip record separator + @Fld = split($FS, $_, -1); + if (/^[a-zA-Z0-9_\-]+:.*?##/) { +- printf " \033[36m%-15s\033[0m %s\n", $Fld[0], $Fld[1] ++ printf " \033[36m%-19s\033[0m %s\n", $Fld[0], $Fld[1] + } + if (/^##@/) { + printf "\n\033[1m%s\033[0m\n", substr($Fld[$_], (5)-1); +-- +2.50.1 + diff --git a/openssl.spec b/openssl.spec index 958510f..0603745 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.5.1 -Release: 3%{?dist}.alma.1 +Release: 4%{?dist}.alma.1 Epoch: 1 Source0: openssl-%{version}.tar.gz Source1: fips-hmacify.sh @@ -97,6 +97,8 @@ Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch %endif Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch +Patch0056: 0056-Speed-test-signatures-without-errors.patch +Patch0057: 0057-Targets-to-skip-build-of-non-installable-programs.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -267,7 +269,7 @@ export HASHBANGPERL=/usr/bin/perl # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update -make -s %{?_smp_mflags} all +make -s %{?_smp_mflags} build_inst_sw # Clean up the .pc files for i in libcrypto.pc libssl.pc openssl.pc ; do @@ -291,7 +293,10 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE %{SOURCE1} providers/fips.so -#run tests itself + +# Disable LTO, build tests, and run them +%define _lto_cflags %{nil} +make -s %{?_smp_mflags} build_programs make test HARNESS_JOBS=8 # Add generation of HMAC checksum of the final stripped library @@ -456,9 +461,15 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h %ldconfig_scriptlets libs %changelog -* Tue Jul 29 2025 Eduard Abdullin - 1:3.5.1-3.alma.1 +* Tue Sep 02 2025 Eduard Abdullin - 1:3.5.1-4.alma.1 - Redefine sslarch for x86_64_v2 arch +* Thu Aug 28 2025 Pavol Žáčik - 1:3.5.1-4 +- Make openssl speed test signatures without errors + Resolves: RHEL-95182 +- Build tests in check and without LTO + Resolves: RHEL-111634 + * Thu Jul 24 2025 Simo Sorce - 1:3.5.1-3 - Add custom define to disable symbol versioning in downstream patched code Also add stricter Suggests for openssl-fips-provider