Redefine sslarch for x86_64_v2 arch

Eduard Abdullin 2025-09-02 02:52:35 +00:00 committed by root
commit ea394def22
3 changed files with 344 additions and 4 deletions


@ -0,0 +1,176 @@
From 0db63fff91327d06502027441104665f462be922 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
Date: Mon, 11 Aug 2025 12:02:03 +0200
Subject: [PATCH 1/2] apps/speed.c: Disable testing of composite signature
algorithms
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Creating public key context from name would always fail
for composite signature algorithms (such as RSA-SHA256)
because the public key algorithm name (e.g., RSA) does
not match the name of the composite algorithm.
Relates to #27855.
Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
---
apps/speed.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index 2c3ec37d1239e..a6d239c8cda81 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -2281,9 +2281,11 @@ int speed_main(int argc, char **argv)
}
#endif /* OPENSSL_NO_DSA */
/* skipping these algs as tested elsewhere - and b/o setup is a pain */
- else if (strcmp(sig_name, "ED25519") &&
- strcmp(sig_name, "ED448") &&
- strcmp(sig_name, "ECDSA") &&
+ else if (strncmp(sig_name, "RSA", 3) &&
+ strncmp(sig_name, "DSA", 3) &&
+ strncmp(sig_name, "ED25519", 7) &&
+ strncmp(sig_name, "ED448", 5) &&
+ strncmp(sig_name, "ECDSA", 5) &&
strcmp(sig_name, "HMAC") &&
strcmp(sig_name, "SIPHASH") &&
strcmp(sig_name, "POLY1305") &&
From 30d98de47c63ca84df41ee57f9d230b2f56bf9ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
Date: Mon, 11 Aug 2025 12:19:59 +0200
Subject: [PATCH 2/2] apps/speed.c: Support more signature algorithms
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some signature algorithms (e.g., ML-DSA-65) cannot be initialized
via EVP_PKEY_sign_init, so try also EVP_PKEY_sign_message_init
before reporting an error.
Fixes #27108.
Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
---
apps/speed.c | 69 ++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 53 insertions(+), 16 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index a6d239c8cda81..059183ddc77d3 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -4254,6 +4254,7 @@ int speed_main(int argc, char **argv)
EVP_PKEY_CTX *sig_gen_ctx = NULL;
EVP_PKEY_CTX *sig_sign_ctx = NULL;
EVP_PKEY_CTX *sig_verify_ctx = NULL;
+ EVP_SIGNATURE *alg = NULL;
unsigned char md[SHA256_DIGEST_LENGTH];
unsigned char *sig;
char sfx[MAX_ALGNAME_SUFFIX];
@@ -4314,21 +4315,48 @@ int speed_main(int argc, char **argv)
sig_name);
goto sig_err_break;
}
+
+ /*
+ * Try explicitly fetching the signature algoritm implementation to
+ * use in case the algorithm does not support EVP_PKEY_sign_init
+ */
+ ERR_set_mark();
+ alg = EVP_SIGNATURE_fetch(app_get0_libctx(), sig_name, app_get0_propq());
+ ERR_pop_to_mark();
+
/* Now prepare signature data structs */
sig_sign_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
pkey,
app_get0_propq());
- if (sig_sign_ctx == NULL
- || EVP_PKEY_sign_init(sig_sign_ctx) <= 0
- || (use_params == 1
- && (EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx,
- RSA_PKCS1_PADDING) <= 0))
- || EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len,
- md, md_len) <= 0) {
- BIO_printf(bio_err,
- "Error while initializing signing data structs for %s.\n",
- sig_name);
- goto sig_err_break;
+ if (sig_sign_ctx == NULL) {
+ BIO_printf(bio_err,
+ "Error while initializing signing ctx for %s.\n",
+ sig_name);
+ goto sig_err_break;
+ }
+ ERR_set_mark();
+ if (EVP_PKEY_sign_init(sig_sign_ctx) <= 0
+ && (alg == NULL
+ || EVP_PKEY_sign_message_init(sig_sign_ctx, alg, NULL) <= 0)) {
+ ERR_clear_last_mark();
+ BIO_printf(bio_err,
+ "Error while initializing signing data structs for %s.\n",
+ sig_name);
+ goto sig_err_break;
+ }
+ ERR_pop_to_mark();
+ if (use_params == 1 &&
+ EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx, RSA_PKCS1_PADDING) <= 0) {
+ BIO_printf(bio_err,
+ "Error while initializing padding for %s.\n",
+ sig_name);
+ goto sig_err_break;
+ }
+ if (EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len, md, md_len) <= 0) {
+ BIO_printf(bio_err,
+ "Error while obtaining signature bufffer length for %s.\n",
+ sig_name);
+ goto sig_err_break;
}
sig = app_malloc(sig_len = max_sig_len, "signature buffer");
if (sig == NULL) {
@@ -4344,16 +4372,23 @@ int speed_main(int argc, char **argv)
sig_verify_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
pkey,
app_get0_propq());
- if (sig_verify_ctx == NULL
- || EVP_PKEY_verify_init(sig_verify_ctx) <= 0
- || (use_params == 1
- && (EVP_PKEY_CTX_set_rsa_padding(sig_verify_ctx,
- RSA_PKCS1_PADDING) <= 0))) {
+ if (sig_verify_ctx == NULL) {
+ BIO_printf(bio_err,
+ "Error while initializing verify ctx for %s.\n",
+ sig_name);
+ goto sig_err_break;
+ }
+ ERR_set_mark();
+ if (EVP_PKEY_verify_init(sig_verify_ctx) <= 0
+ && (alg == NULL
+ || EVP_PKEY_verify_message_init(sig_verify_ctx, alg, NULL) <= 0)) {
+ ERR_clear_last_mark();
BIO_printf(bio_err,
"Error while initializing verify data structs for %s.\n",
sig_name);
goto sig_err_break;
}
+ ERR_pop_to_mark();
if (EVP_PKEY_verify(sig_verify_ctx, sig, sig_len, md, md_len) <= 0) {
BIO_printf(bio_err, "Verify error for %s.\n", sig_name);
goto sig_err_break;
@@ -4369,12 +4404,14 @@ int speed_main(int argc, char **argv)
loopargs[i].sig_act_sig_len[testnum] = sig_len;
loopargs[i].sig_sig[testnum] = sig;
EVP_PKEY_free(pkey);
+ EVP_SIGNATURE_free(alg);
pkey = NULL;
continue;
sig_err_break:
dofail();
EVP_PKEY_free(pkey);
+ EVP_SIGNATURE_free(alg);
op_count = 1;
sig_checks = 0;
break;
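Review bot: In the second patch's signing and verify setup, when `EVP_PKEY_sign_init` fails and the `EVP_PKEY_sign_message_init` fallback is taken, the later `EVP_PKEY_sign` and `EVP_PKEY_verify` calls still pass `md, md_len`, which a message-initialised context consumes as the message itself rather than as a precomputed digest. The figures reported for such algorithms (the commit message names ML-DSA-65) therefore measure a different operation from those initialised through `EVP_PKEY_sign_init`, and nothing in the code says so; I would add above the fallback `/* On the message-init path md is signed as a raw md_len-byte message, not as a digest */`. The new text also carries typos, one of which reaches users: `bufffer` in the length error message and `algoritm` in the fetch comment. speed_main begins and ends outside these hunks, so whether `alg` is re-initialised on each loop iteration (it is freed but, unlike `pkey`, not reset to NULL before `continue`) cannot be confirmed from here.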


@ -0,0 +1,153 @@
From b96746b02cff910f4cd3787fddc042f7e3fb4956 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
Date: Tue, 19 Aug 2025 14:26:07 +0200
Subject: [PATCH] Add targets to skip build of non-installable programs
These make it possible to split the build into two
parts, e.g., when tests should be built with different
compiler flags than installed software.
Also use these as dependecies where appropriate.
---
Configurations/descrip.mms.tmpl | 7 +++++--
Configurations/unix-Makefile.tmpl | 9 ++++++---
Configurations/windows-makefile.tmpl | 8 ++++++--
util/help.pl | 2 +-
4 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index db6a1b1799..bc7fc36b46 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -491,6 +491,8 @@ NODEBUG=@
{- dependmagic('build_libs'); -} : build_libs_nodep
{- dependmagic('build_modules'); -} : build_modules_nodep
{- dependmagic('build_programs'); -} : build_programs_nodep
+{- dependmagic('build_inst_sw'); -} : build_libs_nodep, build_modules_nodep, build_inst_programs_nodep
+{- dependmagic('build_inst_programs'); -} : build_inst_programs_nodep
build_generated_pods : $(GENERATED_PODS)
build_docs : build_html_docs
@@ -500,6 +502,7 @@ build_generated : $(GENERATED_MANDATORY)
build_libs_nodep : $(LIBS), $(SHLIBS)
build_modules_nodep : $(MODULES)
build_programs_nodep : $(PROGRAMS), $(SCRIPTS)
+build_inst_programs_nodep : $(INSTALL_PROGRAMS), $(SCRIPTS)
# Kept around for backward compatibility
build_apps build_tests : build_programs
@@ -606,7 +609,7 @@ install_docs : install_html_docs
uninstall_docs : uninstall_html_docs
{- output_off() if $disabled{fips}; "" -}
-install_fips : build_sw $(INSTALL_FIPSMODULECONF)
+install_fips : build_inst_sw $(INSTALL_FIPSMODULECONF)
@ WRITE SYS$OUTPUT "*** Installing FIPS module"
- CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
- CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
@@ -687,7 +690,7 @@ install_runtime_libs : check_INSTALLTOP build_libs
@install_shlibs) -}
@ {- output_on() if $disabled{shared}; "" -} !
-install_programs : check_INSTALLTOP install_runtime_libs build_programs
+install_programs : check_INSTALLTOP install_runtime_libs build_inst_programs
@ {- output_off() if $disabled{apps}; "" -} !
@ ! Install the main program
- CREATE/DIR ossl_installroot:[EXE.'arch']
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 70ac47b73c..98c11f7a0f 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -531,7 +531,9 @@ LANG=C
{- dependmagic('build_sw', 'Build all the software (default target)'); -}: build_libs_nodep build_modules_nodep build_programs_nodep link-utils
{- dependmagic('build_libs', 'Build the libraries libssl and libcrypto'); -}: build_libs_nodep
{- dependmagic('build_modules', 'Build the modules (i.e. providers and engines)'); -}: build_modules_nodep
-{- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep
+{- dependmagic('build_programs', 'Build the openssl executables, scripts and all other programs as configured (e.g. tests or demos)'); -}: build_programs_nodep
+{- dependmagic('build_inst_sw', 'Build all the software to be installed'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep link-utils
+{- dependmagic('build_inst_programs', 'Build only the installable openssl executables and scripts'); -}: build_inst_programs_nodep
all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation
debuginfo: $(SHLIBS)
@@ -553,6 +555,7 @@ build_generated: $(GENERATED_MANDATORY)
build_libs_nodep: $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -}
build_modules_nodep: $(MODULES)
build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
# Kept around for backward compatibility
build_apps build_tests: build_programs
@@ -671,7 +674,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and
$(RM) -r "$(DESTDIR)$(DOCDIR)"
{- output_off() if $disabled{fips}; "" -}
-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
@@ -956,7 +959,7 @@ install_runtime_libs: build_libs
: {- output_on() if windowsdll(); "" -}; \
done
-install_programs: install_runtime_libs build_programs
+install_programs: install_runtime_libs build_inst_programs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)"
@$(ECHO) "*** Installing runtime programs"
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index 894834cfb7..b5872124de 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -418,6 +418,8 @@ PROCESSOR= {- $config{processor} -}
{- dependmagic('build_libs'); -}: build_libs_nodep
{- dependmagic('build_modules'); -}: build_modules_nodep
{- dependmagic('build_programs'); -}: build_programs_nodep
+{- dependmagic('build_inst_sw'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep copy-utils
+{- dependmagic('build_inst_programs'); -}: build_inst_programs_nodep
build_docs: build_html_docs
build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7)
@@ -430,6 +432,8 @@ build_modules_nodep: $(MODULES)
@
build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
@
+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
+ @
# Kept around for backward compatibility
build_apps build_tests: build_programs
@@ -507,7 +511,7 @@ install_docs: install_html_docs
uninstall_docs: uninstall_html_docs
{- output_off() if $disabled{fips}; "" -}
-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
# @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(MODULESDIR)"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)"
@@ -607,7 +611,7 @@ install_runtime_libs: build_libs
"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \
"$(INSTALLTOP)\bin"
-install_programs: install_runtime_libs build_programs
+install_programs: install_runtime_libs build_inst_programs
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
@$(ECHO) "*** Installing runtime programs"
@if not "$(INSTALL_PROGRAMS)"=="" \
diff --git a/util/help.pl b/util/help.pl
index a1614fe8a9..e88ff4bae1 100755
--- a/util/help.pl
+++ b/util/help.pl
@@ -14,7 +14,7 @@ while (<>) {
chomp; # strip record separator
@Fld = split($FS, $_, -1);
if (/^[a-zA-Z0-9_\-]+:.*?##/) {
- printf " \033[36m%-15s\033[0m %s\n", $Fld[0], $Fld[1]
+ printf " \033[36m%-19s\033[0m %s\n", $Fld[0], $Fld[1]
}
if (/^##@/) {
printf "\n\033[1m%s\033[0m\n", substr($Fld[$_], (5)-1);
--
2.50.1
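Review bot: `build_inst_programs_nodep` narrows the program list to `$(INSTALL_PROGRAMS)` but keeps `$(SCRIPTS)` unchanged in all three templates, while the unix help string reads "Build only the installable openssl executables and scripts". If building every script is intentional, a comment on the rule should say so, e.g. `# all of $(SCRIPTS) is still built; only the program list is narrowed`; otherwise the help text overstates what is skipped. The patch also adds two user-facing targets with no documentation change among the four files in its diffstat.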


@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.5.1 Version: 3.5.1
Release: 3%{?dist}.alma.1 Release: 4%{?dist}.alma.1
Epoch: 1 Epoch: 1
Source0: openssl-%{version}.tar.gz Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh Source1: fips-hmacify.sh
@ -97,6 +97,8 @@ Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif %endif
Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
Patch0056: 0056-Speed-test-signatures-without-errors.patch
Patch0057: 0057-Targets-to-skip-build-of-non-installable-programs.patch
License: Apache-2.0 License: Apache-2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -267,7 +269,7 @@ export HASHBANGPERL=/usr/bin/perl
# Do not run this in a production package the FIPS symbols must be patched-in # Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update #util/mkdef.pl crypto update
make -s %{?_smp_mflags} all make -s %{?_smp_mflags} build_inst_sw
# Clean up the .pc files # Clean up the .pc files
for i in libcrypto.pc libssl.pc openssl.pc ; do for i in libcrypto.pc libssl.pc openssl.pc ; do
@ -291,7 +293,10 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
%{SOURCE1} providers/fips.so %{SOURCE1} providers/fips.so
#run tests itself
# Disable LTO, build tests, and run them
%define _lto_cflags %{nil}
make -s %{?_smp_mflags} build_programs
make test HARNESS_JOBS=8 make test HARNESS_JOBS=8
# Add generation of HMAC checksum of the final stripped library # Add generation of HMAC checksum of the final stripped library
@ -456,9 +461,15 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Tue Jul 29 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.1-3.alma.1 * Tue Sep 02 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.1-4.alma.1
- Redefine sslarch for x86_64_v2 arch - Redefine sslarch for x86_64_v2 arch
* Thu Aug 28 2025 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.1-4
- Make openssl speed test signatures without errors
Resolves: RHEL-95182
- Build tests in check and without LTO
Resolves: RHEL-111634
* Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-3 * Thu Jul 24 2025 Simo Sorce <simo@redhat.com> - 1:3.5.1-3
- Add custom define to disable symbol versioning in downstream patched code - Add custom define to disable symbol versioning in downstream patched code
Also add stricter Suggests for openssl-fips-provider Also add stricter Suggests for openssl-fips-provider
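Review bot: The `%define _lto_cflags %{nil}` added in %check only affects macros expanded after that line, and this section does not show how the change reaches the compiler for `make -s %{?_smp_mflags} build_programs`. If the compiler flags were fixed when the tree was configured in %build (not visible here), the test programs would still be compiled with the LTO flags and the new "Disable LTO" comment would be misleading; it is worth confirming in a build log that no `-flto` appears on the test compile lines. A comment such as `# %define is not scoped to %check; every section parsed below also sees LTO disabled` would record the scope of the override.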