diff --git a/.gitignore b/.gitignore index 8e6940c..c47bf28 100644 --- a/.gitignore +++ b/.gitignore @@ -56,3 +56,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-3.0.7-hobbled.tar.gz /openssl-3.0.7.tar.gz /openssl-3.2.1.tar.gz +/openssl-3.2.2.tar.gz diff --git a/0033-FIPS-embed-hmac.patch b/0033-FIPS-embed-hmac.patch index 6738304..0bf3b2d 100644 --- a/0033-FIPS-embed-hmac.patch +++ b/0033-FIPS-embed-hmac.patch @@ -383,8 +383,8 @@ index 18d9f3d204..71780d8caa 100644 --- a/test/recipes/90-test_sslapi.t +++ b/test/recipes/90-test_sslapi.t @@ -17,7 +17,7 @@ setup("test_sslapi"); - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); + setup("test_sslapi"); + } -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); diff --git a/0078-KDF-Add-FIPS-indicators.patch b/0078-KDF-Add-FIPS-indicators.patch index 93ee1e0..17ff63e 100644 --- a/0078-KDF-Add-FIPS-indicators.patch +++ b/0078-KDF-Add-FIPS-indicators.patch @@ -120,7 +120,7 @@ index dfa7786bde..f01e40ff5a 100644 switch (ctx->mode) { case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: default: -@@ -332,15 +342,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void { KDF_HKDF *ctx = (KDF_HKDF *)vctx; OSSL_PARAM *p; 
@@ -129,13 +129,20 @@ index dfa7786bde..f01e40ff5a 100644 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { size_t sz = kdf_hkdf_size(ctx); -- if (sz == 0) + any_valid = 1; -+ -+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) -+ return 0; -+ } -+ + if (sz == 0) + return 0; + return OSSL_PARAM_set_size_t(p, sz); + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { ++ any_valid = 1; + if (ctx->info == NULL || ctx->info_len == 0) { + p->return_size = 0; + return 1; + } + return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); + } +- return -2; +#ifdef FIPS_MODULE + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) + != NULL) { @@ -189,10 +196,8 @@ index dfa7786bde..f01e40ff5a 100644 + } + } + if (!OSSL_PARAM_set_int(p, fips_indicator)) - return 0; -- return OSSL_PARAM_set_size_t(p, sz); - } -- return -2; ++ return 0; ++ } +#endif /* defined(FIPS_MODULE) */ + + if (!any_valid) @@ -203,9 +208,9 @@ index dfa7786bde..f01e40ff5a 100644 static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, @@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, - { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), +#ifdef FIPS_MODULE + OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), +#endif /* defined(FIPS_MODULE) */ diff --git a/0117-ignore-unknown-sigalgorithms-groups.patch b/0117-ignore-unknown-sigalgorithms-groups.patch index 3c52277..dd40e11 100644 --- a/0117-ignore-unknown-sigalgorithms-groups.patch +++ b/0117-ignore-unknown-sigalgorithms-groups.patch @@ -111,7 +111,7 @@ index 056aae3863..fe680449c5 100644 + } if (garg->gidcnt == garg->gidmax) { uint16_t *tmp = - OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT); + OPENSSL_realloc(garg->gid_arr, 
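Review bot: The rebased kdf_hkdf_get_ctx_params() in 0078-KDF-Add-FIPS-indicators.patch keeps the upstream early returns in the OSSL_KDF_PARAM_SIZE and OSSL_KDF_PARAM_INFO branches, so the `#ifdef FIPS_MODULE` block that fills OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR is never reached when a caller asks for either of those in the same params array. The previous revision of this patch fell through after SIZE (`if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) return 0;`), so this is a behaviour change: such a caller now gets a success return with the indicator left unset and may act on whatever value was already in its buffer. It also makes both `any_valid = 1;` assignments dead stores. I would let both branches fall through as sketched below, or, if the early return is intended, document that the indicator must be queried on its own. The function's start and whatever follows the `any_valid` check lie outside these hunks, so this should be confirmed against the full patched function.

```c
    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
        size_t sz = kdf_hkdf_size(ctx);

        any_valid = 1;
        /* fall through so the FIPS indicator can be returned in the same call */
        if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
            return 0;
    }
    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
        any_valid = 1;
        if (ctx->info == NULL || ctx->info_len == 0)
            p->return_size = 0;
        else if (!OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len))
            return 0;
    }
    /* … unchanged: FIPS_MODULE indicator block and the any_valid check … */
```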
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg) gid = tls1_group_name2id(garg->ctx, etmp); @@ -161,18 +161,18 @@ index 056aae3863..fe680449c5 100644 return 0; if (len > (int)(sizeof(etmp) - 1)) @@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg) - break; + break; + } } +- if (i == OSSL_NELEM(sigalg_lookup_tbl)) +- return 0; ++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } } -- if (i == OSSL_NELEM(sigalg_lookup_tbl)) -- return 0; -+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { -+ /* Ignore unknown algorithms if ignore_unknown */ -+ return ignore_unknown; -+ } } else { *p = 0; - p++; @@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg) return 0; get_sigorhash(&sig_alg, &hash_alg, etmp); @@ -209,7 +209,7 @@ index 056aae3863..fe680449c5 100644 } return 1; @@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) - sig.sigalgcnt = 0; + } if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) return 0; + if (sig.sigalgcnt == 0) { diff --git a/0118-no-crl-memleak.patch b/0118-no-crl-memleak.patch deleted file mode 100644 index ee7e745..0000000 --- a/0118-no-crl-memleak.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Tue, 27 Feb 2024 15:22:58 +0100 -Subject: [PATCH 48/49] 0118-no-crl-memleak.patch - -Patch-name: 0118-no-crl-memleak.patch -Patch-id: 118 -Patch-status: | - # https://github.com/openssl/openssl/issues/23770 ---- - crypto/x509/by_file.c | 2 ++ - test/recipes/60-test_x509_load_cert_file.t | 3 ++- - test/x509_load_cert_file_test.c | 8 +++++++- - 3 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c -index 5073c137a2..85923804ac 100644 ---- a/crypto/x509/by_file.c -+++ b/crypto/x509/by_file.c -@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) - goto err; - } - count++; -+ X509_CRL_free(x); -+ x = NULL; - } - } else if (type == X509_FILETYPE_ASN1) { - x = d2i_X509_CRL_bio(in, NULL); -diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t -index 75aeac362c..e329d7675c 100644 ---- a/test/recipes/60-test_x509_load_cert_file.t -+++ b/test/recipes/60-test_x509_load_cert_file.t -@@ -12,4 +12,5 @@ setup("test_load_cert_file"); - - plan tests => 1; - --ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")]))); -+ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"), -+ srctop_file("test", "certs", "cyrillic_crl.pem")]))); -diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c -index 4a736071ae..c07d329915 100644 ---- a/test/x509_load_cert_file_test.c -+++ b/test/x509_load_cert_file_test.c -@@ -12,6 +12,7 @@ - #include "testutil.h" - - static const char *chain; -+static const char *crl; - - static int test_load_cert_file(void) - { -@@ -27,12 +28,15 @@ static int test_load_cert_file(void) - && TEST_int_eq(sk_X509_num(certs), 4)) - ret = 1; - -+ if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM))) -+ 
ret = 0; -+ - OSSL_STACK_OF_X509_free(certs); - X509_STORE_free(store); - return ret; - } - --OPT_TEST_DECLARE_USAGE("cert.pem...\n") -+OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n") - - int setup_tests(void) - { -@@ -45,6 +49,8 @@ int setup_tests(void) - if (chain == NULL) - return 0; - -+ crl = test_get_argument(1); -+ - ADD_TEST(test_load_cert_file); - return 1; - } --- -2.44.0 - diff --git a/0119-provider-sigalgs-in-signaturealgorithms-conf.patch b/0119-provider-sigalgs-in-signaturealgorithms-conf.patch deleted file mode 100644 index c363223..0000000 --- a/0119-provider-sigalgs-in-signaturealgorithms-conf.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Fri, 8 Mar 2024 11:18:12 +0100 -Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch - -Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch -Patch-id: 119 -Patch-status: | - # https://github.com/openssl/openssl/issues/22779 ---- - ssl/s3_lib.c | 8 ++++---- - ssl/ssl_lib.c | 2 +- - ssl/ssl_local.h | 2 +- - ssl/t1_lib.c | 45 ++++++++++++++++++++++++++++++++++----------- - 4 files changed, 40 insertions(+), 17 deletions(-) - -diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c -index e8ec98c221..48a1aa0e61 100644 ---- a/ssl/s3_lib.c -+++ b/ssl/s3_lib.c -@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) - return tls1_set_sigalgs(sc->cert, parg, larg, 0); - - case SSL_CTRL_SET_SIGALGS_LIST: -- return tls1_set_sigalgs_list(sc->cert, parg, 0); -+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0); - - case SSL_CTRL_SET_CLIENT_SIGALGS: - return tls1_set_sigalgs(sc->cert, parg, larg, 1); - - case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: -- return tls1_set_sigalgs_list(sc->cert, parg, 1); -+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1); - - case SSL_CTRL_GET_CLIENT_CERT_TYPES: - { -@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) - return tls1_set_sigalgs(ctx->cert, parg, larg, 0); - - case SSL_CTRL_SET_SIGALGS_LIST: -- return tls1_set_sigalgs_list(ctx->cert, parg, 0); -+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0); - - case SSL_CTRL_SET_CLIENT_SIGALGS: - return tls1_set_sigalgs(ctx->cert, parg, larg, 1); - - case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: -- return tls1_set_sigalgs_list(ctx->cert, parg, 1); -+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1); - - case SSL_CTRL_SET_CLIENT_CERT_TYPES: - return ssl3_set_req_cert_type(ctx->cert, parg, larg); -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 1329841aaf..4d95ab71cd 100644 ---- 
a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) - return tls1_set_groups_list(ctx, NULL, NULL, parg); - case SSL_CTRL_SET_SIGALGS_LIST: - case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: -- return tls1_set_sigalgs_list(NULL, parg, 0); -+ return tls1_set_sigalgs_list(ctx, NULL, parg, 0); - default: - return 0; - } -diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h -index 0d3acfbe66..a73b2c4770 100644 ---- a/ssl/ssl_local.h -+++ b/ssl/ssl_local.h -@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s); - - void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op); - --__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client); -+__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client); - __owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, - int client); - __owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fe680449c5..87f2ae7000 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx) - - /* now populate ctx->ssl_cert_info */ - if (ctx->sigalg_list_len > 0) { -+ OPENSSL_free(ctx->ssl_cert_info); - ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len); - if (ctx->ssl_cert_info == NULL) - return 0; -@@ -2889,6 +2890,7 @@ typedef struct { - size_t sigalgcnt; - /* TLSEXT_SIGALG_XXX values */ - uint16_t sigalgs[TLS_MAX_SIGALGCNT]; -+ SSL_CTX *ctx; - } sig_cb_st; - - static void get_sigorhash(int *psig, int *phash, const char *str) -@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str) - static int sig_cb(const char *elem, int len, void *arg) - { - sig_cb_st *sarg = arg; -- size_t i; -+ size_t i = 0; -+ int load_success = 0; - const SIGALG_LOOKUP *s; - char etmp[TLS_MAX_SIGSTRING_LEN], *p; - int sig_alg = NID_undef, hash_alg = NID_undef; -@@ -2943,17 +2946,36 @@ 
static int sig_cb(const char *elem, int len, void *arg) - * in the table. - */ - if (p == NULL) { -- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); -- i++, s++) { -- if (s->name != NULL && strcmp(etmp, s->name) == 0) { -- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; -- break; -- } -+ /* Load provider sigalgs */ -+ if (sarg->ctx) { -+ load_success = ssl_load_sigalgs(sarg->ctx); - } -- if (i == OSSL_NELEM(sigalg_lookup_tbl)) { -- /* Ignore unknown algorithms if ignore_unknown */ -- return ignore_unknown; -+ if (load_success) { -+ /* Check if a provider supports the sigalg */ -+ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) { -+ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL -+ && strcmp(etmp, -+ sarg->ctx->sigalg_list[i].sigalg_name) == 0) { -+ sarg->sigalgs[sarg->sigalgcnt++] = -+ sarg->ctx->sigalg_list[i].code_point; -+ break; -+ } -+ } - } -+ /* Check the built-in sigalgs */ -+ if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) { -+ for (i = 0, s = sigalg_lookup_tbl; -+ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) { -+ if (s->name != NULL && strcmp(etmp, s->name) == 0) { -+ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; -+ break; -+ } -+ } -+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { -+ /* Ignore unknown algorithms if ignore_unknown */ -+ return ignore_unknown; -+ } -+ } - } else { - *p = 0; - p++; -@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg) - * Set supported signature algorithms based on a colon separated list of the - * form sig+hash e.g. RSA+SHA512:DSA+SHA512 - */ --int tls1_set_sigalgs_list(CERT *c, const char *str, int client) -+int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client) - { - sig_cb_st sig; - sig.sigalgcnt = 0; -+ sig.ctx = ctx; - if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) - return 0; - if (sig.sigalgcnt == 0) { --- -2.44.0 - diff --git a/openssl.spec b/openssl.spec index 41fbc00..995e513 100644 --- a/openssl.spec +++ b/openssl.spec 
@@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.2.1 -Release: 2%{?dist} +Version: 3.2.2 +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -152,10 +152,6 @@ Patch115: 0115-skip-quic-pairwise.patch Patch116: 0116-version-aliasing.patch # https://github.com/openssl/openssl/issues/23050 Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch -# https://github.com/openssl/openssl/issues/23770 -Patch118: 0118-no-crl-memleak.patch -# https://github.com/openssl/openssl/issues/22779 -Patch119: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2160797 Patch121: 0121-FIPS-cms-defaults.patch @@ -500,6 +496,14 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Wed Jun 05 2024 Dmitry Belyavskiy - 1:3.2.2-1 +- Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, + and Minerva attack. + Resolves: RHEL-32148 + Resolves: RHEL-36792 + Resolves: RHEL-38514 + Resolves: RHEL-39111 + * Thu May 23 2024 Dmitry Belyavskiy - 1:3.2.1-2 - Update RNG changing for FIPS purpose Resolves: RHEL-35380 diff --git a/sources b/sources index 21d66d1..6d3dc96 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.2.1.tar.gz) = 29ea75964f78ef5bbe5783ed60d32917408ae4cb7d4aecdbbf2280bfdbc260c7cbabbc03bd179fc994fbee85cebc7213eeb5bfcde5c22db5e83edf2cebe7113f +SHA512 (openssl-3.2.2.tar.gz) = ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d