rpms/openssl
7
1
Fork 1
Code Issues Pull Requests Releases Activity

Redefine sslarch for x86_64_v2 arch

Browse Source
This commit is contained in:
Eduard Abdullin 2025-07-02 02:37:33 +00:00 committed by root
commit ed94729646
61 changed files with 241 additions and 512 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -63,3 +63,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.2.1.tar.gz
/openssl-3.2.2.tar.gz
/openssl-3.5.0.tar.gz
/openssl-3.5.1.tar.gz

6
0001-RH-Aarch64-and-ppc64le-use-lib64.patch
View File

@ -1,7 +1,7 @@
From fb792883f3ccc55997fdc21a9c1052f778dea1ac Mon Sep 17 00:00:00 2001
From bc8c037733c26d4c4a2a3dfd1e383be9855449b3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 01/58] RH: Aarch64 and ppc64le use lib64
Subject: [PATCH 01/53] RH: Aarch64 and ppc64le use lib64
Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch
Patch-id: 1
@ -34,5 +34,5 @@ index cba57b4127..3e327017ef 100644
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32" ],
--
2.49.0
2.50.0

10
0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
View File

@ -1,7 +1,7 @@
From 193d88dfd8d131d2057fc69b4e2abb66f51924d0 Mon Sep 17 00:00:00 2001
From 99e084a168125827163da87f3f1de3f05db99be1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 6 Mar 2025 08:40:29 -0500
Subject: [PATCH 02/58] Add a separate config file to use for rpm installs
Subject: [PATCH 02/53] Add a separate config file to use for rpm installs
In RHEL/Fedora systems we want to use a slightly different set
of defaults, but we do not want to change the standard config file
@ -44,7 +44,7 @@ index e24ea0c595..39fa468320 100644
If no providers are activated explicitly, the default one is activated implicitly.
diff --git a/rh-openssl.cnf b/rh-openssl.cnf
new file mode 100644
index 0000000000..20f5962541
index 0000000000..fe2346eb2b
--- /dev/null
+++ b/rh-openssl.cnf
@@ -0,0 +1,403 @@
@ -66,7 +66,7 @@ index 0000000000..20f5962541
+# Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+# Ignore configuration errors
+config_diagnostics = 0
+
+# Extra OBJECT IDENTIFIER info:
@ -452,5 +452,5 @@ index 0000000000..20f5962541
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
--
2.49.0
2.50.0

8
0003-RH-Do-not-install-html-docs.patch
View File

@ -1,7 +1,7 @@
From 786b3456ad2d3d37e9729b83d0ddce8794060fb1 Mon Sep 17 00:00:00 2001
From 371ef9d39cb5a54d7f22ef1abd6340dbadf88fcd Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 03/58] RH: Do not install html docs
Subject: [PATCH 03/53] RH: Do not install html docs
Patch-name: 0003-Do-not-install-html-docs.patch
Patch-id: 3
@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index e85763ccf8..8a829be037 100644
index a6f666957e..b1d8b00755 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -658,7 +658,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
@ -26,5 +26,5 @@ index e85763ccf8..8a829be037 100644
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
$(RM) -r "$(DESTDIR)$(DOCDIR)"
--
2.49.0
2.50.0

6
0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
View File

@ -1,7 +1,7 @@
From 9e410805cbd962214f0c0db785320f5fd594ea75 Mon Sep 17 00:00:00 2001
From 79787a5bb85fed3c6998bfe3aebcdff9ffa56edf Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 04/58] RH: apps ca fix md option help text.patch - DROP?
Subject: [PATCH 04/53] RH: apps ca fix md option help text.patch - DROP?
Patch-name: 0005-apps-ca-fix-md-option-help-text.patch
Patch-id: 5
@ -26,5 +26,5 @@ index 6d1d1c0a6e..a7553ba609 100644
{"keyform", OPT_KEYFORM, 'f',
"Private key file format (ENGINE, other values ignored)"},
--
2.49.0
2.50.0

6
0005-RH-Disable-signature-verification-with-bad-digests-R.patch
View File

@ -1,7 +1,7 @@
From fc8b2977d0b92f5a2e62131e398857ee431bff6e Mon Sep 17 00:00:00 2001
From c99e322d8f8ea6835f2d8aff4ca33d36410c4233 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 05/58] RH: Disable signature verification with bad digests -
Subject: [PATCH 05/53] RH: Disable signature verification with bad digests -
REVIEW
Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
@ -30,5 +30,5 @@ index f6cac80962..fbc6ce6e30 100644
const EVP_MD *type = NULL;
--
2.49.0
2.50.0

22
0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
View File

@ -1,7 +1,7 @@
From e4f78101181c2a16343c0f281d218fde34b84637 Mon Sep 17 00:00:00 2001
From f54b7469e2525ea5f03113fad7169bd23fbcab50 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 06/58] RH: Add support for PROFILE SYSTEM system default
Subject: [PATCH 06/53] RH: Add support for PROFILE SYSTEM system default
cipher
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@ -20,7 +20,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
7 files changed, 105 insertions(+), 14 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 8a829be037..ba1266659a 100644
index b1d8b00755..91fd703afa 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man
@ -43,7 +43,7 @@ index 8a829be037..ba1266659a 100644
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
diff --git a/Configure b/Configure
index 15054f9403..7945d6b750 100755
index 499585438a..e1b908fe13 100755
--- a/Configure
+++ b/Configure
@@ -27,7 +27,7 @@ use OpenSSL::config;
@ -66,7 +66,7 @@ index 15054f9403..7945d6b750 100755
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
@@ -408,6 +412,7 @@ $config{prefix}="";
@@ -409,6 +413,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
@ -74,7 +74,7 @@ index 15054f9403..7945d6b750 100755
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
@@ -1104,6 +1109,10 @@ while (@argvcopy)
@@ -1105,6 +1110,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
@ -106,7 +106,7 @@ index 69195bcdcb..a6e0ede570 100644
"High" encryption cipher suites. This currently means those with key lengths
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index b342079968..0b2232b01c 100644
index 383c5bc411..d1b00e8454 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -209,6 +209,11 @@ extern "C" {
@ -281,10 +281,10 @@ index 6127cb7a4b..19420d6c6a 100644
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4c7b62e142..7af3f29cd8 100644
index 9696a4c55f..4bd3318407 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -679,7 +679,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
@@ -686,7 +686,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
@ -293,7 +293,7 @@ index 4c7b62e142..7af3f29cd8 100644
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
@@ -4099,7 +4099,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
@@ -4136,7 +4136,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@ -317,5 +317,5 @@ index c46e431b00..19d05e860b 100644
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
--
2.49.0
2.50.0

6
0007-RH-Add-FIPS_mode-compatibility-macro.patch
View File

@ -1,7 +1,7 @@
From 6778626185fb566b9b89f548ff18f481c10ce808 Mon Sep 17 00:00:00 2001
From 6a1b39542597be9a28f94dad23a8e93285368653 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 07/58] RH: Add FIPS_mode compatibility macro
Subject: [PATCH 07/53] RH: Add FIPS_mode compatibility macro
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
@ -79,5 +79,5 @@ index 18f8cc8740..6864b1a3c1 100644
return 1;
}
--
2.49.0
2.50.0

10
0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
View File

@ -1,7 +1,7 @@
From 9df43c7443d85c5685f87c132de448a7c4e652b5 Mon Sep 17 00:00:00 2001
From 15d44a4f1365532f8ebdf24a69c9da7220d5c704 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 08/58] RH: Add Kernel FIPS mode flag support - FIXSTYLE
Subject: [PATCH 08/53] RH: Add Kernel FIPS mode flag support - FIXSTYLE
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
@ -74,10 +74,10 @@ index f15bc3d755..614c8a2c88 100644
goto err;
diff --git a/include/internal/provider.h b/include/internal/provider.h
index 6909a1919c..9d2e355251 100644
index 7d94346155..c0f1d00da9 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -111,6 +111,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
@@ -114,6 +114,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
const OSSL_DISPATCH *in);
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
@ -88,5 +88,5 @@ index 6909a1919c..9d2e355251 100644
}
# endif
--
2.49.0
2.50.0

12
0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
View File

@ -1,7 +1,7 @@
From f9d74e58291461804defa0e2de9635aad76e5d57 Mon Sep 17 00:00:00 2001
From 68174cf923fbaaa95469e433c29992cd63f24f99 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 09/58] RH: Drop weak curve definitions - RENAMED/SQUASHED
Subject: [PATCH 09/53] RH: Drop weak curve definitions - RENAMED/SQUASHED
Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch
Patch-id: 10
@ -28,7 +28,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
8 files changed, 10 insertions(+), 1157 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index f52f2c839d..1edf9b8485 100644
index 6c1eb59e91..3307a9cb46 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -405,7 +405,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
@ -1161,7 +1161,7 @@ index 63fe319025..06b5c0aac5 100644
{NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
diff --git a/test/ectest.c b/test/ectest.c
index 70df89ee2f..0ddbba3b98 100644
index e1cb59d58d..b852381924 100644
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -175,184 +175,26 @@ static int prime_field_tests(void)
@ -1356,7 +1356,7 @@ index 70df89ee2f..0ddbba3b98 100644
"FFFFFFFF000000000000000000000001"))
|| !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
@@ -3128,7 +2970,7 @@ int setup_tests(void)
@@ -3130,7 +2972,7 @@ int setup_tests(void)
ADD_TEST(parameter_test);
ADD_TEST(ossl_parameter_test);
@ -1425,5 +1425,5 @@ index e6a2c9eb59..861c01e177 100644
Ctrl = key-check:0
+Result = KEYGEN_GENERATE_ERROR
--
2.49.0
2.50.0

10
0010-RH-Disable-explicit-ec-curves.patch
View File

@ -1,7 +1,7 @@
From 27fc7dc53e31b3dcd7ff3df40db1060d7a72f126 Mon Sep 17 00:00:00 2001
From 6a2b78bca595435fcbf72d7b2c8bec004d555016 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 10/58] RH: Disable explicit ec curves
Subject: [PATCH 10/53] RH: Disable explicit ec curves
Patch-name: 0012-Disable-explicit-ec.patch
Patch-id: 12
@ -80,7 +80,7 @@ index b55677fb1f..1df40018ac 100644
EC_GROUP_free(group);
group = named_group;
diff --git a/test/ectest.c b/test/ectest.c
index 0ddbba3b98..f736d13feb 100644
index b852381924..6eac5de4fa 100644
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
@ -134,7 +134,7 @@ index 0ddbba3b98..f736d13feb 100644
/* Both sides should expect the same shared secret */
if (!TEST_mem_eq(buf1, sslen, buf2, t))
goto err;
@@ -2892,7 +2894,7 @@ static int custom_params_test(int id)
@@ -2893,7 +2895,7 @@ static int custom_params_test(int id)
/* compare with previous result */
|| !TEST_mem_eq(buf1, t, buf2, sslen))
goto err;
@ -240,5 +240,5 @@ index 54b143bead..06ec905be0 100644
-----BEGIN PRIVATE KEY-----
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
--
2.49.0
2.50.0

6
0011-RH-skipped-tests-EC-curves.patch
View File

@ -1,7 +1,7 @@
From 2c8e302b4a2f9c4eeec718d2a9d5cef655c28153 Mon Sep 17 00:00:00 2001
From 60e56b8d5d031a7169aa4ad07b13bca15faf345b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 11/58] RH: skipped tests EC curves
Subject: [PATCH 11/53] RH: skipped tests EC curves
Patch-name: 0013-skipped-tests-EC-curves.patch
Patch-id: 13
@ -78,5 +78,5 @@ index f722800e27..26a01786bb 100644
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),
--
2.49.0
2.50.0

12
0012-RH-skip-quic-pairwise.patch
View File

@ -1,7 +1,7 @@
From e87e9fbc6bcf90d43f6e09f7de46f1805e3e6674 Mon Sep 17 00:00:00 2001
From e15f0731f753c279a555c6d5d588dbac8dd3f1e4 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 7 Mar 2024 17:37:09 +0100
Subject: [PATCH 12/58] RH: skip quic pairwise
Subject: [PATCH 12/53] RH: skip quic pairwise
Patch-name: 0115-skip-quic-pairwise.patch
Patch-id: 115
@ -14,10 +14,10 @@ Patch-status: |
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/test/quicapitest.c b/test/quicapitest.c
index 38dd42c184..b2e18522ab 100644
index b98a940553..3d946ae93c 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -2761,7 +2761,9 @@ int setup_tests(void)
@@ -2937,7 +2937,9 @@ int setup_tests(void)
ADD_TEST(test_cipher_find);
ADD_TEST(test_version);
#if defined(DO_SSL_TRACE_TEST)
@ -41,7 +41,7 @@ index 222b1886ae..7e2f65cccb 100644
note "Duplicates:";
note join('\n', @duplicates);
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
index a101a26fb1..43e5396766 100644
index eaf0dbbb42..21864ad319 100644
--- a/test/recipes/30-test_pairwise_fail.t
+++ b/test/recipes/30-test_pairwise_fail.t
@@ -9,7 +9,7 @@
@ -82,5 +82,5 @@ index a101a26fb1..43e5396766 100644
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
"fips provider dsa keygen pairwise failure test");
--
2.49.0
2.50.0

6
0013-RH-version-aliasing.patch
View File

@ -1,7 +1,7 @@
From c63c81754bcf4bf3aeb4049fc5952368764fb303 Mon Sep 17 00:00:00 2001
From 293b5d1bca91e400a9042cc181d17b7facbed71c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 13/58] RH: version aliasing
Subject: [PATCH 13/53] RH: version aliasing
Patch-name: 0116-version-aliasing.patch
Patch-id: 116
@ -79,5 +79,5 @@ index ceb4948839..eab3987a6b 100644
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
--
2.49.0
2.50.0

6
0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
View File

@ -1,7 +1,7 @@
From eeaa8125102427cedfda9a1d5bd663956acd8d63 Mon Sep 17 00:00:00 2001
From f267ed139ac29efc6d464827024eafb805f06ea2 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 16:09:09 -0500
Subject: [PATCH 14/58] RH: Export two symbols for OPENSSL_str[n]casecmp
Subject: [PATCH 14/53] RH: Export two symbols for OPENSSL_str[n]casecmp
We accidentally exported the symbols with the incorrect verison number
in an early version of RHEL-9 so we need to keep the wrong symbols for
@ -104,5 +104,5 @@ index eab3987a6b..d377d542db 100644
RAND_set0_public 5559 3_1_0 EXIST::FUNCTION:
RAND_set0_private 5560 3_1_0 EXIST::FUNCTION:
--
2.49.0
2.50.0

8
0015-RH-TMP-KTLS-test-skip.patch
View File

@ -1,7 +1,7 @@
From 601c308871191a17620ade34a9edcb8afe969c8d Mon Sep 17 00:00:00 2001
From 4badd5b30b1caec6c4fd3875cd4c5313ba6095b1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:11:19 -0500
Subject: [PATCH 15/58] RH: TMP KTLS test skip
Subject: [PATCH 15/53] RH: TMP KTLS test skip
From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
---
@ -9,7 +9,7 @@ From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 38d58e9387..39118a9162 100644
index b83dd6c552..250a439137 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1023,9 +1023,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
@ -26,5 +26,5 @@ index 38d58e9387..39118a9162 100644
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
--
2.49.0
2.50.0

31
0016-RH-Allow-disabling-of-SHA1-signatures.patch
View File

@ -1,7 +1,7 @@
From 84c7c05d38e96d003df43527e4e6abc6dbae2683 Mon Sep 17 00:00:00 2001
From 3e6196d5791ce3443f54a379a5fd679c1066c76a Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 13:07:07 +0200
Subject: [PATCH 16/58] RH: Allow disabling of SHA1 signatures
Subject: [PATCH 16/53] RH: Allow disabling of SHA1 signatures
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-id: 49
@ -11,7 +11,7 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/context.c | 70 +++++++++++++++++++
crypto/evp/evp_cnf.c | 13 ++++
crypto/evp/m_sigver.c | 13 ++++
crypto/evp/m_sigver.c | 14 ++++
crypto/evp/pmeth_lib.c | 15 ++++
doc/man5/config.pod | 13 ++++
include/crypto/context.h | 8 +++
@ -25,7 +25,7 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
providers/implementations/signature/rsa_sig.c | 14 +++-
ssl/t1_lib.c | 8 +++
util/libcrypto.num | 2 +
16 files changed, 182 insertions(+), 7 deletions(-)
16 files changed, 183 insertions(+), 7 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
index 614c8a2c88..323615e300 100644
@ -172,7 +172,7 @@ index 0e7fe64cf9..b9d3b6d226 100644
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 2d1839fedb..6e4685ecc0 100644
index d5df497da7..53044238a1 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -15,6 +15,7 @@
@ -183,10 +183,11 @@ index 2d1839fedb..6e4685ecc0 100644
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
{
@@ -251,6 +252,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
}
@@ -253,6 +254,19 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
}
desc = signature->description != NULL ? signature->description : "";
+
+ if (ctx->reqdigest != NULL
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
@ -201,9 +202,9 @@ index 2d1839fedb..6e4685ecc0 100644
+
if (ver) {
if (signature->digest_verify_init == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED,
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 665cafbc21..84fb95d4ca 100644
index 08c0d6a7b2..b936ad4447 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
@ -214,7 +215,7 @@ index 665cafbc21..84fb95d4ca 100644
#include "evp_local.h"
#ifndef FIPS_MODULE
@@ -954,6 +955,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
@@ -963,6 +964,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
return -2;
}
@ -435,7 +436,7 @@ index e75b90840b..645304b951 100644
if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8d0c2647b7..f6117a1fc5 100644
index 2f71f95438..bea5cab253 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -21,6 +21,7 @@
@ -446,7 +447,7 @@ index 8d0c2647b7..f6117a1fc5 100644
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
@@ -2176,6 +2177,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
@@ -2178,6 +2179,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
EVP_PKEY *tmpkey = EVP_PKEY_new();
int istls;
int ret = 0;
@ -454,7 +455,7 @@ index 8d0c2647b7..f6117a1fc5 100644
if (ctx == NULL)
goto err;
@@ -2193,6 +2195,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
@@ -2195,6 +2197,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
goto err;
ERR_set_mark();
@ -462,7 +463,7 @@ index 8d0c2647b7..f6117a1fc5 100644
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
for (i = 0, lu = sigalg_lookup_tbl;
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
@@ -2213,6 +2216,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
@@ -2215,6 +2218,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
cache[i].available = 0;
continue;
}
@ -485,5 +486,5 @@ index d377d542db..c2c55129ae 100644
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
--
2.49.0
2.50.0

10
0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
View File

@ -1,7 +1,7 @@
From 16fdb39036e7e8438c5b97359818cd9bc472196f Mon Sep 17 00:00:00 2001
From 7b1b68328f640d184d6ac769a07aa436b0c3f318 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:12:33 -0500
Subject: [PATCH 17/58] FIPS: Red Hat's FIPS module name and version
Subject: [PATCH 17/53] FIPS: Red Hat's FIPS module name and version
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -9,10 +9,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 373cd1c2e4..aa1ab85470 100644
index 4b9a057462..1e90f363af 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
@@ -200,13 +200,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
@ -30,5 +30,5 @@ index 373cd1c2e4..aa1ab85470 100644
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
--
2.49.0
2.50.0

10
0018-FIPS-disable-fipsinstall.patch
View File

@ -1,7 +1,7 @@
From f40c27149fd5bb1864d069b3d116ffd88cca5f2f Mon Sep 17 00:00:00 2001
From 4e6b86b5130552bfee64c7ecaf045ec00749ecbd Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 18/58] FIPS: disable fipsinstall
Subject: [PATCH 18/53] FIPS: disable fipsinstall
Patch-name: 0034.fipsinstall_disable.patch
Patch-id: 34
@ -800,10 +800,10 @@ index a25ced3383..15748c5756 100644
=head1 COPYRIGHT
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index 20d35fada8..f8f219d647 100644
index 571a1e99e0..1e384a4ff3 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -575,7 +575,6 @@ want to operate in a FIPS approved manner. The algorithms are:
@@ -588,7 +588,6 @@ process.
=head1 SEE ALSO
@ -866,5 +866,5 @@ index 1f9110ef60..7e80637bd5
# Compatible options for pedantic FIPS compliance
--
2.49.0
2.50.0

8
0019-FIPS-Force-fips-provider-on.patch
View File

@ -1,7 +1,7 @@
From ad031aa2b8ec4042b0081f4179b8a05131bd52df Mon Sep 17 00:00:00 2001
From a8e98667597d46e69e492779b9d5daa051f6b3b3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 19/58] FIPS: Force fips provider on
Subject: [PATCH 19/53] FIPS: Force fips provider on
Patch-name: 0032-Force-fips.patch
Patch-id: 32
@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
index 5ec50f97e4..a2a9786e1c 100644
index 9649517dd2..1e5053cbce 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -10,6 +10,8 @@
@ -75,5 +75,5 @@ index 5ec50f97e4..a2a9786e1c 100644
}
--
2.49.0
2.50.0

6
0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
View File

@ -1,7 +1,7 @@
From ee1a3977388a9ec10aa4998beb67d8e3b4bfdd9e Mon Sep 17 00:00:00 2001
From fff4084252d07eb17e3b944c6438c00aec471c7f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 20/58] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
Subject: [PATCH 20/53] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
Corrected by squashing in:
0052-Restore-the-correct-verify_integrity-function.patch
@ -261,5 +261,5 @@ index 0000000000..f05d0dedbe
+[fips_sect]
+activate = 1
--
2.49.0
2.50.0

6
0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
View File

@ -1,7 +1,7 @@
From c202200bda962300ebc7d19e62ea0df734488c0c Mon Sep 17 00:00:00 2001
From 9633d1339e383fdb008c25635baa86c58b3dcdc4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 20 Feb 2025 15:30:32 -0500
Subject: [PATCH 21/58] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
Subject: [PATCH 21/53] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
This script rewrites the fips.so binary to embed the hmac result into it
so that after a build it can be called to make the fips.so as modified
@ -28,5 +28,5 @@ index 0000000000..54ae60b07f
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
--
2.49.0
2.50.0

6
0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
View File

@ -1,7 +1,7 @@
From d0ad196c07d223cbb1dd2419b1ec0b0e4458febb Mon Sep 17 00:00:00 2001
From 391ce06974d5efaf8485ac2386a857d7644db30a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 22/58] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
Subject: [PATCH 22/53] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
@ -45,5 +45,5 @@ index 8b17b8ca94..0f5074936f 100644
rng = ossl_rand_get0_private_noncreating(st->libctx);
if (rng != NULL)
--
2.49.0
2.50.0

6
0023-FIPS-RSA-encrypt-limits-REVIEW.patch
View File

@ -1,7 +1,7 @@
From 19617bb4a510d73e5080d026d22b06b637a6ad1a Mon Sep 17 00:00:00 2001
From 821f291d29bf73802287ed74922e1d22d840cb46 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 23/58] FIPS: RSA: encrypt limits - REVIEW
Subject: [PATCH 23/53] FIPS: RSA: encrypt limits - REVIEW
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
Patch-id: 58
@ -981,5 +981,5 @@ index f7be2e1872..568a1ddba4
}
next if $protocol eq "-tls1_3";
--
2.49.0
2.50.0

6
0024-FIPS-RSA-PCTs.patch
View File

@ -1,7 +1,7 @@
From 7cb38d617ceb819a58ac14b266787ad3d71f6206 Mon Sep 17 00:00:00 2001
From 84dc66a182dba38876b2b519a8a5c9d38fd967a3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:37 -0400
Subject: [PATCH 24/58] FIPS: RSA: PCTs
Subject: [PATCH 24/53] FIPS: RSA: PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -153,5 +153,5 @@ index 645304b951..3d5af1046a 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
--
2.49.0
2.50.0

6
0025-FIPS-RSA-encapsulate-limits.patch
View File

@ -1,7 +1,7 @@
From 158637448165abbde8d4b0c24bf4344744b79adc Mon Sep 17 00:00:00 2001
From 0e23d3fc43bf4ace817542443d772407a809dd19 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 25/58] FIPS: RSA: encapsulate limits
Subject: [PATCH 25/53] FIPS: RSA: encapsulate limits
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
@ -55,5 +55,5 @@ index ecab1454e7..8e5edd35fe 100644
Op = RSASVE
+Result = TEST_ENCAPSULATE_LEN_ERROR
--
2.49.0
2.50.0

6
0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
View File

@ -1,7 +1,7 @@
From 9595ceef9fe9a45fca1f970706077712dbb9287f Mon Sep 17 00:00:00 2001
From bb269a8f52e1be87144247772e2425b2f4911bee Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 26/58] FIPS: RSA: Disallow SHAKE in OAEP and PSS
Subject: [PATCH 26/53] FIPS: RSA: Disallow SHAKE in OAEP and PSS
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
must not be used in higher-level algorithms (such as RSA-OAEP and
@ -93,5 +93,5 @@ index a2bc198a89..2833ca50f3 100644
if (hLen <= 0)
goto err;
--
2.49.0
2.50.0

6
0027-FIPS-RSA-size-mode-restrictions.patch
View File

@ -1,7 +1,7 @@
From 47cf5bdab3a46ecffd3100330781e6c297e83d66 Mon Sep 17 00:00:00 2001
From f177c315c190537fe6a1bb0620024ae86bb95c8a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:20:30 -0500
Subject: [PATCH 27/58] FIPS: RSA: size/mode restrictions
Subject: [PATCH 27/53] FIPS: RSA: size/mode restrictions
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -437,5 +437,5 @@ index 17ceb59148..972e90f32f 100644
# Signing with SHA1 is not allowed in fips mode
Availablein = fips
--
2.49.0
2.50.0

6
0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
View File

@ -1,7 +1,7 @@
From ae1fcbd1129fc53d4ac72148696efd126e574453 Mon Sep 17 00:00:00 2001
From bc8584fab56834724a8aa70aba1c1f56f1d794e2 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 11:03:45 -0400
Subject: [PATCH 28/58] FIPS: RSA: Mark x931 as not approved by default
Subject: [PATCH 28/53] FIPS: RSA: Mark x931 as not approved by default
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -22,5 +22,5 @@ index 6bd783eb0a..c1b029de86 100644
OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
--
2.49.0
2.50.0

6
0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
View File

@ -1,7 +1,7 @@
From 4ce72cfe8d1e0b37e882766b449af109d9e7c3f8 Mon Sep 17 00:00:00 2001
From 7a34ce0dbb64dd29e412dffb0628815eed4a8b96 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 29/58] FIPS: RSA: Remove X9.31 padding signatures tests
Subject: [PATCH 29/53] FIPS: RSA: Remove X9.31 padding signatures tests
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
@ -278,5 +278,5 @@ index 97ec1ff3e5..31fa0eafc6 100644
"pss",
4096,
--
2.49.0
2.50.0

6
0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
View File

@ -1,7 +1,7 @@
From 3a9f2ccf8120cbf5b854a403926dce2d772f5f78 Mon Sep 17 00:00:00 2001
From c031855ff636806e7811513779e494b92808a1e4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:12:02 -0500
Subject: [PATCH 30/58] FIPS: RSA: NEEDS-REWORK:
Subject: [PATCH 30/53] FIPS: RSA: NEEDS-REWORK:
FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed
Signed-off-by: Simo Sorce <simo@redhat.com>
@ -383,5 +383,5 @@ index 0000000000..2833a383c1
+--
+
--
2.49.0
2.50.0

6
0031-FIPS-Deny-SHA-1-signature-verification.patch
View File

@ -1,7 +1,7 @@
From 9b198c3634fd3871dd535389e7b7c2379f6934fb Mon Sep 17 00:00:00 2001
From 5fd8ab23690e661f785336b95799e74b39089790 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 31/58] FIPS: Deny SHA-1 signature verification
Subject: [PATCH 31/53] FIPS: Deny SHA-1 signature verification
For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
@ -704,5 +704,5 @@ index 568a1ddba4..6332aaec4b 100755
SKIP: {
skip "No IPv4 available on this machine", 4
--
2.49.0
2.50.0

22
0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
View File

@ -1,7 +1,7 @@
From 39c7eb2e82b9df4ffe58d8e05fbdb9115dde50cc Mon Sep 17 00:00:00 2001
From 85acc91ca970f6509e67c93b46be12cf261bd3ad Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 32/58] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
Subject: [PATCH 32/53] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
providers/implementations/rands/crngt.c is gone
@ -14,9 +14,8 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/rand/prov_seed.c | 9 ++-
providers/implementations/rands/drbg.c | 11 ++-
providers/implementations/rands/drbg_local.h | 2 +-
.../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
4 files changed, 23 insertions(+), 67 deletions(-)
3 files changed, 22 insertions(+), 66 deletions(-)
diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
index 2985c7f2d8..3202a28226 100644
@ -68,19 +67,6 @@ index 4925a3b400..1cdb67b22c 100644
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
index e591e0b3d1..c7cafba1ea 100644
--- a/providers/implementations/rands/drbg_local.h
+++ b/providers/implementations/rands/drbg_local.h
@@ -39,7 +39,7 @@
*
* The value is in bytes.
*/
-#define CRNGT_BUFSIZ 16
+#define CRNGT_BUFSIZ 32
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
index c3a5d8b3bf..b7b34a9345 100644
--- a/providers/implementations/rands/seeding/rand_unix.c
@ -168,5 +154,5 @@ index c3a5d8b3bf..b7b34a9345 100644
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
--
2.49.0
2.50.0

6
0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
View File

@ -1,7 +1,7 @@
From 92c90300747de60df2e805b9fe78fa016f5fd49e Mon Sep 17 00:00:00 2001
From d2369dfc75e2b121650bc51f5ac3e0e7c9b75a29 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 33/58] FIPS: RAND: Forbid truncated hashes & SHA-3
Subject: [PATCH 33/53] FIPS: RAND: Forbid truncated hashes & SHA-3
Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs"
of the Implementation Guidance for FIPS 140-3 [1] notes that there is no
@ -1191,5 +1191,5 @@ index 9756859c0e..9baecf6f31 100644
+#Nonce.0 = 15e32abbae6b7433
+#Output.0 = ee9f
--
2.49.0
2.50.0

6
0034-FIPS-PBKDF2-Set-minimum-password-length.patch
View File

@ -1,7 +1,7 @@
From 5d5521b81a6714c88438e4f1fb0cf30096a0b0b6 Mon Sep 17 00:00:00 2001
From 1a83f0de8b9aaa1cf5727f0599b089346ffd89f4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 34/58] FIPS: PBKDF2: Set minimum password length
Subject: [PATCH 34/53] FIPS: PBKDF2: Set minimum password length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -117,5 +117,5 @@ index b383314064..68f9355b7d 100644
if (!passed) {
ERR_raise(ERR_LIB_PROV, error);
--
2.49.0
2.50.0

6
0035-FIPS-DH-PCT.patch
View File

@ -1,7 +1,7 @@
From 1f54210f4e4de1f2143d02f6d0b56cc388b617cd Mon Sep 17 00:00:00 2001
From 5276208d8cb9a1504ec5a4f9a9d554daf7918731 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:49:00 -0400
Subject: [PATCH 35/58] FIPS: DH: PCT
Subject: [PATCH 35/53] FIPS: DH: PCT
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -69,5 +69,5 @@ index 7132b9b68e..189bfc3e8b 100644
ok = 1;
err:
--
2.49.0
2.50.0

8
0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
View File

@ -1,7 +1,7 @@
From 863cb10f0add28b1d82ec3042d2e7b418169b48a Mon Sep 17 00:00:00 2001
From ad3ca70961e0067afd8c8b386fdcc61a576ac11b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 36/58] FIPS: DH: Disable FIPS 186-4 type parameters
Subject: [PATCH 36/53] FIPS: DH: Disable FIPS 186-4 type parameters
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
@ -156,7 +156,7 @@ index 189bfc3e8b..023d628502 100644
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index c11ada9826..e279e9d60d 100644
index 3b75a537b3..6ea7a423d5 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
@ -326,5 +326,5 @@ index 6332aaec4b..4d8c900c00 100755
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
--
2.49.0
2.50.0

12
0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
View File

@ -1,7 +1,7 @@
From 900d90fa1e34bfbbfcc91face57680c0424f2014 Mon Sep 17 00:00:00 2001
From 14cddfc71e0eae69aafdf84c1dfb073bb69942f1 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 37/58] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
Subject: [PATCH 37/53] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code
change the option to enforce it seem to be available only in FIPS build
@ -25,7 +25,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
9 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index e2c1e69847..009b683b27 100644
index 9338ffc01d..911ea21a68 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -621,6 +621,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
@ -63,7 +63,7 @@ index 15748c5756..34cbfbb2ad 100644
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 0b2232b01c..99b2ad4eb3 100644
index d1b00e8454..b815f25dae 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
@ -175,7 +175,7 @@ index 50944328cb..edb2e81273 100644
KDF = TLS1-PRF
Ctrl.digest = digest:SHA256
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 39118a9162..9522478ad2 100644
index 250a439137..acc4751095 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void)
@ -188,5 +188,5 @@ index 39118a9162..9522478ad2 100644
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_VERSION, 0,
--
2.49.0
2.50.0

6
0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
View File

@ -1,7 +1,7 @@
From a227572868569ba87b9aef722a8d981ad5feb11b Mon Sep 17 00:00:00 2001
From ecc156faf9f4d65fd73a8ef7d8ec87f5b4c0ab88 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:08:34 -0500
Subject: [PATCH 38/58] FIPS: CMS: Set default padding to OAEP
Subject: [PATCH 38/53] FIPS: CMS: Set default padding to OAEP
From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
---
@ -57,5 +57,5 @@ index 375239c78d..e09ad03ece 100644
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
--
2.49.0
2.50.0

6
0039-FIPS-PKCS12-PBMAC1-defaults.patch
View File

@ -1,7 +1,7 @@
From 6ca4910fa964f135e5a18b31502bddef3aef1304 Mon Sep 17 00:00:00 2001
From 16b5a03db729e5977ab88b3107f99586be34006b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:16:29 -0500
Subject: [PATCH 39/58] FIPS: PKCS12: PBMAC1 defaults
Subject: [PATCH 39/53] FIPS: PKCS12: PBMAC1 defaults
From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
---
@ -31,5 +31,5 @@ index 9964faf21a..59439a8cc0 100644
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,
--
2.49.0
2.50.0

6
0040-FIPS-Fix-encoder-decoder-negative-test.patch
View File

@ -1,7 +1,7 @@
From fe12acbd953da37dd25e8abca64582c9bdeadf3c Mon Sep 17 00:00:00 2001
From eea9e6867012efa55d7ae48ab9a87fd0da382b6b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 5 Mar 2025 13:22:03 -0500
Subject: [PATCH 40/58] FIPS: Fix encoder/decoder negative test
Subject: [PATCH 40/53] FIPS: Fix encoder/decoder negative test
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -31,5 +31,5 @@ index 2acc980e90..660d4e1115
my $conf2 = srctop_file("test", "default-and-fips.cnf");
ok(run(test(['decoder_propq_test', '-config', $conf2,
--
2.49.0
2.50.0

6
0041-FIPS-EC-DH-DSA-PCTs.patch
View File

@ -1,7 +1,7 @@
From a4fc741bd6e43b301121f01ef7c823a589faad39 Mon Sep 17 00:00:00 2001
From 1e029f27fe022949adaba959ac3fa3c3c1eccb0b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:06 -0400
Subject: [PATCH 41/58] FIPS: EC: DH/DSA PCTs
Subject: [PATCH 41/53] FIPS: EC: DH/DSA PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -176,5 +176,5 @@ index 4e46eaf9bc..4d7c25728a 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
--
2.49.0
2.50.0

6
0042-FIPS-EC-disable-weak-curves.patch
View File

@ -1,7 +1,7 @@
From c3f3de074f9140dd8f5833f7fe3e751ac0838323 Mon Sep 17 00:00:00 2001
From 92b40ca85bbfa7acc9b16f2c7b370f2ea5fa3ffc Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:06:36 -0500
Subject: [PATCH 42/58] FIPS: EC: disable weak curves
Subject: [PATCH 42/53] FIPS: EC: disable weak curves
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -27,5 +27,5 @@ index f0879dfb11..a6042e7d2a 100644
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
--
2.49.0
2.50.0

12
0043-FIPS-NO-DSA-Support.patch
View File

@ -1,7 +1,7 @@
From d923f8b4531718ede24814722a0c0f0f912dca7c Mon Sep 17 00:00:00 2001
From 2dbc4a1c31e66fd841a87f62834d8d60aff10d45 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:10:52 -0500
Subject: [PATCH 43/58] FIPS: NO DSA Support
Subject: [PATCH 43/53] FIPS: NO DSA Support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -18,10 +18,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
mode change 100644 => 100755 test/recipes/30-test_evp.t
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index aa1ab85470..7999744b5a 100644
index 1e90f363af..84d8e897cc 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -430,7 +430,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
@@ -431,7 +431,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
};
static const OSSL_ALGORITHM fips_signature[] = {
@ -31,7 +31,7 @@ index aa1ab85470..7999744b5a 100644
{ PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
{ PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions },
{ PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions },
@@ -560,8 +561,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
@@ -561,8 +562,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
@ -396,5 +396,5 @@ index ece29485f4..756f90c1bd 100644
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
--
2.49.0
2.50.0

14
0044-FIPS-NO-DES-support.patch
View File

@ -1,7 +1,7 @@
From ca860bb5c16d9a96afb32e025b54db76e5f8cfd3 Mon Sep 17 00:00:00 2001
From 8774a96fde9355aa32c040c145e4f35d7c09a5bd Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:15:13 -0500
Subject: [PATCH 44/58] FIPS: NO DES support
Subject: [PATCH 44/53] FIPS: NO DES support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -14,10 +14,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
6 files changed, 14 insertions(+), 23 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 7999744b5a..30f0c8ca14 100644
index 84d8e897cc..4b394c3e39 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -354,7 +354,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
@@ -355,7 +355,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
ossl_cipher_capable_aes_cbc_hmac_sha256),
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
ossl_cipher_capable_aes_cbc_hmac_sha256),
@ -80,7 +80,7 @@ index 2838f343bd..19dd2c6c63 100644
return 1;
}
diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
index 1947e21f74..119b75d9ce 100644
index 6c74b65cef..8bcb78cd2d 100644
--- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
@@ -14,7 +14,7 @@
@ -132,7 +132,7 @@ index 1947e21f74..119b75d9ce 100644
Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
# Test that DES3 ECB mode encryption is not FIPS approved
-Availablein = fipss
-Availablein = fips
-FIPSversion = >=3.4.0
+Availablein = none
Cipher = DES-EDE3-ECB
@ -170,5 +170,5 @@ index 756f90c1bd..ac833d2a2f 100644
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "{output}.cms" ],
--
2.49.0
2.50.0

12
0045-FIPS-NO-Kmac.patch
View File

@ -1,7 +1,7 @@
From 3928272f2d86188ef8796c7d18b1ec7d617cae97 Mon Sep 17 00:00:00 2001
From e466bb4e4fa16481cbf44b410933e6dceb8d27d9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:22:07 -0500
Subject: [PATCH 45/58] FIPS: NO Kmac
Subject: [PATCH 45/53] FIPS: NO Kmac
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -15,10 +15,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
7 files changed, 40 insertions(+), 86 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 30f0c8ca14..00b7d1e2aa 100644
index 4b394c3e39..8f00dfa0ef 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -293,10 +293,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
@@ -294,10 +294,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
@ -32,7 +32,7 @@ index 30f0c8ca14..00b7d1e2aa 100644
{ NULL, NULL, NULL }
};
@@ -369,8 +370,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
@@ -370,8 +371,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
#endif
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
@ -422,5 +422,5 @@ index 831eecbac9..af92ceea98 100644
-Custom = ""
-Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
--
2.49.0
2.50.0

6
0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch → 0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
View File

@ -1,7 +1,7 @@
From 50c0087bdd6c15e2c63c8324f35221fd45a10518 Mon Sep 17 00:00:00 2001
From 0d1de1053dc1b4b9a1e14b622311d0449c64e19e Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 10 Mar 2025 13:52:50 -0400
Subject: [PATCH 47/58] FIPS: Fix some tests due to our versioning change
Subject: [PATCH 46/53] FIPS: Fix some tests due to our versioning change
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -102,5 +102,5 @@ index af47842fd8..21c75033e8 100644
my @tests_mldsa_tls_1_3 = (
--
2.49.0
2.50.0

33
0046-FIPS-NO-PQ-ML-SLH-DSA.patch
View File

@ -1,33 +0,0 @@
From a6dce07d8e44e79dc3db9538d269bbbc903a8e15 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:24:36 -0500
Subject: [PATCH 46/58] FIPS: NO PQ (ML/SLH-DSA)
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/self_test_data.inc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index f3059a8446..9659f10613 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -3037,6 +3037,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
#endif /* OPENSSL_NO_DSA */
#endif
+#if 0
#ifndef OPENSSL_NO_ML_DSA
{
OSSL_SELF_TEST_DESC_SIGN_ML_DSA,
@@ -3081,6 +3082,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
slh_dsa_sig_params, slh_dsa_sig_params
},
#endif /* OPENSSL_NO_SLH_DSA */
+#endif
};
#if !defined(OPENSSL_NO_ML_DSA)
--
2.49.0

6
0048-Current-Rebase-status.patch → 0047-Current-Rebase-status.patch
View File

@ -1,7 +1,7 @@
From 3bc3a6514c078564ac8addbdf24172a5fb90f4d7 Mon Sep 17 00:00:00 2001
From e47db9280144065c4221537f1d44baa750a25d64 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:25:47 -0500
Subject: [PATCH 48/58] Current Rebase status
Subject: [PATCH 47/53] Current Rebase status
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -102,5 +102,5 @@ index 2833a383c1..c8f6c992a8 100644
+./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition
+
--
2.49.0
2.50.0

6
0049-FIPS-KDF-key-lenght-errors.patch → 0048-FIPS-KDF-key-lenght-errors.patch
View File

@ -1,7 +1,7 @@
From 573cde99e796fbd76f9be7f6a553c681abbfb55a Mon Sep 17 00:00:00 2001
From d0063158bcf9321daec1ffcbfeb3d7b085aebce3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 14 Apr 2025 15:25:40 -0400
Subject: [PATCH 49/58] FIPS: KDF key lenght errors
Subject: [PATCH 48/53] FIPS: KDF key lenght errors
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -171,5 +171,5 @@ index 1fb2472001..93c07ede7c 100644
# Test that the key whose length is shorter than 112 bits is reported as
--
2.49.0
2.50.0

6
0050-FIPS-fix-disallowed-digests-tests.patch → 0049-FIPS-fix-disallowed-digests-tests.patch
View File

@ -1,7 +1,7 @@
From 48498bd445161f1d0fffb60bce8d9474acfe840b Mon Sep 17 00:00:00 2001
From 91000e60a38106701dd76deb37eafe165e7802a3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 15 Apr 2025 13:41:42 -0400
Subject: [PATCH 50/58] FIPS: fix disallowed digests tests
Subject: [PATCH 49/53] FIPS: fix disallowed digests tests
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@ -47,5 +47,5 @@ index 6688c217aa..8347f773e6 100644
# Test that the key whose length is shorter than 112 bits is reported as
# unapproved
--
2.49.0
2.50.0

8
0051-Make-openssl-speed-run-in-FIPS-mode.patch → 0050-Make-openssl-speed-run-in-FIPS-mode.patch
View File

@ -1,14 +1,14 @@
From 0895e273cacec26a4bd027bef7ab07bae12d9741 Mon Sep 17 00:00:00 2001
From 99d3ce80ecf3252962a1b79dd57324f08b62cc18 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 9 May 2025 15:09:46 +0200
Subject: [PATCH 51/58] Make `openssl speed` run in FIPS mode
Subject: [PATCH 50/53] Make `openssl speed` run in FIPS mode
---
apps/speed.c | 44 ++++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index 1edf9b8485..d4e707074c 100644
index 3307a9cb46..ae2f166d24 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
@ -72,5 +72,5 @@ index 1edf9b8485..d4e707074c 100644
for (i = 0; i < loopargs_len; i++)
--
2.49.0
2.50.0

6
0052-Backport-upstream-27483-for-PKCS11-needs.patch → 0051-Backport-upstream-27483-for-PKCS11-needs.patch
View File

@ -1,7 +1,7 @@
From 120558807e15d3cb2959020bacc928988e512a78 Mon Sep 17 00:00:00 2001
From 5b20574f75a2c525bf30ea304292ecd93eb72091 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 14:34:39 +0200
Subject: [PATCH 52/58] Backport upstream #27483 for PKCS11 needs
Subject: [PATCH 51/53] Backport upstream #27483 for PKCS11 needs
---
.../implementations/skeymgmt/aes_skmgmt.c | 2 +
@ -142,5 +142,5 @@ index b81df9c8f8..e33bbbe003 100644
ADD_TEST(test_aes_raw_skey);
#ifndef OPENSSL_NO_DES
--
2.49.0
2.50.0

6
0053-Red-Hat-9-FIPS-indicator-defines.patch → 0052-Red-Hat-9-FIPS-indicator-defines.patch
View File

@ -1,7 +1,7 @@
From ee9a3d993eb82f98e4670adc9ccb015065b81555 Mon Sep 17 00:00:00 2001
From fcba6e3c26d76ce26ef140f3d07f9cc15e7d98fa Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 16:21:23 +0200
Subject: [PATCH 53/58] Red Hat 9 FIPS indicator defines
Subject: [PATCH 52/53] Red Hat 9 FIPS indicator defines
---
include/openssl/evp.h | 15 +++++++++++++++
@ -125,5 +125,5 @@ index 059b489735..5a1864309d 100644
'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
--
2.49.0
2.50.0

16
0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch → 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
View File

@ -1,7 +1,7 @@
From 26ad3b905a6d4b1fa50b304f21f67aa0d35265e9 Mon Sep 17 00:00:00 2001
From 75c77ea5f36dbf6d21940ab5bf87dff6acd5b8d6 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 30 May 2025 16:17:37 +0200
Subject: [PATCH 58/58] Allow hybrid MLKEM in FIPS mode
Subject: [PATCH 53/53] Allow hybrid MLKEM in FIPS mode
---
crypto/ml_kem/ml_kem.c | 11 ++--
@ -12,18 +12,18 @@ Subject: [PATCH 58/58] Allow hybrid MLKEM in FIPS mode
5 files changed, 103 insertions(+), 12 deletions(-)
diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
index ec75233435..8d0cc1a82c 100644
index 4474af0f87..6eca7dc29d 100644
--- a/crypto/ml_kem/ml_kem.c
+++ b/crypto/ml_kem/ml_kem.c
@@ -1581,6 +1581,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
@@ -1613,6 +1613,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
{
const ML_KEM_VINFO *vinfo = ossl_ml_kem_get_vinfo(evp_type);
ML_KEM_KEY *key;
+ char *adjusted_propq = NULL;
if (vinfo == NULL)
return NULL;
@@ -1588,15 +1589,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
if (vinfo == NULL) {
ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT,
@@ -1623,15 +1624,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
if ((key = OPENSSL_malloc(sizeof(*key))) == NULL)
return NULL;
@ -298,5 +298,5 @@ index bea8783276..aeef0c8f84 100644
key->xinfo->algorithm_name,
key->xinfo->group_name);
--
2.49.0
2.50.0

58
0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
View File

@ -1,58 +0,0 @@
From 92e50723ae6aa29476b7ebb66d262f78677ee68d Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 7 Apr 2025 12:58:54 +0200
Subject: [PATCH 54/58] crypto: disable OSSL_PARAM_REAL on UEFI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Floating point types like double can't be used on UEFI.
Fix build on UEFI by disabling the OSSL_PARAM_REAL branch.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27284)
---
crypto/params_from_text.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c
index 7532d4d439..fb25400dc1 100644
--- a/crypto/params_from_text.c
+++ b/crypto/params_from_text.c
@@ -220,9 +220,9 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
BIGNUM *bn;
#ifndef OPENSSL_SYS_UEFI
double d;
+ int dok;
#endif
int ok = -1;
- int dok;
/*
* Iterate through each key in the array printing its key and value
@@ -280,16 +280,16 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
case OSSL_PARAM_OCTET_STRING:
ok = BIO_dump(bio, (char *)p->data, p->data_size);
break;
+#ifndef OPENSSL_SYS_UEFI
case OSSL_PARAM_REAL:
dok = 0;
-#ifndef OPENSSL_SYS_UEFI
dok = OSSL_PARAM_get_double(p, &d);
-#endif
if (dok == 1)
ok = BIO_printf(bio, "%f\n", d);
else
ok = BIO_printf(bio, "error getting value\n");
break;
+#endif
default:
ok = BIO_printf(bio, "unknown type (%u) of %zu bytes\n",
p->data_type, p->data_size);
--
2.49.0

36
0055-hashfunc-add-stddef.h-include.patch
View File

@ -1,36 +0,0 @@
From fb8649ec423277d50936a6a7848a1b6705e208cc Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 7 Apr 2025 13:29:36 +0200
Subject: [PATCH 55/58] hashfunc: add stddef.h include
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
size_t is declared in stddef.h, so include the header file to
make sure it is available. Fixes build on UEFI.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27284)
---
include/internal/hashfunc.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/internal/hashfunc.h b/include/internal/hashfunc.h
index cabc7beed4..fae8a275fa 100644
--- a/include/internal/hashfunc.h
+++ b/include/internal/hashfunc.h
@@ -11,6 +11,7 @@
# define OPENSSL_HASHFUNC_H
# include <openssl/e_os2.h>
+# include <stddef.h>
/**
* Generalized fnv1a 64 bit hash function
*/
--
2.49.0

73
0056-rio-add-RIO_POLL_METHOD_NONE.patch
View File

@ -1,73 +0,0 @@
From 60699bc32870a3325a79234158740aac917b39a6 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 7 Apr 2025 14:06:28 +0200
Subject: [PATCH 56/58] rio: add RIO_POLL_METHOD_NONE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes build on UEFI.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27284)
---
ssl/rio/poll_builder.c | 4 +++-
ssl/rio/poll_builder.h | 4 +++-
ssl/rio/poll_method.h | 5 ++++-
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/ssl/rio/poll_builder.c b/ssl/rio/poll_builder.c
index 007e360d87..3cfbe3b0ac 100644
--- a/ssl/rio/poll_builder.c
+++ b/ssl/rio/poll_builder.c
@@ -16,7 +16,9 @@ OSSL_SAFE_MATH_UNSIGNED(size_t, size_t)
int ossl_rio_poll_builder_init(RIO_POLL_BUILDER *rpb)
{
-#if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
+#if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
+ return 0;
+#elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
FD_ZERO(&rpb->rfd);
FD_ZERO(&rpb->wfd);
FD_ZERO(&rpb->efd);
diff --git a/ssl/rio/poll_builder.h b/ssl/rio/poll_builder.h
index ffc9bbf9fc..985e4713b2 100644
--- a/ssl/rio/poll_builder.h
+++ b/ssl/rio/poll_builder.h
@@ -23,7 +23,9 @@
* FDs.
*/
typedef struct rio_poll_builder_st {
-# if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
+# if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
+ /* nothing */;
+# elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
fd_set rfd, wfd, efd;
int hwm_fd;
# elif RIO_POLL_METHOD == RIO_POLL_METHOD_POLL
diff --git a/ssl/rio/poll_method.h b/ssl/rio/poll_method.h
index 9a6de89270..d5af8663c2 100644
--- a/ssl/rio/poll_method.h
+++ b/ssl/rio/poll_method.h
@@ -14,9 +14,12 @@
# define RIO_POLL_METHOD_SELECT 1
# define RIO_POLL_METHOD_POLL 2
+# define RIO_POLL_METHOD_NONE 3
# ifndef RIO_POLL_METHOD
-# if !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
+# if defined(OPENSSL_SYS_UEFI)
+# define RIO_POLL_METHOD RIO_POLL_METHOD_NONE
+# elif !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
# define RIO_POLL_METHOD RIO_POLL_METHOD_POLL
# else
# define RIO_POLL_METHOD RIO_POLL_METHOD_SELECT
--
2.49.0

62
0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
View File

@ -1,62 +0,0 @@
From d7ab338f85b55ed6aa6d0187123dbab8684551a5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 20 May 2025 16:34:10 +0200
Subject: [PATCH 57/58] apps/x509.c: Fix the -addreject option adding trust
instead of rejection
Fixes CVE-2025-4575
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27672)
---
apps/x509.c | 2 +-
test/recipes/25-test_x509.t | 12 +++++++++++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/apps/x509.c b/apps/x509.c
index fdae8f383a..0c340c15b3 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
prog, opt_arg());
goto opthelp;
}
- if (!sk_ASN1_OBJECT_push(trust, objtmp))
+ if (!sk_ASN1_OBJECT_push(reject, objtmp))
goto end;
trustout = 1;
break;
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 09b61708ff..dfa0a428f5 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_x509");
-plan tests => 134;
+plan tests => 138;
# Prevent MSys2 filename munging for arguments that look like file paths but
# aren't
@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
&& run(app(["openssl", "verify", "-no_check_time",
"-trusted", $ca, "-partial_chain", $caout])));
+# test trust decoration
+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
+ "-out", "ca-trusted.pem"])));
+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
+ 1, 'trusted use - E-mail Protection');
+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
+ "-out", "ca-rejected.pem"])));
+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
+ 1, 'rejected use - E-mail Protection');
+
subtest 'x509 -- x.509 v1 certificate' => sub {
tconversion( -type => 'x509', -prefix => 'x509v1',
-in => srctop_file("test", "testx509.pem") );
--
2.49.0

35
openssl.spec
View File

@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.5.0
Release: 8%{?dist}.alma.1
Version: 3.5.1
Release: 1%{?dist}.alma.1
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@ -85,20 +85,15 @@ Patch0042: 0042-FIPS-EC-disable-weak-curves.patch
Patch0043: 0043-FIPS-NO-DSA-Support.patch
Patch0044: 0044-FIPS-NO-DES-support.patch
Patch0045: 0045-FIPS-NO-Kmac.patch
Patch0046: 0046-FIPS-NO-PQ-ML-SLH-DSA.patch
Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
Patch0048: 0048-Current-Rebase-status.patch
Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch
Patch0052: 0052-Backport-upstream-27483-for-PKCS11-needs.patch
Patch0053: 0053-Red-Hat-9-FIPS-indicator-defines.patch
Patch0054: 0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
Patch0055: 0055-hashfunc-add-stddef.h-include.patch
Patch0056: 0056-rio-add-RIO_POLL_METHOD_NONE.patch
Patch0057: 0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
Patch0046: 0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
Patch0047: 0047-Current-Rebase-status.patch
Patch0048: 0048-FIPS-KDF-key-lenght-errors.patch
Patch0049: 0049-FIPS-fix-disallowed-digests-tests.patch
Patch0050: 0050-Make-openssl-speed-run-in-FIPS-mode.patch
Patch0051: 0051-Backport-upstream-27483-for-PKCS11-needs.patch
Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
%if ( %{defined rhel} && (! %{defined centos}) )
Patch0058: 0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch
Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif
License: Apache-2.0
@ -441,9 +436,17 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
%ldconfig_scriptlets libs
%changelog
* Fri Jun 06 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.0-8.alma.1
* Wed Jul 02 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.5.1-1.alma.1
- Redefine sslarch for x86_64_v2 arch
* Tue Jul 01 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-1
- Rebasing to OpenSSL 3.5.1
Resolves: RHEL-90350
Resolves: RHEL-95613
Resolves: RHEL-97796
Resolves: RHEL-99353
Resolves: RHEL-100168
* Thu Jun 05 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-8
- rebuilt
Related: RHEL-80811

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-3.5.0.tar.gz) = 39cc80e2843a2ee30f3f5de25cd9d0f759ad8de71b0b39f5a679afaaa74f4eb58d285ae50e29e4a27b139b49343ac91d1f05478f96fb0c6b150f16d7b634676f
SHA512 (openssl-3.5.1.tar.gz) = 0fa152ae59ab5ea066319de039dfb1d24cbb247172d7512feb5dd920db3740f219d76b0195ea562f84fe5eae36c23772302eddfbb3509df13761452b4dafb9d3