From 98cf25a4c0d4b9fa03944c92a8d366621250985e Mon Sep 17 00:00:00 2001 
From: Dmitry Belyavskiy Date: Tue, 1 Jul 2025 16:33:14 +0200 Subject: [PATCH] Rebasing to OpenSSL 3.5.1 Resolves: RHEL-90350 Resolves: RHEL-95613 Resolves: RHEL-97796 Resolves: RHEL-99353 Resolves: RHEL-100168 --- .gitignore | 1 + 0001-RH-Aarch64-and-ppc64le-use-lib64.patch | 6 +- ...-config-file-to-use-for-rpm-installs.patch | 10 +-- 0003-RH-Do-not-install-html-docs.patch | 8 +- ...a-fix-md-option-help-text.patch-DROP.patch | 6 +- ...ture-verification-with-bad-digests-R.patch | 6 +- ...or-PROFILE-SYSTEM-system-default-cip.patch | 22 +++--- ...RH-Add-FIPS_mode-compatibility-macro.patch | 6 +- ...rnel-FIPS-mode-flag-support-FIXSTYLE.patch | 10 +-- ...k-curve-definitions-RENAMED-SQUASHED.patch | 12 +-- 0010-RH-Disable-explicit-ec-curves.patch | 10 +-- 0011-RH-skipped-tests-EC-curves.patch | 6 +- 0012-RH-skip-quic-pairwise.patch | 12 +-- 0013-RH-version-aliasing.patch | 6 +- ...wo-symbols-for-OPENSSL_str-n-casecmp.patch | 6 +- 0015-RH-TMP-KTLS-test-skip.patch | 8 +- ...H-Allow-disabling-of-SHA1-signatures.patch | 31 ++++---- ...d-Hat-s-FIPS-module-name-and-version.patch | 10 +-- 0018-FIPS-disable-fipsinstall.patch | 10 +-- 0019-FIPS-Force-fips-provider-on.patch | 8 +- ...TEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch | 6 +- ...CHECK-Add-script-to-hmac-ify-fips.so.patch | 6 +- ...HECK-Execute-KATS-before-HMAC-REVIEW.patch | 6 +- 0023-FIPS-RSA-encrypt-limits-REVIEW.patch | 6 +- 0024-FIPS-RSA-PCTs.patch | 6 +- 0025-FIPS-RSA-encapsulate-limits.patch | 6 +- ...S-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch | 6 +- 0027-FIPS-RSA-size-mode-restrictions.patch | 6 +- ...Mark-x931-as-not-approved-by-default.patch | 6 +- ...emove-X9.31-padding-signatures-tests.patch | 6 +- ...EWORK-FIPS-Use-OAEP-in-KATs-support-.patch | 6 +- ...PS-Deny-SHA-1-signature-verification.patch | 6 +- ...PS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch | 22 +----- ...S-RAND-Forbid-truncated-hashes-SHA-3.patch | 6 +- ...S-PBKDF2-Set-minimum-password-length.patch | 6 +- 0035-FIPS-DH-PCT.patch | 6 +- 
...H-Disable-FIPS-186-4-type-parameters.patch | 8 +- ...FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch | 12 +-- ...FIPS-CMS-Set-default-padding-to-OAEP.patch | 6 +- 0039-FIPS-PKCS12-PBMAC1-defaults.patch | 6 +- ...PS-Fix-encoder-decoder-negative-test.patch | 6 +- 0041-FIPS-EC-DH-DSA-PCTs.patch | 6 +- 0042-FIPS-EC-disable-weak-curves.patch | 6 +- 0043-FIPS-NO-DSA-Support.patch | 12 +-- 0044-FIPS-NO-DES-support.patch | 14 ++-- 0045-FIPS-NO-Kmac.patch | 12 +-- ...e-tests-due-to-our-versioning-change.patch | 6 +- 0046-FIPS-NO-PQ-ML-SLH-DSA.patch | 33 --------- ....patch => 0047-Current-Rebase-status.patch | 6 +- ...h => 0048-FIPS-KDF-key-lenght-errors.patch | 6 +- ...49-FIPS-fix-disallowed-digests-tests.patch | 6 +- ...-Make-openssl-speed-run-in-FIPS-mode.patch | 8 +- ...port-upstream-27483-for-PKCS11-needs.patch | 6 +- ...052-Red-Hat-9-FIPS-indicator-defines.patch | 6 +- ...0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch | 16 ++-- ...ypto-disable-OSSL_PARAM_REAL-on-UEFI.patch | 58 --------------- 0055-hashfunc-add-stddef.h-include.patch | 36 --------- 0056-rio-add-RIO_POLL_METHOD_NONE.patch | 73 ------------------- ...the-addreject-option-adding-trust-in.patch | 62 ---------------- openssl.spec | 33 +++++---- sources | 2 +- 61 files changed, 240 insertions(+), 511 deletions(-) rename 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch => 0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch (96%) delete mode 100644 0046-FIPS-NO-PQ-ML-SLH-DSA.patch rename 0048-Current-Rebase-status.patch => 0047-Current-Rebase-status.patch (96%) rename 0049-FIPS-KDF-key-lenght-errors.patch => 0048-FIPS-KDF-key-lenght-errors.patch (98%) rename 0050-FIPS-fix-disallowed-digests-tests.patch => 0049-FIPS-fix-disallowed-digests-tests.patch (93%) rename 0051-Make-openssl-speed-run-in-FIPS-mode.patch => 0050-Make-openssl-speed-run-in-FIPS-mode.patch (94%) rename 0052-Backport-upstream-27483-for-PKCS11-needs.patch => 0051-Backport-upstream-27483-for-PKCS11-needs.patch (97%) rename 
0053-Red-Hat-9-FIPS-indicator-defines.patch => 0052-Red-Hat-9-FIPS-indicator-defines.patch (98%) rename 0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch => 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch (96%) delete mode 100644 0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch delete mode 100644 0055-hashfunc-add-stddef.h-include.patch delete mode 100644 0056-rio-add-RIO_POLL_METHOD_NONE.patch delete mode 100644 0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch diff --git a/.gitignore b/.gitignore index 3f8b238..d67099f 100644 --- a/.gitignore +++ b/.gitignore @@ -63,3 +63,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-3.2.1.tar.gz /openssl-3.2.2.tar.gz /openssl-3.5.0.tar.gz +/openssl-3.5.1.tar.gz diff --git a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch index f9c715c..1331ab0 100644 --- a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch +++ b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch @@ -1,7 +1,7 @@ -From fb792883f3ccc55997fdc21a9c1052f778dea1ac Mon Sep 17 00:00:00 2001 +From bc8c037733c26d4c4a2a3dfd1e383be9855449b3 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:14 +0100 -Subject: [PATCH 01/58] RH: Aarch64 and ppc64le use lib64 +Subject: [PATCH 01/53] RH: Aarch64 and ppc64le use lib64 Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch Patch-id: 1 @@ -34,5 +34,5 @@ index cba57b4127..3e327017ef 100644 "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32 inherit_from => [ "linux-generic32" ], -- -2.49.0 +2.50.0 diff --git a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch index d9c7035..bfcf061 100644 --- a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch +++ b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch @@ -1,7 +1,7 @@ -From 193d88dfd8d131d2057fc69b4e2abb66f51924d0 Mon Sep 17 00:00:00 2001 +From 99e084a168125827163da87f3f1de3f05db99be1 Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Thu, 6 Mar 2025 08:40:29 -0500 -Subject: [PATCH 02/58] Add a separate config file to use for rpm installs +Subject: [PATCH 02/53] Add a separate config file to use for rpm installs In RHEL/Fedora systems we want to use a slightly different set of defaults, but we do not want to change the standard config file @@ -44,7 +44,7 @@ index e24ea0c595..39fa468320 100644 If no providers are activated explicitly, the default one is activated implicitly. diff --git a/rh-openssl.cnf b/rh-openssl.cnf new file mode 100644 -index 0000000000..20f5962541 +index 0000000000..fe2346eb2b --- /dev/null +++ b/rh-openssl.cnf @@ -0,0 +1,403 @@ @@ -66,7 +66,7 @@ index 0000000000..20f5962541 +# Use this in order to automatically load providers. +openssl_conf = openssl_init + -+# Comment out the next line to ignore configuration errors ++# Ignore configuration errors +config_diagnostics = 0 + +# Extra OBJECT IDENTIFIER info: @@ -452,5 +452,5 @@ index 0000000000..20f5962541 +cmd = rr +oldcert = $insta::certout # insta.cert.pem -- -2.49.0 +2.50.0 diff --git a/0003-RH-Do-not-install-html-docs.patch b/0003-RH-Do-not-install-html-docs.patch index 1589d8e..8c2edce 100644 --- a/0003-RH-Do-not-install-html-docs.patch +++ b/0003-RH-Do-not-install-html-docs.patch @@ -1,7 +1,7 @@ -From 786b3456ad2d3d37e9729b83d0ddce8794060fb1 Mon Sep 17 00:00:00 2001 +From 371ef9d39cb5a54d7f22ef1abd6340dbadf88fcd Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:14 +0100 -Subject: [PATCH 03/58] RH: Do not install html docs +Subject: [PATCH 03/53] RH: Do not install html docs Patch-name: 0003-Do-not-install-html-docs.patch Patch-id: 3 @@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index e85763ccf8..8a829be037 100644 +index a6f666957e..b1d8b00755 100644 --- a/Configurations/unix-Makefile.tmpl 
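Review bot: In the `rh-openssl.cnf` hunk (`@@ -66,7 +66,7 @@`), the reworded comment above `config_diagnostics = 0` now matches the value but no longer tells an administrator how to get strict behaviour. As far as I know, with this setting at 0 errors raised while processing the configuration modules (for example a provider section that fails to load) are not treated as fatal, so a broken provider setup can go unnoticed at start-up. I would spell that out in the shipped file, e.g. `# Ignore configuration errors; set to 1 to make errors in this file fatal`. The rest of the file lies outside this hunk, so whether another section re-enables diagnostics cannot be checked from here.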
+++ b/Configurations/unix-Makefile.tmpl @@ -658,7 +658,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta @@ -26,5 +26,5 @@ index e85763ccf8..8a829be037 100644 uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation $(RM) -r "$(DESTDIR)$(DOCDIR)" -- -2.49.0 +2.50.0 diff --git a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch index 9b8b563..2486532 100644 --- a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch +++ b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch @@ -1,7 +1,7 @@ -From 9e410805cbd962214f0c0db785320f5fd594ea75 Mon Sep 17 00:00:00 2001 +From 79787a5bb85fed3c6998bfe3aebcdff9ffa56edf Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:14 +0100 -Subject: [PATCH 04/58] RH: apps ca fix md option help text.patch - DROP? +Subject: [PATCH 04/53] RH: apps ca fix md option help text.patch - DROP? Patch-name: 0005-apps-ca-fix-md-option-help-text.patch Patch-id: 5 @@ -26,5 +26,5 @@ index 6d1d1c0a6e..a7553ba609 100644 {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"}, -- -2.49.0 +2.50.0 diff --git a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch index 7b98fd5..b52e60b 100644 --- a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch +++ b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch @@ -1,7 +1,7 @@ -From fc8b2977d0b92f5a2e62131e398857ee431bff6e Mon Sep 17 00:00:00 2001 +From c99e322d8f8ea6835f2d8aff4ca33d36410c4233 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:14 +0100 -Subject: [PATCH 05/58] RH: Disable signature verification with bad digests - +Subject: [PATCH 05/53] RH: Disable signature verification with bad digests - REVIEW Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch 
@@ -30,5 +30,5 @@ index f6cac80962..fbc6ce6e30 100644 const EVP_MD *type = NULL; -- -2.49.0 +2.50.0 diff --git a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch index fa24115..99505a3 100644 --- a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch +++ b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch @@ -1,7 +1,7 @@ -From e4f78101181c2a16343c0f281d218fde34b84637 Mon Sep 17 00:00:00 2001 +From f54b7469e2525ea5f03113fad7169bd23fbcab50 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:14 +0100 -Subject: [PATCH 06/58] RH: Add support for PROFILE SYSTEM system default +Subject: [PATCH 06/53] RH: Add support for PROFILE SYSTEM system default cipher Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -20,7 +20,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce 7 files changed, 105 insertions(+), 14 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index 8a829be037..ba1266659a 100644 +index b1d8b00755..91fd703afa 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man @@ -43,7 +43,7 @@ index 8a829be037..ba1266659a 100644 @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} diff --git a/Configure b/Configure -index 15054f9403..7945d6b750 100755 +index 499585438a..e1b908fe13 100755 --- a/Configure +++ b/Configure @@ -27,7 +27,7 @@ use OpenSSL::config; @@ -66,7 +66,7 @@ index 15054f9403..7945d6b750 100755 # --banner=".." Output specified text instead of default completion banner # # -w Don't wait after showing a Configure warning -@@ -408,6 +412,7 @@ $config{prefix}=""; +@@ -409,6 +413,7 @@ $config{prefix}=""; $config{openssldir}=""; $config{processor}=""; $config{libdir}=""; 
@@ -74,7 +74,7 @@ index 15054f9403..7945d6b750 100755 my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -@@ -1104,6 +1109,10 @@ while (@argvcopy) +@@ -1105,6 +1110,10 @@ while (@argvcopy) die "FIPS key too long (64 bytes max)\n" if length $1 > 64; } @@ -106,7 +106,7 @@ index 69195bcdcb..a6e0ede570 100644 "High" encryption cipher suites. This currently means those with key lengths diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in -index b342079968..0b2232b01c 100644 +index 383c5bc411..d1b00e8454 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -209,6 +209,11 @@ extern "C" { @@ -281,10 +281,10 @@ index 6127cb7a4b..19420d6c6a 100644 char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 4c7b62e142..7af3f29cd8 100644 +index 9696a4c55f..4bd3318407 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c -@@ -679,7 +679,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) +@@ -686,7 +686,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), @@ -293,7 +293,7 @@ index 4c7b62e142..7af3f29cd8 100644 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -4099,7 +4099,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, +@@ -4136,7 +4136,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, @@ -317,5 +317,5 @@ index c46e431b00..19d05e860b 100644 ADD_TEST(test_default_cipherlist_clear); ADD_TEST(test_stdname_cipherlist); -- -2.49.0 +2.50.0 diff --git a/0007-RH-Add-FIPS_mode-compatibility-macro.patch b/0007-RH-Add-FIPS_mode-compatibility-macro.patch index 508a756..0be56b9 100644 --- a/0007-RH-Add-FIPS_mode-compatibility-macro.patch 
+++ b/0007-RH-Add-FIPS_mode-compatibility-macro.patch @@ -1,7 +1,7 @@ -From 6778626185fb566b9b89f548ff18f481c10ce808 Mon Sep 17 00:00:00 2001 +From 6a1b39542597be9a28f94dad23a8e93285368653 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 07/58] RH: Add FIPS_mode compatibility macro +Subject: [PATCH 07/53] RH: Add FIPS_mode compatibility macro Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch Patch-id: 8 @@ -79,5 +79,5 @@ index 18f8cc8740..6864b1a3c1 100644 return 1; } -- -2.49.0 +2.50.0 diff --git a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch index c4768a5..06bdbce 100644 --- a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch +++ b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch @@ -1,7 +1,7 @@ -From 9df43c7443d85c5685f87c132de448a7c4e652b5 Mon Sep 17 00:00:00 2001 +From 15d44a4f1365532f8ebdf24a69c9da7220d5c704 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 08/58] RH: Add Kernel FIPS mode flag support - FIXSTYLE +Subject: [PATCH 08/53] RH: Add Kernel FIPS mode flag support - FIXSTYLE Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch Patch-id: 9 @@ -74,10 +74,10 @@ index f15bc3d755..614c8a2c88 100644 goto err; diff --git a/include/internal/provider.h b/include/internal/provider.h -index 6909a1919c..9d2e355251 100644 +index 7d94346155..c0f1d00da9 100644 --- a/include/internal/provider.h +++ b/include/internal/provider.h -@@ -111,6 +111,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, +@@ -114,6 +114,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, const OSSL_DISPATCH *in); void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); @@ -88,5 +88,5 @@ index 6909a1919c..9d2e355251 100644 } # endif -- -2.49.0 +2.50.0 
diff --git a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch index 80ec2c4..ba1900c 100644 --- a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch +++ b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch @@ -1,7 +1,7 @@ -From f9d74e58291461804defa0e2de9635aad76e5d57 Mon Sep 17 00:00:00 2001 +From 68174cf923fbaaa95469e433c29992cd63f24f99 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 09/58] RH: Drop weak curve definitions - RENAMED/SQUASHED +Subject: [PATCH 09/53] RH: Drop weak curve definitions - RENAMED/SQUASHED Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch Patch-id: 10 @@ -28,7 +28,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce 8 files changed, 10 insertions(+), 1157 deletions(-) diff --git a/apps/speed.c b/apps/speed.c -index f52f2c839d..1edf9b8485 100644 +index 6c1eb59e91..3307a9cb46 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -405,7 +405,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ @@ -1161,7 +1161,7 @@ index 63fe319025..06b5c0aac5 100644 {NID_secp224r1, NID_sha224, "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" diff --git a/test/ectest.c b/test/ectest.c -index 70df89ee2f..0ddbba3b98 100644 +index e1cb59d58d..b852381924 100644 --- a/test/ectest.c +++ b/test/ectest.c @@ -175,184 +175,26 @@ static int prime_field_tests(void) @@ -1356,7 +1356,7 @@ index 70df89ee2f..0ddbba3b98 100644 "FFFFFFFF000000000000000000000001")) || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" -@@ -3128,7 +2970,7 @@ int setup_tests(void) +@@ -3130,7 +2972,7 @@ int setup_tests(void) ADD_TEST(parameter_test); ADD_TEST(ossl_parameter_test); @@ -1425,5 +1425,5 @@ index e6a2c9eb59..861c01e177 100644 Ctrl = key-check:0 +Result = KEYGEN_GENERATE_ERROR -- -2.49.0 +2.50.0 
diff --git a/0010-RH-Disable-explicit-ec-curves.patch b/0010-RH-Disable-explicit-ec-curves.patch index af0fcdc..a39a9df 100644 --- a/0010-RH-Disable-explicit-ec-curves.patch +++ b/0010-RH-Disable-explicit-ec-curves.patch @@ -1,7 +1,7 @@ -From 27fc7dc53e31b3dcd7ff3df40db1060d7a72f126 Mon Sep 17 00:00:00 2001 +From 6a2b78bca595435fcbf72d7b2c8bec004d555016 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 10/58] RH: Disable explicit ec curves +Subject: [PATCH 10/53] RH: Disable explicit ec curves Patch-name: 0012-Disable-explicit-ec.patch Patch-id: 12 @@ -80,7 +80,7 @@ index b55677fb1f..1df40018ac 100644 EC_GROUP_free(group); group = named_group; diff --git a/test/ectest.c b/test/ectest.c -index 0ddbba3b98..f736d13feb 100644 +index b852381924..6eac5de4fa 100644 --- a/test/ectest.c +++ b/test/ectest.c @@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, @@ -134,7 +134,7 @@ index 0ddbba3b98..f736d13feb 100644 /* Both sides should expect the same shared secret */ if (!TEST_mem_eq(buf1, sslen, buf2, t)) goto err; -@@ -2892,7 +2894,7 @@ static int custom_params_test(int id) +@@ -2893,7 +2895,7 @@ static int custom_params_test(int id) /* compare with previous result */ || !TEST_mem_eq(buf1, t, buf2, sslen)) goto err; @@ -240,5 +240,5 @@ index 54b143bead..06ec905be0 100644 -----BEGIN PRIVATE KEY----- MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K -- -2.49.0 +2.50.0 diff --git a/0011-RH-skipped-tests-EC-curves.patch b/0011-RH-skipped-tests-EC-curves.patch index 39ac428..d879679 100644 --- a/0011-RH-skipped-tests-EC-curves.patch +++ b/0011-RH-skipped-tests-EC-curves.patch @@ -1,7 +1,7 @@ -From 2c8e302b4a2f9c4eeec718d2a9d5cef655c28153 Mon Sep 17 00:00:00 2001 +From 60e56b8d5d031a7169aa4ad07b13bca15faf345b Mon Sep 17 00:00:00 2001 
From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 11/58] RH: skipped tests EC curves +Subject: [PATCH 11/53] RH: skipped tests EC curves Patch-name: 0013-skipped-tests-EC-curves.patch Patch-id: 13 @@ -78,5 +78,5 @@ index f722800e27..26a01786bb 100644 my @basic_cmd = ("cmp_vfy_test", data_file("server.crt"), data_file("client.crt"), -- -2.49.0 +2.50.0 diff --git a/0012-RH-skip-quic-pairwise.patch b/0012-RH-skip-quic-pairwise.patch index ae9b19e..3906238 100644 --- a/0012-RH-skip-quic-pairwise.patch +++ b/0012-RH-skip-quic-pairwise.patch @@ -1,7 +1,7 @@ -From e87e9fbc6bcf90d43f6e09f7de46f1805e3e6674 Mon Sep 17 00:00:00 2001 +From e15f0731f753c279a555c6d5d588dbac8dd3f1e4 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Thu, 7 Mar 2024 17:37:09 +0100 -Subject: [PATCH 12/58] RH: skip quic pairwise +Subject: [PATCH 12/53] RH: skip quic pairwise Patch-name: 0115-skip-quic-pairwise.patch Patch-id: 115 @@ -14,10 +14,10 @@ Patch-status: | 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/test/quicapitest.c b/test/quicapitest.c -index 38dd42c184..b2e18522ab 100644 +index b98a940553..3d946ae93c 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c -@@ -2761,7 +2761,9 @@ int setup_tests(void) +@@ -2937,7 +2937,9 @@ int setup_tests(void) ADD_TEST(test_cipher_find); ADD_TEST(test_version); #if defined(DO_SSL_TRACE_TEST) @@ -41,7 +41,7 @@ index 222b1886ae..7e2f65cccb 100644 note "Duplicates:"; note join('\n', @duplicates); diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t -index a101a26fb1..43e5396766 100644 +index eaf0dbbb42..21864ad319 100644 --- a/test/recipes/30-test_pairwise_fail.t +++ b/test/recipes/30-test_pairwise_fail.t @@ -9,7 +9,7 @@ @@ -82,5 +82,5 @@ index a101a26fb1..43e5396766 100644 "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])), "fips provider dsa keygen pairwise failure test"); -- -2.49.0 +2.50.0 
diff --git a/0013-RH-version-aliasing.patch b/0013-RH-version-aliasing.patch index 595ad14..3ee4695 100644 --- a/0013-RH-version-aliasing.patch +++ b/0013-RH-version-aliasing.patch @@ -1,7 +1,7 @@ -From c63c81754bcf4bf3aeb4049fc5952368764fb303 Mon Sep 17 00:00:00 2001 +From 293b5d1bca91e400a9042cc181d17b7facbed71c Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:17 +0100 -Subject: [PATCH 13/58] RH: version aliasing +Subject: [PATCH 13/53] RH: version aliasing Patch-name: 0116-version-aliasing.patch Patch-id: 116 @@ -79,5 +79,5 @@ index ceb4948839..eab3987a6b 100644 BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION: BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION: -- -2.49.0 +2.50.0 diff --git a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch index 006fdbd..8937c02 100644 --- a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch +++ b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch @@ -1,7 +1,7 @@ -From eeaa8125102427cedfda9a1d5bd663956acd8d63 Mon Sep 17 00:00:00 2001 +From f267ed139ac29efc6d464827024eafb805f06ea2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 13 Feb 2025 16:09:09 -0500 -Subject: [PATCH 14/58] RH: Export two symbols for OPENSSL_str[n]casecmp +Subject: [PATCH 14/53] RH: Export two symbols for OPENSSL_str[n]casecmp We accidentally exported the symbols with the incorrect verison number in an early version of RHEL-9 so we need to keep the wrong symbols for @@ -104,5 +104,5 @@ index eab3987a6b..d377d542db 100644 RAND_set0_public 5559 3_1_0 EXIST::FUNCTION: RAND_set0_private 5560 3_1_0 EXIST::FUNCTION: -- -2.49.0 +2.50.0 diff --git a/0015-RH-TMP-KTLS-test-skip.patch b/0015-RH-TMP-KTLS-test-skip.patch index 645280f..58dfd80 100644 --- a/0015-RH-TMP-KTLS-test-skip.patch +++ b/0015-RH-TMP-KTLS-test-skip.patch 
@@ -1,7 +1,7 @@ -From 601c308871191a17620ade34a9edcb8afe969c8d Mon Sep 17 00:00:00 2001 +From 4badd5b30b1caec6c4fd3875cd4c5313ba6095b1 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 13 Feb 2025 18:11:19 -0500 -Subject: [PATCH 15/58] RH: TMP KTLS test skip +Subject: [PATCH 15/53] RH: TMP KTLS test skip From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9 --- @@ -9,7 +9,7 @@ From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test/sslapitest.c b/test/sslapitest.c -index 38d58e9387..39118a9162 100644 +index b83dd6c552..250a439137 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1023,9 +1023,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth, @@ -26,5 +26,5 @@ index 38d58e9387..39118a9162 100644 static int ping_pong_query(SSL *clientssl, SSL *serverssl) -- -2.49.0 +2.50.0 diff --git a/0016-RH-Allow-disabling-of-SHA1-signatures.patch b/0016-RH-Allow-disabling-of-SHA1-signatures.patch index 52ed1bd..fedd85d 100644 --- a/0016-RH-Allow-disabling-of-SHA1-signatures.patch +++ b/0016-RH-Allow-disabling-of-SHA1-signatures.patch @@ -1,7 +1,7 @@ -From 84c7c05d38e96d003df43527e4e6abc6dbae2683 Mon Sep 17 00:00:00 2001 +From 3e6196d5791ce3443f54a379a5fd679c1066c76a Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 21 Aug 2023 13:07:07 +0200 -Subject: [PATCH 16/58] RH: Allow disabling of SHA1 signatures +Subject: [PATCH 16/53] RH: Allow disabling of SHA1 signatures Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch Patch-id: 49 @@ -11,7 +11,7 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd --- crypto/context.c | 70 +++++++++++++++++++ crypto/evp/evp_cnf.c | 13 ++++ - crypto/evp/m_sigver.c | 13 ++++ + crypto/evp/m_sigver.c | 14 ++++ crypto/evp/pmeth_lib.c | 15 ++++ doc/man5/config.pod | 13 ++++ include/crypto/context.h | 8 +++ 
@@ -25,7 +25,7 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd providers/implementations/signature/rsa_sig.c | 14 +++- ssl/t1_lib.c | 8 +++ util/libcrypto.num | 2 + - 16 files changed, 182 insertions(+), 7 deletions(-) + 16 files changed, 183 insertions(+), 7 deletions(-) diff --git a/crypto/context.c b/crypto/context.c index 614c8a2c88..323615e300 100644 @@ -172,7 +172,7 @@ index 0e7fe64cf9..b9d3b6d226 100644 ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, "name=%s, value=%s", oval->name, oval->value); diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index 2d1839fedb..6e4685ecc0 100644 +index d5df497da7..53044238a1 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -15,6 +15,7 @@ @@ -183,10 +183,11 @@ index 2d1839fedb..6e4685ecc0 100644 static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) { -@@ -251,6 +252,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - } +@@ -253,6 +254,19 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, } + desc = signature->description != NULL ? signature->description : ""; ++ + if (ctx->reqdigest != NULL + && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) + && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) @@ -201,9 +202,9 @@ index 2d1839fedb..6e4685ecc0 100644 + if (ver) { if (signature->digest_verify_init == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED, diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 665cafbc21..84fb95d4ca 100644 +index 08c0d6a7b2..b936ad4447 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -33,6 +33,7 @@ @@ -214,7 +215,7 @@ index 665cafbc21..84fb95d4ca 100644 #include "evp_local.h" #ifndef FIPS_MODULE -@@ -954,6 +955,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, +@@ -963,6 +964,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, return -2; } 
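Review bot: The SHA-1 gate re-added to `do_sigver_init` in the `crypto/evp/m_sigver.c` hunk (`@@ -183,10 +183,11 @@`) carries no comment explaining its exemptions or its placement. The visible condition skips keys of type `SN_hmac` and `SN_tls1_prf`, presumably because those reach this path as MAC/KDF operations rather than signatures. After the rebase the block sits after the `desc` assignment and ahead of the `if (ver)` branch, so it appears to apply to both signing and verification. A short comment above the `if`, such as `/* RH: reject legacy digests for real signatures only; MAC/KDF pkey types are exempt */`, would make the intended placement and exemptions explicit for the next rebase. The rest of the condition and the function body lie outside the lines shown here.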
@@ -435,7 +436,7 @@ index e75b90840b..645304b951 100644 if (pmgf1mdname != NULL && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 8d0c2647b7..f6117a1fc5 100644 +index 2f71f95438..bea5cab253 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -21,6 +21,7 @@ @@ -446,7 +447,7 @@ index 8d0c2647b7..f6117a1fc5 100644 #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/tlsgroups.h" -@@ -2176,6 +2177,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) +@@ -2178,6 +2179,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) EVP_PKEY *tmpkey = EVP_PKEY_new(); int istls; int ret = 0; @@ -454,7 +455,7 @@ index 8d0c2647b7..f6117a1fc5 100644 if (ctx == NULL) goto err; -@@ -2193,6 +2195,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) +@@ -2195,6 +2197,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) goto err; ERR_set_mark(); @@ -462,7 +463,7 @@ index 8d0c2647b7..f6117a1fc5 100644 /* First fill cache and tls12_sigalgs list from legacy algorithm list */ for (i = 0, lu = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { -@@ -2213,6 +2216,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) +@@ -2215,6 +2218,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) cache[i].available = 0; continue; } @@ -485,5 +486,5 @@ index d377d542db..c2c55129ae 100644 +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: -- -2.49.0 +2.50.0 diff --git a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch index 18010e2..77ab57a 100644 --- a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch +++ b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch @@ -1,7 +1,7 @@ -From 16fdb39036e7e8438c5b97359818cd9bc472196f Mon Sep 17 00:00:00 2001 +From 7b1b68328f640d184d6ac769a07aa436b0c3f318 Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Fri, 7 Mar 2025 18:12:33 -0500 -Subject: [PATCH 17/58] FIPS: Red Hat's FIPS module name and version +Subject: [PATCH 17/53] FIPS: Red Hat's FIPS module name and version Signed-off-by: Simo Sorce --- @@ -9,10 +9,10 @@ Signed-off-by: Simo Sorce 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index 373cd1c2e4..aa1ab85470 100644 +index 4b9a057462..1e90f363af 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c -@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) +@@ -200,13 +200,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) OSSL_LIB_CTX_FIPS_PROV_INDEX); p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); @@ -30,5 +30,5 @@ index 373cd1c2e4..aa1ab85470 100644 p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) -- -2.49.0 +2.50.0 diff --git a/0018-FIPS-disable-fipsinstall.patch b/0018-FIPS-disable-fipsinstall.patch index 3079823..69d078f 100644 --- a/0018-FIPS-disable-fipsinstall.patch +++ b/0018-FIPS-disable-fipsinstall.patch @@ -1,7 +1,7 @@ -From f40c27149fd5bb1864d069b3d116ffd88cca5f2f Mon Sep 17 00:00:00 2001 +From 4e6b86b5130552bfee64c7ecaf045ec00749ecbd Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 18/58] FIPS: disable fipsinstall +Subject: [PATCH 18/53] FIPS: disable fipsinstall Patch-name: 0034.fipsinstall_disable.patch Patch-id: 34 @@ -800,10 +800,10 @@ index a25ced3383..15748c5756 100644 =head1 COPYRIGHT diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod -index 20d35fada8..f8f219d647 100644 +index 571a1e99e0..1e384a4ff3 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod -@@ -575,7 +575,6 @@ want to operate in a FIPS approved manner. The algorithms are: +@@ -588,7 +588,6 @@ process. =head1 SEE ALSO 
@@ -866,5 +866,5 @@ index 1f9110ef60..7e80637bd5 # Compatible options for pedantic FIPS compliance -- -2.49.0 +2.50.0 diff --git a/0019-FIPS-Force-fips-provider-on.patch b/0019-FIPS-Force-fips-provider-on.patch index 6bcd040..a931116 100644 --- a/0019-FIPS-Force-fips-provider-on.patch +++ b/0019-FIPS-Force-fips-provider-on.patch @@ -1,7 +1,7 @@ -From ad031aa2b8ec4042b0081f4179b8a05131bd52df Mon Sep 17 00:00:00 2001 +From a8e98667597d46e69e492779b9d5daa051f6b3b3 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 19/58] FIPS: Force fips provider on +Subject: [PATCH 19/53] FIPS: Force fips provider on Patch-name: 0032-Force-fips.patch Patch-id: 32 @@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c -index 5ec50f97e4..a2a9786e1c 100644 +index 9649517dd2..1e5053cbce 100644 --- a/crypto/provider_conf.c +++ b/crypto/provider_conf.c @@ -10,6 +10,8 @@ @@ -75,5 +75,5 @@ index 5ec50f97e4..a2a9786e1c 100644 } -- -2.49.0 +2.50.0 diff --git a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch index 528588e..ecb98c7 100644 --- a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch +++ b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch @@ -1,7 +1,7 @@ -From ee1a3977388a9ec10aa4998beb67d8e3b4bfdd9e Mon Sep 17 00:00:00 2001 +From fff4084252d07eb17e3b944c6438c00aec471c7f Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 20/58] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE +Subject: [PATCH 20/53] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE Corrected by squashing in: 0052-Restore-the-correct-verify_integrity-function.patch @@ -261,5 +261,5 @@ index 0000000000..f05d0dedbe +[fips_sect] +activate = 1 -- -2.49.0 +2.50.0 
diff --git a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch index 2931295..cce845d 100644 --- a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch +++ b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch @@ -1,7 +1,7 @@ -From c202200bda962300ebc7d19e62ea0df734488c0c Mon Sep 17 00:00:00 2001 +From 9633d1339e383fdb008c25635baa86c58b3dcdc4 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 20 Feb 2025 15:30:32 -0500 -Subject: [PATCH 21/58] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so +Subject: [PATCH 21/53] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so This script rewrites the fips.so binary to embed the hmac result into it so that after a build it can be called to make the fips.so as modified @@ -28,5 +28,5 @@ index 0000000000..54ae60b07f +objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac +mv providers/fips.so.mac providers/fips.so -- -2.49.0 +2.50.0 diff --git a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch index fafbff9..a66c84a 100644 --- a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch +++ b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch @@ -1,7 +1,7 @@ -From d0ad196c07d223cbb1dd2419b1ec0b0e4458febb Mon Sep 17 00:00:00 2001 +From 391ce06974d5efaf8485ac2386a857d7644db30a Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 22/58] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW +Subject: [PATCH 22/53] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW Patch-name: 0047-FIPS-early-KATS.patch Patch-id: 47 @@ -45,5 +45,5 @@ index 8b17b8ca94..0f5074936f 100644 rng = ossl_rand_get0_private_noncreating(st->libctx); if (rng != NULL) -- -2.49.0 +2.50.0 diff --git a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch index 1a38677..1ae9587 100644 
--- a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch +++ b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch @@ -1,7 +1,7 @@ -From 19617bb4a510d73e5080d026d22b06b637a6ad1a Mon Sep 17 00:00:00 2001 +From 821f291d29bf73802287ed74922e1d22d840cb46 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 23/58] FIPS: RSA: encrypt limits - REVIEW +Subject: [PATCH 23/53] FIPS: RSA: encrypt limits - REVIEW Patch-name: 0058-FIPS-limit-rsa-encrypt.patch Patch-id: 58 @@ -981,5 +981,5 @@ index f7be2e1872..568a1ddba4 } next if $protocol eq "-tls1_3"; -- -2.49.0 +2.50.0 diff --git a/0024-FIPS-RSA-PCTs.patch b/0024-FIPS-RSA-PCTs.patch index bbc2ec7..8f0c1a2 100644 --- a/0024-FIPS-RSA-PCTs.patch +++ b/0024-FIPS-RSA-PCTs.patch @@ -1,7 +1,7 @@ -From 7cb38d617ceb819a58ac14b266787ad3d71f6206 Mon Sep 17 00:00:00 2001 +From 84dc66a182dba38876b2b519a8a5c9d38fd967a3 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 24 Mar 2025 10:50:37 -0400 -Subject: [PATCH 24/58] FIPS: RSA: PCTs +Subject: [PATCH 24/53] FIPS: RSA: PCTs Signed-off-by: Simo Sorce --- @@ -153,5 +153,5 @@ index 645304b951..3d5af1046a 100644 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, -- -2.49.0 +2.50.0 diff --git a/0025-FIPS-RSA-encapsulate-limits.patch b/0025-FIPS-RSA-encapsulate-limits.patch index 18d5e4c..06591da 100644 --- a/0025-FIPS-RSA-encapsulate-limits.patch +++ b/0025-FIPS-RSA-encapsulate-limits.patch @@ -1,7 +1,7 @@ -From 158637448165abbde8d4b0c24bf4344744b79adc Mon Sep 17 00:00:00 2001 +From 0e23d3fc43bf4ace817542443d772407a809dd19 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:17 +0100 -Subject: [PATCH 25/58] FIPS: RSA: encapsulate limits +Subject: [PATCH 25/53] FIPS: RSA: encapsulate limits Patch-name: 0091-FIPS-RSA-encapsulate.patch Patch-id: 91 @@ -55,5 +55,5 @@ index ecab1454e7..8e5edd35fe 100644 Op = RSASVE +Result = TEST_ENCAPSULATE_LEN_ERROR -- -2.49.0 +2.50.0 
diff --git a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch index 00513c7..9a592fa 100644 --- a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch +++ b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch @@ -1,7 +1,7 @@ -From 9595ceef9fe9a45fca1f970706077712dbb9287f Mon Sep 17 00:00:00 2001 +From bb269a8f52e1be87144247772e2425b2f4911bee Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:17 +0100 -Subject: [PATCH 26/58] FIPS: RSA: Disallow SHAKE in OAEP and PSS +Subject: [PATCH 26/53] FIPS: RSA: Disallow SHAKE in OAEP and PSS According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms must not be used in higher-level algorithms (such as RSA-OAEP and @@ -93,5 +93,5 @@ index a2bc198a89..2833ca50f3 100644 if (hLen <= 0) goto err; -- -2.49.0 +2.50.0 diff --git a/0027-FIPS-RSA-size-mode-restrictions.patch b/0027-FIPS-RSA-size-mode-restrictions.patch index 8a572a7..ca83feb 100644 --- a/0027-FIPS-RSA-size-mode-restrictions.patch +++ b/0027-FIPS-RSA-size-mode-restrictions.patch @@ -1,7 +1,7 @@ -From 47cf5bdab3a46ecffd3100330781e6c297e83d66 Mon Sep 17 00:00:00 2001 +From f177c315c190537fe6a1bb0620024ae86bb95c8a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 7 Mar 2025 18:20:30 -0500 -Subject: [PATCH 27/58] FIPS: RSA: size/mode restrictions +Subject: [PATCH 27/53] FIPS: RSA: size/mode restrictions Signed-off-by: Simo Sorce --- @@ -437,5 +437,5 @@ index 17ceb59148..972e90f32f 100644 # Signing with SHA1 is not allowed in fips mode Availablein = fips -- -2.49.0 +2.50.0 diff --git a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch index 07fe304..068dc29 100644 --- a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch +++ b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch 
@@ -1,7 +1,7 @@ -From ae1fcbd1129fc53d4ac72148696efd126e574453 Mon Sep 17 00:00:00 2001 +From bc8584fab56834724a8aa70aba1c1f56f1d794e2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 24 Mar 2025 11:03:45 -0400 -Subject: [PATCH 28/58] FIPS: RSA: Mark x931 as not approved by default +Subject: [PATCH 28/53] FIPS: RSA: Mark x931 as not approved by default Signed-off-by: Simo Sorce --- @@ -22,5 +22,5 @@ index 6bd783eb0a..c1b029de86 100644 OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0) OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0) -- -2.49.0 +2.50.0 diff --git a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch index d6de25f..40a7f4c 100644 --- a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch +++ b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch @@ -1,7 +1,7 @@ -From 4ce72cfe8d1e0b37e882766b449af109d9e7c3f8 Mon Sep 17 00:00:00 2001 +From 7a34ce0dbb64dd29e412dffb0628815eed4a8b96 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:16 +0100 -Subject: [PATCH 29/58] FIPS: RSA: Remove X9.31 padding signatures tests +Subject: [PATCH 29/53] FIPS: RSA: Remove X9.31 padding signatures tests The current draft of FIPS 186-5 [1] no longer contains specifications for X9.31 signature padding. Instead, it contains the following @@ -278,5 +278,5 @@ index 97ec1ff3e5..31fa0eafc6 100644 "pss", 4096, -- -2.49.0 +2.50.0 diff --git a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch index f89bbfb..eac058b 100644 --- a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch +++ b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch @@ -1,7 +1,7 @@ -From 3a9f2ccf8120cbf5b854a403926dce2d772f5f78 Mon Sep 17 00:00:00 2001 +From c031855ff636806e7811513779e494b92808a1e4 Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Wed, 12 Feb 2025 17:12:02 -0500 -Subject: [PATCH 30/58] FIPS: RSA: NEEDS-REWORK: +Subject: [PATCH 30/53] FIPS: RSA: NEEDS-REWORK: FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed Signed-off-by: Simo Sorce @@ -383,5 +383,5 @@ index 0000000000..2833a383c1 +-- + -- -2.49.0 +2.50.0 diff --git a/0031-FIPS-Deny-SHA-1-signature-verification.patch b/0031-FIPS-Deny-SHA-1-signature-verification.patch index 0adf37a..97b612a 100644 --- a/0031-FIPS-Deny-SHA-1-signature-verification.patch +++ b/0031-FIPS-Deny-SHA-1-signature-verification.patch @@ -1,7 +1,7 @@ -From 9b198c3634fd3871dd535389e7b7c2379f6934fb Mon Sep 17 00:00:00 2001 +From 5fd8ab23690e661f785336b95799e74b39089790 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 31/58] FIPS: Deny SHA-1 signature verification +Subject: [PATCH 31/53] FIPS: Deny SHA-1 signature verification For RHEL, we already disable SHA-1 signatures by default in the default provider, so it is unexpected that the FIPS provider would have a more @@ -704,5 +704,5 @@ index 568a1ddba4..6332aaec4b 100755 SKIP: { skip "No IPv4 available on this machine", 4 -- -2.49.0 +2.50.0 diff --git a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch index a20b46e..5430a7a 100644 --- a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch +++ b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch @@ -1,7 +1,7 @@ -From 39c7eb2e82b9df4ffe58d8e05fbdb9115dde50cc Mon Sep 17 00:00:00 2001 +From 85acc91ca970f6509e67c93b46be12cf261bd3ad Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:16 +0100 -Subject: [PATCH 32/58] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW +Subject: [PATCH 32/53] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW providers/implementations/rands/crngt.c is gone 
@@ -14,9 +14,8 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- crypto/rand/prov_seed.c | 9 ++- providers/implementations/rands/drbg.c | 11 ++- - providers/implementations/rands/drbg_local.h | 2 +- .../implementations/rands/seeding/rand_unix.c | 68 ++----------------- - 4 files changed, 23 insertions(+), 67 deletions(-) + 3 files changed, 22 insertions(+), 66 deletions(-) diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c index 2985c7f2d8..3202a28226 100644 @@ -68,19 +67,6 @@ index 4925a3b400..1cdb67b22c 100644 if (reseed_required || prediction_resistance) { if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL, -diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h -index e591e0b3d1..c7cafba1ea 100644 ---- a/providers/implementations/rands/drbg_local.h -+++ b/providers/implementations/rands/drbg_local.h -@@ -39,7 +39,7 @@ - * - * The value is in bytes. - */ --#define CRNGT_BUFSIZ 16 -+#define CRNGT_BUFSIZ 32 - - /* - * Maximum input size for the DRBG (entropy, nonce, personalization string) diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c index c3a5d8b3bf..b7b34a9345 100644 --- a/providers/implementations/rands/seeding/rand_unix.c @@ -168,5 +154,5 @@ index c3a5d8b3bf..b7b34a9345 100644 # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ -- -2.49.0 +2.50.0 diff --git a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch index fa87558..86a363b 100644 --- a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch +++ b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch @@ -1,7 +1,7 @@ -From 92c90300747de60df2e805b9fe78fa016f5fd49e Mon Sep 17 00:00:00 2001 +From d2369dfc75e2b121650bc51f5ac3e0e7c9b75a29 Mon Sep 17 00:00:00 2001 
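Review bot: The description of the rebased 0032 patch does not record why its `providers/implementations/rands/drbg_local.h` hunk (the `CRNGT_BUFSIZ` 16 to 32 change) was dropped. The diffstat goes from 4 files to 3 and the subject still carries NEEDS REVIEW. From this diff alone it is not possible to tell whether the 3.5.1 tree no longer has the macro or whether the downstream value was deliberately abandoned. The constant is documented as a size in bytes in the RNG provider headers, so whoever signs off on the FIPS DRBG changes needs that decision written down. I would add a line next to the existing `providers/implementations/rands/crngt.c is gone` remark, for example `drbg_local.h: CRNGT_BUFSIZ 16->32 hunk dropped in the 3.5.1 rebase (<reason>)`.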
From: rpm-build Date: Wed, 6 Mar 2024 19:17:16 +0100 -Subject: [PATCH 33/58] FIPS: RAND: Forbid truncated hashes & SHA-3 +Subject: [PATCH 33/53] FIPS: RAND: Forbid truncated hashes & SHA-3 Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs" of the Implementation Guidance for FIPS 140-3 [1] notes that there is no @@ -1191,5 +1191,5 @@ index 9756859c0e..9baecf6f31 100644 +#Nonce.0 = 15e32abbae6b7433 +#Output.0 = ee9f -- -2.49.0 +2.50.0 diff --git a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch index 2aa30cc..936afd1 100644 --- a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch +++ b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch @@ -1,7 +1,7 @@ -From 5d5521b81a6714c88438e4f1fb0cf30096a0b0b6 Mon Sep 17 00:00:00 2001 +From 1a83f0de8b9aaa1cf5727f0599b089346ffd89f4 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:17 +0100 -Subject: [PATCH 34/58] FIPS: PBKDF2: Set minimum password length +Subject: [PATCH 34/53] FIPS: PBKDF2: Set minimum password length MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -117,5 +117,5 @@ index b383314064..68f9355b7d 100644 if (!passed) { ERR_raise(ERR_LIB_PROV, error); -- -2.49.0 +2.50.0 diff --git a/0035-FIPS-DH-PCT.patch b/0035-FIPS-DH-PCT.patch index a22cfa9..e7ab885 100644 --- a/0035-FIPS-DH-PCT.patch +++ b/0035-FIPS-DH-PCT.patch @@ -1,7 +1,7 @@ -From 1f54210f4e4de1f2143d02f6d0b56cc388b617cd Mon Sep 17 00:00:00 2001 +From 5276208d8cb9a1504ec5a4f9a9d554daf7918731 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 24 Mar 2025 10:49:00 -0400 -Subject: [PATCH 35/58] FIPS: DH: PCT +Subject: [PATCH 35/53] FIPS: DH: PCT Signed-off-by: Simo Sorce --- @@ -69,5 +69,5 @@ index 7132b9b68e..189bfc3e8b 100644 ok = 1; err: -- -2.49.0 +2.50.0 diff --git a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch index 0b2dd30..191985f 100644 
--- a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch +++ b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch @@ -1,7 +1,7 @@ -From 863cb10f0add28b1d82ec3042d2e7b418169b48a Mon Sep 17 00:00:00 2001 +From ad3ca70961e0067afd8c8b386fdcc61a576ac11b Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:17 +0100 -Subject: [PATCH 36/58] FIPS: DH: Disable FIPS 186-4 type parameters +Subject: [PATCH 36/53] FIPS: DH: Disable FIPS 186-4 type parameters For DH parameter and key pair generation/verification, the DSA procedures specified in FIPS 186-4 are used. With the release of FIPS @@ -156,7 +156,7 @@ index 189bfc3e8b..023d628502 100644 } diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c -index c11ada9826..e279e9d60d 100644 +index 3b75a537b3..6ea7a423d5 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, @@ -326,5 +326,5 @@ index 6332aaec4b..4d8c900c00 100755 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); } -- -2.49.0 +2.50.0 diff --git a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch index 8c0e545..ebeba13 100644 --- a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch +++ b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch @@ -1,7 +1,7 @@ -From 900d90fa1e34bfbbfcc91face57680c0424f2014 Mon Sep 17 00:00:00 2001 +From 14cddfc71e0eae69aafdf84c1dfb073bb69942f1 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:17 +0100 -Subject: [PATCH 37/58] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE +Subject: [PATCH 37/53] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code change the option to enforce it seem to be available only in FIPS build @@ -25,7 +25,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce 9 files changed, 46 insertions(+), 5 deletions(-) 
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod -index e2c1e69847..009b683b27 100644 +index 9338ffc01d..911ea21a68 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -621,6 +621,9 @@ B: use extended master secret extension, enabled by @@ -63,7 +63,7 @@ index 15748c5756..34cbfbb2ad 100644 Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in -index 0b2232b01c..99b2ad4eb3 100644 +index d1b00e8454..b815f25dae 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); @@ -175,7 +175,7 @@ index 50944328cb..edb2e81273 100644 KDF = TLS1-PRF Ctrl.digest = digest:SHA256 diff --git a/test/sslapitest.c b/test/sslapitest.c -index 39118a9162..9522478ad2 100644 +index 250a439137..acc4751095 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void) @@ -188,5 +188,5 @@ index 39118a9162..9522478ad2 100644 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, -- -2.49.0 +2.50.0 diff --git a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch index 3e93713..3b9b627 100644 --- a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch +++ b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch @@ -1,7 +1,7 @@ -From a227572868569ba87b9aef722a8d981ad5feb11b Mon Sep 17 00:00:00 2001 +From ecc156faf9f4d65fd73a8ef7d8ec87f5b4c0ab88 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 13 Feb 2025 18:08:34 -0500 -Subject: [PATCH 38/58] FIPS: CMS: Set default padding to OAEP +Subject: [PATCH 38/53] FIPS: CMS: Set default padding to OAEP From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe --- @@ -57,5 +57,5 @@ index 375239c78d..e09ad03ece 100644 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0) -- -2.49.0 +2.50.0 
diff --git a/0039-FIPS-PKCS12-PBMAC1-defaults.patch b/0039-FIPS-PKCS12-PBMAC1-defaults.patch index 5d7be3e..b26bfaf 100644 --- a/0039-FIPS-PKCS12-PBMAC1-defaults.patch +++ b/0039-FIPS-PKCS12-PBMAC1-defaults.patch @@ -1,7 +1,7 @@ -From 6ca4910fa964f135e5a18b31502bddef3aef1304 Mon Sep 17 00:00:00 2001 +From 16b5a03db729e5977ab88b3107f99586be34006b Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 13 Feb 2025 18:16:29 -0500 -Subject: [PATCH 39/58] FIPS: PKCS12: PBMAC1 defaults +Subject: [PATCH 39/53] FIPS: PKCS12: PBMAC1 defaults From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708 --- @@ -31,5 +31,5 @@ index 9964faf21a..59439a8cc0 100644 if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL, macsaltlen, maciter, -- -2.49.0 +2.50.0 diff --git a/0040-FIPS-Fix-encoder-decoder-negative-test.patch b/0040-FIPS-Fix-encoder-decoder-negative-test.patch index 762757c..e98b350 100644 --- a/0040-FIPS-Fix-encoder-decoder-negative-test.patch +++ b/0040-FIPS-Fix-encoder-decoder-negative-test.patch @@ -1,7 +1,7 @@ -From fe12acbd953da37dd25e8abca64582c9bdeadf3c Mon Sep 17 00:00:00 2001 +From eea9e6867012efa55d7ae48ab9a87fd0da382b6b Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 5 Mar 2025 13:22:03 -0500 -Subject: [PATCH 40/58] FIPS: Fix encoder/decoder negative test +Subject: [PATCH 40/53] FIPS: Fix encoder/decoder negative test Signed-off-by: Simo Sorce --- @@ -31,5 +31,5 @@ index 2acc980e90..660d4e1115 my $conf2 = srctop_file("test", "default-and-fips.cnf"); ok(run(test(['decoder_propq_test', '-config', $conf2, -- -2.49.0 +2.50.0 diff --git a/0041-FIPS-EC-DH-DSA-PCTs.patch b/0041-FIPS-EC-DH-DSA-PCTs.patch index 8770f3e..f5cdb07 100644 --- a/0041-FIPS-EC-DH-DSA-PCTs.patch +++ b/0041-FIPS-EC-DH-DSA-PCTs.patch @@ -1,7 +1,7 @@ -From a4fc741bd6e43b301121f01ef7c823a589faad39 Mon Sep 17 00:00:00 2001 +From 1e029f27fe022949adaba959ac3fa3c3c1eccb0b Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Mon, 24 Mar 2025 10:50:06 -0400 -Subject: [PATCH 41/58] FIPS: EC: DH/DSA PCTs +Subject: [PATCH 41/53] FIPS: EC: DH/DSA PCTs Signed-off-by: Simo Sorce --- @@ -176,5 +176,5 @@ index 4e46eaf9bc..4d7c25728a 100644 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, -- -2.49.0 +2.50.0 diff --git a/0042-FIPS-EC-disable-weak-curves.patch b/0042-FIPS-EC-disable-weak-curves.patch index 7d89757..f625b85 100644 --- a/0042-FIPS-EC-disable-weak-curves.patch +++ b/0042-FIPS-EC-disable-weak-curves.patch @@ -1,7 +1,7 @@ -From c3f3de074f9140dd8f5833f7fe3e751ac0838323 Mon Sep 17 00:00:00 2001 +From 92b40ca85bbfa7acc9b16f2c7b370f2ea5fa3ffc Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 7 Mar 2025 18:06:36 -0500 -Subject: [PATCH 42/58] FIPS: EC: disable weak curves +Subject: [PATCH 42/53] FIPS: EC: disable weak curves Signed-off-by: Simo Sorce --- @@ -27,5 +27,5 @@ index f0879dfb11..a6042e7d2a 100644 comment = "CURVE DESCRIPTION NOT AVAILABLE"; if (sname == NULL) -- -2.49.0 +2.50.0 diff --git a/0043-FIPS-NO-DSA-Support.patch b/0043-FIPS-NO-DSA-Support.patch index bf39c28..f58ff19 100644 --- a/0043-FIPS-NO-DSA-Support.patch +++ b/0043-FIPS-NO-DSA-Support.patch @@ -1,7 +1,7 @@ -From d923f8b4531718ede24814722a0c0f0f912dca7c Mon Sep 17 00:00:00 2001 +From 2dbc4a1c31e66fd841a87f62834d8d60aff10d45 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 7 Mar 2025 18:10:52 -0500 -Subject: [PATCH 43/58] FIPS: NO DSA Support +Subject: [PATCH 43/53] FIPS: NO DSA Support Signed-off-by: Simo Sorce --- @@ -18,10 +18,10 @@ Signed-off-by: Simo Sorce mode change 100644 => 100755 test/recipes/30-test_evp.t diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index aa1ab85470..7999744b5a 100644 +index 1e90f363af..84d8e897cc 100644 --- a/providers/fips/fipsprov.c 
+++ b/providers/fips/fipsprov.c -@@ -430,7 +430,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = { +@@ -431,7 +431,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = { }; static const OSSL_ALGORITHM fips_signature[] = { @@ -31,7 +31,7 @@ index aa1ab85470..7999744b5a 100644 { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, { PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions }, { PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions }, -@@ -560,8 +561,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { +@@ -561,8 +562,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { PROV_DESCS_DHX }, #endif #ifndef OPENSSL_NO_DSA @@ -396,5 +396,5 @@ index ece29485f4..756f90c1bd 100644 "-signer", $smrsa1, "-signer", catfile($smdir, "smrsa2.pem"), -- -2.49.0 +2.50.0 diff --git a/0044-FIPS-NO-DES-support.patch b/0044-FIPS-NO-DES-support.patch index 2e49a80..2f55859 100644 --- a/0044-FIPS-NO-DES-support.patch +++ b/0044-FIPS-NO-DES-support.patch @@ -1,7 +1,7 @@ -From ca860bb5c16d9a96afb32e025b54db76e5f8cfd3 Mon Sep 17 00:00:00 2001 +From 8774a96fde9355aa32c040c145e4f35d7c09a5bd Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 7 Mar 2025 18:15:13 -0500 -Subject: [PATCH 44/58] FIPS: NO DES support +Subject: [PATCH 44/53] FIPS: NO DES support Signed-off-by: Simo Sorce --- @@ -14,10 +14,10 @@ Signed-off-by: Simo Sorce 6 files changed, 14 insertions(+), 23 deletions(-) diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index 7999744b5a..30f0c8ca14 100644 +index 84d8e897cc..4b394c3e39 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c -@@ -354,7 +354,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { +@@ -355,7 +355,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { ossl_cipher_capable_aes_cbc_hmac_sha256), ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, ossl_cipher_capable_aes_cbc_hmac_sha256), 
@@ -80,7 +80,7 @@ index 2838f343bd..19dd2c6c63 100644 return 1; } diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt -index 1947e21f74..119b75d9ce 100644 +index 6c74b65cef..8bcb78cd2d 100644 --- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt +++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt @@ -14,7 +14,7 @@ @@ -132,7 +132,7 @@ index 1947e21f74..119b75d9ce 100644 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 # Test that DES3 ECB mode encryption is not FIPS approved --Availablein = fipss +-Availablein = fips -FIPSversion = >=3.4.0 +Availablein = none Cipher = DES-EDE3-ECB @@ -170,5 +170,5 @@ index 756f90c1bd..ac833d2a2f 100644 "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", "-stream", "-out", "{output}.cms" ], -- -2.49.0 +2.50.0 diff --git a/0045-FIPS-NO-Kmac.patch b/0045-FIPS-NO-Kmac.patch index bf948cf..89c3248 100644 --- a/0045-FIPS-NO-Kmac.patch +++ b/0045-FIPS-NO-Kmac.patch @@ -1,7 +1,7 @@ -From 3928272f2d86188ef8796c7d18b1ec7d617cae97 Mon Sep 17 00:00:00 2001 +From e466bb4e4fa16481cbf44b410933e6dceb8d27d9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 7 Mar 2025 18:22:07 -0500 -Subject: [PATCH 45/58] FIPS: NO Kmac +Subject: [PATCH 45/53] FIPS: NO Kmac Signed-off-by: Simo Sorce --- @@ -15,10 +15,10 @@ Signed-off-by: Simo Sorce 7 files changed, 40 insertions(+), 86 deletions(-) diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index 30f0c8ca14..00b7d1e2aa 100644 +index 4b394c3e39..8f00dfa0ef 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c -@@ -293,10 +293,11 @@ static const OSSL_ALGORITHM fips_digests[] = { +@@ -294,10 +294,11 @@ static const OSSL_ALGORITHM fips_digests[] = { * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for * KMAC128 and KMAC256. */ 
@@ -32,7 +32,7 @@ index 30f0c8ca14..00b7d1e2aa 100644 { NULL, NULL, NULL } }; -@@ -369,8 +370,9 @@ static const OSSL_ALGORITHM fips_macs[] = { +@@ -370,8 +371,9 @@ static const OSSL_ALGORITHM fips_macs[] = { #endif { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, @@ -422,5 +422,5 @@ index 831eecbac9..af92ceea98 100644 -Custom = "" -Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 -- -2.49.0 +2.50.0 diff --git a/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch b/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch similarity index 96% rename from 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch rename to 0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch index d593bc5..e7e10be 100644 --- a/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch +++ b/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch @@ -1,7 +1,7 @@ -From 50c0087bdd6c15e2c63c8324f35221fd45a10518 Mon Sep 17 00:00:00 2001 +From 0d1de1053dc1b4b9a1e14b622311d0449c64e19e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 10 Mar 2025 13:52:50 -0400 -Subject: [PATCH 47/58] FIPS: Fix some tests due to our versioning change +Subject: [PATCH 46/53] FIPS: Fix some tests due to our versioning change Signed-off-by: Simo Sorce --- @@ -102,5 +102,5 @@ index af47842fd8..21c75033e8 100644 my @tests_mldsa_tls_1_3 = ( -- -2.49.0 +2.50.0 diff --git a/0046-FIPS-NO-PQ-ML-SLH-DSA.patch b/0046-FIPS-NO-PQ-ML-SLH-DSA.patch deleted file mode 100644 index 5822c05..0000000 --- a/0046-FIPS-NO-PQ-ML-SLH-DSA.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From a6dce07d8e44e79dc3db9538d269bbbc903a8e15 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Fri, 7 Mar 2025 18:24:36 -0500 -Subject: [PATCH 46/58] FIPS: NO PQ (ML/SLH-DSA) - -Signed-off-by: Simo Sorce ---- - providers/fips/self_test_data.inc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index f3059a8446..9659f10613 100644 ---- a/providers/fips/self_test_data.inc -+++ b/providers/fips/self_test_data.inc -@@ -3037,6 +3037,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { - #endif /* OPENSSL_NO_DSA */ - #endif - -+#if 0 - #ifndef OPENSSL_NO_ML_DSA - { - OSSL_SELF_TEST_DESC_SIGN_ML_DSA, -@@ -3081,6 +3082,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { - slh_dsa_sig_params, slh_dsa_sig_params - }, - #endif /* OPENSSL_NO_SLH_DSA */ -+#endif - }; - - #if !defined(OPENSSL_NO_ML_DSA) --- -2.49.0 - diff --git a/0048-Current-Rebase-status.patch b/0047-Current-Rebase-status.patch similarity index 96% rename from 0048-Current-Rebase-status.patch rename to 0047-Current-Rebase-status.patch index 4c64f0a..317a565 100644 --- a/0048-Current-Rebase-status.patch +++ b/0047-Current-Rebase-status.patch @@ -1,7 +1,7 @@ -From 3bc3a6514c078564ac8addbdf24172a5fb90f4d7 Mon Sep 17 00:00:00 2001 +From e47db9280144065c4221537f1d44baa750a25d64 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 12 Feb 2025 17:25:47 -0500 -Subject: [PATCH 48/58] Current Rebase status +Subject: [PATCH 47/53] Current Rebase status Signed-off-by: Simo Sorce --- 
@@ -102,5 +102,5 @@ index 2833a383c1..c8f6c992a8 100644 +./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition + -- -2.49.0 +2.50.0 diff --git a/0049-FIPS-KDF-key-lenght-errors.patch b/0048-FIPS-KDF-key-lenght-errors.patch similarity index 98% rename from 0049-FIPS-KDF-key-lenght-errors.patch rename to 0048-FIPS-KDF-key-lenght-errors.patch index c557654..42aec19 100644 --- a/0049-FIPS-KDF-key-lenght-errors.patch +++ b/0048-FIPS-KDF-key-lenght-errors.patch @@ -1,7 +1,7 @@ -From 573cde99e796fbd76f9be7f6a553c681abbfb55a Mon Sep 17 00:00:00 2001 +From d0063158bcf9321daec1ffcbfeb3d7b085aebce3 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 14 Apr 2025 15:25:40 -0400 -Subject: [PATCH 49/58] FIPS: KDF key lenght errors +Subject: [PATCH 48/53] FIPS: KDF key lenght errors Signed-off-by: Simo Sorce --- @@ -171,5 +171,5 @@ index 1fb2472001..93c07ede7c 100644 # Test that the key whose length is shorter than 112 bits is reported as -- -2.49.0 +2.50.0 diff --git a/0050-FIPS-fix-disallowed-digests-tests.patch b/0049-FIPS-fix-disallowed-digests-tests.patch similarity index 93% rename from 0050-FIPS-fix-disallowed-digests-tests.patch rename to 0049-FIPS-fix-disallowed-digests-tests.patch index a062ce1..40edd3c 100644 --- a/0050-FIPS-fix-disallowed-digests-tests.patch +++ b/0049-FIPS-fix-disallowed-digests-tests.patch 
@@ -1,7 +1,7 @@ -From 48498bd445161f1d0fffb60bce8d9474acfe840b Mon Sep 17 00:00:00 2001 +From 91000e60a38106701dd76deb37eafe165e7802a3 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 15 Apr 2025 13:41:42 -0400 -Subject: [PATCH 50/58] FIPS: fix disallowed digests tests +Subject: [PATCH 49/53] FIPS: fix disallowed digests tests Signed-off-by: Simo Sorce --- @@ -47,5 +47,5 @@ index 6688c217aa..8347f773e6 100644 # Test that the key whose length is shorter than 112 bits is reported as # unapproved -- -2.49.0 +2.50.0 diff --git a/0051-Make-openssl-speed-run-in-FIPS-mode.patch b/0050-Make-openssl-speed-run-in-FIPS-mode.patch similarity index 94% rename from 0051-Make-openssl-speed-run-in-FIPS-mode.patch rename to 0050-Make-openssl-speed-run-in-FIPS-mode.patch index 6a232f0..3351cb1 100644 --- a/0051-Make-openssl-speed-run-in-FIPS-mode.patch +++ b/0050-Make-openssl-speed-run-in-FIPS-mode.patch @@ -1,14 +1,14 @@ -From 0895e273cacec26a4bd027bef7ab07bae12d9741 Mon Sep 17 00:00:00 2001 +From 99d3ce80ecf3252962a1b79dd57324f08b62cc18 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 9 May 2025 15:09:46 +0200 -Subject: [PATCH 51/58] Make `openssl speed` run in FIPS mode +Subject: [PATCH 50/53] Make `openssl speed` run in FIPS mode --- apps/speed.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/apps/speed.c b/apps/speed.c -index 1edf9b8485..d4e707074c 100644 +index 3307a9cb46..ae2f166d24 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv) @@ -72,5 +72,5 @@ index 1edf9b8485..d4e707074c 100644 for (i = 0; i < loopargs_len; i++) -- -2.49.0 +2.50.0 diff --git a/0052-Backport-upstream-27483-for-PKCS11-needs.patch b/0051-Backport-upstream-27483-for-PKCS11-needs.patch similarity index 97% rename from 0052-Backport-upstream-27483-for-PKCS11-needs.patch rename to 0051-Backport-upstream-27483-for-PKCS11-needs.patch index afbce9a..c2d8a0f 100644 
--- a/0052-Backport-upstream-27483-for-PKCS11-needs.patch +++ b/0051-Backport-upstream-27483-for-PKCS11-needs.patch @@ -1,7 +1,7 @@ -From 120558807e15d3cb2959020bacc928988e512a78 Mon Sep 17 00:00:00 2001 +From 5b20574f75a2c525bf30ea304292ecd93eb72091 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 12 May 2025 14:34:39 +0200 -Subject: [PATCH 52/58] Backport upstream #27483 for PKCS11 needs +Subject: [PATCH 51/53] Backport upstream #27483 for PKCS11 needs --- .../implementations/skeymgmt/aes_skmgmt.c | 2 + @@ -142,5 +142,5 @@ index b81df9c8f8..e33bbbe003 100644 ADD_TEST(test_aes_raw_skey); #ifndef OPENSSL_NO_DES -- -2.49.0 +2.50.0 diff --git a/0053-Red-Hat-9-FIPS-indicator-defines.patch b/0052-Red-Hat-9-FIPS-indicator-defines.patch similarity index 98% rename from 0053-Red-Hat-9-FIPS-indicator-defines.patch rename to 0052-Red-Hat-9-FIPS-indicator-defines.patch index dea0da0..f3e4488 100644 --- a/0053-Red-Hat-9-FIPS-indicator-defines.patch +++ b/0052-Red-Hat-9-FIPS-indicator-defines.patch @@ -1,7 +1,7 @@ -From ee9a3d993eb82f98e4670adc9ccb015065b81555 Mon Sep 17 00:00:00 2001 +From fcba6e3c26d76ce26ef140f3d07f9cc15e7d98fa Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 12 May 2025 16:21:23 +0200 -Subject: [PATCH 53/58] Red Hat 9 FIPS indicator defines +Subject: [PATCH 52/53] Red Hat 9 FIPS indicator defines --- include/openssl/evp.h | 15 +++++++++++++++ @@ -125,5 +125,5 @@ index 059b489735..5a1864309d 100644 'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK', 'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR', -- -2.49.0 +2.50.0 diff --git a/0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch b/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch similarity index 96% rename from 0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch rename to 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch index b139ecc..e3e72f2 100644 --- a/0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch +++ b/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch 
@@ -1,7 +1,7 @@ -From 26ad3b905a6d4b1fa50b304f21f67aa0d35265e9 Mon Sep 17 00:00:00 2001 +From 75c77ea5f36dbf6d21940ab5bf87dff6acd5b8d6 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 30 May 2025 16:17:37 +0200 -Subject: [PATCH 58/58] Allow hybrid MLKEM in FIPS mode +Subject: [PATCH 53/53] Allow hybrid MLKEM in FIPS mode --- crypto/ml_kem/ml_kem.c | 11 ++-- @@ -12,18 +12,18 @@ Subject: [PATCH 58/58] Allow hybrid MLKEM in FIPS mode 5 files changed, 103 insertions(+), 12 deletions(-) diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c -index ec75233435..8d0cc1a82c 100644 +index 4474af0f87..6eca7dc29d 100644 --- a/crypto/ml_kem/ml_kem.c +++ b/crypto/ml_kem/ml_kem.c -@@ -1581,6 +1581,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties, +@@ -1613,6 +1613,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties, { const ML_KEM_VINFO *vinfo = ossl_ml_kem_get_vinfo(evp_type); ML_KEM_KEY *key; + char *adjusted_propq = NULL; - if (vinfo == NULL) - return NULL; -@@ -1588,15 +1589,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties, + if (vinfo == NULL) { + ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT, +@@ -1623,15 +1624,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties, if ((key = OPENSSL_malloc(sizeof(*key))) == NULL) return NULL; @@ -298,5 +298,5 @@ index bea8783276..aeef0c8f84 100644 key->xinfo->algorithm_name, key->xinfo->group_name); -- -2.49.0 +2.50.0 diff --git a/0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch b/0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch deleted file mode 100644 index cc3db16..0000000 --- a/0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch +++ /dev/null 
@@ -1,58 +0,0 @@
-From 92e50723ae6aa29476b7ebb66d262f78677ee68d Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Mon, 7 Apr 2025 12:58:54 +0200
-Subject: [PATCH 54/58] crypto: disable OSSL_PARAM_REAL on UEFI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Floating point types like double can't be used on UEFI.
-Fix build on UEFI by disabling the OSSL_PARAM_REAL branch.
-
-Signed-off-by: Gerd Hoffmann
-
-Reviewed-by: Saša Nedvědický
-Reviewed-by: Tomas Mraz
-Reviewed-by: Matt Caswell
-(Merged from https://github.com/openssl/openssl/pull/27284)
----
- crypto/params_from_text.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c
-index 7532d4d439..fb25400dc1 100644
---- a/crypto/params_from_text.c
-+++ b/crypto/params_from_text.c
-@@ -220,9 +220,9 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
- BIGNUM *bn;
- #ifndef OPENSSL_SYS_UEFI
- double d;
-+ int dok;
- #endif
- int ok = -1;
-- int dok;
-
- /*
- * Iterate through each key in the array printing its key and value
-@@ -280,16 +280,16 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
- case OSSL_PARAM_OCTET_STRING:
- ok = BIO_dump(bio, (char *)p->data, p->data_size);
- break;
-+#ifndef OPENSSL_SYS_UEFI
- case OSSL_PARAM_REAL:
- dok = 0;
--#ifndef OPENSSL_SYS_UEFI
- dok = OSSL_PARAM_get_double(p, &d);
--#endif
- if (dok == 1)
- ok = BIO_printf(bio, "%f\n", d);
- else
- ok = BIO_printf(bio, "error getting value\n");
- break;
-+#endif
- default:
- ok = BIO_printf(bio, "unknown type (%u) of %zu bytes\n",
- p->data_type, p->data_size);
---
-2.49.0
-
diff --git a/0055-hashfunc-add-stddef.h-include.patch b/0055-hashfunc-add-stddef.h-include.patch
deleted file mode 100644
index 7c894c0..0000000
--- a/0055-hashfunc-add-stddef.h-include.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From fb8649ec423277d50936a6a7848a1b6705e208cc Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Mon, 7 Apr 2025 13:29:36 +0200
-Subject: [PATCH 55/58] hashfunc: add stddef.h include
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-size_t is declared in stddef.h, so include the header file to
-make sure it is available. Fixes build on UEFI.
-
-Signed-off-by: Gerd Hoffmann
-
-Reviewed-by: Saša Nedvědický
-Reviewed-by: Tomas Mraz
-Reviewed-by: Matt Caswell
-(Merged from https://github.com/openssl/openssl/pull/27284)
----
- include/internal/hashfunc.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/include/internal/hashfunc.h b/include/internal/hashfunc.h
-index cabc7beed4..fae8a275fa 100644
---- a/include/internal/hashfunc.h
-+++ b/include/internal/hashfunc.h
-@@ -11,6 +11,7 @@
- # define OPENSSL_HASHFUNC_H
-
- # include
-+# include
- /**
- * Generalized fnv1a 64 bit hash function
- */
---
-2.49.0
-
diff --git a/0056-rio-add-RIO_POLL_METHOD_NONE.patch b/0056-rio-add-RIO_POLL_METHOD_NONE.patch
deleted file mode 100644
index 5c7b9c1..0000000
--- a/0056-rio-add-RIO_POLL_METHOD_NONE.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 60699bc32870a3325a79234158740aac917b39a6 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Mon, 7 Apr 2025 14:06:28 +0200
-Subject: [PATCH 56/58] rio: add RIO_POLL_METHOD_NONE
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes build on UEFI.
-
-Signed-off-by: Gerd Hoffmann
-
-Reviewed-by: Saša Nedvědický
-Reviewed-by: Tomas Mraz
-Reviewed-by: Matt Caswell
-(Merged from https://github.com/openssl/openssl/pull/27284)
----
- ssl/rio/poll_builder.c | 4 +++-
- ssl/rio/poll_builder.h | 4 +++-
- ssl/rio/poll_method.h | 5 ++++-
- 3 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/rio/poll_builder.c b/ssl/rio/poll_builder.c
-index 007e360d87..3cfbe3b0ac 100644
---- a/ssl/rio/poll_builder.c
-+++ b/ssl/rio/poll_builder.c
-@@ -16,7 +16,9 @@ OSSL_SAFE_MATH_UNSIGNED(size_t, size_t)
-
- int ossl_rio_poll_builder_init(RIO_POLL_BUILDER *rpb)
- {
--#if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
-+#if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
-+ return 0;
-+#elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
- FD_ZERO(&rpb->rfd);
- FD_ZERO(&rpb->wfd);
- FD_ZERO(&rpb->efd);
-diff --git a/ssl/rio/poll_builder.h b/ssl/rio/poll_builder.h
-index ffc9bbf9fc..985e4713b2 100644
---- a/ssl/rio/poll_builder.h
-+++ b/ssl/rio/poll_builder.h
-@@ -23,7 +23,9 @@
- * FDs.
- */
- typedef struct rio_poll_builder_st {
--# if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
-+# if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
-+ /* nothing */;
-+# elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
- fd_set rfd, wfd, efd;
- int hwm_fd;
- # elif RIO_POLL_METHOD == RIO_POLL_METHOD_POLL
-diff --git a/ssl/rio/poll_method.h b/ssl/rio/poll_method.h
-index 9a6de89270..d5af8663c2 100644
---- a/ssl/rio/poll_method.h
-+++ b/ssl/rio/poll_method.h
-@@ -14,9 +14,12 @@
-
- # define RIO_POLL_METHOD_SELECT 1
- # define RIO_POLL_METHOD_POLL 2
-+# define RIO_POLL_METHOD_NONE 3
-
- # ifndef RIO_POLL_METHOD
--# if !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
-+# if defined(OPENSSL_SYS_UEFI)
-+# define RIO_POLL_METHOD RIO_POLL_METHOD_NONE
-+# elif !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
- # define RIO_POLL_METHOD RIO_POLL_METHOD_POLL
- # else
- # define RIO_POLL_METHOD RIO_POLL_METHOD_SELECT
---
-2.49.0
-
diff --git a/0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch b/0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
deleted file mode 100644
index 765a4f3..0000000
--- a/0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From d7ab338f85b55ed6aa6d0187123dbab8684551a5 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 20 May 2025 16:34:10 +0200 -Subject: [PATCH 57/58] apps/x509.c: Fix the -addreject option adding trust - instead of rejection - -Fixes CVE-2025-4575 - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/27672) ---- - apps/x509.c | 2 +- - test/recipes/25-test_x509.t | 12 +++++++++++- - 2 files changed, 12 insertions(+), 2 deletions(-) - -diff --git a/apps/x509.c b/apps/x509.c -index fdae8f383a..0c340c15b3 100644 ---- a/apps/x509.c -+++ b/apps/x509.c -@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv) - prog, opt_arg()); - goto opthelp; - } -- if (!sk_ASN1_OBJECT_push(trust, objtmp)) -+ if (!sk_ASN1_OBJECT_push(reject, objtmp)) - goto end; - trustout = 1; - break; -diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t -index 09b61708ff..dfa0a428f5 100644 ---- a/test/recipes/25-test_x509.t -+++ b/test/recipes/25-test_x509.t -@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; - - setup("test_x509"); - --plan tests => 134; -+plan tests => 138; - - # Prevent MSys2 filename munging for arguments that look like file paths but - # aren't -@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE", - && run(app(["openssl", "verify", "-no_check_time", - "-trusted", $ca, "-partial_chain", $caout]))); - -+# test trust decoration -+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection", -+ "-out", "ca-trusted.pem"]))); -+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection", -+ 1, 'trusted use - E-mail Protection'); -+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection", -+ "-out", "ca-rejected.pem"]))); -+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection", -+ 1, 'rejected use - E-mail Protection'); -+ - subtest 'x509 -- x.509 v1 certificate' => sub { - 
tconversion( -type => 'x509', -prefix => 'x509v1', - -in => srctop_file("test", "testx509.pem") ); --- -2.49.0 - diff --git a/openssl.spec b/openssl.spec index 18ad24d..27c9de2 100644 --- a/openssl.spec +++ b/openssl.spec @@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.5.0 -Release: 8%{?dist} +Version: 3.5.1 +Release: 1%{?dist} Epoch: 1 Source0: openssl-%{version}.tar.gz Source1: fips-hmacify.sh @@ -85,20 +85,15 @@ Patch0042: 0042-FIPS-EC-disable-weak-curves.patch Patch0043: 0043-FIPS-NO-DSA-Support.patch Patch0044: 0044-FIPS-NO-DES-support.patch Patch0045: 0045-FIPS-NO-Kmac.patch -Patch0046: 0046-FIPS-NO-PQ-ML-SLH-DSA.patch -Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch -Patch0048: 0048-Current-Rebase-status.patch -Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch -Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch -Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch -Patch0052: 0052-Backport-upstream-27483-for-PKCS11-needs.patch -Patch0053: 0053-Red-Hat-9-FIPS-indicator-defines.patch -Patch0054: 0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch -Patch0055: 0055-hashfunc-add-stddef.h-include.patch -Patch0056: 0056-rio-add-RIO_POLL_METHOD_NONE.patch -Patch0057: 0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch +Patch0046: 0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch +Patch0047: 0047-Current-Rebase-status.patch +Patch0048: 0048-FIPS-KDF-key-lenght-errors.patch +Patch0049: 0049-FIPS-fix-disallowed-digests-tests.patch +Patch0050: 0050-Make-openssl-speed-run-in-FIPS-mode.patch +Patch0051: 0051-Backport-upstream-27483-for-PKCS11-needs.patch +Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch %if ( %{defined rhel} && (! %{defined centos}) ) -Patch0058: 0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch +Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch %endif License: Apache-2.0 
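Review bot: Dropping `Patch0046: 0046-FIPS-NO-PQ-ML-SLH-DSA.patch` from the Patch list in the `@@ -85,20 +85,15 @@` hunk is a downstream FIPS behaviour change rather than a side effect of the rebase, and neither the commit message nor the new changelog entry records it. The deleted patch wrapped the ML-DSA and SLH-DSA entries of `st_kat_sign_tests` in `#if 0`, so without it those known-answer tests are compiled into the FIPS provider again unless the build defines `OPENSSL_NO_ML_DSA` / `OPENSSL_NO_SLH_DSA` (the spec's Configure options are not visible in this hunk). Patches 0054 to 0057, including the CVE-2025-4575 fix for `-addreject`, are dropped in the same hunk, presumably because 3.5.1 already contains them; that is worth confirming against the new tarball, since the removed patch also carried the `Rejected Uses: E-mail Protection` regression test. I would add changelog lines such as `- Drop 0046-FIPS-NO-PQ-ML-SLH-DSA.patch (ML-DSA/SLH-DSA self-tests no longer disabled)` and `- Drop 0054-0057, included in 3.5.1 (fixes CVE-2025-4575)` so the FIPS change and the CVE fix stay traceable from the package history.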
@@ -438,6 +433,14 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h %ldconfig_scriptlets libs %changelog +* Tue Jul 01 2025 Dmitry Belyavskiy - 1:3.5.1-1 +- Rebasing to OpenSSL 3.5.1 + Resolves: RHEL-90350 + Resolves: RHEL-95613 + Resolves: RHEL-97796 + Resolves: RHEL-99353 + Resolves: RHEL-100168 + * Thu Jun 05 2025 Dmitry Belyavskiy - 1:3.5.0-8 - rebuilt Related: RHEL-80811 diff --git a/sources b/sources index 423bcc8..951b06e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.5.0.tar.gz) = 39cc80e2843a2ee30f3f5de25cd9d0f759ad8de71b0b39f5a679afaaa74f4eb58d285ae50e29e4a27b139b49343ac91d1f05478f96fb0c6b150f16d7b634676f +SHA512 (openssl-3.5.1.tar.gz) = 0fa152ae59ab5ea066319de039dfb1d24cbb247172d7512feb5dd920db3740f219d76b0195ea562f84fe5eae36c23772302eddfbb3509df13761452b4dafb9d3