rpms/openssl
7
1
Fork 1
Code Issues Pull Requests Releases Activity

Merge branch 'c10s' into a10s

Browse Source
This commit is contained in:
eabdullin 2025-02-04 13:52:58 +03:00
commit ef76bdc634
6 changed files with 235 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
View File

@ -96,7 +96,7 @@ index d4df30686f..cec4835268 100644
+=item B<PROFILE=SYSTEM>
+
+The list of enabled cipher suites will be loaded from the system crypto policy
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
+configuration file B</etc/crypto-policies/back-ends/opensslcnf.config>.
+See also L<update-crypto-policies(8)>.
+This is the default behavior unless an application explicitly sets a cipher
+list. If used in a cipher list configuration value this string must be at the
@ -125,14 +125,13 @@ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 8360991ce4..33c23efb0d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1455,6 +1455,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
return ret;
}
+#ifdef SYSTEM_CIPHERS_FILE
+static char *load_system_str(const char *suffix)
+{
+ FILE *fp;
+ char buf[1024];
+ char *new_rules;
+ const char *ciphers_path;
@ -140,29 +139,26 @@ index 8360991ce4..33c23efb0d 100644
+
+ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
+ ciphers_path = SYSTEM_CIPHERS_FILE;
+ fp = fopen(ciphers_path, "r");
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
+ /* cannot open or file is empty */
+
+ if (access(ciphers_path, R_OK) == 0) {
+ CONF *conf = NCONF_new_ex(NULL, NCONF_default());
+ char *value = NULL;
+
+ if (NCONF_load(conf, ciphers_path, NULL) > 0)
+ value = NCONF_get_string(conf, "global", "CipherString");
+
+ snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST);
+
+ NCONF_free(conf);
+ } else {
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
+ }
+
+ if (fp)
+ fclose(fp);
+
+ slen = strlen(suffix);
+ len = strlen(buf);
+
+ if (buf[len - 1] == '\n') {
+ len--;
+ buf[len] = 0;
+ }
+ if (buf[len - 1] == '\r') {
+ len--;
+ buf[len] = 0;
+ }
+
+ new_rules = OPENSSL_malloc(len + slen + 1);
+ if (new_rules == 0)
+ new_rules = OPENSSL_zalloc(len + slen + 1);
+ if (new_rules == NULL)
+ return NULL;
+
+ memcpy(new_rules, buf, len);
@ -187,7 +183,7 @@ index 8360991ce4..33c23efb0d 100644
+ char *new_rules = NULL;
+
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
+ char *p = rule_str + 14;
+ const char *p = rule_str + 14;
+
+ new_rules = load_system_str(p);
+ rule_str = new_rules;

10
0025-for-tests.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100
+++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100
@@ -55,11 +55,11 @@ providers = provider_sect
@@ -55,17 +55,17 @@ providers = provider_sect
# to side-channel attacks and as such have been deprecated.
[provider_sect]
@ -16,3 +16,11 @@ diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
##[legacy_sect]
##activate = 1
-#Place the third party provider configuration files into this folder
-.include /etc/pki/tls/openssl.d
+##Place the third party provider configuration files into this folder
+#.include /etc/pki/tls/openssl.d
####################################################################

58
0124-PBMAC1-PKCS12-FIPS-support.patch
View File

@ -90,7 +90,7 @@ index 54323a9713393..cbe133742a8be 100644
}
}
assert(private);
@@ -774,23 +792,54 @@ int pkcs12_main(int argc, char **argv)
@@ -774,23 +792,60 @@ int pkcs12_main(int argc, char **argv)
X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
BIO_puts(bio_err, "MAC: ");
i2a_ASN1_OBJECT(bio_err, macobj);
@ -139,6 +139,12 @@ index 54323a9713393..cbe133742a8be 100644
- BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
- goto end;
+ PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12);
+
+ if (macalgid == NULL) {
+ BIO_printf(bio_err, "Warning: MAC is absent!\n");
+ goto dump;
+ }
+
+ X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
+
+ if (OBJ_obj2nid(macobj) != NID_pbmac1) {
@ -1078,7 +1084,7 @@ index 999129a03074d..c14ef94998cde 100644
-plan tests => 31;
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+
+plan tests => $no_fips ? 45 : 51;
+plan tests => $no_fips ? 46 : 52;
# Test different PKCS#12 formats
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@ -1163,6 +1169,20 @@ index 999129a03074d..c14ef94998cde 100644
# Test some bad pkcs12 files
my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12");
my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12");
@@ -288,6 +288,13 @@ with({ exit_checker => sub { return shift == 1; } },
"test bad pkcs12 file 3 (info)");
});
+# Test that mac verification doesn't fail when mac is absent in the file
+{
+ my $nomac = srctop_file("test", "recipes", "80-test_pkcs12_data", "nomac_parse.p12");
+ ok(run(app(["openssl", "pkcs12", "-in", $nomac, "-passin", "pass:testpassword"])),
+ "test pkcs12 file without MAC");
+}
+
# Test with Oracle Trusted Key Usage specified in openssl.cnf
{
ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile7,
diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12
new file mode 100644
index 0000000000000000000000000000000000000000..9957d473c433bc9fb9572ecf51332a7f325fe36f
@ -1523,3 +1543,37 @@ D?Q7k<
literal 0
HcmV?d00001
diff --git a/test/recipes/80-test_pkcs12_data/nomac_parse.p12 b/test/recipes/80-test_pkcs12_data/nomac_parse.p12
new file mode 100644
index 0000000000000000000000000000000000000000..d1a025e8bd7ba388106c9b0b69917bcf0d75c981
GIT binary patch
literal 1191
zcmV;Y1X%kpf&`-i0Ru3C1e^v5Duzgg_YDCD0ic2ejRb-Oi7<i$g)o8yfd&aGhDe6@
z4FLxOpn?Q)FoFbb0s#Oq05F0CWd;c<hDe6@4FLxMFcby|Duzgg_YDIF1PJvY)RYyF
zI0Arz1VFeo*Dy4}{O!4=d-4kQxBh11UJEvOENc$<`EZ{55&y+a&j8`-Wo4)OcT>q@
zm`Z3Oq*FzpEwAUgTK!>P0tmf$!rKkJRCN*BGpSYjYzgM!Gc-6XRWeVUUAAN|1nJIT
z`n?9lMQ%vyvf8&JttHg_Q>ZosE<Q)3-1(Bcwu|CtQF42GM(|s@aePNKDXp@ciE%Z>
zp_Y3ncv1g>L6*c(uu<w2)I;^_n{W)?9G6ua@%az;?F2}LRLZBX<CFM!WSyx-@7P*(
zY+_D$IMM;71<DMmd$vtjO3RGeGsJ4G+nRoyytESz;MRP8mB&7*2<Mo*<#LC%uA;pJ
z+i|`HiJq(&U<q5IaHoFAD3uAo;CX<W{0U_Gaq6PO92png9q$m%s)C2<&8T#=2c@kV
zXrRTLDu6whjo$=r8U-Z!{`1Yr<F&oyy9sul^3t#@{U8xSVkeaGXrVMwXXUB*X?*&?
z8)37_Y|;U&@CQPFLcoNVn|sh)|G`xRR<bp4eBI>;OihCtB}=sr@F0RrQbczHighw}
zCHVS#fOk?yDXd&IOQpas5z?eq&{!NIgiVN}QU%q0atzm2pm+t@wbLmMrBxz+v-ftM
zEmW?FTMT-Ji?<-sRocHjA=27rWx(rhRzf%h!jjjWhJ2rs;eAO5ls!`EK8qty##9%P
zs)&B83B+B&hJKktvV71Bq%nV+4=gW69hpiJ+D7;njk2wm)7C(f)UzuwVTiJyokgjc
z*yD)Xpu<kQ3ardjMg0fc@>?U|OyC>0I`OSjoWc|oAoTIiUB_f+!^WWqg&Q3vxFi}l
zW$JtEHd}hpcl63D&2=RD367hZq<-C;kzlr#V6J}dqwIz3h=rqkxlqW<{<*3iXO+Yi
z6h_uyWZ8KSD0kkq-YFa%co5Qbe)OAm47ey6)lo8^c3T{!Z8r;&_vDPpnSkDv&*(f)
z0tQx-e;R~JWoMWB0$+PY(-MY!`asK`F3}w%sy*g)Gn#BPkcvk3t$&6DS&3T&6nnQ<
z=nKV)-MvN}FRLcX>3fL=q4aN3C!Iu^#V4(6mx{i_exS!lUV#^G_zqY&y;m;;7VuV8
zlz+2g1U42cY)DPdjA)rW3)#aZYn%>Ot4ZRw+p6chfWw3F&^CR083G3^i{TvQh%PuL
zI@YS2C2~)e2v!x{5Ll_p1*s@h%^Sc(2?v;@cT&{(#>rWyew_n93d3zt{Ey+9jn7kc
zQ$n&dI(Sw&tA;g=OoTyro}FfEooxJ((fpLliunP1?Q0E(o^QB$Dd7u$4)13nakv(f
zn#_CEaVG5=Qi)oGa8dq|Y@C+9c~*zzJB+EQ`rxJ1dthRxy0$m)y?e)2Q(8lN;ZcFg
zyDMf8IvKYsj=I0O##^~wrSsWEF+>f(#9*eG#!CPO)cQ46{8u*V))|)ggdre%<DR)#
F&9cN@JK_KU
literal 0
HcmV?d00001

103
0140-prov_no-cache.patch Normal file
View File

@ -0,0 +1,103 @@
diff --git a/crypto/core_fetch.c b/crypto/core_fetch.c
index d311158d77589..70715e7d6a99c 100644
--- a/crypto/core_fetch.c
+++ b/crypto/core_fetch.c
@@ -120,7 +120,7 @@ static void ossl_method_construct_this(OSSL_PROVIDER *provider,
* It is *expected* that the put function increments the refcnt
* of the passed method.
*/
- data->mcm->put(data->store, method, provider, algo->algorithm_names,
+ data->mcm->put(no_store ? data->store : NULL, method, provider, algo->algorithm_names,
algo->property_definition, data->mcm_data);
/* refcnt-- because we're dropping the reference */
diff --git a/test/nocache-and-default.cnf b/test/nocache-and-default.cnf
new file mode 100644
index 0000000000000..cf5ca8d114151
--- /dev/null
+++ b/test/nocache-and-default.cnf
@@ -0,0 +1,18 @@
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+test = test_sect
+default = default_sect
+
+[test_sect]
+module = ../test/p_test.so
+activate = true
+
+[default_sect]
+activate = true
diff --git a/test/p_test.c b/test/p_test.c
index 2d20190d4d57b..05f71ec8347c0 100644
--- a/test/p_test.c
+++ b/test/p_test.c
@@ -230,12 +230,21 @@ static const OSSL_ITEM *p_get_reason_strings(void *_)
return reason_strings;
}
+static const OSSL_ALGORITHM *p_query(OSSL_PROVIDER *prov,
+ int operation_id,
+ int *no_cache)
+{
+ *no_cache = 1;
+ return NULL;
+}
+
static const OSSL_DISPATCH p_test_table[] = {
{ OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))p_gettable_params },
{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))p_get_params },
{ OSSL_FUNC_PROVIDER_GET_REASON_STRINGS,
(void (*)(void))p_get_reason_strings},
{ OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown },
+ { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))p_query },
OSSL_DISPATCH_END
};
diff --git a/test/recipes/20-test_nocache.t b/test/recipes/20-test_nocache.t
new file mode 100644
index 0000000000000..734e44ec8c2e1
--- /dev/null
+++ b/test/recipes/20-test_nocache.t
@@ -0,0 +1,34 @@
+#! /usr/bin/env perl
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file bldtop_dir with/;
+use OpenSSL::Test::Utils;
+
+setup("test_nocache");
+
+plan tests => 4;
+
+ok(run(app(["openssl", "list", "-mac-algorithms"],
+ stdout => "listout.txt")),
+"List mac algorithms - default configuration");
+open DATA, "listout.txt";
+my @match = grep /MAC/, <DATA>;
+close DATA;
+ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - default configuration");
+
+$ENV{OPENSSL_CONF} = bldtop_file("test", "nocache-and-default.cnf");
+ok(run(app(["openssl", "list", "-mac-algorithms"],
+ stdout => "listout.txt")),
+"List mac algorithms");
+open DATA, "listout.txt";
+my @match = grep /MAC/, <DATA>;
+close DATA;
+ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - nocache-and-default");

19
0141-print-pq-group.patch Normal file
View File

@ -0,0 +1,19 @@
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 3b3c0dd0b38f5..026315406e298 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -418,8 +418,13 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
{
EVP_PKEY *key;
- if (!SSL_get_peer_tmp_key(s, &key))
+ if (!SSL_get_peer_tmp_key(s, &key)) {
+ if (SSL_version(s) == TLS1_3_VERSION)
+ BIO_printf(out, "Negotiated TLS1.3 group: %s\n",
+ SSL_group_to_name(s, SSL_get_negotiated_group(s)));
return 1;
+ }
+
BIO_puts(out, "Server Temp Key: ");
switch (EVP_PKEY_get_id(key)) {
case EVP_PKEY_RSA:

34
openssl.spec
View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.2.2
Release: 14%{?dist}.alma.1
Release: 15%{?dist}.alma.1
Epoch: 1
Source: openssl-%{version}.tar.gz
Source2: Makefile.certificate
@ -181,6 +181,10 @@ Patch136: 0136-Add-ALPN-validation-in-the-client.patch
Patch137: 0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
Patch138: 0138-Add-a-test-for-an-empty-NextProto-message.patch
Patch139: 0139-CVE-2024-6119.patch
# https://github.com/openssl/openssl/pull/26197
Patch140: 0140-prov_no-cache.patch
# https://github.com/openssl/openssl/pull/25959
Patch141: 0141-print-pq-group.patch
License: Apache-2.0
URL: http://www.openssl.org/
@ -324,7 +328,7 @@ export HASHBANGPERL=/usr/bin/perl
# RPM_OPT_FLAGS, so we can skip specifiying them here.
./Configure \
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
@ -363,6 +367,10 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
#embed HMAC into fips provider for test run
dd if=/dev/zero bs=1 count=32 of=tmp.mac
objcopy --update-section .rodata1=tmp.mac providers/fips.so providers/fips.so.zeromac
mv providers/fips.so.zeromac providers/fips.so
rm tmp.mac
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
mv providers/fips.so.mac providers/fips.so
@ -384,6 +392,10 @@ make test HARNESS_JOBS=8
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
dd if=/dev/zero bs=1 count=32 of=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/tmp.mac \
objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/tmp.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.zeromac \
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.zeromac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/tmp.mac \
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
@ -530,9 +542,25 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
%ldconfig_scriptlets libs
%changelog
* Fri Dec 06 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.2.2-14.alma.1
* Tue Feb 04 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.2.2-15.alma.1
- Redefine sslarch for x86_64_v2 arch
* Thu Jan 02 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-15
- Fix providers no_cache behavior
Resolves: RHEL-71903
- Fix pkcs12 command line segfault
Resolves: RHEL-70878
- Print key exchange group for hybrid PQC
Resolves: RHEL-66163
- Ensure correct fips.so checksum calculation
Resolves: RHEL-73170
- Locally configured providers should not interfere with openssl build-time tests
Resolves: RHEL-76182
- Load system default cipher string from crypto-policies configuration file
include /etc/crypto-policies/back-ends/opensslcnf.config and remove
/etc/crypto-policies/back-ends/openssl.config.
Resolves: RHEL-71132
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:3.2.2-14
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018