diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 5189459..c9c7a4f 100644 --- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -96,7 +96,7 @@ index d4df30686f..cec4835268 100644 +=item B + +The list of enabled cipher suites will be loaded from the system crypto policy -+configuration file B. ++configuration file B. +See also L. +This is the default behavior unless an application explicitly sets a cipher +list. If used in a cipher list configuration value this string must be at the @@ -125,14 +125,13 @@ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 8360991ce4..33c23efb0d 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c -@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str) +@@ -1455,6 +1455,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str) return ret; } +#ifdef SYSTEM_CIPHERS_FILE +static char *load_system_str(const char *suffix) +{ -+ FILE *fp; + char buf[1024]; + char *new_rules; + const char *ciphers_path; @@ -140,29 +139,26 @@ index 8360991ce4..33c23efb0d 100644 + + if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) + ciphers_path = SYSTEM_CIPHERS_FILE; -+ fp = fopen(ciphers_path, "r"); -+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { -+ /* cannot open or file is empty */ ++ ++ if (access(ciphers_path, R_OK) == 0) { ++ CONF *conf = NCONF_new_ex(NULL, NCONF_default()); ++ char *value = NULL; ++ ++ if (NCONF_load(conf, ciphers_path, NULL) > 0) ++ value = NCONF_get_string(conf, "global", "CipherString"); ++ ++ snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST); ++ ++ NCONF_free(conf); ++ } else { + snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); + } + -+ if (fp) -+ fclose(fp); -+ + slen = strlen(suffix); + len = strlen(buf); + -+ if (buf[len - 1] == '\n') { -+ len--; -+ buf[len] = 0; -+ } -+ if (buf[len - 1] == '\r') { -+ len--; -+ buf[len] = 0; -+ } -+ -+ new_rules = OPENSSL_malloc(len + slen + 1); -+ if (new_rules == 0) ++ new_rules = OPENSSL_zalloc(len + slen + 1); ++ if (new_rules == NULL) + return NULL; + + memcpy(new_rules, buf, len); @@ -187,7 +183,7 @@ index 8360991ce4..33c23efb0d 100644 + char *new_rules = NULL; + + if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) { -+ char *p = rule_str + 14; ++ const char *p = rule_str + 14; + + new_rules = load_system_str(p); + rule_str = new_rules; diff --git a/0025-for-tests.patch b/0025-for-tests.patch index aef200b..0e0146c 100644 --- a/0025-for-tests.patch +++ b/0025-for-tests.patch @@ -1,7 +1,7 @@ diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf --- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100 +++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100 -@@ -55,11 +55,11 @@ providers = provider_sect +@@ -55,17 +55,17 @@ providers = provider_sect # to side-channel attacks and as such have been deprecated. [provider_sect] @@ -16,3 +16,11 @@ diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf ##[legacy_sect] ##activate = 1 + +-#Place the third party provider configuration files into this folder +-.include /etc/pki/tls/openssl.d ++##Place the third party provider configuration files into this folder ++#.include /etc/pki/tls/openssl.d + + +#################################################################### diff --git a/0124-PBMAC1-PKCS12-FIPS-support.patch b/0124-PBMAC1-PKCS12-FIPS-support.patch index 6e1cc96..1aa529e 100644 --- a/0124-PBMAC1-PKCS12-FIPS-support.patch +++ b/0124-PBMAC1-PKCS12-FIPS-support.patch @@ -90,7 +90,7 @@ index 54323a9713393..cbe133742a8be 100644 } } assert(private); -@@ -774,23 +792,54 @@ int pkcs12_main(int argc, char **argv) +@@ -774,23 +792,60 @@ int pkcs12_main(int argc, char **argv) X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); BIO_puts(bio_err, "MAC: "); i2a_ASN1_OBJECT(bio_err, macobj); @@ -139,6 +139,12 @@ index 54323a9713393..cbe133742a8be 100644 - BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n"); - goto end; + PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12); ++ ++ if (macalgid == NULL) { ++ BIO_printf(bio_err, "Warning: MAC is absent!\n"); ++ goto dump; ++ } ++ + X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); + + if (OBJ_obj2nid(macobj) != NID_pbmac1) { @@ -1078,7 +1084,7 @@ index 999129a03074d..c14ef94998cde 100644 -plan tests => 31; +my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); + -+plan tests => $no_fips ? 45 : 51; ++plan tests => $no_fips ? 46 : 52; # Test different PKCS#12 formats ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); @@ -1163,6 +1169,20 @@ index 999129a03074d..c14ef94998cde 100644 # Test some bad pkcs12 files my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12"); my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12"); +@@ -288,6 +288,13 @@ with({ exit_checker => sub { return shift == 1; } }, + "test bad pkcs12 file 3 (info)"); + }); + ++# Test that mac verification doesn't fail when mac is absent in the file ++{ ++ my $nomac = srctop_file("test", "recipes", "80-test_pkcs12_data", "nomac_parse.p12"); ++ ok(run(app(["openssl", "pkcs12", "-in", $nomac, "-passin", "pass:testpassword"])), ++ "test pkcs12 file without MAC"); ++} ++ + # Test with Oracle Trusted Key Usage specified in openssl.cnf + { + ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile7, diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 new file mode 100644 index 0000000000000000000000000000000000000000..9957d473c433bc9fb9572ecf51332a7f325fe36f @@ -1523,3 +1543,37 @@ D?Q7k< literal 0 HcmV?d00001 +diff --git a/test/recipes/80-test_pkcs12_data/nomac_parse.p12 b/test/recipes/80-test_pkcs12_data/nomac_parse.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..d1a025e8bd7ba388106c9b0b69917bcf0d75c981 +GIT binary patch +literal 1191 +zcmV;Y1X%kpf&`-i0Ru3C1e^v5Duzgg_YDCD0ic2ejRb-Oi7q@ +zm`Z3Oq*FzpEwAUgTK!>P0tmf$!rKkJRCN*BGpSYjYzgM!Gc-6XRWeVUUAAN|1nJIT +z`n?9lMQ%vyvf8&JttHg_Q>ZosE +zp_Y3ncv1g>L6*c(uu;OihCtB}=sr@F0RrQbczHighw} +zCHVS#fOk?yDXd&IOQpas5z?eq&{!NIgiVN}QU%q0atzm2pm+t@wbLmMrBxz+v-ftM +zEmW?FTMT-Ji?<-sRocHjA=27rWx(rhRzf%h!jjjWhJ2rs;eAO5ls!`EK8qty##9%P +zs)&B83B+B&hJKktvV71Bq%nV+4=gW69hpiJ+D7;njk2wm)7C(f)UzuwVTiJyokgjc +z*yD)Xpu?U|OyC>0I`OSjoWc|oAoTIiUB_f+!^WWqg&Q3vxFi}l +zW$JtEHd}hpcl63D&2=RD367hZq<-C;kzlr#V6J}dqwIz3h=rqkxlqW<{<*3iXO+Yi +z6h_uyWZ8KSD0kkq-YFa%co5Qbe)OAm47ey6)lo8^c3T{!Z8r;&_vDPpnSkDv&*(f) +z0tQx-e;R~JWoMWB0$+PY(-MY!`asK`F3}w%sy*g)Gn#BPkcvk3t$&6DS&3T&6nnQ< +z=nKV)-MvN}FRLcX>3fL=q4aN3C!Iu^#V4(6mx{i_exS!lUV#^G_zqY&y;m;;7VuV8 +zlz+2g1U42cY)DPdjA)rW3)#aZYn%>Ot4ZRw+p6chfWw3F&^CR083G3^i{TvQh%PuL +zI@YS2C2~)e2v!x{5Ll_p1*s@h%^Sc(2?v;@cT&{(#>rWyew_n93d3zt{Ey+9jn7kc +zQ$n&dI(Sw&tA;g=OoTyro}FfEooxJ((fpLliunP1?Q0E(o^QB$Dd7u$4)13nakv(f +zn#_CEaVG5=Qi)oGa8dq|Y@C+9c~*zzJB+EQ`rxJ1dthRxy0$m)y?e)2Q(8lN;ZcFg +zyDMf8IvKYsj=I0O##^~wrSsWEF+>f(#9*eG#!CPO)cQ46{8u*V))|)ggdre%mcm->put(data->store, method, provider, algo->algorithm_names, ++ data->mcm->put(no_store ? data->store : NULL, method, provider, algo->algorithm_names, + algo->property_definition, data->mcm_data); + + /* refcnt-- because we're dropping the reference */ +diff --git a/test/nocache-and-default.cnf b/test/nocache-and-default.cnf +new file mode 100644 +index 0000000000000..cf5ca8d114151 +--- /dev/null ++++ b/test/nocache-and-default.cnf +@@ -0,0 +1,18 @@ ++openssl_conf = openssl_init ++ ++# Comment out the next line to ignore configuration errors ++config_diagnostics = 1 ++ ++[openssl_init] ++providers = provider_sect ++ ++[provider_sect] ++test = test_sect ++default = default_sect ++ ++[test_sect] ++module = ../test/p_test.so ++activate = true ++ ++[default_sect] ++activate = true +diff --git a/test/p_test.c b/test/p_test.c +index 2d20190d4d57b..05f71ec8347c0 100644 +--- a/test/p_test.c ++++ b/test/p_test.c +@@ -230,12 +230,21 @@ static const OSSL_ITEM *p_get_reason_strings(void *_) + return reason_strings; + } + ++static const OSSL_ALGORITHM *p_query(OSSL_PROVIDER *prov, ++ int operation_id, ++ int *no_cache) ++{ ++ *no_cache = 1; ++ return NULL; ++} ++ + static const OSSL_DISPATCH p_test_table[] = { + { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))p_gettable_params }, + { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))p_get_params }, + { OSSL_FUNC_PROVIDER_GET_REASON_STRINGS, + (void (*)(void))p_get_reason_strings}, + { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown }, ++ { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))p_query }, + OSSL_DISPATCH_END + }; + +diff --git a/test/recipes/20-test_nocache.t b/test/recipes/20-test_nocache.t +new file mode 100644 +index 0000000000000..734e44ec8c2e1 +--- /dev/null ++++ b/test/recipes/20-test_nocache.t +@@ -0,0 +1,34 @@ ++#! /usr/bin/env perl ++# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++use warnings; ++ ++use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file bldtop_dir with/; ++use OpenSSL::Test::Utils; ++ ++setup("test_nocache"); ++ ++plan tests => 4; ++ ++ok(run(app(["openssl", "list", "-mac-algorithms"], ++ stdout => "listout.txt")), ++"List mac algorithms - default configuration"); ++open DATA, "listout.txt"; ++my @match = grep /MAC/, ; ++close DATA; ++ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - default configuration"); ++ ++$ENV{OPENSSL_CONF} = bldtop_file("test", "nocache-and-default.cnf"); ++ok(run(app(["openssl", "list", "-mac-algorithms"], ++ stdout => "listout.txt")), ++"List mac algorithms"); ++open DATA, "listout.txt"; ++my @match = grep /MAC/, ; ++close DATA; ++ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - nocache-and-default"); diff --git a/0141-print-pq-group.patch b/0141-print-pq-group.patch new file mode 100644 index 0000000..a6462fe --- /dev/null +++ b/0141-print-pq-group.patch @@ -0,0 +1,19 @@ +diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c +index 3b3c0dd0b38f5..026315406e298 100644 +--- a/apps/lib/s_cb.c ++++ b/apps/lib/s_cb.c +@@ -418,8 +418,13 @@ int ssl_print_tmp_key(BIO *out, SSL *s) + { + EVP_PKEY *key; + +- if (!SSL_get_peer_tmp_key(s, &key)) ++ if (!SSL_get_peer_tmp_key(s, &key)) { ++ if (SSL_version(s) == TLS1_3_VERSION) ++ BIO_printf(out, "Negotiated TLS1.3 group: %s\n", ++ SSL_group_to_name(s, SSL_get_negotiated_group(s))); + return 1; ++ } ++ + BIO_puts(out, "Server Temp Key: "); + switch (EVP_PKEY_get_id(key)) { + case EVP_PKEY_RSA: diff --git a/openssl.spec b/openssl.spec index 0b686c1..27b75b9 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.2.2 -Release: 14%{?dist}.alma.1 +Release: 15%{?dist}.alma.1 Epoch: 1 Source: openssl-%{version}.tar.gz Source2: Makefile.certificate @@ -181,6 +181,10 @@ Patch136: 0136-Add-ALPN-validation-in-the-client.patch Patch137: 0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch Patch138: 0138-Add-a-test-for-an-empty-NextProto-message.patch Patch139: 0139-CVE-2024-6119.patch +# https://github.com/openssl/openssl/pull/26197 +Patch140: 0140-prov_no-cache.patch +# https://github.com/openssl/openssl/pull/25959 +Patch141: 0141-print-pq-group.patch License: Apache-2.0 URL: http://www.openssl.org/ @@ -324,7 +328,7 @@ export HASHBANGPERL=/usr/bin/perl # RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ - --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ + --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\ no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\ @@ -363,6 +367,10 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE #embed HMAC into fips provider for test run +dd if=/dev/zero bs=1 count=32 of=tmp.mac +objcopy --update-section .rodata1=tmp.mac providers/fips.so providers/fips.so.zeromac +mv providers/fips.so.zeromac providers/fips.so +rm tmp.mac LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac mv providers/fips.so.mac providers/fips.so @@ -384,6 +392,10 @@ make test HARNESS_JOBS=8 %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ + dd if=/dev/zero bs=1 count=32 of=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/tmp.mac \ + objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/tmp.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.zeromac \ + mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.zeromac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ + rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/tmp.mac \ LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \ mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ @@ -530,9 +542,25 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h %ldconfig_scriptlets libs %changelog -* Fri Dec 06 2024 Eduard Abdullin - 1:3.2.2-14.alma.1 +* Tue Feb 04 2025 Eduard Abdullin - 1:3.2.2-15.alma.1 - Redefine sslarch for x86_64_v2 arch +* Thu Jan 02 2025 Dmitry Belyavskiy - 1:3.2.2-15 +- Fix providers no_cache behavior + Resolves: RHEL-71903 +- Fix pkcs12 command line segfault + Resolves: RHEL-70878 +- Print key exchange group for hybrid PQC + Resolves: RHEL-66163 +- Ensure correct fips.so checksum calculation + Resolves: RHEL-73170 +- Locally configured providers should not interfere with openssl build-time tests + Resolves: RHEL-76182 +- Load system default cipher string from crypto-policies configuration file + include /etc/crypto-policies/back-ends/opensslcnf.config and remove + /etc/crypto-policies/back-ends/openssl.config. + Resolves: RHEL-71132 + * Tue Oct 29 2024 Troy Dawson - 1:3.2.2-14 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018