Merge branch 'c10s' into a10s

2025-02-04 13:52:58 +03:00 · 2025-02-04 13:52:58 +03:00 · ef76bdc634
commit ef76bdc634
parent fee9e80345 34e41ff200
6 changed files with 235 additions and 27 deletions
--- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@ -96,7 +96,7 @@ index d4df30686f..cec4835268 100644
 +=item B<PROFILE=SYSTEM>
 +
 +The list of enabled cipher suites will be loaded from the system crypto policy
-+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
+configuration file B</etc/crypto-policies/back-ends/opensslcnf.config>.
 +See also L<update-crypto-policies(8)>.
 +This is the default behavior unless an application explicitly sets a cipher
 +list. If used in a cipher list configuration value this string must be at the
@ -125,14 +125,13 @@ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
 index 8360991ce4..33c23efb0d 100644
 --- a/ssl/ssl_ciph.c
 +++ b/ssl/ssl_ciph.c
-@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
+@@ -1455,6 +1455,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
     return ret;
 }
 +#ifdef SYSTEM_CIPHERS_FILE
 +static char *load_system_str(const char *suffix)
 +{
 +    FILE *fp;
 +    char buf[1024];
 +    char *new_rules;
 +    const char *ciphers_path;
@ -140,29 +139,26 @@ index 8360991ce4..33c23efb0d 100644
 +
 +    if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
 +        ciphers_path = SYSTEM_CIPHERS_FILE;
-+    fp = fopen(ciphers_path, "r");
+
-+    if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
+    if (access(ciphers_path, R_OK) == 0) {
-+        /* cannot open or file is empty */
+        CONF *conf = NCONF_new_ex(NULL, NCONF_default());
 +        char *value = NULL;
 +
 +        if (NCONF_load(conf, ciphers_path, NULL) > 0)
 +            value = NCONF_get_string(conf, "global", "CipherString");
 +
 +        snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST);
 +
 +        NCONF_free(conf);
 +    } else {
 +        snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
 +    }
 +
 +    if (fp)
 +        fclose(fp);
 +
 +    slen = strlen(suffix);
 +    len = strlen(buf);
 +
-+    if (buf[len - 1] == '\n') {
+    new_rules = OPENSSL_zalloc(len + slen + 1);
-+        len--;
+    if (new_rules == NULL)
 +        buf[len] = 0;
 +    }
 +    if (buf[len - 1] == '\r') {
 +        len--;
 +        buf[len] = 0;
 +    }
 +
 +    new_rules = OPENSSL_malloc(len + slen + 1);
 +    if (new_rules == 0)
 +        return NULL;
 +
 +    memcpy(new_rules, buf, len);
@ -187,7 +183,7 @@ index 8360991ce4..33c23efb0d 100644
 +    char *new_rules = NULL;
 +
 +    if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
-+        char *p = rule_str + 14;
+        const char *p = rule_str + 14;
 +
 +        new_rules = load_system_str(p);
 +        rule_str = new_rules;
--- a/0025-for-tests.patch
+++ b/0025-for-tests.patch
@ -1,7 +1,7 @@
 diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
 --- openssl-3.0.0/apps/openssl.cnf.xxx	2021-11-23 16:29:50.618691603 +0100
 +++ openssl-3.0.0/apps/openssl.cnf	2021-11-23 16:28:16.872882099 +0100
-@@ -55,11 +55,11 @@ providers = provider_sect
+@@ -55,17 +55,17 @@ providers = provider_sect
 # to side-channel attacks and as such have been deprecated.
 [provider_sect]
@ -16,3 +16,11 @@ diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
 ##[legacy_sect]
 ##activate = 1
 -#Place the third party provider configuration files into this folder
 -.include /etc/pki/tls/openssl.d
 +##Place the third party provider configuration files into this folder
 +#.include /etc/pki/tls/openssl.d
 ####################################################################
--- a/0124-PBMAC1-PKCS12-FIPS-support.patch
+++ b/0124-PBMAC1-PKCS12-FIPS-support.patch
@ -90,7 +90,7 @@ index 54323a9713393..cbe133742a8be 100644
             }
         }
         assert(private);
-@@ -774,23 +792,54 @@ int pkcs12_main(int argc, char **argv)
+@@ -774,23 +792,60 @@ int pkcs12_main(int argc, char **argv)
         X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
         BIO_puts(bio_err, "MAC: ");
         i2a_ASN1_OBJECT(bio_err, macobj);
@ -139,6 +139,12 @@ index 54323a9713393..cbe133742a8be 100644
 -            BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
 -            goto end;
 +        PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12);
 +
 +        if (macalgid == NULL) {
 +            BIO_printf(bio_err, "Warning: MAC is absent!\n");
 +            goto dump;
 +        }
 +
 +        X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
 +
 +        if (OBJ_obj2nid(macobj) != NID_pbmac1) {
@ -1078,7 +1084,7 @@ index 999129a03074d..c14ef94998cde 100644
 -plan tests => 31;
 +my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 +
-+plan tests => $no_fips ? 45 : 51;
+plan tests => $no_fips ? 46 : 52;
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@ -1163,6 +1169,20 @@ index 999129a03074d..c14ef94998cde 100644
 # Test some bad pkcs12 files
 my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12");
 my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12");
@@ -288,6 +288,13 @@ with({ exit_checker => sub { return shift == 1; } },
            "test bad pkcs12 file 3 (info)");
      });
 +# Test that mac verification doesn't fail when mac is absent in the file
 +{
 +    my $nomac = srctop_file("test", "recipes", "80-test_pkcs12_data", "nomac_parse.p12");
 +    ok(run(app(["openssl", "pkcs12", "-in", $nomac, "-passin", "pass:testpassword"])),
 +       "test pkcs12 file without MAC");
 +}
 +
 # Test with Oracle Trusted Key Usage specified in openssl.cnf
 {
     ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile7,
 diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12
 new file mode 100644
 index 0000000000000000000000000000000000000000..9957d473c433bc9fb9572ecf51332a7f325fe36f
@ -1523,3 +1543,37 @@ D?Q7k<
 literal 0
 HcmV?d00001
 diff --git a/test/recipes/80-test_pkcs12_data/nomac_parse.p12 b/test/recipes/80-test_pkcs12_data/nomac_parse.p12
 new file mode 100644
 index 0000000000000000000000000000000000000000..d1a025e8bd7ba388106c9b0b69917bcf0d75c981
 GIT binary patch
 literal 1191
 zcmV;Y1X%kpf&`-i0Ru3C1e^v5Duzgg_YDCD0ic2ejRb-Oi7<i$g)o8yfd&aGhDe6@
 z4FLxOpn?Q)FoFbb0s#Oq05F0CWd;c<hDe6@4FLxMFcby|Duzgg_YDIF1PJvY)RYyF
 zI0Arz1VFeo*Dy4}{O!4=d-4kQxBh11UJEvOENc$<`EZ{55&y+a&j8`-Wo4)OcT>q@
 zm`Z3Oq*FzpEwAUgTK!>P0tmf$!rKkJRCN*BGpSYjYzgM!Gc-6XRWeVUUAAN|1nJIT
 z`n?9lMQ%vyvf8&JttHg_Q>ZosE<Q)3-1(Bcwu|CtQF42GM(|s@aePNKDXp@ciE%Z>
 zp_Y3ncv1g>L6*c(uu<w2)I;^_n{W)?9G6ua@%az;?F2}LRLZBX<CFM!WSyx-@7P*(
 zY+_D$IMM;71<DMmd$vtjO3RGeGsJ4G+nRoyytESz;MRP8mB&7*2<Mo*<#LC%uA;pJ
 z+i|`HiJq(&U<q5IaHoFAD3uAo;CX<W{0U_Gaq6PO92png9q$m%s)C2<&8T#=2c@kV
 zXrRTLDu6whjo$=r8U-Z!{`1Yr<F&oyy9sul^3t#@{U8xSVkeaGXrVMwXXUB*X?*&?
 z8)37_Y|;U&@CQPFLcoNVn|sh)|G`xRR<bp4eBI>;OihCtB}=sr@F0RrQbczHighw}
 zCHVS#fOk?yDXd&IOQpas5z?eq&{!NIgiVN}QU%q0atzm2pm+t@wbLmMrBxz+v-ftM
 zEmW?FTMT-Ji?<-sRocHjA=27rWx(rhRzf%h!jjjWhJ2rs;eAO5ls!`EK8qty##9%P
 zs)&B83B+B&hJKktvV71Bq%nV+4=gW69hpiJ+D7;njk2wm)7C(f)UzuwVTiJyokgjc
 z*yD)Xpu<kQ3ardjMg0fc@>?U|OyC>0I`OSjoWc|oAoTIiUB_f+!^WWqg&Q3vxFi}l
 zW$JtEHd}hpcl63D&2=RD367hZq<-C;kzlr#V6J}dqwIz3h=rqkxlqW<{<*3iXO+Yi
 z6h_uyWZ8KSD0kkq-YFa%co5Qbe)OAm47ey6)lo8^c3T{!Z8r;&_vDPpnSkDv&*(f)
 z0tQx-e;R~JWoMWB0$+PY(-MY!`asK`F3}w%sy*g)Gn#BPkcvk3t$&6DS&3T&6nnQ<
 z=nKV)-MvN}FRLcX>3fL=q4aN3C!Iu^#V4(6mx{i_exS!lUV#^G_zqY&y;m;;7VuV8
 zlz+2g1U42cY)DPdjA)rW3)#aZYn%>Ot4ZRw+p6chfWw3F&^CR083G3^i{TvQh%PuL
 zI@YS2C2~)e2v!x{5Ll_p1*s@h%^Sc(2?v;@cT&{(#>rWyew_n93d3zt{Ey+9jn7kc
 zQ$n&dI(Sw&tA;g=OoTyro}FfEooxJ((fpLliunP1?Q0E(o^QB$Dd7u$4)13nakv(f
 zn#_CEaVG5=Qi)oGa8dq|Y@C+9c~*zzJB+EQ`rxJ1dthRxy0$m)y?e)2Q(8lN;ZcFg
 zyDMf8IvKYsj=I0O##^~wrSsWEF+>f(#9*eG#!CPO)cQ46{8u*V))|)ggdre%<DR)#
 F&9cN@JK_KU
 literal 0
 HcmV?d00001
--- a/0140-prov_no-cache.patch
+++ b/0140-prov_no-cache.patch
@ -0,0 +1,103 @@
 diff --git a/crypto/core_fetch.c b/crypto/core_fetch.c
 index d311158d77589..70715e7d6a99c 100644
 --- a/crypto/core_fetch.c
 +++ b/crypto/core_fetch.c
@@ -120,7 +120,7 @@ static void ossl_method_construct_this(OSSL_PROVIDER *provider,
      * It is *expected* that the put function increments the refcnt
      * of the passed method.
      */
 -    data->mcm->put(data->store, method, provider, algo->algorithm_names,
 +    data->mcm->put(no_store ? data->store : NULL, method, provider, algo->algorithm_names,
                    algo->property_definition, data->mcm_data);
     /* refcnt-- because we're dropping the reference */
 diff --git a/test/nocache-and-default.cnf b/test/nocache-and-default.cnf
 new file mode 100644
 index 0000000000000..cf5ca8d114151
 --- /dev/null
 +++ b/test/nocache-and-default.cnf
@@ -0,0 +1,18 @@
 +openssl_conf = openssl_init
 +
 +# Comment out the next line to ignore configuration errors
 +config_diagnostics = 1
 +
 +[openssl_init]
 +providers = provider_sect
 +
 +[provider_sect]
 +test    = test_sect
 +default = default_sect
 +
 +[test_sect]
 +module = ../test/p_test.so
 +activate = true
 +
 +[default_sect]
 +activate = true
 diff --git a/test/p_test.c b/test/p_test.c
 index 2d20190d4d57b..05f71ec8347c0 100644
 --- a/test/p_test.c
 +++ b/test/p_test.c
@@ -230,12 +230,21 @@ static const OSSL_ITEM *p_get_reason_strings(void *_)
     return reason_strings;
 }
 +static const OSSL_ALGORITHM *p_query(OSSL_PROVIDER *prov,
 +                                     int operation_id,
 +                                     int *no_cache)
 +{
 +    *no_cache = 1;
 +    return NULL;
 +}
 +
 static const OSSL_DISPATCH p_test_table[] = {
     { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))p_gettable_params },
     { OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))p_get_params },
     { OSSL_FUNC_PROVIDER_GET_REASON_STRINGS,
         (void (*)(void))p_get_reason_strings},
     { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown },
 +    { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))p_query },
     OSSL_DISPATCH_END
 };
 diff --git a/test/recipes/20-test_nocache.t b/test/recipes/20-test_nocache.t
 new file mode 100644
 index 0000000000000..734e44ec8c2e1
 --- /dev/null
 +++ b/test/recipes/20-test_nocache.t
@@ -0,0 +1,34 @@
 +#! /usr/bin/env perl
 +# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 +#
 +# Licensed under the Apache License 2.0 (the "License").  You may not use
 +# this file except in compliance with the License.  You can obtain a copy
 +# in the file LICENSE in the source distribution or at
 +# https://www.openssl.org/source/license.html
 +
 +use strict;
 +use warnings;
 +
 +use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file bldtop_dir with/;
 +use OpenSSL::Test::Utils;
 +
 +setup("test_nocache");
 +
 +plan tests => 4;
 +
 +ok(run(app(["openssl", "list", "-mac-algorithms"],
 +        stdout => "listout.txt")),
 +"List mac algorithms - default configuration");
 +open DATA, "listout.txt";
 +my @match = grep /MAC/, <DATA>;
 +close DATA;
 +ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - default configuration");
 +
 +$ENV{OPENSSL_CONF} = bldtop_file("test", "nocache-and-default.cnf");
 +ok(run(app(["openssl", "list", "-mac-algorithms"],
 +        stdout => "listout.txt")),
 +"List mac algorithms");
 +open DATA, "listout.txt";
 +my @match = grep /MAC/, <DATA>;
 +close DATA;
 +ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - nocache-and-default");
--- a/0141-print-pq-group.patch
+++ b/0141-print-pq-group.patch
@ -0,0 +1,19 @@
 diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
 index 3b3c0dd0b38f5..026315406e298 100644
 --- a/apps/lib/s_cb.c
 +++ b/apps/lib/s_cb.c
@@ -418,8 +418,13 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
 {
     EVP_PKEY *key;
 -    if (!SSL_get_peer_tmp_key(s, &key))
 +    if (!SSL_get_peer_tmp_key(s, &key)) {
 +        if (SSL_version(s) == TLS1_3_VERSION)
 +            BIO_printf(out, "Negotiated TLS1.3 group: %s\n",
 +                       SSL_group_to_name(s, SSL_get_negotiated_group(s)));
         return 1;
 +    }
 +
     BIO_puts(out, "Server Temp Key: ");
     switch (EVP_PKEY_get_id(key)) {
     case EVP_PKEY_RSA:
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.2.2
-Release: 14%{?dist}.alma.1
+Release: 15%{?dist}.alma.1
 Epoch: 1
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
@ -181,6 +181,10 @@ Patch136: 0136-Add-ALPN-validation-in-the-client.patch
 Patch137: 0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
 Patch138: 0138-Add-a-test-for-an-empty-NextProto-message.patch
 Patch139: 0139-CVE-2024-6119.patch
 # https://github.com/openssl/openssl/pull/26197
 Patch140: 0140-prov_no-cache.patch
 # https://github.com/openssl/openssl/pull/25959
 Patch141: 0141-print-pq-group.patch
 License: Apache-2.0
 URL: http://www.openssl.org/
@ -324,7 +328,7 @@ export HASHBANGPERL=/usr/bin/perl
 # RPM_OPT_FLAGS, so we can skip specifiying them here.
 ./Configure \
 	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
-	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
 	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
 	enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
 	no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
@ -363,6 +367,10 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES
 OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
 #embed HMAC into fips provider for test run
 dd if=/dev/zero bs=1 count=32 of=tmp.mac
 objcopy --update-section .rodata1=tmp.mac providers/fips.so providers/fips.so.zeromac
 mv providers/fips.so.zeromac providers/fips.so
 rm tmp.mac
 LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
 objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
 mv providers/fips.so.mac providers/fips.so
@ -384,6 +392,10 @@ make test HARNESS_JOBS=8
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    dd if=/dev/zero bs=1 count=32 of=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/tmp.mac \
    objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/tmp.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.zeromac \
    mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.zeromac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
    rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/tmp.mac \
    LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
    objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
    mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
@ -530,9 +542,25 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 %ldconfig_scriptlets libs
 %changelog
-* Fri Dec 06 2024 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.2.2-14.alma.1
+* Tue Feb 04 2025 Eduard Abdullin <eabdullin@almalinux.org> - 1:3.2.2-15.alma.1
 - Redefine sslarch for x86_64_v2 arch
 * Thu Jan 02 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-15
 - Fix providers no_cache behavior
  Resolves: RHEL-71903
 - Fix pkcs12 command line segfault
  Resolves: RHEL-70878
 - Print key exchange group for hybrid PQC
  Resolves: RHEL-66163
 - Ensure correct fips.so checksum calculation
  Resolves: RHEL-73170
 - Locally configured providers should not interfere with openssl build-time tests
  Resolves: RHEL-76182
 - Load system default cipher string from crypto-policies configuration file
  include /etc/crypto-policies/back-ends/opensslcnf.config and remove
  /etc/crypto-policies/back-ends/openssl.config.
  Resolves: RHEL-71132
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:3.2.2-14
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018