74 changed files with 137 additions and 19 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
+1
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,47 @@
-SOURCES/openssl-1.1.1k-hobbled.tar.xz
+.build*.log
+clog
+000*.patch
+*.src.rpm
+openssl-1.0.0a-usa.tar.bz2
+/openssl-1.0.0b-usa.tar.bz2
+/openssl-1.0.0c-usa.tar.bz2
+/openssl-1.0.0d-usa.tar.bz2
+/openssl-1.0.0e-usa.tar.bz2
+/openssl-1.0.0f-usa.tar.bz2
+/openssl-1.0.0g-usa.tar.xz
+/openssl-1.0.1-beta2-usa.tar.xz
+/openssl-1.0.1-beta3-usa.tar.xz
+/openssl-1.0.1-usa.tar.xz
+/openssl-1.0.1a-usa.tar.xz
+/openssl-1.0.1b-usa.tar.xz
+/openssl-1.0.1c-usa.tar.xz
+/openssl-1.0.1e-usa.tar.xz
+/openssl-1.0.1e-hobbled.tar.xz
+/openssl-1.0.1g-hobbled.tar.xz
+/openssl-1.0.1h-hobbled.tar.xz
+/openssl-1.0.1i-hobbled.tar.xz
+/openssl-1.0.1j-hobbled.tar.xz
+/openssl-1.0.1k-hobbled.tar.xz
+/openssl-1.0.2a-hobbled.tar.xz
+/openssl-1.0.2c-hobbled.tar.xz
+/openssl-1.0.2d-hobbled.tar.xz
+/openssl-1.0.2e-hobbled.tar.xz
+/openssl-1.0.2f-hobbled.tar.xz
+/openssl-1.0.2g-hobbled.tar.xz
+/openssl-1.0.2h-hobbled.tar.xz
+/openssl-1.0.2i-hobbled.tar.xz
+/openssl-1.0.2j-hobbled.tar.xz
+/openssl-1.1.0b-hobbled.tar.xz
+/openssl-1.1.0c-hobbled.tar.xz
+/openssl-1.1.0d-hobbled.tar.xz
+/openssl-1.1.0e-hobbled.tar.xz
+/openssl-1.1.0f-hobbled.tar.xz
+/openssl-1.1.0g-hobbled.tar.xz
+/openssl-1.1.0h-hobbled.tar.xz
+/openssl-1.1.1-pre8-hobbled.tar.xz
+/openssl-1.1.1-pre9-hobbled.tar.xz
+/openssl-1.1.1-hobbled.tar.xz
+/openssl-1.1.1b-hobbled.tar.xz
+/openssl-1.1.1c-hobbled.tar.xz
+/openssl-1.1.1g-hobbled.tar.xz
+/openssl-1.1.1k-hobbled.tar.xz
--- a/.openssl.metadata
+++ b/.openssl.metadata
@ -1 +0,0 @@
-6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz
--- a/SOURCES/Makefile.certificate
+++ b/SOURCES/Makefile.certificate
--- a/SOURCES/README.FIPS
+++ b/SOURCES/README.FIPS
--- a/ci.fmf
+++ b/ci.fmf
@ -0,0 +1 @@
+resultsdb-testcase: separate
--- a/SOURCES/ec_curve.c
+++ b/SOURCES/ec_curve.c
--- a/SOURCES/ectest.c
+++ b/SOURCES/ectest.c
--- a/15
+++ b/15
@ -0,0 +1,15 @@
+#!/bin/sh
+# Fixes patch from upstream tracker view
+gawk '
+BEGIN {
+   dir=""
+}
+/^Index: openssl\// {
+   dir = $2
+}
+/^(---|\+\+\+)/ {
+   $2 = dir
+}
+{
+   print
+}'
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}
--- a/SOURCES/hobble-openssl
+++ b/SOURCES/hobble-openssl
--- a/SOURCES/make-dummy-cert
+++ b/SOURCES/make-dummy-cert
--- a/SOURCES/openssl-1.1.1-addrconfig.patch
+++ b/SOURCES/openssl-1.1.1-addrconfig.patch
--- a/SOURCES/openssl-1.1.1-alpn-cb.patch
+++ b/SOURCES/openssl-1.1.1-alpn-cb.patch
--- a/SOURCES/openssl-1.1.1-apps-dgst.patch
+++ b/SOURCES/openssl-1.1.1-apps-dgst.patch
--- a/SOURCES/openssl-1.1.1-arm-update.patch
+++ b/SOURCES/openssl-1.1.1-arm-update.patch
--- a/SOURCES/openssl-1.1.1-build.patch
+++ b/SOURCES/openssl-1.1.1-build.patch
--- a/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch
+++ b/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch
@ -1,11 +1,13 @@
 diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
 --- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg	2021-03-25 14:28:38.000000000 +0100
 +++ openssl-1.1.1k/ssl/statem/extensions.c	2021-06-24 16:16:19.526181743 +0200
-@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
+@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori
 #ifndef OPENSSL_NO_SRP
 static int init_srp(SSL *s, unsigned int context);
 #endif
+#ifndef OPENSSL_NO_EC
 +static int init_ec_point_formats(SSL *s, unsigned int context);
+#endif
 static int init_etm(SSL *s, unsigned int context);
 static int init_ems(SSL *s, unsigned int context);
 static int final_ems(SSL *s, unsigned int context, int sent);
@ -18,10 +20,11 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
         tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
         final_ec_pt_formats
     },
-@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
+@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int
 }
 #endif
 
+#ifndef OPENSSL_NO_EC
 +static int init_ec_point_formats(SSL *s, unsigned int context)
 +{
 +	    OPENSSL_free(s->ext.peer_ecpointformats);
@ -30,6 +33,7 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
 +
 +	    return 1;
 +}
+#endif
 +
 static int init_etm(SSL *s, unsigned int context)
 {
--- a/SOURCES/openssl-1.1.1-conf-paths.patch
+++ b/SOURCES/openssl-1.1.1-conf-paths.patch
--- a/SOURCES/openssl-1.1.1-cve-2022-0778.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-0778.patch
--- a/SOURCES/openssl-1.1.1-cve-2022-1292.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-1292.patch
--- a/SOURCES/openssl-1.1.1-cve-2022-2068.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-2068.patch
--- a/SOURCES/openssl-1.1.1-cve-2022-2097.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-2097.patch
--- a/SOURCES/openssl-1.1.1-cve-2022-4304-RSA-oracle.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-4304-RSA-oracle.patch
--- a/SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch
+++ b/SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch
--- a/SOURCES/openssl-1.1.1-cve-2023-0215-BIO-UAF.patch
+++ b/SOURCES/openssl-1.1.1-cve-2023-0215-BIO-UAF.patch
--- a/SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch
+++ b/SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch
--- a/SOURCES/openssl-1.1.1-cve-2023-3446.patch
+++ b/SOURCES/openssl-1.1.1-cve-2023-3446.patch
--- a/SOURCES/openssl-1.1.1-cve-2023-3817.patch
+++ b/SOURCES/openssl-1.1.1-cve-2023-3817.patch
--- a/SOURCES/openssl-1.1.1-cve-2023-5678.patch
+++ b/SOURCES/openssl-1.1.1-cve-2023-5678.patch
--- a/SOURCES/openssl-1.1.1-defaults.patch
+++ b/SOURCES/openssl-1.1.1-defaults.patch
--- a/SOURCES/openssl-1.1.1-detected-addr-ipv6.patch
+++ b/SOURCES/openssl-1.1.1-detected-addr-ipv6.patch
--- a/SOURCES/openssl-1.1.1-ec-curves.patch
+++ b/SOURCES/openssl-1.1.1-ec-curves.patch
--- a/SOURCES/openssl-1.1.1-edk2-build.patch
+++ b/SOURCES/openssl-1.1.1-edk2-build.patch
--- a/SOURCES/openssl-1.1.1-evp-kdf.patch
+++ b/SOURCES/openssl-1.1.1-evp-kdf.patch
--- a/SOURCES/openssl-1.1.1-fips-crng-test.patch
+++ b/SOURCES/openssl-1.1.1-fips-crng-test.patch
--- a/SOURCES/openssl-1.1.1-fips-curves.patch
+++ b/SOURCES/openssl-1.1.1-fips-curves.patch
--- a/SOURCES/openssl-1.1.1-fips-dh.patch
+++ b/SOURCES/openssl-1.1.1-fips-dh.patch
--- a/SOURCES/openssl-1.1.1-fips-drbg-selftest.patch
+++ b/SOURCES/openssl-1.1.1-fips-drbg-selftest.patch
--- a/SOURCES/openssl-1.1.1-fips-post-rand.patch
+++ b/SOURCES/openssl-1.1.1-fips-post-rand.patch
--- a/SOURCES/openssl-1.1.1-fips.patch
+++ b/SOURCES/openssl-1.1.1-fips.patch
--- a/SOURCES/openssl-1.1.1-fix-ssl-select-next-proto.patch
+++ b/SOURCES/openssl-1.1.1-fix-ssl-select-next-proto.patch
--- a/openssl-1.1.1-ignore-bound.patch
+++ b/openssl-1.1.1-ignore-bound.patch
@ -0,0 +1,14 @@
+Do not return failure when setting version bound on fixed protocol
+version method.
+diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
+--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound	2018-06-20 16:48:13.000000000 +0200
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c	2018-08-13 11:07:52.826304045 +0200
+@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
+          * methods are not subject to controls that disable individual protocol
+          * versions.
+          */
+-        return 0;
+        return 1;
+ 
+     case TLS_ANY_VERSION:
+         if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
--- a/SOURCES/openssl-1.1.1-intel-cet.patch
+++ b/SOURCES/openssl-1.1.1-intel-cet.patch
--- a/SOURCES/openssl-1.1.1-kdf-selftest.patch
+++ b/SOURCES/openssl-1.1.1-kdf-selftest.patch
--- a/SOURCES/openssl-1.1.1-krb5-kdf.patch
+++ b/SOURCES/openssl-1.1.1-krb5-kdf.patch
--- a/SOURCES/openssl-1.1.1-man-rename.patch
+++ b/SOURCES/openssl-1.1.1-man-rename.patch
--- a/SOURCES/openssl-1.1.1-no-brainpool.patch
+++ b/SOURCES/openssl-1.1.1-no-brainpool.patch
--- a/SOURCES/openssl-1.1.1-no-html.patch
+++ b/SOURCES/openssl-1.1.1-no-html.patch
--- a/SOURCES/openssl-1.1.1-no-weak-verify.patch
+++ b/SOURCES/openssl-1.1.1-no-weak-verify.patch
--- a/SOURCES/openssl-1.1.1-pkcs1-implicit-rejection.patch
+++ b/SOURCES/openssl-1.1.1-pkcs1-implicit-rejection.patch
--- a/SOURCES/openssl-1.1.1-read-buff.patch
+++ b/SOURCES/openssl-1.1.1-read-buff.patch
--- a/SOURCES/openssl-1.1.1-replace-expired-certs.patch
+++ b/SOURCES/openssl-1.1.1-replace-expired-certs.patch
--- a/SOURCES/openssl-1.1.1-rewire-fips-drbg.patch
+++ b/SOURCES/openssl-1.1.1-rewire-fips-drbg.patch
--- a/SOURCES/openssl-1.1.1-s390x-aes-tests.patch
+++ b/SOURCES/openssl-1.1.1-s390x-aes-tests.patch
--- a/SOURCES/openssl-1.1.1-s390x-aes.patch
+++ b/SOURCES/openssl-1.1.1-s390x-aes.patch
--- a/SOURCES/openssl-1.1.1-s390x-ecc.patch
+++ b/SOURCES/openssl-1.1.1-s390x-ecc.patch
--- a/SOURCES/openssl-1.1.1-s390x-update.patch
+++ b/SOURCES/openssl-1.1.1-s390x-update.patch
--- a/SOURCES/openssl-1.1.1-seclevel.patch
+++ b/SOURCES/openssl-1.1.1-seclevel.patch
--- a/SOURCES/openssl-1.1.1-servername-cb.patch
+++ b/SOURCES/openssl-1.1.1-servername-cb.patch
--- a/SOURCES/openssl-1.1.1-ssh-kdf.patch
+++ b/SOURCES/openssl-1.1.1-ssh-kdf.patch
--- a/SOURCES/openssl-1.1.1-sslv3-keep-abi.patch
+++ b/SOURCES/openssl-1.1.1-sslv3-keep-abi.patch
--- a/SOURCES/openssl-1.1.1-system-cipherlist.patch
+++ b/SOURCES/openssl-1.1.1-system-cipherlist.patch
--- a/SOURCES/openssl-1.1.1-tls13-curves.patch
+++ b/SOURCES/openssl-1.1.1-tls13-curves.patch
--- a/SOURCES/openssl-1.1.1-ts-sha256-default.patch
+++ b/SOURCES/openssl-1.1.1-ts-sha256-default.patch
--- a/SOURCES/openssl-1.1.1-version-add-engines.patch
+++ b/SOURCES/openssl-1.1.1-version-add-engines.patch
--- a/SOURCES/openssl-1.1.1-version-override.patch
+++ b/SOURCES/openssl-1.1.1-version-override.patch
--- a/SOURCES/openssl-1.1.1-weak-ciphers.patch
+++ b/SOURCES/openssl-1.1.1-weak-ciphers.patch
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1k
-Release: 14%{?dist}
+Release: 13%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -99,7 +99,7 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch
 # Backport from OpenSSL 3.2/RHEL 9
 # Proper fix for CVE-2020-25659
 Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
-# Backport from OpenSSL 3.2
+# Backport from OpenSSL 3.0
 # Fix for CVE-2024-5535
 Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch

@ -519,52 +519,54 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig

 %changelog
-* Tue Sep 17 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-14
- Backport fix SSL_select_next proto from OpenSSL 3.2
+* Mon Sep 16 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-13
+- Backport fix SSL_select_next proto from OpenSSL 3.2  
  Fix CVE-2024-5535 
  Resolves: RHEL-45654

 * Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
 - Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
  (a proper fix for CVE-2020-25659)
-  Resolves: RHEL-17694
+  Resolves: RHEL-17696

 * Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
 - Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
  excessively long X9.42 DH keys or parameters may be very slow
-  Resolves: RHEL-16536
+  Resolves: RHEL-16538

 * Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
 - Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
-  Resolves: RHEL-14243
+  Resolves: RHEL-14245
 - Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
-  Resolves: RHEL-14237
+  Resolves: RHEL-14239

-* Thu May 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
+* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
 - Fixed Timing Oracle in RSA Decryption
  Resolves: CVE-2022-4304
 - Fixed Double free after calling PEM_read_bio_ex
  Resolves: CVE-2022-4450
 - Fixed Use-after-free following BIO_new_NDEF
  Resolves: CVE-2023-0215
-
-* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
 - Fixed X.400 address type confusion in X.509 GeneralName
  Resolves: CVE-2023-0286

+* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
+- Fix no-ec build
+  Resolves: rhbz#2071020
+
 * Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
 - Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
  Resolves: CVE-2022-2097
 - Update expired certificates used in the testsuite
-  Resolves: rhbz#2100554
+  Resolves: rhbz#2092462
 - Fix CVE-2022-1292: openssl: c_rehash script allows command injection
-  Resolves: rhbz#2090371
+  Resolves: rhbz#2090372
 - Fix CVE-2022-2068: the c_rehash script allows command injection
-  Resolves: rhbz#2098278
+  Resolves: rhbz#2098279

 * Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
 - Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
- Resolves: rhbz#2067145
+- Resolves: rhbz#2067146

 * Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
 - Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
--- a/SOURCES/opensslconf-new-warning.h
+++ b/SOURCES/opensslconf-new-warning.h
--- a/SOURCES/opensslconf-new.h
+++ b/SOURCES/opensslconf-new.h
--- a/plans/ci.fmf
+++ b/plans/ci.fmf
@ -0,0 +1,26 @@
+/fips-disabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/openssl
+      name: /Plans/ci/fips-disabled-buildroot-disabled
+
+
+/fips-disabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/openssl
+      name: /Plans/ci/fips-disabled-buildroot-enabled
+
+
+/fips-enabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/openssl
+      name: /Plans/ci/fips-enabled-buildroot-disabled
+
+
+/fips-enabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/openssl
+      name: /Plans/ci/fips-enabled-buildroot-enabled
--- a/SOURCES/renew-dummy-cert
+++ b/SOURCES/renew-dummy-cert
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (openssl-1.1.1k-hobbled.tar.xz) = dd48b6200bcda1938c362888789bf0dbac7dbcc80b15a32794e25f6cbe8f727b6f8d1302a2bc43708da79124db9e5a5d27446ec1c91cf1e270aba1d8664d65d8
				`@ -1 +0,0 @@`
				`6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz`
				`@ -0,0 +1 @@`
				`SHA512 (openssl-1.1.1k-hobbled.tar.xz) = dd48b6200bcda1938c362888789bf0dbac7dbcc80b15a32794e25f6cbe8f727b6f8d1302a2bc43708da79124db9e5a5d27446ec1c91cf1e270aba1d8664d65d8`