PR#20: Update to openssl 3.0.2 - rpms/openssl

rpms / openssl

#20 Update to openssl 3.0.2

Merged 11 months ago by dbelyavs. Opened 11 months ago by dbelyavs.

f36 into rawhide

Dmitry Belyavskiy • 11 months ago

a0bd929

.gitignore

file modified

		`@@ -53,3 +53,4 @@`
		`/openssl-1.1.1j-hobbled.tar.xz`
		`/openssl-1.1.1k-hobbled.tar.xz`
		`/openssl-3.0.0-hobbled.tar.xz`
		`+ /openssl-3.0.2-hobbled.tar.gz`

0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch

file modified

-8

		`@@ -216,14 +216,6 @@`
		`/* Add TLSv1.3 ciphers first - we always prefer those if possible */`
		`for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {`
		`const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);`
		`- @@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`-`
		`- if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {`
		`- sk_SSL_CIPHER_free(cipherstack);`
		`- + OPENSSL_free(co_list);`
		`- return NULL;`
		`- }`
		`- }`
		`@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`*cipher_list = cipherstack;`

0012-Disable-explicit-ec.patch

file added

+80

		`@@ -0,0 +1,80 @@`
		`+ diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_lib.c`
		`+ --- openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec 2022-02-22 09:08:48.557823665 +0100`
		`+ +++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-02-22 09:09:26.634133847 +0100`
		`+ @@ -1458,7 +1458,7 @@ static EC_GROUP *ec_group_explicit_to_na`
		`+ goto err;`
		`+ }`
		`+ } else {`
		`+ - ret_group = (EC_GROUP *)group;`
		`+ + goto err;`
		`+ }`
		`+ EC_GROUP_free(dup);`
		`+ return ret_group;`
		`+ diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c`
		`+ --- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec 2022-02-22 13:04:16.850856612 +0100`
		`+ +++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-02-22 14:16:19.848369641 +0100`
		`+ @@ -936,11 +936,8 @@ int ec_validate(const void *keydata, int`
		`+ if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {`
		`+ int flags = EC_KEY_get_flags(eck);`
		`+`
		`+ - if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)`
		`+ - ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),`
		`+ - (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);`
		`+ - else`
		`+ - ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);`
		`+ + ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),`
		`+ + (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);`
		`+ }`
		`+`
		`+ if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {`
		`+ @@ -1217,6 +1214,10 @@ static int ec_gen_assign_group(EC_KEY *e`
		`+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET);`
		`+ return 0;`
		`+ }`
		`+ + if (EC_GROUP_get_curve_name(group) == NID_undef) {`
		`+ + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);`
		`+ + return 0;`
		`+ + }`
		`+ return EC_KEY_set_group(ec, group) > 0;`
		`+ }`
		`+`
		`+ diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c`
		`+ --- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec 2022-02-25 11:44:19.554673396 +0100`
		`+ +++ openssl-3.0.1/providers/common/securitycheck.c 2022-02-25 12:16:38.168610089 +0100`
		`+ @@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx`
		`+ int ossl_ec_check_key(OSSL_LIB_CTX ctx, const EC_KEY ec, int protect)`
		`+ {`
		`+ # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)`
		`+ - if (ossl_securitycheck_enabled(ctx)) {`
		`+ - int nid, strength;`
		`+ - const char *curve_name;`
		`+ - const EC_GROUP *group = EC_KEY_get0_group(ec);`
		`+ + int nid, strength;`
		`+ + const char *curve_name;`
		`+ + const EC_GROUP *group = EC_KEY_get0_group(ec);`
		`+`
		`+ - if (group == NULL) {`
		`+ - ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");`
		`+ - return 0;`
		`+ - }`
		`+ - nid = EC_GROUP_get_curve_name(group);`
		`+ - if (nid == NID_undef) {`
		`+ - ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,`
		`+ - "Explicit curves are not allowed in fips mode");`
		`+ - return 0;`
		`+ - }`
		`+ + if (group == NULL) {`
		`+ + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");`
		`+ + return 0;`
		`+ + }`
		`+ + nid = EC_GROUP_get_curve_name(group);`
		`+ + if (nid == NID_undef) {`
		`+ + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,`
		`+ + "Explicit curves are not allowed in this build");`
		`+ + return 0;`
		`+ + }`
		`+`
		`+ + if (ossl_securitycheck_enabled(ctx)) {`
		`+ curve_name = EC_curve_nid2nist(nid);`
		`+ if (curve_name == NULL) {`
		`+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,`

0051-Support-different-R_BITS-lengths-for-KBKDF.patch

file added

+2151

The added file is too large to be shown here, see it at: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch

ectest.c

file modified

+2 -2

		`@@ -2300,8 +2300,8 @@`
		`ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);`
		`ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);`
		`ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);`
		`- ADD_ALL_TESTS(custom_generator_test, crv_len);`
		`- ADD_ALL_TESTS(custom_params_test, crv_len);`
		`+ /* ADD_ALL_TESTS(custom_generator_test, crv_len);`
		`+ ADD_ALL_TESTS(custom_params_test, crv_len); */`
		`return 1;`
		`}`

openssl.spec

file modified

+15 -4

		`@@ -14,13 +14,13 @@`

		`Summary: Utilities from the general purpose cryptography library with TLS implementation`
		`Name: openssl`
		`- Version: 3.0.0`
		`- Release: 2%{?dist}`
		`+ Version: 3.0.2`
		`+ Release: 1%{?dist}`
		`Epoch: 1`
		`# We have to remove certain patented algorithms from the openssl source`
		`# tarball with the hobble-openssl script which is included below.`
		`# The original openssl upstream tarball cannot be shipped in the .src.rpm.`
		`- Source: openssl-%{version}-hobbled.tar.xz`
		`+ Source: openssl-%{version}-hobbled.tar.gz`
		`Source1: hobble-openssl`
		`Source2: Makefile.certificate`
		`Source3: genpatches`
		`@@ -52,8 +52,12 @@`
		`#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch`
		`# remove unsupported EC curves`
		`Patch11: 0011-Remove-EC-curves.patch`
		`+ # Disable explicit EC curves`
		`+ Patch12: 0012-Disable-explicit-ec.patch`
		`# Instructions to load legacy provider in openssl.cnf`
		`Patch24: 0024-load-legacy-prov.patch`
		`+ # Backport of patch for RHEL for Edge rhbz #2027261`
		`+ Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch`

		`License: ASL 2.0`
		`URL: http://www.openssl.org/`
		`@@ -177,6 +181,10 @@`
		`%ifarch riscv64`
		`sslarch=linux-generic64`
		`%endif`
		`+ ktlsopt=enable-ktls`
		`+ %ifarch armv7hl`
		`+ ktlsopt=disable-ktls`
		`+ %endif`

		`# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be`
		`# marked as not requiring an executable stack.`
		`@@ -194,7 +202,7 @@`
		`--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \`
		`--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \`
		`zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \`
		`- enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\`
		`+ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\`
		`no-mdc2 no-ec2m no-sm2 no-sm4 \`
		`shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'`

		`@@ -376,6 +384,9 @@`
		`%ldconfig_scriptlets libs`

		`%changelog`
		`+ * Fri Mar 18 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.2-1`
		`+ - Rebase to upstream version 3.0.2`
		`+`
		`* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.0-2`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild`

sources

file modified

+1 -1

		`@@ -1,1 +1,1 @@`
		`- SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27`
		`+ SHA512 (openssl-3.0.2-hobbled.tar.gz) = e62f95ef9a81555f8c7bb4e68bfbd14bd81040f112dd88a1e515160623e6d3a0b68d0d8b9b12905f67b06834bd152edfbabca4b528a4887b15dd153d60ad36d5`