#20 Update to openssl 3.0.2
Merged 11 months ago by dbelyavs. Opened 11 months ago by dbelyavs.

file modified
+1
@@ -53,3 +53,4 @@ 

  /openssl-1.1.1j-hobbled.tar.xz

  /openssl-1.1.1k-hobbled.tar.xz

  /openssl-3.0.0-hobbled.tar.xz

+ /openssl-3.0.2-hobbled.tar.gz

@@ -216,14 +216,6 @@ 

       /* Add TLSv1.3 ciphers first - we always prefer those if possible */

       for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {

           const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);

- @@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,

-  

-          if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {

-              sk_SSL_CIPHER_free(cipherstack);

- +            OPENSSL_free(co_list);

-              return NULL;

-          }

-      }

  @@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,

       *cipher_list = cipherstack;

   
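Review bot: The nested hunk removed here carried the `OPENSSL_free(co_list);` on the `sk_SSL_CIPHER_push` failure path of ssl_create_cipher_list, and nothing in the PR says why it is dropped. If openssl 3.0.2 already contains that leak fix upstream the removal is a correct rebase artefact; if it does not, the fix silently disappears with the rebase. A sentence in the PR description or in the patch header naming the upstream change that supersedes it would make this auditable. The file path for this section is not shown on the page, and ssl_create_cipher_list itself lies entirely outside the hunk.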

@@ -0,0 +1,80 @@ 

+ diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_lib.c

+ --- openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec	2022-02-22 09:08:48.557823665 +0100

+ +++ openssl-3.0.1/crypto/ec/ec_lib.c	2022-02-22 09:09:26.634133847 +0100

+ @@ -1458,7 +1458,7 @@ static EC_GROUP *ec_group_explicit_to_na

+                  goto err;

+          }

+      } else {

+ -        ret_group = (EC_GROUP *)group;

+ +        goto err;

+      }

+      EC_GROUP_free(dup);

+      return ret_group;

+ diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c

+ --- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec	2022-02-22 13:04:16.850856612 +0100

+ +++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c	2022-02-22 14:16:19.848369641 +0100

+ @@ -936,11 +936,8 @@ int ec_validate(const void *keydata, int

+      if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {

+          int flags = EC_KEY_get_flags(eck);

+  

+ -        if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)

+ -            ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),

+ -                           (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);

+ -        else

+ -            ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);

+ +        ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),

+ +                      (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);

+      }

+  

+      if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {

+ @@ -1217,6 +1214,10 @@ static int ec_gen_assign_group(EC_KEY *e

+          ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET);

+          return 0;

+      }

+ +    if (EC_GROUP_get_curve_name(group) == NID_undef) {

+ +        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);

+ +        return 0;

+ +    }

+      return EC_KEY_set_group(ec, group) > 0;

+  }

+  

+ diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c

+ --- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec	2022-02-25 11:44:19.554673396 +0100

+ +++ openssl-3.0.1/providers/common/securitycheck.c	2022-02-25 12:16:38.168610089 +0100

+ @@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx

+  int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)

+  {

+  # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)

+ -    if (ossl_securitycheck_enabled(ctx)) {

+ -        int nid, strength;

+ -        const char *curve_name;

+ -        const EC_GROUP *group = EC_KEY_get0_group(ec);

+ +    int nid, strength;

+ +    const char *curve_name;

+ +    const EC_GROUP *group = EC_KEY_get0_group(ec);

+  

+ -        if (group == NULL) {

+ -            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");

+ -            return 0;

+ -        }

+ -        nid = EC_GROUP_get_curve_name(group);

+ -        if (nid == NID_undef) {

+ -            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,

+ -                           "Explicit curves are not allowed in fips mode");

+ -            return 0;

+ -        }

+ +    if (group == NULL) {

+ +        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");

+ +        return 0;

+ +    }

+ +    nid = EC_GROUP_get_curve_name(group);

+ +    if (nid == NID_undef) {

+ +        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,

+ +                       "Explicit curves are not allowed in this build");

+ +        return 0;

+ +    }

+  

+ +    if (ossl_securitycheck_enabled(ctx)) {

+          curve_name = EC_curve_nid2nist(nid);

+          if (curve_name == NULL) {

+              ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
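Review bot: In the securitycheck.c hunk the NULL-group and `NID_undef` checks are hoisted out of `ossl_securitycheck_enabled(ctx)` but stay under `# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)`, so the rejection promised by the new message `"Explicit curves are not allowed in this build"` only holds when the security checks are compiled in, whereas the ec_kmgmt.c changes in the same patch reject explicit curves unconditionally. Moving the two checks, together with the `group` and `nid` declarations they use, above the `# if` would make ossl_ec_check_key consistent with ec_gen_assign_group and ec_validate in every build configuration; the remainder of ossl_ec_check_key, including its `#endif`, lies outside the hunk. The patch also carries no header explaining its purpose; a short paragraph before the first `diff -up` line, e.g. `Reject explicitly-encoded EC domain parameters everywhere; only named curves are accepted by this build`, would document the behaviour change for whoever rebases it next.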

The added file is too large to be shown here, see it at: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
file modified
+2 -2
@@ -2300,8 +2300,8 @@ 

      ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);

      ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);

      ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);

-     ADD_ALL_TESTS(custom_generator_test, crv_len);

-     ADD_ALL_TESTS(custom_params_test, crv_len);

+     /* ADD_ALL_TESTS(custom_generator_test, crv_len);

+     ADD_ALL_TESTS(custom_params_test, crv_len); */

      return 1;

  }
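Review bot: `custom_generator_test` and `custom_params_test` are commented out rather than removed or guarded, and the hunk gives no reason, so the next rebase is likely to drop or re-enable them by accident. Presumably they are disabled because they construct explicit curve parameters that 0012-Disable-explicit-ec.patch now rejects; a comment on the new line such as `/* custom_generator_test and custom_params_test rely on explicit curve parameters, which this build rejects (see 0012-Disable-explicit-ec.patch) */` would record that dependency, or the two calls could simply be deleted. The enclosing function begins outside the hunk, and the file's path is not shown on the page.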

  

file modified
+15 -4
@@ -14,13 +14,13 @@ 

  

  Summary: Utilities from the general purpose cryptography library with TLS implementation

  Name: openssl

- Version: 3.0.0

- Release: 2%{?dist}

+ Version: 3.0.2

+ Release: 1%{?dist}

  Epoch: 1

  # We have to remove certain patented algorithms from the openssl source

  # tarball with the hobble-openssl script which is included below.

  # The original openssl upstream tarball cannot be shipped in the .src.rpm.

- Source: openssl-%{version}-hobbled.tar.xz

+ Source: openssl-%{version}-hobbled.tar.gz

  Source1: hobble-openssl

  Source2: Makefile.certificate

  Source3: genpatches
@@ -52,8 +52,12 @@ 

  #Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch

  # remove unsupported EC curves

  Patch11: 0011-Remove-EC-curves.patch

+ # Disable explicit EC curves

+ Patch12: 0012-Disable-explicit-ec.patch

  # Instructions to load legacy provider in openssl.cnf

  Patch24: 0024-load-legacy-prov.patch

+ # Backport of patch for RHEL for Edge rhbz #2027261

+ Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch

  

  License: ASL 2.0

  URL: http://www.openssl.org/
@@ -177,6 +181,10 @@ 

  %ifarch riscv64

  sslarch=linux-generic64

  %endif

+ ktlsopt=enable-ktls

+ %ifarch armv7hl

+ ktlsopt=disable-ktls

+ %endif

  

  # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be

  # marked as not requiring an executable stack.
@@ -194,7 +202,7 @@ 

  	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \

  	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \

  	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \

- 	enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\

+ 	enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\

  	no-mdc2 no-ec2m no-sm2 no-sm4 \

  	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'

  
@@ -376,6 +384,9 @@ 

  %ldconfig_scriptlets libs

  

  %changelog

+ * Fri Mar 18 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.2-1

+ - Rebase to upstream version 3.0.2

+ 

  * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.0-2

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
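Review bot: The new changelog entry records only `Rebase to upstream version 3.0.2`, while the same section adds Patch12 (explicit EC curves rejected, a user-visible behaviour change), the Patch51 KBKDF backport for rhbz #2027261, and disables kTLS on armv7hl, none of which is mentioned. One bullet per change, e.g. `- Disable explicit EC curves (Patch12)`, `- Backport KBKDF R_BITS support (rhbz #2027261)`, `- Disable kTLS on armv7hl`, would let package users find the behaviour change from the rpm changelog. The `%ifarch armv7hl` block that sets `ktlsopt=disable-ktls` also has no comment saying why kTLS is disabled on that architecture; a line above it such as `# kTLS disabled on armv7hl: <reason placeholder>` would help the next maintainer decide whether it can be re-enabled.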

  

file modified
+1 -1
@@ -1,1 +1,1 @@ 

- SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27

+ SHA512 (openssl-3.0.2-hobbled.tar.gz) = e62f95ef9a81555f8c7bb4e68bfbd14bd81040f112dd88a1e515160623e6d3a0b68d0d8b9b12905f67b06834bd152edfbabca4b528a4887b15dd153d60ad36d5

Pull-Request has been merged by dbelyavs

11 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci