#45 [DRAFT] Rebasing OpenSSL from 3.0.8 to 3.1.1
Closed 9 months ago by saprasad. Opened 11 months ago by dbelyavs.

file modified
+1
@@ -58,3 +58,4 @@ 

  /openssl-3.0.7-hobbled.tar.gz

  /openssl-3.0.8-hobbled.tar.gz

  /openssl-3.0.8.tar.gz

+ /openssl-3.1.1.tar.gz

@@ -272,9 +272,9 @@ 

  --- a/util/libcrypto.num

  +++ b/util/libcrypto.num

  @@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure    ?	3_0_0	EXIST::FUNCTION:

-  OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:

-  OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:

-  OSSL_CMP_CTX_reset_geninfo_ITAVs        5558	3_0_8	EXIST::FUNCTION:CMP

+  EVP_CIPHER_CTX_dup                      5563	3_1_0	EXIST::FUNCTION:

+  BN_are_coprime                          5564	3_1_0	EXIST::FUNCTION:

+  OSSL_CMP_MSG_update_recipNonce          5565	3_0_9	EXIST::FUNCTION:CMP

  +ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:

  -- 

  2.26.2

@@ -1,9 +1,9 @@ 

  diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c

  --- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips	2021-03-16 00:09:55.814826432 +0100

  +++ openssl-3.0.0-alpha13/crypto/context.c	2021-03-16 00:15:55.129043811 +0100

- @@ -12,11 +12,46 @@

-  #include "crypto/ctype.h"

-  #include "crypto/rand.h"

+ @@ -12,6 +12,41 @@

+  #include "internal/provider.h"

+  #include "crypto/context.h"

   

  +# include <sys/types.h>

  +# include <sys/stat.h>
@@ -11,11 +11,6 @@ 

  +# include <unistd.h>

  +# include <openssl/evp.h>

  +

-  struct ossl_lib_ctx_onfree_list_st {

-      ossl_lib_ctx_onfree_fn *fn;

-      struct ossl_lib_ctx_onfree_list_st *next;

-  };

-  

  +# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"

  +

  +static int kernel_fips_flag;
@@ -46,16 +41,16 @@ 

  +

  +

   struct ossl_lib_ctx_st {

-      CRYPTO_RWLOCK *lock;

-      CRYPTO_EX_DATA data;

+      CRYPTO_RWLOCK *lock, *rand_crngt_lock;

+      OSSL_EX_DATA_GLOBAL global;

  @@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte

   

   DEFINE_RUN_ONCE_STATIC(default_context_do_init)

   {

  +	 read_kernel_fips_flag();

-      return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)

-          && context_init(&default_context_int);

-  }

+      if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))

+          goto err;

+  

  diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h

  --- openssl-3.0.1/include/internal/provider.h.embed-fips	2022-01-11 13:13:08.323238760 +0100

  +++ openssl-3.0.1/include/internal/provider.h	2022-01-11 13:13:43.522558909 +0100

@@ -1,15 +1,3 @@ 

- diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/recipes/90-test_sslapi.t

- --- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit	2021-09-22 11:56:49.452507975 +0200

- +++ openssl-3.0.0/test/recipes/90-test_sslapi.t	2021-09-22 11:57:19.371764742 +0200

- @@ -40,7 +40,7 @@ unless ($no_fips) {

-                               "recipes",

-                               "90-test_sslapi_data",

-                               "dhparams.pem")])),

- -                 "running sslapitest");

- +                 "running sslapitest - FIPS");

-  }

-  

-  unlink $tmpfilename;

  diff --git a/test/sslapitest.c b/test/sslapitest.c

  index e95d2657f46c..7af0eab3fce0 100644

  --- a/test/sslapitest.c

file modified
+7 -143
@@ -1,9 +1,3 @@ 

- #Note: provider_conf_activate() is introduced in downstream only. It is a rewrite

- #(partial) of the function provider_conf_load() under the 'if (activate) section.

- #If there is any change to this section, after deleting it in provider_conf_load()

- #ensure that you also add those changes to the provider_conf_activate() function.

- #additionally please add this check for cnf explicitly as shown below.

- #'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'

  diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c

  --- openssl-3.0.1/crypto/provider_conf.c.fipsact	2022-05-12 12:44:31.199034948 +0200

  +++ openssl-3.0.1/crypto/provider_conf.c	2022-05-12 12:49:17.468318373 +0200
@@ -15,151 +9,21 @@ 

   #include <openssl/conf.h>

   #include <openssl/safestack.h>

   #include <openssl/provider.h>

- @@ -136,58 +136,18 @@ static int prov_already_activated(const

-      return 0;

-  }

-  

- -static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,

- -                              const char *value, const CONF *cnf)

- +static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,

- +                                  const char *value, const char *path,

- +                                  int soft, const CONF *cnf)

-  {

- -    int i;

- -    STACK_OF(CONF_VALUE) *ecmds;

- -    int soft = 0;

- -    OSSL_PROVIDER *prov = NULL, *actual = NULL;

- -    const char *path = NULL;

- -    long activate = 0;

-      int ok = 0;

- -

- -    name = skip_dot(name);

- -    OSSL_TRACE1(CONF, "Configuring provider %s\n", name);

- -    /* Value is a section containing PROVIDER commands */

- -    ecmds = NCONF_get_section(cnf, value);

- -

- -    if (!ecmds) {

- -        ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,

- -                       "section=%s not found", value);

- -        return 0;

- -    }

- -

- -    /* Find the needed data first */

- -    for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {

- -        CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);

- -        const char *confname = skip_dot(ecmd->name);

- -        const char *confvalue = ecmd->value;

- -

- -        OSSL_TRACE2(CONF, "Provider command: %s = %s\n",

- -                    confname, confvalue);

- -

- -        /* First handle some special pseudo confs */

- -

- -        /* Override provider name to use */

- -        if (strcmp(confname, "identity") == 0)

- -            name = confvalue;

- -        else if (strcmp(confname, "soft_load") == 0)

- -            soft = 1;

- -        /* Load a dynamic PROVIDER */

- -        else if (strcmp(confname, "module") == 0)

- -            path = confvalue;

- -        else if (strcmp(confname, "activate") == 0)

- -            activate = 1;

- -    }

- -

- -    if (activate) {

- -        PROVIDER_CONF_GLOBAL *pcgbl

- -            = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,

- -                                    &provider_conf_ossl_ctx_method);

- +    OSSL_PROVIDER *prov = NULL, *actual = NULL;

- +    PROVIDER_CONF_GLOBAL *pcgbl

- +        = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,

- +                                &provider_conf_ossl_ctx_method);

-  

-          if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {

- -            ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);

- +           ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);

-              return 0;

-          }

-          if (!prov_already_activated(name, pcgbl->activated_providers)) {

  @@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C

-              if (path != NULL)

-                  ossl_provider_set_module_path(prov, path);

+          if (path != NULL)

+              ossl_provider_set_module_path(prov, path);

   

- -            ok = provider_conf_params(prov, NULL, NULL, value, cnf);

- +            ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;

-  

-              if (ok) {

-                  if (!ossl_provider_activate(prov, 1, 0)) {

- @@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C

-              }

-              if (!ok)

-                  ossl_provider_free(prov);

- +        } else { /* No reason to activate the provider twice, returning OK */

- +            ok = 1;

-          }

-          CRYPTO_THREAD_unlock(pcgbl->lock);

- +    return ok;

- +}

- +

- +static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,

- +                              const char *value, const CONF *cnf)

- +{

- +    int i;

- +    STACK_OF(CONF_VALUE) *ecmds;

- +    int soft = 0;

- +    const char *path = NULL;

- +    long activate = 0;

- +    int ok = 0;

- +

- +    name = skip_dot(name);

- +    OSSL_TRACE1(CONF, "Configuring provider %s\n", name);

- +    /* Value is a section containing PROVIDER commands */

- +    ecmds = NCONF_get_section(cnf, value);

- +

- +    if (!ecmds) {

- +        ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,

- +                       "section=%s not found", value);

- +        return 0;

- +    }

- +

- +    /* Find the needed data first */

- +    for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {

- +        CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);

- +        const char *confname = skip_dot(ecmd->name);

- +        const char *confvalue = ecmd->value;

- +

- +        OSSL_TRACE2(CONF, "Provider command: %s = %s\n",

- +                    confname, confvalue);

- +

- +        /* First handle some special pseudo confs */

- +

- +        /* Override provider name to use */

- +        if (strcmp(confname, "identity") == 0)

- +            name = confvalue;

- +        else if (strcmp(confname, "soft_load") == 0)

- +            soft = 1;

- +        /* Load a dynamic PROVIDER */

- +        else if (strcmp(confname, "module") == 0)

- +            path = confvalue;

- +        else if (strcmp(confname, "activate") == 0)

- +            activate = 1;

- +    }

- +

- +    if (activate) {

- +       ok = provider_conf_activate(libctx, name, value, path, soft, cnf);

-      } else {

-          OSSL_PROVIDER_INFO entry;

+ -        ok = provider_conf_params(prov, NULL, NULL, value, cnf);

+ +        ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;

   

- @@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU

+          if (ok) {

+              if (!ossl_provider_activate(prov, 1, 0)) {

+ @@ -306,6 +317,16 @@ static int provider_conf_init(CONF_IMODU

               return 0;

       }

   

  +    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */

  +        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);

- +        PROVIDER_CONF_GLOBAL *pcgbl

- +            = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,

- +                                    &provider_conf_ossl_ctx_method);

  +        if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)

  +            return 0;

  +        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
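Review bot: The forced activation in provider_conf_init calls `provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL)` with both `value` and `cnf` NULL, but this rebase deletes the `#Note:` patch header, which was the only text explaining why the `ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;` guard exists. The downstream rewrite of provider_conf_activate is dropped here, presumably in favour of a version shipped in the new tarball; its body is not visible, so it is worth confirming that it does not use `value` or `cnf` anywhere outside the guarded call. I would keep a one-line patch header such as `# provider_conf_activate() is called with value == NULL and cnf == NULL when the kernel FIPS flag is set; keep the cnf guard`, and refresh the stale `/* XXX from provider_conf_load */` comment. The `if` on the last line continues outside the hunk.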

file modified
+10 -7
@@ -2,8 +2,8 @@ 

  --- openssl-3.0.7/providers/fips/self_test.c.embed-hmac	2023-01-05 10:03:44.864869710 +0100

  +++ openssl-3.0.7/providers/fips/self_test.c	2023-01-05 10:15:17.041606472 +0100

  @@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void)

+      return ok;

   }

-  #endif

   

  +#define HMAC_LEN 32

  +/*
@@ -29,7 +29,7 @@ 

   static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,

                               unsigned char *expected, size_t expected_len,

                               OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,

- @@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BI

+ @@ -189,12 +205,23 @@ static int verify_integrity(OSSL_CORE_BI

       EVP_MAC *mac = NULL;

       EVP_MAC_CTX *ctx = NULL;

       OSSL_PARAM params[2], *p = params;
@@ -39,6 +39,9 @@ 

  +    unsigned long paddr;

  +    unsigned long off = 0;

   

+      if (!integrity_self_test(ev, libctx))

+          goto err;

+  

       OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);

   

  +    if (!dladdr1 ((const void *)fips_hmac_container,
@@ -118,8 +121,8 @@ 

           ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);

           goto end;

  @@ -356,7 +413,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS

-      ok = 1;

   end:

+      EVP_RAND_free(testrand);

       OSSL_SELF_TEST_free(ev);

  -    OPENSSL_free(module_checksum);

       OPENSSL_free(indicator_checksum);
@@ -159,8 +162,8 @@ 

  -plan skip_all => "Test only supported in a fips build" if disabled("fips");

  +plan skip_all => "Test only supported in a fips build" if 1;

   

-  plan tests => 29;

-  

+  # Compatible options for pedantic FIPS compliance

+  my @pedantic_okay =

  diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t

  --- openssl-3.0.0/test/recipes/30-test_defltfips.t	2021-09-07 13:46:32.000000000 +0200

  +++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t	2021-11-18 10:22:54.179659682 +0100
@@ -194,9 +197,9 @@ 

   

  -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);

  +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);

+  my $fipsmodcfg_filename = "fipsmodule.cnf";

+  my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);

   

-  plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"

-      if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));

  --- /dev/null	2021-11-16 15:27:32.915000000 +0100

  +++ openssl-3.0.0/test/fipsmodule.cnf	2021-11-18 11:15:34.538060408 +0100

  @@ -0,0 +1,2 @@

@@ -164,7 +164,7 @@ 

  diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in

  --- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac	2022-01-11 13:26:33.279906225 +0100

  +++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in	2022-01-11 13:33:18.757994419 +0100

- @@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi

+ @@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS confi

   =head1 SYNOPSIS

   

   B<openssl fipsinstall>
@@ -179,14 +179,18 @@ 

  -[B<-macopt> I<nm>:I<v>]

  -[B<-noout>]

  -[B<-quiet>]

+ -[B<-pedantic>]

  -[B<-no_conditional_errors>]

  -[B<-no_security_checks>]

+ -[B<-ems_check>]

+ -[B<-no_drbg_truncated_digests>]

  -[B<-self_test_onload>]

+ -[B<-self_test_oninstall>]

  -[B<-corrupt_desc> I<selftest_description>]

  -[B<-corrupt_type> I<selftest_type>]

  -[B<-config> I<parent_config>]

-  

-  =head1 DESCRIPTION

+ -

+ -=head1 DESCRIPTION

  -

  -This command is used to generate a FIPS module configuration file.

  -This configuration file can be used each time a FIPS module is loaded
@@ -315,6 +319,14 @@ 

  -

  -Disable logging of the self tests.

  -

+ -=item B<-pedantic>

+ -

+ -Configure the module so that it is strictly FIPS compliant rather

+ -than being backwards compatible.  This enables conditional errors,

+ -security checks etc.  Note that any previous configuration options will

+ -be overwritten and any subsequent configuration options that violate

+ -FIPS compliance will result in an error.

+ -

  -=item B<-no_conditional_errors>

  -

  -Configure the module to not enter an error state if a conditional self test
@@ -324,6 +336,20 @@ 

  -

  -Configure the module to not perform run-time security checks as described above.

  -

+ -Enabling the configuration option "no-fips-securitychecks" provides another way to

+ -turn off the check at compile time.

+ -

+ -=item B<-ems_check>

+ -

+ -Configure the module to enable a run-time Extended Master Secret (EMS) check

+ -when using the TLS1_PRF KDF algorithm. This check is disabled by default.

+ -See RFC 7627 for information related to EMS.

+ -

+ -=item B<-no_drbg_truncated_digests>

+ -

+ -Configure the module to not allow truncated digests to be used with Hash and

+ -HMAC DRBGs.  See FIPS 140-3 IG D.R for details.

+ -

  -=item B<-self_test_onload>

  -

  -Do not write the two fields related to the "test status indicator" and
@@ -334,6 +360,14 @@ 

  -could possibly then add the 2 fields into the configuration using some other

  -mechanism.

  -

+ -This is the default.

+ -

+ -=item B<-self_test_oninstall>

+ -

+ -The converse of B<-self_test_oninstall>.  The two fields related to the

+ -"test status indicator" and "MAC status indicator" are written to the

+ -output configuration file.

+ -

  -=item B<-quiet>

  -

  -Do not output pass/fail messages. Implies B<-noout>.
@@ -369,6 +403,11 @@ 

  -For normal usage the base configuration file should use the default provider

  -when generating the fips configuration file.

  -

+ -The B<-self_test_oninstall> option was added and the

+ -B<-self_test_onload> option was made the default in OpenSSL 3.1.

+ -

+ -The command and all remaining options were added in OpenSSL 3.0.

+ -

  -=head1 EXAMPLES

  -

  -Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test

@@ -89,21 +89,6 @@ 

   

       retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);

   

- diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c

- --- openssl-3.0.1/crypto/ec/ec_key.c.fips3	2022-07-25 14:03:34.420222507 +0200

- +++ openssl-3.0.1/crypto/ec/ec_key.c	2022-07-25 14:09:00.728164294 +0200

- @@ -336,6 +336,11 @@ static int ec_generate_key(EC_KEY *eckey

-  

-          OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);

-          ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);

- +

- +#ifdef FIPS_MODULE

- +        ok &= ossl_ec_key_public_check(eckey, ctx);

- +        ok &= ossl_ec_key_pairwise_check(eckey, ctx);

- +#endif /* FIPS_MODULE */

-      }

-  err:

-      /* Step (9): If there is an error return an invalid keypair. */

  diff -up openssl-3.0.1/crypto/rsa/rsa_gen.c.fips3 openssl-3.0.1/crypto/rsa/rsa_gen.c

  --- openssl-3.0.1/crypto/rsa/rsa_gen.c.fips3	2022-07-25 17:02:17.807271297 +0200

  +++ openssl-3.0.1/crypto/rsa/rsa_gen.c	2022-07-25 17:18:24.931959649 +0200

@@ -15,16 +15,8 @@ 

  diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/providers/fips/fipsprov.c

  --- openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2	2022-05-05 11:42:58.596848856 +0200

  +++ openssl-3.0.1/providers/fips/fipsprov.c	2022-05-05 11:55:42.997562712 +0200

- @@ -54,7 +54,6 @@ static void fips_deinit_casecmp(void);

-  

-  #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }

-  #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)

- -

-  extern OSSL_FUNC_core_thread_start_fn *c_thread_start;

-  int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);

-  

  @@ -191,13 +190,13 @@ static int fips_get_params(void *provctx

-                                                &fips_prov_ossl_ctx_method);

+                                                OSSL_LIB_CTX_FIPS_PROV_INDEX);

   

       p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);

  -    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
@@ -58,8 +50,8 @@ 

       ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,

            ossl_cipher_capable_aes_cbc_hmac_sha256),

   #ifndef OPENSSL_NO_DES

- -    ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),

- -    ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),

+ -    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),

+ -    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),

  +    /* We don't certify 3DES in our FIPS provider */

  +    /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),

  +    ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
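Review bot: The commented-out 3DES entries this patch leaves behind still read `ALG(PROV_NAMES_DES_EDE3_ECB, ...)`, while the lines it now removes from the new tarball are `UNAPPROVED_ALG(...)`. The same mismatch appears in the fips_signature hunk, where the kept comment uses `FIPS_DEFAULT_PROPERTIES` for Ed25519/Ed448 but the removed lines use `FIPS_UNAPPROVED_PROPERTIES`. Judging by the macro names, anyone re-enabling an entry by uncommenting it would register the algorithm with the default FIPS properties rather than as unapproved. I would drop the dead code and keep only the explanation, e.g. `/* We don't certify 3DES in our FIPS provider */`, or update the commented copies to the 3.1 spelling. The table these entries belong to starts and ends outside the hunk.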
@@ -90,7 +82,7 @@ 

   #endif

       { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,

         ossl_kdf_tls1_prf_keyexch_functions },

- @@ -403,12 +406,14 @@ static const OSSL_ALGORITHM fips_keyexch

+ @@ -403,13 +406,14 @@ static const OSSL_ALGORITHM fips_keyexch

   

   static const OSSL_ALGORITHM fips_signature[] = {

   #ifndef OPENSSL_NO_DSA
@@ -100,8 +92,9 @@ 

   #endif

       { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },

   #ifndef OPENSSL_NO_EC

- -    { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },

- -    { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },

+ -    { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,

+ -      ossl_ed25519_signature_functions },

+ -    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },

  +    /* We don't certify Edwards curves in our FIPS provider */

  +    /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },

  +    { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */
@@ -130,9 +123,9 @@ 

         PROV_DESCS_X25519 },

       { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,

         PROV_DESCS_X448 },

-      { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,

+      { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,

         PROV_DESCS_ED25519 },

-      { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,

+      { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,

  -      PROV_DESCS_ED448 },

  +      PROV_DESCS_ED448 }, */

   #endif
@@ -158,22 +151,6 @@ 

   /* AES-256 GCM test data */

   static const unsigned char aes_256_gcm_key[] = {

       0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,

- @@ -235,6 +236,7 @@ static const unsigned char aes_128_ecb_c

-  };

-  

-  static const ST_KAT_CIPHER st_kat_cipher_tests[] = {

- +#if 0

-  #ifndef OPENSSL_NO_DES

-      {

-          {

- @@ -248,6 +250,7 @@ static const ST_KAT_CIPHER st_kat_cipher

-          ITM(des_ede3_cbc_iv),

-      },

-  #endif

- +#endif

-      {

-          {

-              OSSL_SELF_TEST_DESC_CIPHER_AES_GCM,

  @@ -1424,8 +1427,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[

   # endif /* OPENSSL_NO_EC2M */

   #endif /* OPENSSL_NO_EC */
@@ -193,9 +170,9 @@ 

  -

  +#endif

  +#endif

-  static const ST_KAT_SIGN st_kat_sign_tests[] = {

-      {

-          OSSL_SELF_TEST_DESC_SIGN_RSA,

+  /* Hash DRBG inputs for signature KATs */

+  static const unsigned char sig_kat_entropyin[] = {

+      0x06, 0x6d, 0xc8, 0xce, 0x75, 0xb2, 0x89, 0x66, 0xa6, 0x85, 0x16, 0x3f,

  @@ -1583,6 +1587,7 @@ static const ST_KAT_SIGN st_kat_sign_tes

       },

   # endif
@@ -205,7 +182,7 @@ 

       {

           OSSL_SELF_TEST_DESC_SIGN_DSA,

  @@ -1595,6 +1600,7 @@ static const ST_KAT_SIGN st_kat_sign_tes

-           */

+          ITM(dsa_expected_sig)

       },

   #endif /* OPENSSL_NO_DSA */

  +#endif
@@ -395,14 +372,17 @@ 

  diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp.t

  --- openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3	2022-05-05 14:43:04.276857033 +0200

  +++ openssl-3.0.1/test/recipes/30-test_evp.t	2022-05-05 14:43:35.975138234 +0200

- @@ -43,7 +43,6 @@ my @files = qw(

+ @@ -43,10 +43,8 @@ my @files = qw(

                   evpciph_aes_cts.txt

                   evpciph_aes_wrap.txt

                   evpciph_aes_stitched.txt

  -                evpciph_des3_common.txt

                   evpkdf_hkdf.txt

+                  evpkdf_kbkdf_counter.txt

+ -                evpkdf_kbkdf_kmac.txt

                   evpkdf_pbkdf1.txt

                   evpkdf_pbkdf2.txt

+                  evpkdf_ss.txt

  @@ -66,12 +65,6 @@ push @files, qw(

                   evppkey_dh.txt

                  ) unless $no_dh;
@@ -416,11 +396,12 @@ 

                   evppkey_ecc.txt

                   evppkey_ecdh.txt

                   evppkey_ecdsa.txt

- @@ -91,6 +84,7 @@ my @defltfiles = qw(

+ @@ -91,6 +84,8 @@ my @defltfiles = qw(

                        evpciph_cast5.txt

                        evpciph_chacha.txt

                        evpciph_des.txt

  +                     evpciph_des3_common.txt

+ +                     evpkdf_kbkdf_kmac.txt

                        evpciph_idea.txt

                        evpciph_rc2.txt

                        evpciph_rc4.txt
@@ -441,8 +422,8 @@ 

  --- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3	2022-05-05 14:46:32.721700697 +0200

  +++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt	2022-05-05 14:51:40.205418897 +0200

  @@ -328,6 +328,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E54100

-  Output = 00BDA1B7E87608BCBF470F12157F4C07

-  

+  Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007

+  Result = MAC_INIT_ERROR

   

  +Availablein = default

   Title = KMAC Tests (From NIST)

file modified
+3 -3
@@ -34,6 +34,6 @@ 

  -            goto end;

  -        }

  -    }

-      ok = 1;

-  end:

-      OSSL_SELF_TEST_free(ev);

+  

+      /* Verify that the RNG has been restored properly */

+      testrand = EVP_RAND_fetch(st->libctx, "TEST-RAND", NULL);

@@ -258,8 +258,8 @@ 

  +# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES      19

  +# define OSSL_LIB_CTX_MAX_INDEXES                   20

   

-  # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY          -1

-  # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY       0

+  OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);

+  int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);

  diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h

  index fd7f7e3331..05464b0655 100644

  --- a/include/internal/sslconf.h
@@ -493,8 +493,8 @@ 

  --- a/util/libcrypto.num

  +++ b/util/libcrypto.num

  @@ -5426,3 +5426,5 @@ ASN1_item_d2i_ex                        5552	3_0_0	EXIST::FUNCTION:

-  OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:

-  OSSL_CMP_CTX_reset_geninfo_ITAVs        5558	3_0_8	EXIST::FUNCTION:CMP

+  BN_are_coprime                          5564	3_1_0	EXIST::FUNCTION:

+  OSSL_CMP_MSG_update_recipNonce          5565	3_0_9	EXIST::FUNCTION:CMP

   ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:

  +ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:

  +ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:

file modified
+4 -6
@@ -1,15 +1,13 @@ 

  diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num

  --- openssl-3.0.3/util/libcrypto.num.locale	2022-06-01 12:35:52.667498724 +0200

  +++ openssl-3.0.3/util/libcrypto.num	2022-06-01 12:36:08.112633093 +0200

- @@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex

-  OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:

-  OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:

-  OSSL_CMP_CTX_reset_geninfo_ITAVs        5558	3_0_8	EXIST::FUNCTION:CMP

+ @@ -5425,4 +5425,6 @@ ASN1_item_d2i_ex

+  EVP_CIPHER_CTX_dup                      5563	3_1_0	EXIST::FUNCTION:

+  BN_are_coprime                          5564	3_1_0	EXIST::FUNCTION:

+  OSSL_CMP_MSG_update_recipNonce          5565	3_0_9	EXIST::FUNCTION:CMP

  +OPENSSL_strcasecmp                      ?	3_0_1	EXIST::FUNCTION:

  +OPENSSL_strncasecmp                     ? 	3_0_1	EXIST::FUNCTION:

   ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:

-  ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:

-  ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:

  diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c

  --- openssl-3.0.7/crypto/o_str.c.cmp	2022-11-25 12:50:22.449760653 +0100

  +++ openssl-3.0.7/crypto/o_str.c	2022-11-25 12:51:19.416350584 +0100

@@ -248,8 +248,8 @@ 

  --- a/providers/fips/fipsprov.c

  +++ b/providers/fips/fipsprov.c

  @@ -23,6 +23,7 @@

-  #include "prov/seeding.h"

   #include "self_test.h"

+  #include "crypto/context.h"

   #include "internal/core.h"

  +#include "indicator.h"

   

@@ -295,7 +295,7 @@ 

   

   static void *rsa_newctx(void *provctx)

  @@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,

-              return 0;

+              }

           }

           ret =

  -            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,

@@ -231,7 +231,7 @@ 

  index b6d5e8e134..77eec075e6 100644

  --- a/providers/fips/self_test_kats.c

  +++ b/providers/fips/self_test_kats.c

- @@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t,

+ @@ -444,10 +444,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,

       int ret = 0;

       OSSL_PARAM *params = NULL, *params_sig = NULL;

       OSSL_PARAM_BLD *bld = NULL;
@@ -241,7 +241,6 @@ 

       EVP_PKEY *pkey = NULL;

  -    unsigned char sig[256];

       BN_CTX *bnctx = NULL;

-      BIGNUM *K = NULL;

  +    const char *msg = "Hello World!";

  +    unsigned char sig[256];

       size_t siglen = sizeof(sig);

@@ -75,7 +75,7 @@ 

               } else {

                   /* legacy engine support : remove the mark when this is deleted */

                   ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);

- @@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,

+ @@ -318,6 +326,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,

                       ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);

                       goto err;

                   }
@@ -83,20 +83,6 @@ 

               }

               (void)ERR_pop_to_mark();

           }

-      }

-  

- +#ifndef FIPS_MODULE

-      if (ctx->reqdigest != NULL

-              && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)

-              && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)

- @@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,

-              }

-          }

-      }

- +#endif /* !defined(FIPS_MODULE) */

-  

-      if (ver) {

-          if (signature->digest_verify_init == NULL) {

  @@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,

       EVP_KEYMGMT_free(tmp_keymgmt);

       return 0;
@@ -231,7 +217,7 @@ 

  index b6d5e8e134..77eec075e6 100644

  --- a/providers/fips/self_test_kats.c

  +++ b/providers/fips/self_test_kats.c

- @@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t,

+ @@ -444,10 +444,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,

       int ret = 0;

       OSSL_PARAM *params = NULL, *params_sig = NULL;

       OSSL_PARAM_BLD *bld = NULL;
@@ -241,7 +227,6 @@ 

       EVP_PKEY *pkey = NULL;

  -    unsigned char sig[256];

       BN_CTX *bnctx = NULL;

-      BIGNUM *K = NULL;

  +    const char *msg = "Hello World!";

  +    unsigned char sig[256];

       size_t siglen = sizeof(sig);

file modified
+1 -1
@@ -9,7 +9,7 @@ 

  +# include <openssl/evp.h>

   

   static uint64_t get_time_stamp(void);

-  static uint64_t get_timer_bits(void);

+ 

  @@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf,

        * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion

        * between size_t and ssize_t is safe even without a range check.

@@ -183,11 +183,11 @@ 

  +        }

  +    }

  +

-      if (blinding) {

-          /*

-           * ossl_bn_rsa_do_unblind() combines blinding inversion and

+      if (blinding)

+          if (!rsa_blinding_invert(blinding, ret, unblind, ctx))

+              goto err;

  @@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,

-      }

+          goto err;

   

       switch (padding) {

  -    case RSA_PKCS1_PADDING:
@@ -739,9 +739,9 @@ 

   #define OSSL_PKEY_PARAM_PUB_KEY             "pub"

   #define OSSL_PKEY_PARAM_PRIV_KEY            "priv"

  +#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION  "implicit-rejection"

-  #define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K   "rh_sign_kat_k"

   

   /* Diffie-Hellman/DSA Parameters */

+  #define OSSL_PKEY_PARAM_FFC_P               "p"

  @@ -482,6 +483,7 @@ extern "C" {

   #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL               "oaep-label"

   #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION       "tls-client-version"

file modified
+33 -13
@@ -28,8 +28,8 @@ 

  

  Summary: Utilities from the general purpose cryptography library with TLS implementation

  Name: openssl

- Version: 3.0.8

- Release: 2%{?dist}

+ Version: 3.1.1

+ Release: 1%{?dist}

  Epoch: 1

  Source: openssl-%{version}.tar.gz

  Source2: Makefile.certificate
@@ -93,22 +93,28 @@ 

  Patch49: 0049-Selectively-disallow-SHA1-signatures.patch

  %else

  # Selectively disallow SHA1 signatures rhbz#2070977

- Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch

+ #XXX add OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES to ossl_lib_ctx_get_data

+ # To be reimplemented

+ # See also https://github.com/openssl/openssl/pull/17881

+ #Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch

  %endif

  # Backport of patch for RHEL for Edge rhbz #2027261

- Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch

+ # To be removed

+ # Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch

  %if 0%{?rhel}

  # Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes

  Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch

  %else

+ # To be reimplemented

  # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)

- Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch

+ # Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch

  %endif

  %if 0%{?rhel}

  # no USDT probe instrumentation required

  %else

+ # To be reimplemented

  # Instrument with USDT probes related to SHA-1 deprecation

- Patch53: 0053-Add-SHA1-probes.patch

+ # Patch53: 0053-Add-SHA1-probes.patch

  %endif

  # https://github.com/openssl/openssl/pull/18103

  # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
@@ -119,18 +125,23 @@ 

  # https://bugzilla.redhat.com/show_bug.cgi?id=2053289

  Patch58: 0058-FIPS-limit-rsa-encrypt.patch

  # https://bugzilla.redhat.com/show_bug.cgi?id=2069235

- Patch60: 0060-FIPS-KAT-signature-tests.patch

+ # This patch to be removed

+ # Tests for 384/521 curves TBD

+ # Patch60: 0060-FIPS-KAT-signature-tests.patch

+ # To be reimplemented

  # https://bugzilla.redhat.com/show_bug.cgi?id=2087147

- Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch

+ # Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch

  Patch62: 0062-fips-Expose-a-FIPS-indicator.patch

  # https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c

  # https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd

  # Regression on Power8, see rhbz2124845, https://github.com/openssl/openssl/issues/19163; fix in 0079-Fix-AES-GCM-on-Power-8-CPUs.patch

- Patch71: 0071-AES-GCM-performance-optimization.patch

+ # To be removed

+ # Patch71: 0071-AES-GCM-performance-optimization.patch

  # https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149

  # https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa

  # hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447

- Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch

+ # To be removed

+ # Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch

  # https://bugzilla.redhat.com/show_bug.cgi?id=2102535

  Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch

  # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
@@ -149,7 +160,8 @@ 

  # https://bugzilla.redhat.com/show_bug.cgi?id=2114772

  Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch

  # https://bugzilla.redhat.com/show_bug.cgi?id=2124845, https://github.com/openssl/openssl/pull/19182

- Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch

+ # To be removed

+ # Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch

  # https://github.com/openssl/openssl/pull/13817

  Patch100: 0100-RSA-PKCS15-implicit-rejection.patch

  
@@ -330,7 +342,7 @@ 

  OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file

  export OPENSSL_SYSTEM_CIPHERS_OVERRIDE

  #embed HMAC into fips provider for test run

- LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac

+ OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac

  objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac

  mv providers/fips.so.mac providers/fips.so

  #run tests itself
@@ -343,7 +355,7 @@ 

      %{?__debug_package:%{__debug_install_post}} \

      %{__arch_install_post} \

      %{__os_install_post} \

-     LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \

+     OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \

      objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \

      mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \

      rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
@@ -483,6 +495,14 @@ 

  %ldconfig_scriptlets libs

  

  %changelog

+ * Wed May 31 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.9-1

+ - Rebase to upstream version 3.1.1

+   Resolves: CVE-2023-0464

+   Resolves: CVE-2023-0465

+   Resolves: CVE-2023-0466

+   Resolves: CVE-2023-1255

+   Resolves: CVE-2023-2650

+ 

  * Tue Mar 21 2023 Sahana Prasad <sahana@redhat.com> - 1:3.0.8-2

  - Upload new upstream sources without manually hobbling them.

  - Remove the hobbling script as it is redundant. It is now allowed to ship
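Review bot: Patch61 (`0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch`) and Patch60 (`0060-FIPS-KAT-signature-tests.patch`) are commented out unconditionally, and Patch49, Patch52 and Patch53 on the non-RHEL `%else` branches, with only "To be reimplemented" or "To be removed" as the reason. Judging by the patch names, a package built from this spec would lose the SHA-1 restrictions and the signature KATs in the FIPS provider, and nothing in the spec records that. Each disabled security patch should carry a tracking reference and a merge condition in its comment, for example `# To be reimplemented before merge, tracked in rhbz#<TRACKING-BUG>`, and the Patch60 comment should say what replaces the removed tests rather than `# Tests for 384/521 curves TBD`. The new `%changelog` header also reads `1:3.0.9-1` although Version and Release are now `3.1.1` and `1`; it should be `* Wed May 31 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.1.1-1`.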

file modified
+1 -1
@@ -1,1 +1,1 @@ 

- SHA512 (openssl-3.0.8.tar.gz) = 6c5651e1ed66a567238948b306aa9140c407a153da9c6afe14268c830748df252c955819fac4eb0759dae4dcbc9ec98f5cc2a4a90bb575747b1b040e104c7ffd

+ SHA512 (openssl-3.1.1.tar.gz) = 8ba9dd6ab87451e126c19cc106ccd1643ca48667d6c37504d0ab98205fbccf855fd0db54474b4113c4c3a15215a4ef77a039fb897a69f71bcab2054b2effd1d9

New sources, commented out already present patches, fedpkg prep passes

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/ffdb270a6c154961b14c16e95afb4762

3 new commits added

  • Making tests pass
  • Temporary commenting out SHA1 Fedora dances, need to refactor
  • Enforcing FIPS - compilation fix
11 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/924f523621cf4c5f860761f4d971b9a1

Pull-Request has been closed by saprasad

9 months ago