From a74bafc73ce6d8db7ae4768ecade4a0ad9694418 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 01 2022 12:55:59 +0000 Subject: import openssl-3.0.1-5.el9 --- diff --git a/.gitignore b/.gitignore index 29a5b86..7de2940 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/openssl-3.0.0-hobbled.tar.xz +SOURCES/openssl-3.0.1-hobbled.tar.xz diff --git a/.openssl.metadata b/.openssl.metadata index b5f3eda..f4d8930 100644 --- a/.openssl.metadata +++ b/.openssl.metadata @@ -1 +1 @@ -68bab87c3606ad903a4b74e2cd79bf3bb30fd6b3 SOURCES/openssl-3.0.0-hobbled.tar.xz +1170b5119f0e591f6a2515d099abd06d0184f77c SOURCES/openssl-3.0.1-hobbled.tar.xz diff --git a/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index a32c9e8..9917fcf 100644 --- a/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -216,14 +216,6 @@ index b1d3f7919e..f7cc7fed48 100644 /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, - - if (!sk_SSL_CIPHER_push(cipherstack, sslc)) { - sk_SSL_CIPHER_free(cipherstack); -+ OPENSSL_free(co_list); - return NULL; - } - } @@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, *cipher_list = cipherstack; diff --git a/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch b/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch index 73bd7f9..01bd840 100644 --- a/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch +++ b/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch @@ -56,12 +56,12 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1 return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL) && context_init(&default_context_int); } -diff -up openssl-3.0.0/include/internal/provider.h.embed-fips openssl-3.0.0/include/internal/provider.h ---- openssl-3.0.0/include/internal/provider.h.embed-fips 2021-11-12 12:18:36.215333452 +0100 -+++ openssl-3.0.0/include/internal/provider.h 2021-11-12 12:22:41.298409269 +0100 -@@ -109,6 +109,9 @@ int ossl_provider_init_as_child(OSSL_LIB - const OSSL_CORE_HANDLE *handle, +diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h +--- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100 ++++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100 +@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB const OSSL_DISPATCH *in); + void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); +/* FIPS flag access */ +int ossl_get_kernel_fips_flag(void); diff --git a/SOURCES/0030-tmp-Fix-rng-seed-double-free.patch b/SOURCES/0030-tmp-Fix-rng-seed-double-free.patch deleted file mode 100644 index 35658eb..0000000 --- a/SOURCES/0030-tmp-Fix-rng-seed-double-free.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c -index 173c99ce1732..7a4b780bb469 100644 ---- a/providers/implementations/rands/seed_src.c -+++ b/providers/implementations/rands/seed_src.c -@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout, - ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); - return 0; - } -- *pout = p; - if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance, -- adin, adin_len) != 0) -+ adin, adin_len) != 0) { -+ *pout = p; - return bytes_needed; -+ } - OPENSSL_secure_clear_free(p, bytes_needed); - return 0; - } diff --git a/SOURCES/0032-Force-fips.patch b/SOURCES/0032-Force-fips.patch index 84687e4..9f83fcd 100644 --- a/SOURCES/0032-Force-fips.patch +++ b/SOURCES/0032-Force-fips.patch @@ -1,139 +1,145 @@ -diff -up openssl-3.0.0/crypto/provider_conf.c.fips-force openssl-3.0.0/crypto/provider_conf.c ---- openssl-3.0.0/crypto/provider_conf.c.fips-force 2021-11-12 14:21:01.878339467 +0100 -+++ openssl-3.0.0/crypto/provider_conf.c 2021-11-12 16:13:19.301542866 +0100 -@@ -136,13 +136,73 @@ static int prov_already_activated(const +#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite +#(partial) of the function provider_conf_load() under the 'if (activate) section. +#If there is any change to this section, after deleting it in provider_conf_load() +#ensure that you also add those changes to the provider_conf_activate() function. +#additionally please add this check for cnf explicitly as shown below. +#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;' +diff -up openssl-3.0.1/crypto/provider_conf.c.fips-FORCE openssl-3.0.1/crypto/provider_conf.c +--- openssl-3.0.1/crypto/provider_conf.c.fips-FORCE 2022-01-18 15:36:00.956141345 +0100 ++++ openssl-3.0.1/crypto/provider_conf.c 2022-01-18 15:42:36.345172203 +0100 +@@ -136,58 +136,18 @@ static int prov_already_activated(const return 0; } - -+static int provider_conf_activate(OSSL_LIB_CTX *libctx, PROVIDER_CONF_GLOBAL *pcgbl, -+ const char *name, const char *value, const char *path, + +-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, +- const char *value, const CONF *cnf) ++static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name, ++ const char *value, const char *path, + int soft, const CONF *cnf) + { +- int i; +- STACK_OF(CONF_VALUE) *ecmds; +- int soft = 0; +- OSSL_PROVIDER *prov = NULL, *actual = NULL; +- const char *path = NULL; +- long activate = 0; + int ok = 0; +- +- name = skip_dot(name); +- OSSL_TRACE1(CONF, "Configuring provider %s\n", name); +- /* Value is a section containing PROVIDER commands */ +- ecmds = NCONF_get_section(cnf, value); +- +- if (!ecmds) { +- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, +- "section=%s not found", value); +- return 0; +- } +- +- /* Find the needed data first */ +- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { +- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); +- const char *confname = skip_dot(ecmd->name); +- const char *confvalue = ecmd->value; +- +- OSSL_TRACE2(CONF, "Provider command: %s = %s\n", +- confname, confvalue); +- +- /* First handle some special pseudo confs */ +- +- /* Override provider name to use */ +- if (strcmp(confname, "identity") == 0) +- name = confvalue; +- else if (strcmp(confname, "soft_load") == 0) +- soft = 1; +- /* Load a dynamic PROVIDER */ +- else if (strcmp(confname, "module") == 0) +- path = confvalue; +- else if (strcmp(confname, "activate") == 0) +- activate = 1; +- } +- +- if (activate) { +- PROVIDER_CONF_GLOBAL *pcgbl +- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, +- &provider_conf_ossl_ctx_method); ++ OSSL_PROVIDER *prov = NULL, *actual = NULL; ++ PROVIDER_CONF_GLOBAL *pcgbl ++ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, ++ &provider_conf_ossl_ctx_method); + + if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { +- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); ++ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + return 0; + } + if (!prov_already_activated(name, pcgbl->activated_providers)) { +@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C + if (path != NULL) + ossl_provider_set_module_path(prov, path); + +- ok = provider_conf_params(prov, NULL, NULL, value, cnf); ++ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; + + if (ok) { + if (!ossl_provider_activate(prov, 1, 0)) { +@@ -246,6 +206,55 @@ static int provider_conf_load(OSSL_LIB_C + ossl_provider_free(prov); + } + CRYPTO_THREAD_unlock(pcgbl->lock); ++ return ok; ++} ++ ++static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, ++ const char *value, const CONF *cnf) +{ ++ int i; ++ STACK_OF(CONF_VALUE) *ecmds; ++ int soft = 0; ++ const char *path = NULL; ++ long activate = 0; + int ok = 0; -+ OSSL_PROVIDER *prov = NULL, *actual = NULL; + -+ if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) { -+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); ++ name = skip_dot(name); ++ OSSL_TRACE1(CONF, "Configuring provider %s\n", name); ++ /* Value is a section containing PROVIDER commands */ ++ ecmds = NCONF_get_section(cnf, value); ++ ++ if (!ecmds) { ++ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, ++ "section=%s not found", value); + return 0; + } -+ if (!prov_already_activated(name, pcgbl->activated_providers)) { -+ /* -+ * There is an attempt to activate a provider, so we should disable -+ * loading of fallbacks. Otherwise a misconfiguration could mean the -+ * intended provider does not get loaded. Subsequent fetches could -+ * then fallback to the default provider - which may be the wrong -+ * thing. -+ */ -+ if (!ossl_provider_disable_fallback_loading(libctx)) { -+ CRYPTO_THREAD_unlock(pcgbl->lock); -+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ prov = ossl_provider_find(libctx, name, 1); -+ if (prov == NULL) -+ prov = ossl_provider_new(libctx, name, NULL, 1); -+ if (prov == NULL) { -+ CRYPTO_THREAD_unlock(pcgbl->lock); -+ if (soft) -+ ERR_clear_error(); -+ return 0; -+ } + -+ if (path != NULL) -+ ossl_provider_set_module_path(prov, path); ++ /* Find the needed data first */ ++ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { ++ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); ++ const char *confname = skip_dot(ecmd->name); ++ const char *confvalue = ecmd->value; + -+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; -+ -+ if (ok) { -+ if (!ossl_provider_activate(prov, 1, 0)) { -+ ok = 0; -+ } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { -+ ossl_provider_deactivate(prov); -+ ok = 0; -+ } else { -+ if (pcgbl->activated_providers == NULL) -+ pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); -+ sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual); -+ ok = 1; -+ } -+ } -+ if (!ok) -+ ossl_provider_free(prov); -+ } -+ CRYPTO_THREAD_unlock(pcgbl->lock); -+ return ok; -+} ++ OSSL_TRACE2(CONF, "Provider command: %s = %s\n", ++ confname, confvalue); + ++ /* First handle some special pseudo confs */ + ++ /* Override provider name to use */ ++ if (strcmp(confname, "identity") == 0) ++ name = confvalue; ++ else if (strcmp(confname, "soft_load") == 0) ++ soft = 1; ++ /* Load a dynamic PROVIDER */ ++ else if (strcmp(confname, "module") == 0) ++ path = confvalue; ++ else if (strcmp(confname, "activate") == 0) ++ activate = 1; ++ } + - static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, - const char *value, const CONF *cnf) - { - int i; - STACK_OF(CONF_VALUE) *ecmds; - int soft = 0; -- OSSL_PROVIDER *prov = NULL, *actual = NULL; - const char *path = NULL; - long activate = 0; - int ok = 0; -@@ -185,55 +245,7 @@ static int provider_conf_load(OSSL_LIB_C - } - - if (activate) { -- if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) { -- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -- return 0; -- } -- if (!prov_already_activated(name, pcgbl->activated_providers)) { -- /* -- * There is an attempt to activate a provider, so we should disable -- * loading of fallbacks. Otherwise a misconfiguration could mean the -- * intended provider does not get loaded. Subsequent fetches could -- * then fallback to the default provider - which may be the wrong -- * thing. -- */ -- if (!ossl_provider_disable_fallback_loading(libctx)) { -- CRYPTO_THREAD_unlock(pcgbl->lock); -- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -- return 0; -- } -- prov = ossl_provider_find(libctx, name, 1); -- if (prov == NULL) -- prov = ossl_provider_new(libctx, name, NULL, 1); -- if (prov == NULL) { -- CRYPTO_THREAD_unlock(pcgbl->lock); -- if (soft) -- ERR_clear_error(); -- return 0; -- } -- -- if (path != NULL) -- ossl_provider_set_module_path(prov, path); -- -- ok = provider_conf_params(prov, NULL, NULL, value, cnf); -- -- if (ok) { -- if (!ossl_provider_activate(prov, 1, 0)) { -- ok = 0; -- } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { -- ossl_provider_deactivate(prov); -- ok = 0; -- } else { -- if (pcgbl->activated_providers == NULL) -- pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); -- sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual); -- ok = 1; -- } -- } -- if (!ok) -- ossl_provider_free(prov); -- } -- CRYPTO_THREAD_unlock(pcgbl->lock); -+ ok = provider_conf_activate(libctx, pcgbl, name, value, path, soft, cnf); ++ if (activate) { ++ ok = provider_conf_activate(libctx, name, value, path, soft, cnf); } else { OSSL_PROVIDER_INFO entry; -@@ -294,6 +306,19 @@ static int provider_conf_init(CONF_IMODU +@@ -306,6 +315,19 @@ static int provider_conf_init(CONF_IMODU return 0; } @@ -142,9 +148,9 @@ diff -up openssl-3.0.0/crypto/provider_conf.c.fips-force openssl-3.0.0/crypto/pr + PROVIDER_CONF_GLOBAL *pcgbl + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, + &provider_conf_ossl_ctx_method); -+ if (provider_conf_activate(libctx, pcgbl, "fips", NULL, NULL, 0, NULL) != 1) ++ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) + return 0; -+ if (provider_conf_activate(libctx, pcgbl, "base", NULL, NULL, 0, NULL) != 1) ++ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) + return 0; + if (EVP_default_properties_enable_fips(libctx, 1) != 1) + return 0; diff --git a/SOURCES/0033-FIPS-embed-hmac.patch b/SOURCES/0033-FIPS-embed-hmac.patch index 5e914ed..c788072 100644 --- a/SOURCES/0033-FIPS-embed-hmac.patch +++ b/SOURCES/0033-FIPS-embed-hmac.patch @@ -10,7 +10,7 @@ diff -up openssl-3.0.0/providers/fips/self_test.c.embed-hmac openssl-3.0.0/provi + * The __attribute__ ensures we've created the .rodata1 section + * static ensures it's zero filled +*/ -+static const volatile unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0}; ++static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0}; + /* * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify diff --git a/SOURCES/0034.fipsinstall_disable.patch b/SOURCES/0034.fipsinstall_disable.patch index b0e0c4b..c4f9efd 100644 --- a/SOURCES/0034.fipsinstall_disable.patch +++ b/SOURCES/0034.fipsinstall_disable.patch @@ -11,10 +11,160 @@ diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) goto end; -diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in ---- openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx 2021-11-22 13:19:55.192959061 +0100 -+++ openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in 2021-11-22 13:20:56.978491104 +0100 -@@ -8,224 +8,10 @@ openssl-fipsinstall - perform FIPS confi +diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod +--- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100 ++++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100 +@@ -158,10 +158,6 @@ Engine (loadable module) information and + + Error Number to Error String Conversion. + +-=item B +- +-FIPS configuration installation. +- + =item B + + Generation of DSA Private Key from Parameters. Superseded by +diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod +--- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100 ++++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100 +@@ -573,7 +573,6 @@ configuration files using that syntax wi + =head1 SEE ALSO + + L, L, L, +-L, + L, + L, + L, +diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod +--- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100 ++++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100 +@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration + + =head1 DESCRIPTION + +-A separate configuration file, using the OpenSSL L syntax, +-is used to hold information about the FIPS module. This includes a digest +-of the shared library file, and status about the self-testing. +-This data is used automatically by the module itself for two +-purposes: +- +-=over 4 +- +-=item - Run the startup FIPS self-test known answer tests (KATS). +- +-This is normally done once, at installation time, but may also be set up to +-run each time the module is used. +- +-=item - Verify the module's checksum. +- +-This is done each time the module is used. +- +-=back +- +-This file is generated by the L program, and +-used internally by the FIPS module during its initialization. +- +-The following options are supported. They should all appear in a section +-whose name is identified by the B option in the B +-section, as described in L. +- +-=over 4 +- +-=item B +- +-If present, the module is activated. The value assigned to this name is not +-significant. +- +-=item B +- +-A version number for the fips install process. Should be 1. +- +-=item B +- +-The FIPS module normally enters an internal error mode if any self test fails. +-Once this error mode is active, no services or cryptographic algorithms are +-accessible from this point on. +-Continuous tests are a subset of the self tests (e.g., a key pair test during key +-generation, or the CRNG output test). +-Setting this value to C<0> allows the error mode to not be triggered if any +-continuous test fails. The default value of C<1> will trigger the error mode. +-Regardless of the value, the operation (e.g., key generation) that called the +-continuous test will return an error code if its continuous test fails. The +-operation may then be retried if the error mode has not been triggered. +- +-=item B +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. +-A value of '1' will perform the checks, otherwise if the value is '0' the checks +-are not performed and FIPS compliance must be done by procedures documented in +-the relevant Security Policy. +- +-=item B +- +-The calculated MAC of the FIPS provider file. +- +-=item B +- +-An indicator that the self-tests were successfully run. +-This should only be written after the module has +-successfully passed its self tests during installation. +-If this field is not present, then the self tests will run when the module +-loads. +- +-=item B +- +-A MAC of the value of the B option, to prevent accidental +-changes to that value. +-It is written-to at the same time as B is updated. +- +-=back +- +-For example: +- +- [fips_sect] +- activate = 1 +- install-version = 1 +- conditional-errors = 1 +- security-checks = 1 +- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC +- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C +- install-status = INSTALL_SELF_TEST_KATS_RUN +- +-=head1 NOTES +- +-When using the FIPS provider, it is recommended that the +-B option is enabled to prevent accidental use of +-non-FIPS validated algorithms via broken or mistaken configuration. +-See L. +- +-=head1 SEE ALSO +- +-L +-L ++This command is disabled in Red Hat Enterprise Linux. The FIPS provider is ++automatically loaded when the system is booted in FIPS mode, or when the ++environment variable B is set. See the documentation ++for more information. + + =head1 COPYRIGHT + +diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod +--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100 ++++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100 +@@ -388,7 +388,6 @@ A simple self test callback is shown bel + + =head1 SEE ALSO + +-L, + L, + L, + L, +diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in +--- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100 ++++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100 +@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi =head1 SYNOPSIS B @@ -37,7 +187,7 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc -[B<-config> I] =head1 DESCRIPTION - +- -This command is used to generate a FIPS module configuration file. -This configuration file can be used each time a FIPS module is loaded -in order to pass data to the FIPS module self tests. The FIPS module always @@ -207,6 +357,18 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc - -=back - +-=head1 NOTES +- +-Self tests results are logged by default if the options B<-quiet> and B<-noout> +-are not specified, or if either of the options B<-corrupt_desc> or +-B<-corrupt_type> are used. +-If the base configuration file is set up to autoload the fips module, then the +-fips module will be loaded and self tested BEFORE the fipsinstall application +-has a chance to set up its own self test callback. As a result of this the self +-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored. +-For normal usage the base configuration file should use the default provider +-when generating the fips configuration file. +- -=head1 EXAMPLES - -Calculate the mac of a FIPS module F and run a FIPS self test @@ -236,157 +398,9 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc -L, -L, -L -+This command is disabled. Please consult Red Hat Enterprise Linux documentation to learn how to correctly enable FIPS mode on Red Hat Enterprise Linux. ++This command is disabled. ++Please consult Red Hat Enterprise Linux documentation to learn how to correctly ++enable FIPS mode on Red Hat Enterprise =head1 COPYRIGHT -diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod ---- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100 -+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100 -@@ -158,10 +158,6 @@ Engine (loadable module) information and - - Error Number to Error String Conversion. - --=item B -- --FIPS configuration installation. -- - =item B - - Generation of DSA Private Key from Parameters. Superseded by -diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod ---- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100 -+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100 -@@ -573,7 +573,6 @@ configuration files using that syntax wi - =head1 SEE ALSO - - L, L, L, --L, - L, - L, - L, -diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod ---- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100 -+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100 -@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration - - =head1 DESCRIPTION - --A separate configuration file, using the OpenSSL L syntax, --is used to hold information about the FIPS module. This includes a digest --of the shared library file, and status about the self-testing. --This data is used automatically by the module itself for two --purposes: -- --=over 4 -- --=item - Run the startup FIPS self-test known answer tests (KATS). -- --This is normally done once, at installation time, but may also be set up to --run each time the module is used. -- --=item - Verify the module's checksum. -- --This is done each time the module is used. -- --=back -- --This file is generated by the L program, and --used internally by the FIPS module during its initialization. -- --The following options are supported. They should all appear in a section --whose name is identified by the B option in the B --section, as described in L. -- --=over 4 -- --=item B -- --If present, the module is activated. The value assigned to this name is not --significant. -- --=item B -- --A version number for the fips install process. Should be 1. -- --=item B -- --The FIPS module normally enters an internal error mode if any self test fails. --Once this error mode is active, no services or cryptographic algorithms are --accessible from this point on. --Continuous tests are a subset of the self tests (e.g., a key pair test during key --generation, or the CRNG output test). --Setting this value to C<0> allows the error mode to not be triggered if any --continuous test fails. The default value of C<1> will trigger the error mode. --Regardless of the value, the operation (e.g., key generation) that called the --continuous test will return an error code if its continuous test fails. The --operation may then be retried if the error mode has not been triggered. -- --=item B -- --This indicates if run-time checks related to enforcement of security parameters --such as minimum security strength of keys and approved curve names are used. --A value of '1' will perform the checks, otherwise if the value is '0' the checks --are not performed and FIPS compliance must be done by procedures documented in --the relevant Security Policy. -- --=item B -- --The calculated MAC of the FIPS provider file. -- --=item B -- --An indicator that the self-tests were successfully run. --This should only be written after the module has --successfully passed its self tests during installation. --If this field is not present, then the self tests will run when the module --loads. -- --=item B -- --A MAC of the value of the B option, to prevent accidental --changes to that value. --It is written-to at the same time as B is updated. -- --=back -- --For example: -- -- [fips_sect] -- activate = 1 -- install-version = 1 -- conditional-errors = 1 -- security-checks = 1 -- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC -- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C -- install-status = INSTALL_SELF_TEST_KATS_RUN -- --=head1 NOTES -- --When using the FIPS provider, it is recommended that the --B option is enabled to prevent accidental use of --non-FIPS validated algorithms via broken or mistaken configuration. --See L. -- --=head1 SEE ALSO -- --L --L -+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is -+automatically loaded when the system is boots in FIPS mode, or when the -+environment variable B is set. See the documentation -+for more information. - - =head1 COPYRIGHT - -diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod ---- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100 -+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100 -@@ -388,7 +388,6 @@ A simple self test callback is shown bel - - =head1 SEE ALSO - --L, - L, - L, - L, diff --git a/SOURCES/0045-FIPS-services-minimize.patch b/SOURCES/0045-FIPS-services-minimize.patch new file mode 100644 index 0000000..1c92bbe --- /dev/null +++ b/SOURCES/0045-FIPS-services-minimize.patch @@ -0,0 +1,120 @@ +diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers/fips/fipsprov.c +--- openssl-3.0.0/providers/fips/fipsprov.c.fipsmin 2022-01-12 17:17:42.574377550 +0100 ++++ openssl-3.0.0/providers/fips/fipsprov.c 2022-01-12 17:19:57.590598279 +0100 +@@ -37,6 +37,9 @@ static OSSL_FUNC_provider_query_operatio + + #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK } + #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) ++#define ALGCU(NAMES, FUNC, CHECK) { { NAMES, FIPS_UNAPPROVED_PROPERTIES, FUNC }, CHECK } ++#define ALGU(NAMES, FUNC) ALGCU(NAMES, FUNC, NULL) ++ + + extern OSSL_FUNC_core_thread_start_fn *c_thread_start; + int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); +@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests + * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for + * KMAC128 and KMAC256. + */ +- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, ++ { PROV_NAMES_KECCAK_KMAC_128, FIPS_UNAPPROVED_PROPERTIES, + ossl_keccak_kmac_128_functions }, +- { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES, ++ { PROV_NAMES_KECCAK_KMAC_256, FIPS_UNAPPROVED_PROPERTIES, + ossl_keccak_kmac_256_functions }, + { NULL, NULL, NULL } + }; +@@ -326,8 +329,8 @@ static const OSSL_ALGORITHM_CAPABLE fips + ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, + ossl_cipher_capable_aes_cbc_hmac_sha256), + #ifndef OPENSSL_NO_DES +- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), +- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), ++ ALGU(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), ++ ALGU(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), + #endif /* OPENSSL_NO_DES */ + { { NULL, NULL, NULL }, NULL } + }; +@@ -339,8 +342,8 @@ static const OSSL_ALGORITHM fips_macs[] + #endif + { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, + { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, +- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, +- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, ++ { PROV_NAMES_KMAC_128, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac128_functions }, ++ { PROV_NAMES_KMAC_256, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac256_functions }, + { NULL, NULL, NULL } + }; + +@@ -375,8 +378,8 @@ static const OSSL_ALGORITHM fips_keyexch + #endif + #ifndef OPENSSL_NO_EC + { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, +- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, +- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, ++ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keyexch_functions }, ++ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keyexch_functions }, + #endif + { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, + ossl_kdf_tls1_prf_keyexch_functions }, +@@ -386,12 +389,12 @@ static const OSSL_ALGORITHM fips_keyexch + + static const OSSL_ALGORITHM fips_signature[] = { + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, ++ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_signature_functions }, + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, + #ifndef OPENSSL_NO_EC +- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, +- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, ++ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_signature_functions }, ++ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, + { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, + #endif + { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, +@@ -421,7 +424,7 @@ static const OSSL_ALGORITHM fips_keymgmt + PROV_DESCS_DHX }, + #endif + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, ++ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_keymgmt_functions, + PROV_DESCS_DSA }, + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, +@@ -431,13 +434,13 @@ static const OSSL_ALGORITHM fips_keymgmt + #ifndef OPENSSL_NO_EC + { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, + PROV_DESCS_EC }, +- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, ++ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keymgmt_functions, + PROV_DESCS_X25519 }, +- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, ++ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keymgmt_functions, + PROV_DESCS_X448 }, +- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions, ++ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions, + PROV_DESCS_ED25519 }, +- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions, ++ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, + PROV_DESCS_ED448 }, + #endif + { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, +diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c +--- openssl-3.0.0/test/acvp_test.c.fipsmin 2022-01-12 18:34:17.283654119 +0100 ++++ openssl-3.0.0/test/acvp_test.c 2022-01-12 18:35:46.270430676 +0100 +@@ -1473,6 +1473,7 @@ int setup_tests(void) + OSSL_NELEM(dh_safe_prime_keyver_data)); + #endif /* OPENSSL_NO_DH */ + ++#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */ + #ifndef OPENSSL_NO_DSA + ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); + ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); +@@ -1480,6 +1481,7 @@ int setup_tests(void) + ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); + ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_EC + ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); diff --git a/SOURCES/0046-FIPS-s390x-hardening.patch b/SOURCES/0046-FIPS-s390x-hardening.patch new file mode 100644 index 0000000..f79abf9 --- /dev/null +++ b/SOURCES/0046-FIPS-s390x-hardening.patch @@ -0,0 +1,22 @@ +diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c +index 5c70b2d67840..c5726c638bdd 100644 +--- a/crypto/ec/ecp_s390x_nistp.c ++++ b/crypto/ec/ecp_s390x_nistp.c +@@ -116,7 +116,7 @@ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, + /* Otherwise use default. */ + if (rc == -1) + rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); +- OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len); ++ OPENSSL_cleanse(param, sizeof(param)); + BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + return rc; +@@ -212,7 +212,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst, + + ok = 1; + ret: +- OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len); ++ OPENSSL_cleanse(param, sizeof(param)); + if (ok != 1) { + ECDSA_SIG_free(sig); + sig = NULL; diff --git a/SOURCES/0047-FIPS-early-KATS.patch b/SOURCES/0047-FIPS-early-KATS.patch new file mode 100644 index 0000000..ef2d081 --- /dev/null +++ b/SOURCES/0047-FIPS-early-KATS.patch @@ -0,0 +1,39 @@ +diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c +--- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100 ++++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100 +@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + if (ev == NULL) + goto end; + ++ /* ++ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements ++ */ ++ if (kats_already_passed == 0) { ++ if (!SELF_TEST_kats(ev, st->libctx)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); ++ goto end; ++ } ++ } ++ + module_checksum = fips_hmac_container; + checksum_len = sizeof(fips_hmac_container); + +@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + kats_already_passed = 1; + } + } +- +- /* +- * Only runs the KAT's during installation OR on_demand(). +- * NOTE: If the installation option 'self_test_onload' is chosen then this +- * path will always be run, since kats_already_passed will always be 0. +- */ +- if (on_demand_test || kats_already_passed == 0) { +- if (!SELF_TEST_kats(ev, st->libctx)) { +- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); +- goto end; +- } +- } + ok = 1; + end: + OSSL_SELF_TEST_free(ev); diff --git a/SOURCES/0100-coverity.patch b/SOURCES/0100-coverity.patch deleted file mode 100644 index d81d531..0000000 --- a/SOURCES/0100-coverity.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-3.0.0/apps/s_client.c.coverity openssl-3.0.0/apps/s_client.c ---- openssl-3.0.0/apps/s_client.c.coverity 2021-10-07 16:59:37.938432118 +0200 -+++ openssl-3.0.0/apps/s_client.c 2021-10-07 17:00:52.994075755 +0200 -@@ -3040,6 +3040,8 @@ int s_client_main(int argc, char **argv) - #endif - OPENSSL_free(connectstr); - OPENSSL_free(bindstr); -+ OPENSSL_free(bindhost); -+ OPENSSL_free(bindport); - OPENSSL_free(host); - OPENSSL_free(port); - OPENSSL_free(thost); diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index 728072c..fb2651e 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -14,8 +14,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.0.0 -Release: 6%{?dist} +Version: 3.0.1 +Release: 5%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -55,8 +55,6 @@ Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch Patch11: 0011-Remove-EC-curves.patch # Instructions to load legacy provider in openssl.cnf Patch24: 0024-load-legacy-prov.patch -# Tmp: Upstream #16636 -Patch30: 0030-tmp-Fix-rng-seed-double-free.patch # Tmp: test name change Patch31: 0031-tmp-Fix-test-names.patch # We load FIPS provider and set FIPS properties implicitly @@ -67,12 +65,16 @@ Patch33: 0033-FIPS-embed-hmac.patch Patch34: 0034.fipsinstall_disable.patch # Skip unavailable algorithms running `openssl speed` Patch35: 0035-speed-skip-unavailable-dgst.patch -# Tmp: coverity -Patch100: 0100-coverity.patch +# Minimize fips services +Patch45: 0045-FIPS-services-minimize.patch +# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486 +Patch46: 0046-FIPS-s390x-hardening.patch +# Execute KATS before HMAC verification +Patch47: 0047-FIPS-early-KATS.patch License: ASL 2.0 URL: http://www.openssl.org/ -BuildRequires: gcc +BuildRequires: gcc g++ BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp BuildRequires: lksctp-tools-devel BuildRequires: /usr/bin/rename @@ -210,13 +212,13 @@ export HASHBANGPERL=/usr/bin/perl --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\ - no-mdc2 no-ec2m no-sm2 no-sm4 \ + no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update -make -s %{?_smp_mflags} all +make %{?_smp_mflags} all # Clean up the .pc files for i in libcrypto.pc libssl.pc openssl.pc ; do @@ -310,9 +312,8 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist -%ifarch i686 +#we don't use native fipsmodule.cnf because FIPS module is loaded automatically rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf -%endif # Determine which arch opensslconf.h is going to try to #include. basearch=%{_arch} @@ -374,9 +375,6 @@ install -m644 %{SOURCE9} \ %{_libdir}/libssl.so.%{soversion} %attr(0755,root,root) %{_libdir}/engines-%{soversion} %attr(0755,root,root) %{_libdir}/ossl-modules -%ifnarch i686 -%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf -%endif %files devel %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el @@ -400,6 +398,32 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Wed Jan 26 2022 Dmitry Belyavskiy - 1:3.0.1-5 +- On the s390x, zeroize all the copies of TLS premaster secret +- Related: rhbz#2040448 + +* Fri Jan 21 2022 Dmitry Belyavskiy - 1:3.0.1-4 +- rebuilt + +* Fri Jan 21 2022 Dmitry Belyavskiy - 1:3.0.1-3 +- KATS tests should be executed before HMAC verification +- Restoring fips=yes for SHA1 +- Related: rhbz#2026445, rhbz#2041994 + +* Thu Jan 20 2022 Sahana Prasad - 1:3.0.1-2 +- Add enable-buildtest-c++ to the configure options. +- Related: rhbz#1990814 + +* Tue Jan 18 2022 Sahana Prasad - 1:3.0.1-1 +- Rebase to upstream version 3.0.1 +- Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl +- Resolves: rhbz#2038910, rhbz#2035148 + +* Mon Jan 17 2022 Dmitry Belyavskiy - 1:3.0.0-7 +- Remove algorithms we don't plan to certify from fips module +- Remove native fipsmodule.cnf +- Related: rhbz#2026445 + * Tue Dec 21 2021 Dmitry Belyavskiy - 1:3.0.0-6 - openssl speed should run in FIPS mode - Related: rhbz#1977318