1 |
jpp |
1.1 |
# For the curious: |
2 |
|
|
# 0.9.8jk + EAP-FAST soversion = 8 |
3 |
|
|
# 1.0.0 soversion = 10 |
4 |
|
|
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols |
5 |
|
|
# depends on build configuration options) |
6 |
|
|
# 3.0.0 soversion = 3 (same as upstream) |
7 |
|
|
%define soversion 3 |
8 |
|
|
|
9 |
|
|
# Arches on which we need to prevent arch conflicts on opensslconf.h, must |
10 |
|
|
# also be handled in opensslconf-new.h. |
11 |
|
|
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64 |
12 |
|
|
|
13 |
|
|
%define srpmhash() %{lua: |
14 |
|
|
local files = rpm.expand("%_specdir/openssl3.spec") |
15 |
|
|
for i, p in ipairs(patches) do |
16 |
|
|
files = files.." "..p |
17 |
|
|
end |
18 |
|
|
for i, p in ipairs(sources) do |
19 |
|
|
files = files.." "..p |
20 |
|
|
end |
21 |
|
|
local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum")) |
22 |
|
|
local hash = sha256sum:read("*a") |
23 |
|
|
sha256sum:close() |
24 |
|
|
print(string.sub(hash, 0, 16)) |
25 |
|
|
} |
26 |
|
|
|
27 |
|
|
%global _performance_build 1 |
28 |
|
|
|
29 |
|
|
Summary: Utilities from the general purpose cryptography library with TLS implementation |
30 |
|
|
Name: openssl3 |
31 |
|
|
Version: 3.0.7 |
32 |
|
|
Release: 5%{?dist}.1 |
33 |
|
|
# We have to remove certain patented algorithms from the openssl source |
34 |
|
|
# tarball with the hobble-openssl script which is included below. |
35 |
|
|
# The original openssl upstream tarball cannot be shipped in the .src.rpm. |
36 |
|
|
Source: openssl-%{version}-hobbled.tar.gz |
37 |
|
|
Source1: hobble-openssl |
38 |
|
|
Source2: Makefile.certificate |
39 |
|
|
Source3: genpatches |
40 |
|
|
Source6: make-dummy-cert |
41 |
|
|
Source7: renew-dummy-cert |
42 |
|
|
Source9: configuration-switch.h |
43 |
|
|
Source10: configuration-prefix.h |
44 |
|
|
Source12: ec_curve.c |
45 |
|
|
Source13: ectest.c |
46 |
|
|
Source14: 0025-for-tests.patch |
47 |
|
|
|
48 |
|
|
# Patches exported from source git |
49 |
|
|
# Aarch64 and ppc64le use lib64 |
50 |
|
|
Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch |
51 |
|
|
# Use more general default values in openssl.cnf |
52 |
|
|
Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch |
53 |
|
|
# Do not install html docs |
54 |
|
|
Patch3: 0003-Do-not-install-html-docs.patch |
55 |
|
|
# Override default paths for the CA directory tree |
56 |
|
|
Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch |
57 |
|
|
# apps/ca: fix md option help text |
58 |
|
|
Patch5: 0005-apps-ca-fix-md-option-help-text.patch |
59 |
|
|
# Disable signature verification with totally unsafe hash algorithms |
60 |
|
|
Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch |
61 |
|
|
# Add support for PROFILE=SYSTEM system default cipherlist |
62 |
|
|
Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch |
63 |
|
|
# Add FIPS_mode() compatibility macro |
64 |
|
|
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch |
65 |
|
|
# Add check to see if fips flag is enabled in kernel |
66 |
|
|
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch |
67 |
|
|
# remove unsupported EC curves |
68 |
|
|
Patch11: 0011-Remove-EC-curves.patch |
69 |
|
|
# Disable explicit EC curves |
70 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412 |
71 |
|
|
Patch12: 0012-Disable-explicit-ec.patch |
72 |
|
|
# Instructions to load legacy provider in openssl.cnf |
73 |
|
|
Patch24: 0024-load-legacy-prov.patch |
74 |
|
|
# Tmp: test name change |
75 |
|
|
Patch31: 0031-tmp-Fix-test-names.patch |
76 |
|
|
# We load FIPS provider and set FIPS properties implicitly |
77 |
|
|
Patch32: 0032-Force-fips.patch |
78 |
|
|
# Embed HMAC into the fips.so |
79 |
|
|
Patch33: 0033-FIPS-embed-hmac.patch |
80 |
|
|
# Comment out fipsinstall command-line utility |
81 |
|
|
Patch34: 0034.fipsinstall_disable.patch |
82 |
|
|
# Skip unavailable algorithms running `openssl speed` |
83 |
|
|
Patch35: 0035-speed-skip-unavailable-dgst.patch |
84 |
|
|
# Extra public/private key checks required by FIPS-140-3 |
85 |
|
|
Patch44: 0044-FIPS-140-3-keychecks.patch |
86 |
|
|
# Minimize fips services |
87 |
|
|
Patch45: 0045-FIPS-services-minimize.patch |
88 |
|
|
# Execute KATS before HMAC verification |
89 |
|
|
Patch47: 0047-FIPS-early-KATS.patch |
90 |
|
|
# Selectively disallow SHA1 signatures |
91 |
|
|
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch |
92 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2049265 |
93 |
|
|
Patch50: 0050-FIPS-enable-pkcs12-mac.patch |
94 |
|
|
# Backport of patch for RHEL for Edge rhbz #2027261 |
95 |
|
|
Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch |
96 |
|
|
# Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes |
97 |
|
|
Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch |
98 |
|
|
# https://github.com/openssl/openssl/pull/18103 |
99 |
|
|
Patch56: 0056-strcasecmp.patch |
100 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289 |
101 |
|
|
Patch58: 0058-FIPS-limit-rsa-encrypt.patch |
102 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2069235 |
103 |
|
|
Patch60: 0060-FIPS-KAT-signature-tests.patch |
104 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147 |
105 |
|
|
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch |
106 |
|
|
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch |
107 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2130708 |
108 |
|
|
# https://github.com/openssl/openssl/pull/18883 |
109 |
|
|
Patch67: 0067-ppc64le-Montgomery-multiply.patch |
110 |
|
|
# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c |
111 |
|
|
# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd |
112 |
|
|
Patch71: 0071-AES-GCM-performance-optimization.patch |
113 |
|
|
# https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149 |
114 |
|
|
# https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa |
115 |
|
|
# hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447 |
116 |
|
|
Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch |
117 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 |
118 |
|
|
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch |
119 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 |
120 |
|
|
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch |
121 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 |
122 |
|
|
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch |
123 |
|
|
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM) |
124 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2102541 |
125 |
|
|
# no available on centos7 |
126 |
|
|
#Patch76: 0076-FIPS-140-3-DRBG.patch |
127 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542 |
128 |
|
|
Patch77: 0077-FIPS-140-3-zeroization.patch |
129 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772 |
130 |
|
|
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch |
131 |
|
|
#https://bugzilla.redhat.com/show_bug.cgi?id=2141748 |
132 |
|
|
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch |
133 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2142131 |
134 |
|
|
Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch |
135 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2141695 |
136 |
|
|
Patch82: 0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch |
137 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2136250 |
138 |
|
|
Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch |
139 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2137557 |
140 |
|
|
Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch |
141 |
|
|
#https://bugzilla.redhat.com/show_bug.cgi?id=2142121 |
142 |
|
|
Patch85: 0085-FIPS-RSA-disable-shake.patch |
143 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087 |
144 |
|
|
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch |
145 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087 |
146 |
|
|
Patch89: 0089-PSS-salt-length-from-provider.patch |
147 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087 |
148 |
|
|
Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch |
149 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2144561 |
150 |
|
|
Patch91: 0091-FIPS-RSA-encapsulate.patch |
151 |
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2142517 |
152 |
|
|
Patch92: 0092-provider-improvements.patch |
153 |
|
|
|
154 |
|
|
# OpenSSL 3.0.8 CVEs |
155 |
|
|
Patch101: 0101-CVE-2022-4203-nc-match.patch |
156 |
|
|
Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch |
157 |
|
|
Patch103: 0103-CVE-2022-4450-pem-read-bio.patch |
158 |
|
|
Patch104: 0104-CVE-2023-0215-UAF-bio.patch |
159 |
|
|
Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch |
160 |
|
|
Patch106: 0106-CVE-2023-0217-dsa.patch |
161 |
|
|
Patch107: 0107-CVE-2023-0286-X400.patch |
162 |
|
|
Patch108: 0108-CVE-2023-0401-pkcs7-md.patch |
163 |
|
|
|
164 |
|
|
License: ASL 2.0 |
165 |
|
|
URL: http://www.openssl.org/ |
166 |
|
|
BuildRequires: gcc-c++ |
167 |
|
|
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp |
168 |
|
|
BuildRequires: lksctp-tools-devel |
169 |
|
|
BuildRequires: /usr/bin/rename |
170 |
|
|
BuildRequires: /usr/bin/pod2man |
171 |
|
|
BuildRequires: /usr/sbin/sysctl |
172 |
|
|
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt) |
173 |
|
|
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp) |
174 |
|
|
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA) |
175 |
|
|
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint) |
176 |
|
|
BuildRequires: git-core |
177 |
|
|
Requires: coreutils |
178 |
|
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release} |
179 |
|
|
#KOOZALI |
180 |
|
|
BuildRequires: dietlibc-devel |
181 |
|
|
Source55: random.h |
182 |
|
|
|
183 |
|
|
%description |
184 |
|
|
The OpenSSL toolkit provides support for secure communications between |
185 |
|
|
machines. OpenSSL includes a certificate management tool and shared |
186 |
|
|
libraries which provide various cryptographic algorithms and |
187 |
|
|
protocols. |
188 |
|
|
|
189 |
|
|
%package libs |
190 |
|
|
Summary: A general purpose cryptography library with TLS implementation |
191 |
|
|
Requires: ca-certificates >= 2008-5 |
192 |
|
|
Requires: crypto-policies >= 20180730 |
193 |
|
|
|
194 |
|
|
%description libs |
195 |
|
|
OpenSSL is a toolkit for supporting cryptography. The openssl-libs |
196 |
|
|
package contains the libraries that are used by various applications which |
197 |
|
|
support cryptographic algorithms and protocols. |
198 |
|
|
|
199 |
|
|
%package devel |
200 |
|
|
Summary: Files for development of applications which will use OpenSSL |
201 |
|
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release} |
202 |
|
|
Requires: pkgconfig |
203 |
|
|
|
204 |
|
|
%description devel |
205 |
|
|
OpenSSL is a toolkit for supporting cryptography. The openssl-devel |
206 |
|
|
package contains include files needed to develop applications which |
207 |
|
|
support various cryptographic algorithms and protocols. |
208 |
|
|
|
209 |
|
|
%prep |
210 |
|
|
%autosetup -S git -n openssl-%{version} |
211 |
|
|
|
212 |
|
|
# The hobble_openssl is called here redundantly, just to be sure. |
213 |
|
|
# The tarball has already the sources removed. |
214 |
|
|
%{SOURCE1} > /dev/null |
215 |
|
|
|
216 |
|
|
cp %{SOURCE12} crypto/ec/ |
217 |
|
|
cp %{SOURCE13} test/ |
218 |
|
|
mkdir include/sys |
219 |
|
|
cp %{SOURCE55} include/sys |
220 |
|
|
|
221 |
|
|
%build |
222 |
|
|
# Figure out which flags we want to use. |
223 |
|
|
# default |
224 |
|
|
sslarch=%{_os}-%{_target_cpu} |
225 |
|
|
%ifarch %ix86 |
226 |
|
|
sslarch=linux-elf |
227 |
|
|
if ! echo %{_target} | grep -q i686 ; then |
228 |
|
|
sslflags="no-asm 386" |
229 |
|
|
fi |
230 |
|
|
%endif |
231 |
|
|
%ifarch x86_64 |
232 |
|
|
sslflags=enable-ec_nistp_64_gcc_128 |
233 |
|
|
%endif |
234 |
|
|
%ifarch sparcv9 |
235 |
|
|
sslarch=linux-sparcv9 |
236 |
|
|
sslflags=no-asm |
237 |
|
|
%endif |
238 |
|
|
%ifarch sparc64 |
239 |
|
|
sslarch=linux64-sparcv9 |
240 |
|
|
sslflags=no-asm |
241 |
|
|
%endif |
242 |
|
|
%ifarch alpha alphaev56 alphaev6 alphaev67 |
243 |
|
|
sslarch=linux-alpha-gcc |
244 |
|
|
%endif |
245 |
|
|
%ifarch s390 sh3eb sh4eb |
246 |
|
|
sslarch="linux-generic32 -DB_ENDIAN" |
247 |
|
|
%endif |
248 |
|
|
%ifarch s390x |
249 |
|
|
sslarch="linux64-s390x" |
250 |
|
|
%endif |
251 |
|
|
%ifarch %{arm} |
252 |
|
|
sslarch=linux-armv4 |
253 |
|
|
%endif |
254 |
|
|
%ifarch aarch64 |
255 |
|
|
sslarch=linux-aarch64 |
256 |
|
|
sslflags=enable-ec_nistp_64_gcc_128 |
257 |
|
|
%endif |
258 |
|
|
%ifarch sh3 sh4 |
259 |
|
|
sslarch=linux-generic32 |
260 |
|
|
%endif |
261 |
|
|
%ifarch ppc64 ppc64p7 |
262 |
|
|
sslarch=linux-ppc64 |
263 |
|
|
%endif |
264 |
|
|
%ifarch ppc64le |
265 |
|
|
sslarch="linux-ppc64le" |
266 |
|
|
sslflags=enable-ec_nistp_64_gcc_128 |
267 |
|
|
%endif |
268 |
|
|
%ifarch mips mipsel |
269 |
|
|
sslarch="linux-mips32 -mips32r2" |
270 |
|
|
%endif |
271 |
|
|
%ifarch mips64 mips64el |
272 |
|
|
sslarch="linux64-mips64 -mips64r2" |
273 |
|
|
%endif |
274 |
|
|
%ifarch mips64el |
275 |
|
|
sslflags=enable-ec_nistp_64_gcc_128 |
276 |
|
|
%endif |
277 |
|
|
%ifarch riscv64 |
278 |
|
|
sslarch=linux-generic64 |
279 |
|
|
%endif |
280 |
|
|
|
281 |
|
|
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be |
282 |
|
|
# marked as not requiring an executable stack. |
283 |
|
|
# Also add -DPURIFY to make using valgrind with openssl easier as we do not |
284 |
|
|
# want to depend on the uninitialized memory as a source of entropy anyway. |
285 |
|
|
#RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS" |
286 |
|
|
#KOOZALI |
287 |
|
|
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS" |
288 |
|
|
|
289 |
|
|
export HASHBANGPERL=/usr/bin/perl |
290 |
|
|
|
291 |
|
|
%define fips %{version}-%{srpmhash} |
292 |
|
|
# ia64, x86_64, ppc are OK by default |
293 |
|
|
# Configure the build tree. Override OpenSSL defaults with known-good defaults |
294 |
|
|
# usable on all platforms. The Configure script already knows to use -fPIC and |
295 |
|
|
# RPM_OPT_FLAGS, so we can skip specifiying them here. |
296 |
|
|
./Configure \ |
297 |
|
|
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ |
298 |
|
|
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ |
299 |
|
|
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ |
300 |
|
|
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\ |
301 |
|
|
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\ |
302 |
|
|
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' |
303 |
|
|
|
304 |
|
|
# Do not run this in a production package the FIPS symbols must be patched-in |
305 |
|
|
#util/mkdef.pl crypto update |
306 |
|
|
|
307 |
|
|
make %{?_smp_mflags} all |
308 |
|
|
|
309 |
|
|
# Clean up the .pc files |
310 |
|
|
for i in libcrypto.pc libssl.pc openssl.pc ; do |
311 |
|
|
sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i |
312 |
|
|
done |
313 |
|
|
|
314 |
|
|
%check |
315 |
|
|
# Verify that what was compiled actually works. |
316 |
|
|
|
317 |
|
|
# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check |
318 |
|
|
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \ |
319 |
|
|
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' && |
320 |
|
|
sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \ |
321 |
|
|
touch -r configdata.pm configdata.pm.new && \ |
322 |
|
|
mv -f configdata.pm.new configdata.pm) |
323 |
|
|
|
324 |
|
|
# We must revert patch4 before tests otherwise they will fail |
325 |
|
|
patch -p1 -R < %{PATCH4} |
326 |
|
|
#We must disable default provider before tests otherwise they will fail |
327 |
|
|
patch -p1 < %{SOURCE14} |
328 |
|
|
|
329 |
|
|
OPENSSL_ENABLE_MD5_VERIFY= |
330 |
|
|
export OPENSSL_ENABLE_MD5_VERIFY |
331 |
|
|
OPENSSL_ENABLE_SHA1_SIGNATURES= |
332 |
|
|
export OPENSSL_ENABLE_SHA1_SIGNATURES |
333 |
|
|
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file |
334 |
|
|
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE |
335 |
|
|
#embed HMAC into fips provider for test run |
336 |
|
|
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac |
337 |
|
|
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac |
338 |
|
|
mv providers/fips.so.mac providers/fips.so |
339 |
|
|
#run tests itself |
340 |
|
|
make test HARNESS_JOBS=8 |
341 |
|
|
|
342 |
|
|
# Add generation of HMAC checksum of the final stripped library |
343 |
|
|
# We manually copy standard definition of __spec_install_post |
344 |
|
|
# and add hmac calculation/embedding to fips.so |
345 |
|
|
%define __spec_install_post \ |
346 |
|
|
%{?__debug_package:%{__debug_install_post}} \ |
347 |
|
|
%{__arch_install_post} \ |
348 |
|
|
%{__os_install_post} \ |
349 |
|
|
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ |
350 |
|
|
objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \ |
351 |
|
|
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ |
352 |
|
|
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ |
353 |
|
|
%{nil} |
354 |
|
|
|
355 |
|
|
%define __provides_exclude_from %{_libdir}/openssl |
356 |
|
|
|
357 |
|
|
%install |
358 |
|
|
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT |
359 |
|
|
# Install OpenSSL. |
360 |
|
|
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}} |
361 |
|
|
%make_install |
362 |
|
|
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion} |
363 |
|
|
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do |
364 |
|
|
chmod 755 ${lib} |
365 |
|
|
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}` |
366 |
|
|
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion} |
367 |
|
|
done |
368 |
|
|
|
369 |
|
|
# Remove static libraries |
370 |
|
|
for lib in $RPM_BUILD_ROOT%{_libdir}/*.a ; do |
371 |
|
|
rm -f ${lib} |
372 |
|
|
done |
373 |
|
|
|
374 |
|
|
# Install a makefile for generating keys and self-signed certs, and a script |
375 |
|
|
# for generating them on the fly. |
376 |
|
|
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs |
377 |
|
|
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate |
378 |
|
|
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert |
379 |
|
|
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert |
380 |
|
|
|
381 |
|
|
# Move runable perl scripts to bindir |
382 |
|
|
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir} |
383 |
|
|
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir} |
384 |
|
|
|
385 |
|
|
# Rename man pages so that they don't conflict with other system man pages. |
386 |
|
|
pushd $RPM_BUILD_ROOT%{_mandir} |
387 |
|
|
mv man5/config.5ossl man5/openssl.cnf.5 |
388 |
|
|
popd |
389 |
|
|
|
390 |
|
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA |
391 |
|
|
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private |
392 |
|
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs |
393 |
|
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl |
394 |
|
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts |
395 |
|
|
|
396 |
|
|
# Ensure the config file timestamps are identical across builds to avoid |
397 |
|
|
# mulitlib conflicts and unnecessary renames on upgrade |
398 |
|
|
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf |
399 |
|
|
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf |
400 |
|
|
|
401 |
|
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist |
402 |
|
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist |
403 |
|
|
#we don't use native fipsmodule.cnf because FIPS module is loaded automatically |
404 |
|
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf |
405 |
|
|
|
406 |
|
|
# Determine which arch opensslconf.h is going to try to #include. |
407 |
|
|
basearch=%{_arch} |
408 |
|
|
%ifarch %{ix86} |
409 |
|
|
basearch=i386 |
410 |
|
|
%endif |
411 |
|
|
%ifarch sparcv9 |
412 |
|
|
basearch=sparc |
413 |
|
|
%endif |
414 |
|
|
%ifarch sparc64 |
415 |
|
|
basearch=sparc64 |
416 |
|
|
%endif |
417 |
|
|
|
418 |
|
|
# Next step of gradual disablement of SSL3. |
419 |
|
|
# Make SSL3 disappear to newly built dependencies. |
420 |
|
|
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\ |
421 |
|
|
#ifndef OPENSSL_NO_SSL3\ |
422 |
|
|
# define OPENSSL_NO_SSL3\ |
423 |
|
|
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h |
424 |
|
|
|
425 |
|
|
%ifarch %{multilib_arches} |
426 |
|
|
# Do an configuration.h switcheroo to avoid file conflicts on systems where you |
427 |
|
|
# can have both a 32- and 64-bit version of the library, and they each need |
428 |
|
|
# their own correct-but-different versions of opensslconf.h to be usable. |
429 |
|
|
install -m644 %{SOURCE10} \ |
430 |
|
|
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h |
431 |
|
|
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \ |
432 |
|
|
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h |
433 |
|
|
install -m644 %{SOURCE9} \ |
434 |
|
|
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h |
435 |
|
|
%endif |
436 |
|
|
|
437 |
|
|
# Transformation for openssl3 |
438 |
|
|
# see openssl11.spec |
439 |
|
|
mkdir -p $RPM_BUILD_ROOT{%{_libdir},%{_includedir}}/%{name}/ |
440 |
|
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf |
441 |
|
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf |
442 |
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/*.so |
443 |
|
|
mv -f $RPM_BUILD_ROOT%{_includedir}/{openssl,%{name}/openssl}/ |
444 |
|
|
mv -f $RPM_BUILD_ROOT%{_bindir}/{openssl,%{name}} |
445 |
|
|
|
446 |
|
|
for pc in libcrypto libssl openssl; do |
447 |
|
|
sed -e 's@\(Libs: -L${libdir}\)@\1 -L${libdir}/%{name}@' \ |
448 |
|
|
-e 's@\(Cflags: -I${includedir}\)@\1 -I${includedir}/%{name}@' \ |
449 |
|
|
-e 's@\(Requires.*:.*\)\(libssl\)@\1\23@g' \ |
450 |
|
|
-e 's@\(Requires.*:.*\)\(libcrypto\)@\1\23@g' \ |
451 |
|
|
$RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}3.pc |
452 |
|
|
touch -c -r $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}3.pc |
453 |
|
|
rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc |
454 |
|
|
done |
455 |
|
|
|
456 |
|
|
ln -s ../libcrypto.so.%{version} $RPM_BUILD_ROOT%{_libdir}/%{name}/libcrypto.so |
457 |
|
|
ln -s ../libssl.so.%{version} $RPM_BUILD_ROOT%{_libdir}/%{name}/libssl.so |
458 |
|
|
|
459 |
|
|
pushd $RPM_BUILD_ROOT%{_mandir} |
460 |
|
|
for manpage in man*/* ; do |
461 |
|
|
[ "${manpage}" = "man1/%{name}.1" ] && continue |
462 |
|
|
if [ -L ${manpage} ]; then |
463 |
|
|
TARGET=`ls -l ${manpage} | awk '{ print $NF }'` |
464 |
|
|
ln -snf ${TARGET}11 ${manpage} |
465 |
|
|
rm -f ${manpage} |
466 |
|
|
else |
467 |
|
|
mv -f ${manpage} ${manpage}3 |
468 |
|
|
fi |
469 |
|
|
done |
470 |
|
|
popd |
471 |
|
|
|
472 |
|
|
# No openssl3-perl, because it wouldn't be really different or newer |
473 |
|
|
rm -rf $RPM_BUILD_ROOT{%{_sysconfdir}/pki/CA/,{%{_bindir},%{_mandir}/man1}/{CA.pl,c_rehash,*tsget}*} |
474 |
|
|
|
475 |
|
|
# Remove dummy cert tools |
476 |
|
|
rm -f $RPM_BUILD_ROOT%{_bindir}/{make,renew}-dummy-cert |
477 |
|
|
|
478 |
|
|
%files |
479 |
|
|
%{!?_licensedir:%global license %%doc} |
480 |
|
|
%license LICENSE.txt |
481 |
|
|
%doc NEWS.md README.md |
482 |
|
|
%{_bindir}/%{name} |
483 |
|
|
%{_mandir}/man1/* |
484 |
|
|
%{_mandir}/man5/* |
485 |
|
|
%{_mandir}/man7/* |
486 |
|
|
%{_pkgdocdir}/Makefile.certificate |
487 |
|
|
|
488 |
|
|
%files libs |
489 |
|
|
%{!?_licensedir:%global license %%doc} |
490 |
|
|
%license LICENSE.txt |
491 |
|
|
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} |
492 |
|
|
%{_libdir}/libcrypto.so.%{soversion} |
493 |
|
|
%attr(0755,root,root) %{_libdir}/libssl.so.%{version} |
494 |
|
|
%{_libdir}/libssl.so.%{soversion} |
495 |
|
|
%attr(0755,root,root) %{_libdir}/engines-%{soversion} |
496 |
|
|
%attr(0755,root,root) %{_libdir}/ossl-modules |
497 |
|
|
|
498 |
|
|
%files devel |
499 |
|
|
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el |
500 |
|
|
%{_prefix}/include/%{name} |
501 |
|
|
%{_libdir}/%{name}/*.so |
502 |
|
|
%{_mandir}/man3/* |
503 |
|
|
%{_libdir}/pkgconfig/*.pc |
504 |
|
|
|
505 |
|
|
%ldconfig_scriptlets libs |
506 |
|
|
|
507 |
|
|
%changelog |
508 |
|
|
* Thu Feb 09 2023 Michel Alexandre Salim <salimma@fedoraproject.org> 3.0.7-5.1 |
509 |
|
|
- Merge c9s openssl changes to pick up CVE fixes |
510 |
|
|
- Back out f2a49ef424f831aac988356fc8b2b910e443dc42 as that caused test failures |
511 |
|
|
|
512 |
|
|
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-5 |
513 |
|
|
- Fixed X.509 Name Constraints Read Buffer Overflow |
514 |
|
|
Resolves: CVE-2022-4203 |
515 |
|
|
- Fixed Timing Oracle in RSA Decryption |
516 |
|
|
Resolves: CVE-2022-4304 |
517 |
|
|
- Fixed Double free after calling PEM_read_bio_ex |
518 |
|
|
Resolves: CVE-2022-4450 |
519 |
|
|
- Fixed Use-after-free following BIO_new_NDEF |
520 |
|
|
Resolves: CVE-2023-0215 |
521 |
|
|
- Fixed Invalid pointer dereference in d2i_PKCS7 functions |
522 |
|
|
Resolves: CVE-2023-0216 |
523 |
|
|
- Fixed NULL dereference validating DSA public key |
524 |
|
|
Resolves: CVE-2023-0217 |
525 |
|
|
- Fixed X.400 address type confusion in X.509 GeneralName |
526 |
|
|
Resolves: CVE-2023-0286 |
527 |
|
|
- Fixed NULL dereference during PKCS7 data verification |
528 |
|
|
Resolves: CVE-2023-0401 |
529 |
|
|
|
530 |
|
|
* Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4 |
531 |
|
|
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode |
532 |
|
|
Resolves: rhbz#2142121 |
533 |
|
|
|
534 |
|
|
* Thu Jan 05 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-3 |
535 |
|
|
- Refactor OpenSSL fips module MAC verification |
536 |
|
|
Resolves: rhbz#2157965 |
537 |
|
|
|
538 |
|
|
* Thu Nov 24 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-2 |
539 |
|
|
- Various provider-related imrovements necessary for PKCS#11 provider correct operations |
540 |
|
|
Resolves: rhbz#2142517 |
541 |
|
|
- We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream |
542 |
|
|
Resolves: rhbz#2133809 |
543 |
|
|
- Removed recommended package for openssl-libs |
544 |
|
|
Resolves: rhbz#2093804 |
545 |
|
|
- Adjusting include for the FIPS_mode macro |
546 |
|
|
Resolves: rhbz#2083879 |
547 |
|
|
- Backport of ppc64le Montgomery multiply enhancement |
548 |
|
|
Resolves: rhbz#2130708 |
549 |
|
|
- Fix explicit indicator for PSS salt length in FIPS mode when used with |
550 |
|
|
negative magic values |
551 |
|
|
Resolves: rhbz#2142087 |
552 |
|
|
- Update change to default PSS salt length with patch state from upstream |
553 |
|
|
Related: rhbz#2142087 |
554 |
|
|
|
555 |
|
|
* Tue Nov 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-1 |
556 |
|
|
- Rebasing to OpenSSL 3.0.7 |
557 |
|
|
Resolves: rhbz#2129063 |
558 |
|
|
|
559 |
|
|
* Mon Nov 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-44 |
560 |
|
|
- SHAKE-128/256 are not allowed with RSA in FIPS mode |
561 |
|
|
Resolves: rhbz#2144010 |
562 |
|
|
- Avoid memory leaks in TLS |
563 |
|
|
Resolves: rhbz#2144008 |
564 |
|
|
- FIPS RSA CRT tests must use correct parameters |
565 |
|
|
Resolves: rhbz#2144006 |
566 |
|
|
- FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC |
567 |
|
|
Resolves: rhbz#2144017 |
568 |
|
|
- Remove support for X9.31 signature padding in FIPS mode |
569 |
|
|
Resolves: rhbz#2144015 |
570 |
|
|
- Add explicit indicator for SP 800-108 KDFs with short key lengths |
571 |
|
|
Resolves: rhbz#2144019 |
572 |
|
|
- Add explicit indicator for HMAC with short key lengths |
573 |
|
|
Resolves: rhbz#2144000 |
574 |
|
|
- Set minimum password length for PBKDF2 in FIPS mode |
575 |
|
|
Resolves: rhbz#2144003 |
576 |
|
|
- Add explicit indicator for PSS salt length in FIPS mode |
577 |
|
|
Resolves: rhbz#2144012 |
578 |
|
|
- Clamp default PSS salt length to digest size for FIPS 186-4 compliance |
579 |
|
|
Related: rhbz#2144012 |
580 |
|
|
- Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode |
581 |
|
|
Resolves: rhbz#2145170 |
582 |
|
|
|
583 |
|
|
* Tue Nov 01 2022 Michel Alexandre Salim <salimma@fedoraproject.org> 3.0.1-43.1 |
584 |
|
|
- Merge c9s openssl changes to pick up CVE fixes |
585 |
|
|
|
586 |
|
|
* Tue Nov 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-43 |
587 |
|
|
- CVE-2022-3602: X.509 Email Address Buffer Overflow |
588 |
|
|
- CVE-2022-3786: X.509 Email Address Buffer Overflow |
589 |
|
|
Resolves: CVE-2022-3602 |
590 |
|
|
|
591 |
|
|
* Wed Oct 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-42 |
592 |
|
|
- CVE-2022-3602: X.509 Email Address Buffer Overflow |
593 |
|
|
Resolves: CVE-2022-3602 (rhbz#2137723) |
594 |
|
|
|
595 |
|
|
* Tue Sep 27 2022 Michel Alexandre Salim <salimma@fedoraproject.org> 3.0.1-41.1 |
596 |
|
|
- Merge c9s openssl changes to pick up CVE fixes |
597 |
|
|
|
598 |
|
|
* Thu Aug 11 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-41 |
599 |
|
|
- Zeroize public keys as required by FIPS 140-3 |
600 |
|
|
Related: rhbz#2102542 |
601 |
|
|
- Add FIPS indicator for HKDF |
602 |
|
|
Related: rhbz#2114772 |
603 |
|
|
|
604 |
|
|
* Fri Aug 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-40 |
605 |
|
|
- Deal with DH keys in FIPS mode according FIPS-140-3 requirements |
606 |
|
|
Related: rhbz#2102536 |
607 |
|
|
- Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements |
608 |
|
|
Related: rhbz#2102537 |
609 |
|
|
- Use signature for RSA pairwise test according FIPS-140-3 requirements |
610 |
|
|
Related: rhbz#2102540 |
611 |
|
|
- Reseed all the parent DRBGs in chain on reseeding a DRBG |
612 |
|
|
Related: rhbz#2102541 |
613 |
|
|
|
614 |
|
|
* Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39 |
615 |
|
|
- Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test |
616 |
|
|
- Use Use digest_sign & digest_verify in FIPS signature self test |
617 |
|
|
- Use FFDHE2048 in Diffie-Hellman FIPS self-test |
618 |
|
|
Resolves: rhbz#2102535 |
619 |
|
|
|
620 |
|
|
* Thu Jul 14 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-38 |
621 |
|
|
- Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously |
622 |
|
|
initialized. |
623 |
|
|
Resolves: rhbz#2103289 |
624 |
|
|
- Improve AES-GCM performance on Power9 and Power10 ppc64le |
625 |
|
|
Resolves: rhbz#2051312 |
626 |
|
|
- Improve ChaCha20 performance on Power10 ppc64le |
627 |
|
|
Resolves: rhbz#2051312 |
628 |
|
|
|
629 |
|
|
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-37 |
630 |
|
|
- CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 |
631 |
|
|
Resolves: CVE-2022-2097 |
632 |
|
|
|
633 |
|
|
* Thu Jun 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-36 |
634 |
|
|
- Ciphersuites with RSAPSK KX should be filterd in FIPS mode |
635 |
|
|
- Related: rhbz#2085088 |
636 |
|
|
- FIPS provider should block RSA encryption for key transport. |
637 |
|
|
- Other RSA encryption options should still be available if key length is enough |
638 |
|
|
- Related: rhbz#2053289 |
639 |
|
|
- Improve diagnostics when passing unsupported groups in TLS |
640 |
|
|
- Related: rhbz#2070197 |
641 |
|
|
- Fix PPC64 Montgomery multiplication bug |
642 |
|
|
- Related: rhbz#2098199 |
643 |
|
|
- Strict certificates validation shouldn't allow explicit EC parameters |
644 |
|
|
- Related: rhbz#2058663 |
645 |
|
|
- CVE-2022-2068: the c_rehash script allows command injection |
646 |
|
|
- Related: rhbz#2098277 |
647 |
|
|
|
648 |
|
|
* Wed Jun 08 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-35 |
649 |
|
|
- Add explicit indicators for signatures in FIPS mode and mark signature |
650 |
|
|
primitives as unapproved. |
651 |
|
|
Resolves: rhbz#2087147 |
652 |
|
|
|
653 |
|
|
* Fri Jun 03 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-34 |
654 |
|
|
- Some OpenSSL test certificates are expired, updating |
655 |
|
|
- Resolves: rhbz#2092456 |
656 |
|
|
|
657 |
|
|
* Thu May 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-33 |
658 |
|
|
- CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory |
659 |
|
|
- Resolves: rhbz#2089444 |
660 |
|
|
- CVE-2022-1343 openssl: Signer certificate verification returned |
661 |
|
|
inaccurate response when using OCSP_NOCHECKS |
662 |
|
|
- Resolves: rhbz#2087911 |
663 |
|
|
- CVE-2022-1292 openssl: c_rehash script allows command injection |
664 |
|
|
- Resolves: rhbz#2090362 |
665 |
|
|
- Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode" |
666 |
|
|
Related: rhbz#2087147 |
667 |
|
|
- Use KAT for ECDSA signature tests, s390 arch |
668 |
|
|
- Resolves: rhbz#2069235 |
669 |
|
|
|
670 |
|
|
* Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32 |
671 |
|
|
- `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode |
672 |
|
|
- Resolves: rhbz#2083240 |
673 |
|
|
- Ciphersuites with RSA KX should be filterd in FIPS mode |
674 |
|
|
- Related: rhbz#2085088 |
675 |
|
|
- In FIPS mode, signature verification works with keys of arbitrary size |
676 |
|
|
above 2048 bit, and only with 1024, 1280, 1536, 1792 bits for keys |
677 |
|
|
below 2048 bits |
678 |
|
|
- Resolves: rhbz#2077884 |
679 |
|
|
|
680 |
|
|
* Wed May 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-31 |
681 |
|
|
- Disable SHA-1 signature verification in FIPS mode |
682 |
|
|
- Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode |
683 |
|
|
Resolves: rhbz#2087147 |
684 |
|
|
|
685 |
|
|
* Mon May 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-30 |
686 |
|
|
- Use KAT for ECDSA signature tests |
687 |
|
|
- Resolves: rhbz#2069235 |
688 |
|
|
|
689 |
|
|
* Thu May 12 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-29 |
690 |
|
|
- `-config` argument of openssl app should work properly in FIPS mode |
691 |
|
|
- Resolves: rhbz#2083274 |
692 |
|
|
- openssl req defaults on PKCS#8 encryption changed to AES-256-CBC |
693 |
|
|
- Resolves: rhbz#2063947 |
694 |
|
|
|
695 |
|
|
* Fri May 06 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-28 |
696 |
|
|
- OpenSSL should not accept custom elliptic curve parameters |
697 |
|
|
- Resolves rhbz#2066412 |
698 |
|
|
- OpenSSL should not accept explicit curve parameters in FIPS mode |
699 |
|
|
- Resolves rhbz#2058663 |
700 |
|
|
|
701 |
|
|
* Fri May 06 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-27 |
702 |
|
|
- Change FIPS module version to include hash of specfile, patches and sources |
703 |
|
|
Resolves: rhbz#2070550 |
704 |
|
|
|
705 |
|
|
* Thu May 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-26 |
706 |
|
|
- OpenSSL FIPS module should not build in non-approved algorithms |
707 |
|
|
- Resolves: rhbz#2081378 |
708 |
|
|
|
709 |
|
|
* Mon May 02 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-25 |
710 |
|
|
- FIPS provider should block RSA encryption for key transport. |
711 |
|
|
- Other RSA encryption options should still be available |
712 |
|
|
- Resolves: rhbz#2053289 |
713 |
|
|
|
714 |
|
|
* Thu Apr 28 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-24 |
715 |
|
|
- Fix regression in evp_pkey_name2type caused by tr_TR locale fix |
716 |
|
|
Resolves: rhbz#2071631 |
717 |
|
|
|
718 |
|
|
* Wed Apr 20 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-23 |
719 |
|
|
- Fix openssl curl error with LANG=tr_TR.utf8 |
720 |
|
|
- Resolves: rhbz#2071631 |
721 |
|
|
|
722 |
|
|
* Mon Mar 28 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-22 |
723 |
|
|
- FIPS provider should block RSA encryption for key transport |
724 |
|
|
- Resolves: rhbz#2053289 |
725 |
|
|
|
726 |
|
|
* Tue Mar 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-21 |
727 |
|
|
- Fix occasional internal error in TLS when DHE is used |
728 |
|
|
- Resolves: rhbz#2004915 |
729 |
|
|
|
730 |
|
|
* Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-20 |
731 |
|
|
- Fix acceptance of SHA-1 certificates with rh-allow-sha1-signatures = yes when |
732 |
|
|
no OpenSSL library context is set |
733 |
|
|
- Resolves: rhbz#2065400 |
734 |
|
|
|
735 |
|
|
* Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-19 |
736 |
|
|
- Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes |
737 |
|
|
- Resolves: rhbz#2065400 |
738 |
|
|
|
739 |
|
|
* Wed Mar 16 2022 Michel Alexandre Salim <salimma@fedoraproject.org> 3.0.1-18.1 |
740 |
|
|
- Merge c9s openssl changes to pick up CVE-2022-0778 fix |
741 |
|
|
|
742 |
|
|
* Wed Mar 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-18 |
743 |
|
|
- CVE-2022-0778 fix |
744 |
|
|
- Resolves: rhbz#2062315 |
745 |
|
|
|
746 |
|
|
* Thu Mar 10 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-17 |
747 |
|
|
- Fix invocation of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) before |
748 |
|
|
setting an allowed digest with EVP_PKEY_CTX_set_signature_md() |
749 |
|
|
- Skipping 3.0.1-16 due to version numbering confusion with the RHEL-9.0 branch |
750 |
|
|
- Resolves: rhbz#2062640 |
751 |
|
|
|
752 |
|
|
* Tue Mar 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-15 |
753 |
|
|
- Allow SHA1 in SECLEVEL 2 if rh-allow-sha1-signatures = yes |
754 |
|
|
- Resolves: rhbz#2060510 |
755 |
|
|
|
756 |
|
|
* Fri Feb 25 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-14 |
757 |
|
|
- Prevent use of SHA1 with ECDSA |
758 |
|
|
- Resolves: rhbz#2031742 |
759 |
|
|
|
760 |
|
|
* Fri Feb 25 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-13 |
761 |
|
|
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters |
762 |
|
|
- Resolves: rhbz#1977867 |
763 |
|
|
|
764 |
|
|
* Thu Feb 24 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1:3.0.1-12 |
765 |
|
|
- Support KBKDF (NIST SP800-108) with an R value of 8bits |
766 |
|
|
- Resolves: rhbz#2027261 |
767 |
|
|
|
768 |
|
|
* Wed Feb 23 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-11 |
769 |
|
|
- Allow SHA1 usage in MGF1 for RSASSA-PSS signatures |
770 |
|
|
- Resolves: rhbz#2031742 |
771 |
|
|
|
772 |
|
|
* Wed Feb 23 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-10 |
773 |
|
|
- rebuilt |
774 |
|
|
|
775 |
|
|
* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-9 |
776 |
|
|
- Allow SHA1 usage in HMAC in TLS |
777 |
|
|
- Resolves: rhbz#2031742 |
778 |
|
|
|
779 |
|
|
* Tue Feb 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-8 |
780 |
|
|
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters |
781 |
|
|
- Resolves: rhbz#1977867 |
782 |
|
|
- pkcs12 export broken in FIPS mode |
783 |
|
|
- Resolves: rhbz#2049265 |
784 |
|
|
|
785 |
|
|
* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-8 |
786 |
|
|
- Disable SHA1 signature creation and verification by default |
787 |
|
|
- Set rh-allow-sha1-signatures = yes to re-enable |
788 |
|
|
- Resolves: rhbz#2031742 |
789 |
|
|
|
790 |
|
|
* Thu Feb 03 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-7 |
791 |
|
|
- s_server: correctly handle 2^14 byte long records |
792 |
|
|
- Resolves: rhbz#2042011 |
793 |
|
|
|
794 |
|
|
* Tue Feb 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-6 |
795 |
|
|
- Adjust FIPS provider version |
796 |
|
|
- Related: rhbz#2026445 |
797 |
|
|
|
798 |
|
|
* Wed Jan 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-5 |
799 |
|
|
- On the s390x, zeroize all the copies of TLS premaster secret |
800 |
|
|
- Related: rhbz#2040448 |
801 |
|
|
|
802 |
|
|
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-4 |
803 |
|
|
- rebuilt |
804 |
|
|
|
805 |
|
|
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-3 |
806 |
|
|
- KATS tests should be executed before HMAC verification |
807 |
|
|
- Restoring fips=yes for SHA1 |
808 |
|
|
- Related: rhbz#2026445, rhbz#2041994 |
809 |
|
|
|
810 |
|
|
* Thu Jan 20 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-2 |
811 |
|
|
- Add enable-buildtest-c++ to the configure options. |
812 |
|
|
- Related: rhbz#1990814 |
813 |
|
|
|
814 |
|
|
* Tue Jan 18 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-1 |
815 |
|
|
- Rebase to upstream version 3.0.1 |
816 |
|
|
- Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl |
817 |
|
|
- Resolves: rhbz#2038910, rhbz#2035148 |
818 |
|
|
|
819 |
|
|
* Mon Jan 17 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-7 |
820 |
|
|
- Remove algorithms we don't plan to certify from fips module |
821 |
|
|
- Remove native fipsmodule.cnf |
822 |
|
|
- Related: rhbz#2026445 |
823 |
|
|
|
824 |
|
|
* Tue Dec 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-6 |
825 |
|
|
- openssl speed should run in FIPS mode |
826 |
|
|
- Related: rhbz#1977318 |
827 |
|
|
|
828 |
|
|
* Wed Nov 24 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-5 |
829 |
|
|
- rebuilt for spec cleanup |
830 |
|
|
- Related: rhbz#1985362 |
831 |
|
|
|
832 |
|
|
* Thu Nov 18 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-4 |
833 |
|
|
- Embed FIPS HMAC in fips.so |
834 |
|
|
- Enforce loading FIPS provider when FIPS kernel flag is on |
835 |
|
|
- Related: rhbz#1985362 |
836 |
|
|
|
837 |
|
|
* Wed Nov 17 2021 Michel Alexandre Salim <salimma@fedoraproject.org> - 3.0.0-3.1 |
838 |
|
|
- Fork c9s' openssl to openssl3 for epel8 (and possibly Fedora <= 35) |
839 |
|
|
|
840 |
|
|
* Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3 |
841 |
|
|
- Fix memory leak in s_client |
842 |
|
|
- Related: rhbz#1996092 |
843 |
|
|
|
844 |
|
|
* Mon Sep 20 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-2 |
845 |
|
|
- Avoid double-free on error seeding the RNG. |
846 |
|
|
- KTLS and FIPS may interfere, so tests need to be tuned |
847 |
|
|
- Resolves: rhbz#1952844, rhbz#1961643 |
848 |
|
|
|
849 |
|
|
* Thu Sep 09 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-1 |
850 |
|
|
- Rebase to upstream version 3.0.0 |
851 |
|
|
- Related: rhbz#1990814 |
852 |
|
|
|
853 |
|
|
* Wed Aug 25 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-0.beta2.7 |
854 |
|
|
- Removes the dual-abi build as it not required anymore. The mass rebuild |
855 |
|
|
was completed and all packages are rebuilt against Beta version. |
856 |
|
|
- Resolves: rhbz#1984097 |
857 |
|
|
|
858 |
|
|
* Mon Aug 23 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-0.beta2.6 |
859 |
|
|
- Correctly process CMS reading from /dev/stdin |
860 |
|
|
- Resolves: rhbz#1986315 |
861 |
|
|
|
862 |
|
|
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.5 |
863 |
|
|
- Add instruction for loading legacy provider in openssl.cnf |
864 |
|
|
- Resolves: rhbz#1975836 |
865 |
|
|
|
866 |
|
|
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.4 |
867 |
|
|
- Adds support for IDEA encryption. |
868 |
|
|
- Resolves: rhbz#1990602 |
869 |
|
|
|
870 |
|
|
* Tue Aug 10 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.3 |
871 |
|
|
- Fixes core dump in openssl req -modulus |
872 |
|
|
- Fixes 'openssl req' to not ask for password when non-encrypted private key |
873 |
|
|
is used |
874 |
|
|
- cms: Do not try to check binary format on stdin and -rctform fix |
875 |
|
|
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137 |
876 |
|
|
|
877 |
|
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.beta2.2.1 |
878 |
|
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags |
879 |
|
|
Related: rhbz#1991688 |
880 |
|
|
|
881 |
|
|
* Wed Aug 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.0-0.beta2.2 |
882 |
|
|
- When signature_algorithm extension is omitted, use more relevant alerts |
883 |
|
|
- Resolves: rhbz#1965017 |
884 |
|
|
|
885 |
|
|
* Tue Aug 03 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta2.1 |
886 |
|
|
- Rebase to upstream version beta2 |
887 |
|
|
- Related: rhbz#1903209 |
888 |
|
|
|
889 |
|
|
* Thu Jul 22 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.5 |
890 |
|
|
- Prevents creation of duplicate cert entries in PKCS #12 files |
891 |
|
|
- Resolves: rhbz#1978670 |
892 |
|
|
|
893 |
|
|
* Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4 |
894 |
|
|
- NVR bump to update to OpenSSL 3.0 Beta1 |
895 |
|
|
|
896 |
|
|
* Mon Jul 19 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.3 |
897 |
|
|
- Update patch dual-abi.patch to add the #define macros in implementation |
898 |
|
|
files instead of public header files |
899 |
|
|
|
900 |
|
|
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.2 |
901 |
|
|
- Removes unused patch dual-abi.patch |
902 |
|
|
|
903 |
|
|
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.1 |
904 |
|
|
- Update to Beta1 version |
905 |
|
|
- Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16 |
906 |
|
|
|
907 |
|
|
* Tue Jul 06 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.7 |
908 |
|
|
- Fixes override of openssl_conf in openssl.cnf |
909 |
|
|
- Use AI_ADDRCONFIG only when explicit host name is given |
910 |
|
|
- Temporarily remove fipsmodule.cnf for arch i686 |
911 |
|
|
- Fixes segmentation fault in BN_lebin2bn |
912 |
|
|
- Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855 |
913 |
|
|
|
914 |
|
|
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.6 |
915 |
|
|
- Adds FIPS mode compatibility patch (sahana@redhat.com) |
916 |
|
|
- Related: rhbz#1977318 |
917 |
|
|
|
918 |
|
|
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.5 |
919 |
|
|
- Fixes system hang issue when booted in FIPS mode (sahana@redhat.com) |
920 |
|
|
- Temporarily disable downstream FIPS patches |
921 |
|
|
- Related: rhbz#1977318 |
922 |
|
|
|
923 |
|
|
* Fri Jun 11 2021 Mohan Boddu <mboddu@redhat.com> 3.0.0-0.alpha16.4 |
924 |
|
|
- Speeding up building openssl (dbelyavs@redhat.com) |
925 |
|
|
Resolves: rhbz#1903209 |
926 |
|
|
|
927 |
|
|
* Fri Jun 04 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.3 |
928 |
|
|
- Fix reading SPKAC data from stdin |
929 |
|
|
- Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448 |
930 |
|
|
- Return 0 after cleanup in OPENSSL_init_crypto() |
931 |
|
|
- Cleanup the peer point formats on regotiation |
932 |
|
|
- Fix default digest to SHA256 |
933 |
|
|
|
934 |
|
|
* Thu May 27 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.2 |
935 |
|
|
- Enable FIPS via config options |
936 |
|
|
|
937 |
|
|
* Mon May 17 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.1 |
938 |
|
|
- Update to alpha 16 version |
939 |
|
|
Resolves: rhbz#1952901 openssl sends alert after orderly connection close |
940 |
|
|
|
941 |
|
|
* Mon Apr 26 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha15.1 |
942 |
|
|
- Update to alpha 15 version |
943 |
|
|
Resolves: rhbz#1903209, rhbz#1952598, |
944 |
|
|
|
945 |
|
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.alpha13.1.1 |
946 |
|
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 |
947 |
|
|
|
948 |
|
|
* Fri Apr 09 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha13.1 |
949 |
|
|
- Update to new major release OpenSSL 3.0.0 alpha 13 |
950 |
|
|
Resolves: rhbz#1903209 |