rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to openssl 3.0.2 

Related: rhbz#2064453
This commit is contained in:
Dmitry Belyavskiy 2022-03-18 10:41:13 +01:00
parent b9f33d724e
commit a0bd929a42
7 changed files with 2250 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -53,3 +53,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.1j-hobbled.tar.xz
/openssl-1.1.1k-hobbled.tar.xz
/openssl-3.0.0-hobbled.tar.xz
/openssl-3.0.2-hobbled.tar.gz

8
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
View File

@ -216,14 +216,6 @@ index b1d3f7919e..f7cc7fed48 100644
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
sk_SSL_CIPHER_free(cipherstack);
+ OPENSSL_free(co_list);
return NULL;
}
}
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
*cipher_list = cipherstack;

80
0012-Disable-explicit-ec.patch Normal file
View File

@ -0,0 +1,80 @@
diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_lib.c
--- openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec 2022-02-22 09:08:48.557823665 +0100
+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-02-22 09:09:26.634133847 +0100
@@ -1458,7 +1458,7 @@ static EC_GROUP *ec_group_explicit_to_na
goto err;
}
} else {
- ret_group = (EC_GROUP *)group;
+ goto err;
}
EC_GROUP_free(dup);
return ret_group;
diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c
--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec 2022-02-22 13:04:16.850856612 +0100
+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-02-22 14:16:19.848369641 +0100
@@ -936,11 +936,8 @@ int ec_validate(const void *keydata, int
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
int flags = EC_KEY_get_flags(eck);
- if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)
- ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
- (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
- else
- ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
+ ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
+ (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
}
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
@@ -1217,6 +1214,10 @@ static int ec_gen_assign_group(EC_KEY *e
ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET);
return 0;
}
+ if (EC_GROUP_get_curve_name(group) == NID_undef) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
+ return 0;
+ }
return EC_KEY_set_group(ec, group) > 0;
}
diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c
--- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec 2022-02-25 11:44:19.554673396 +0100
+++ openssl-3.0.1/providers/common/securitycheck.c 2022-02-25 12:16:38.168610089 +0100
@@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx
int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- if (ossl_securitycheck_enabled(ctx)) {
- int nid, strength;
- const char *curve_name;
- const EC_GROUP *group = EC_KEY_get0_group(ec);
+ int nid, strength;
+ const char *curve_name;
+ const EC_GROUP *group = EC_KEY_get0_group(ec);
- if (group == NULL) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
- return 0;
- }
- nid = EC_GROUP_get_curve_name(group);
- if (nid == NID_undef) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
- "Explicit curves are not allowed in fips mode");
- return 0;
- }
+ if (group == NULL) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
+ return 0;
+ }
+ nid = EC_GROUP_get_curve_name(group);
+ if (nid == NID_undef) {
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
+ "Explicit curves are not allowed in this build");
+ return 0;
+ }
+ if (ossl_securitycheck_enabled(ctx)) {
curve_name = EC_curve_nid2nist(nid);
if (curve_name == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,

2151
0051-Support-different-R_BITS-lengths-for-KBKDF.patch Normal file
View File

File diff suppressed because it is too large Load Diff

4
ectest.c
View File

@ -2300,8 +2300,8 @@ int setup_tests(void)
ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
ADD_ALL_TESTS(custom_generator_test, crv_len);
ADD_ALL_TESTS(custom_params_test, crv_len);
/* ADD_ALL_TESTS(custom_generator_test, crv_len);
ADD_ALL_TESTS(custom_params_test, crv_len); */
return 1;
}

19
openssl.spec
View File

@ -14,13 +14,13 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.0
Release: 2%{?dist}
Version: 3.0.2
Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source: openssl-%{version}-hobbled.tar.xz
Source: openssl-%{version}-hobbled.tar.gz
Source1: hobble-openssl
Source2: Makefile.certificate
Source3: genpatches
@ -52,8 +52,12 @@ Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch
# Disable explicit EC curves
Patch12: 0012-Disable-explicit-ec.patch
# Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch
# Backport of patch for RHEL for Edge rhbz #2027261
Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
License: ASL 2.0
URL: http://www.openssl.org/
@ -177,6 +181,10 @@ sslflags=enable-ec_nistp_64_gcc_128
%ifarch riscv64
sslarch=linux-generic64
%endif
ktlsopt=enable-ktls
%ifarch armv7hl
ktlsopt=disable-ktls
%endif
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
@ -194,7 +202,7 @@ export HASHBANGPERL=/usr/bin/perl
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\
no-mdc2 no-ec2m no-sm2 no-sm4 \
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
@ -376,6 +384,9 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Fri Mar 18 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.2-1
- Rebase to upstream version 3.0.2
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27
SHA512 (openssl-3.0.2-hobbled.tar.gz) = e62f95ef9a81555f8c7bb4e68bfbd14bd81040f112dd88a1e515160623e6d3a0b68d0d8b9b12905f67b06834bd152edfbabca4b528a4887b15dd153d60ad36d5