Sync from SUSE:SLFO:Main openssl-3 revision 2934ba4f330b70a5f3eff3c14baddc13

openssl-3.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Mar 21 17:19:40 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- FIPS: Mark SHA-1 as non-approved in the SLI. [jsc#PED-12224]
+  * Add openssl-FIPS-Mark-SHA1-as-nonapproved.patch
+
+-------------------------------------------------------------------
+Wed Mar  5 18:18:52 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Introduce --without lto. When %{optflags} contains -flto=*, tests cases are
+  also built using -flto=* which significantly increases build times, this
+  option disables lto which improve iteration times when developing.
+
 -------------------------------------------------------------------
 Tue Feb 11 18:21:12 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
 

openssl-3.spec

@@ -21,6 +21,11 @@
 %define _rname openssl
 %define man_suffix 3ssl
 
+%bcond_without lto
+%if %{without lto}
+%define _lto_cflags %{nil}
+%endif
+
 # Enable userspace livepatching.
 %define livepatchable 1
 
@@ -144,6 +149,8 @@ Patch64:        openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
 # PATCH-FIX-UPSTREAM: Fix failing tests on ppc64 jsc#PED-10280
 Patch65:        openssl-3-fix-sha3-squeeze-ppc64.patch
 Patch66:        openssl-3-fix-quic_multistream_test.patch
+# PATCH-FIX-SUSE jsc#PED-12224 FIPS: Mark SHA1 as nonapproved in the SLI
+Patch67:        openssl-FIPS-Mark-SHA1-as-nonapproved.patch
 
 # ulp-macros is available according to SUSE version.
 %ifarch x86_64

openssl-FIPS-Mark-SHA1-as-nonapproved.patch

@@ -0,0 +1,25 @@
+Index: openssl-3.2.4/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.2.4.orig/providers/fips/fipsprov.c
++++ openssl-3.2.4/providers/fips/fipsprov.c
+@@ -278,7 +278,7 @@ static int fips_self_test(void *provctx)
+  */
+ static const OSSL_ALGORITHM fips_digests[] = {
+     /* Our primary name:NiST name[:our older names] */
+-    { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
++    { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
+     { PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
+     { PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
+     { PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
+@@ -355,9 +355,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
+     ALG(PROV_NAMES_AES_256_WRAP_PAD_INV, ossl_aes256wrappadinv_functions),
+     ALG(PROV_NAMES_AES_192_WRAP_PAD_INV, ossl_aes192wrappadinv_functions),
+     ALG(PROV_NAMES_AES_128_WRAP_PAD_INV, ossl_aes128wrappadinv_functions),
+-    ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA1, ossl_aes128cbc_hmac_sha1_functions,
++    UNAPPROVED_ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA1, ossl_aes128cbc_hmac_sha1_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha1),
+-    ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA1, ossl_aes256cbc_hmac_sha1_functions,
++    UNAPPROVED_ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA1, ossl_aes256cbc_hmac_sha1_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha1),
+     ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA256, ossl_aes128cbc_hmac_sha256_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha256),