From f18ebf3adf422fa61d0be54ef9ade8ae194fa2d3e10c1995c07e6ec93d632a31 Mon Sep 17 00:00:00 2001
From: Otto Hollmann
Date: Thu, 23 Nov 2023 14:31:37 +0000
Subject: [PATCH] Accepting request 1128352 from home:ohollmann:branches:security:tls
- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
* Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
* bsc#1190652 - Provide a service to output module name/identifier and version
- Sync patches with SLE:
* Merge openssl-keep_EVP_KDF_functions_version.patch into openssl-1.1.1-evp-kdf.patch
* Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
* Remove openssl-no-date.patch
OBS-URL: https://build.opensuse.org/request/show/1128352
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=152
---
 openssl-1.1.1-evp-kdf.patch | 16 ++++++-------
 ...190652_release_num_in_version_string.patch | 23 ++++++++++++++++++
 ...ps-bsc1215215_fips_in_version_string.patch | 6 ++---
 openssl-1_1.changes | 14 +++++++++++
 openssl-1_1.spec | 18 +++++++-------
 openssl-Skip_SHA1-test-in-FIPS-mode.patch | 15 ++++++++++++
 openssl-keep_EVP_KDF_functions_version.patch | 24 -------------------
 openssl-no-date.patch | 13 ----------
 8 files changed, 73 insertions(+), 56 deletions(-)
 create mode 100644 openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
 create mode 100644 openssl-Skip_SHA1-test-in-FIPS-mode.patch
 delete mode 100644 openssl-keep_EVP_KDF_functions_version.patch
 delete mode 100644 openssl-no-date.patch
diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch
index 536e9c0..d4f407a 100644
--- a/openssl-1.1.1-evp-kdf.patch
+++ b/openssl-1.1.1-evp-kdf.patch
@@ -5228,14 +5228,14 @@ Index: openssl-1.1.1n/util/libcrypto.num
 FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
 FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
 FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
-+EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
++EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION:
++EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION:
++EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION:
++EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION:
++EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION:
++EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION:
++EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION:
++EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION:
 Index: openssl-1.1.1n/util/private.num
 ===================================================================
 --- openssl-1.1.1n.orig/util/private.num
diff --git a/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch b/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
new file mode 100644
index 0000000..a3f4fd7
--- /dev/null
+++ b/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
@@ -0,0 +1,23 @@
+diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
+index cbbfab1..7576de8 100644
+--- a/include/openssl/opensslv.h
++++ b/include/openssl/opensslv.h
+@@ -14,6 +14,9 @@
+ extern "C" {
+ #endif
++#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x
++#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x)
++
+ /*-
+ * Numeric release version identifier:
+ * MNNFFPPS: major minor fix patch status
+@@ -40,7 +43,7 @@ extern "C" {
+ * major minor fix final patch/beta)
+ */
+ # define OPENSSL_VERSION_NUMBER 0x1010117fL
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
+ /*-
+ * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/openssl-1_1-fips-bsc1215215_fips_in_version_string.patch b/openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
index 9591a53..cee3347 100644
--- a/openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
+++ b/openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
@@ -35,11 +35,11 @@
 * major minor fix final patch/beta)
 */
 # define OPENSSL_VERSION_NUMBER 0x1010117fL
--# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 +# ifdef OPENSSL_FIPS
-+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w-fips 11 Sep 2023"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w-fips 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 +# else
-+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 +# endif
 /*-
diff --git a/openssl-1_1.changes b/openssl-1_1.changes
index 662470a..5bf3ff8 100644
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
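Review bot: `SUSE_OPENSSL_RELEASE` is stringified into `OPENSSL_VERSION_TEXT` in the new opensslv.h hunk but is never defined by the patch itself, and since opensslv.h is an installed public header, any consumer that compiles against it without `-DSUSE_OPENSSL_RELEASE=...` silently gets the literal text `SUSE_OPENSSL_RELEASE` in its compile-time version string (the `#x` stringification accepts an undefined name without a diagnostic). No spec hunk in this diff passes that define, so it is presumably supplied by build flags outside the visible hunks — confirm. Guarding the suffix on `#ifdef SUSE_OPENSSL_RELEASE`, as below, keeps the plain upstream text for out-of-tree builds while the package build still embeds the release number; the bsc1215215 refresh would then need the same guard inside its `OPENSSL_FIPS` branches. A one-line comment above the two `SUSE_OPENSSL_STRING_PARAM_FUNC*` helpers stating they are build-internal would also help, as they now live in the public namespace of a public header.
```c
/* … unchanged: stringification helpers and version-number comment … */
# define OPENSSL_VERSION_NUMBER 0x1010117fL
# ifdef SUSE_OPENSSL_RELEASE
#  define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
# else
#  define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
# endif
```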
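Review bot: The refreshed `-` line of this hunk now carries the `SUSE release` suffix and the `SUSE_OPENSSL_STRING_PARAM_FUNCB` reference, so openssl-1_1-fips-bsc1215215_fips_in_version_string.patch only applies after openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch has rewritten that line and introduced the helper macro; the spec's patch application order is not in this diff, so confirm that Patch75 (bsc1190652) is applied before the bsc1215215 patch, otherwise this hunk fails on context. Both the `-fips` and the plain branch must keep the same suffix expression for the version string to reflect the packaged release consistently; a short comment above `# ifdef OPENSSL_FIPS`, e.g. `/* keep both branches in sync with the bsc1190652 patch */`, would make that coupling visible at the next refresh.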
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Nov 23 09:43:39 UTC 2023 - Otto Hollmann
+
+- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
+ * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
+- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
+ * bsc#1190652 - Provide a service to output module name/identifier
+ and version
+- Sync patches with SLE:
+ * Merge openssl-keep_EVP_KDF_functions_version.patch into
+ openssl-1.1.1-evp-kdf.patch
+ * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
+ * Remove openssl-no-date.patch
+
 -------------------------------------------------------------------
 Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann
diff --git a/openssl-1_1.spec b/openssl-1_1.spec
index af01472..99df9ab 100644
--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@@ -60,7 +60,6 @@ Patch3: openssl-pkgconfig.patch
 Patch4: openssl-DEFAULT_SUSE_cipher.patch
 Patch5: openssl-ppc64-config.patch
 Patch6: openssl-riscv64-config.patch
-Patch7: openssl-no-date.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
 Patch8: 0001-s390x-assembly-pack-perlasm-support.patch
 Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
@@ -95,7 +94,6 @@ Patch38: openssl-1.1.1-ssh-kdf.patch
 Patch40: openssl-fips-selftests_in_nonfips_mode.patch
 Patch41: openssl-fips-clearerror.patch
 Patch42: openssl-fips-ignore_broken_atexit_test.patch
-Patch43: openssl-keep_EVP_KDF_functions_version.patch
 Patch45: openssl-fips-add-SHA3-selftest.patch
 Patch46: openssl-fips_selftest_upstream_drbg.patch
 Patch47: openssl-unknown_dgst.patch
@@ -126,15 +124,17 @@ Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch
 Patch73: openssl-FIPS-KAT-before-integrity-tests.patch
 # PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
 Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch
+#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string
+Patch75: openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
 # PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
-Patch75: openssl-1_1-paramgen-default_to_rfc7919.patch
+Patch76: openssl-1_1-paramgen-default_to_rfc7919.patch
 # PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
-Patch76: openssl-1_1-use-include-directive.patch
+Patch77: openssl-1_1-use-include-directive.patch
 # PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
-Patch77: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
-Patch78: bsc1185319-FIPS-KAT-for-ECDSA.patch
-Patch79: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
-Patch81: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
+Patch78: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
+Patch79: bsc1185319-FIPS-KAT-for-ECDSA.patch
+Patch80: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
+Patch82: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
 # PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components
 Patch84: openssl-1_1-Zeroization.patch
 # PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
@@ -188,6 +188,8 @@ Patch114: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.pat
 # PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
 # checking excessively long X9.42 DH keys or parameters may be very slow
 Patch115: openssl-CVE-2023-5678.patch
+# PATCH-FIX-OPENSUSE skip SHA1 test in FIPS mode
+Patch116: openssl-Skip_SHA1-test-in-FIPS-mode.patch
 BuildRequires: jitterentropy-devel >= 3.4.0
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(zlib)
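Review bot: The new `Patch75:` line pulls in a patch that stringifies `SUSE_OPENSSL_RELEASE` into the library's version text, but no hunk in this diff adds a `-DSUSE_OPENSSL_RELEASE=...` to the build flags; if that define is not already passed elsewhere in the spec (outside the visible hunks), the built library reports `SUSE release SUSE_OPENSSL_RELEASE` verbatim — confirm it is derived from `%{release}` in the configure/CFLAGS section. Renumbering Patch75 through Patch82 is only safe if the patches are applied via `%autopatch`/`%autosetup`; if explicit `%patchN` lines exist further down the spec they must be renumbered in the same commit or the wrong files get applied under the shifted numbers. Minor style: the added comment `#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string` omits the space after `#` that every neighbouring `# PATCH-FIX-SUSE` line uses.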
diff --git a/openssl-Skip_SHA1-test-in-FIPS-mode.patch b/openssl-Skip_SHA1-test-in-FIPS-mode.patch
new file mode 100644
index 0000000..b8907d8
--- /dev/null
+++ b/openssl-Skip_SHA1-test-in-FIPS-mode.patch
@@ -0,0 +1,15 @@
+Index: openssl-1.1.1w/test/recipes/20-test_dgst.t
+===================================================================
+--- openssl-1.1.1w.orig/test/recipes/20-test_dgst.t
++++ openssl-1.1.1w/test/recipes/20-test_dgst.t
+@@ -104,8 +105,8 @@ SKIP: {
+ }
+
+ SKIP: {
+- skip "dgst with engine is not supported by this OpenSSL build", 1
+- if disabled("engine") || disabled("dynamic-engine");
++ skip "dgst with engine is not supported by this OpenSSL build or we are in FIPS mode", 1
++ if disabled("engine") || disabled("dynamic-engine") || ($ENV{OPENSSL_FORCE_FIPS_MODE});
+
+ subtest "SHA1 generation by engine with `dgst` CLI" => sub {
+ plan tests => 1;
diff --git a/openssl-keep_EVP_KDF_functions_version.patch b/openssl-keep_EVP_KDF_functions_version.patch
deleted file mode 100644
index b3915a9..0000000
--- a/openssl-keep_EVP_KDF_functions_version.patch
+++ /dev/null
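Review bot: The new skip condition evaluates `$ENV{OPENSSL_FORCE_FIPS_MODE}` for Perl truthiness, so a value of `0` or the empty string does not skip while any other non-empty value does; that is consistent only if the rest of the harness reads the variable the same way — worth confirming, and a comment such as `# OPENSSL_FORCE_FIPS_MODE is exported by the package build when the suite runs in FIPS mode` on the `if` line would make the contract explicit. A skip also hides the behaviour rather than asserting it: if the engine-backed `dgst` path is meant to be unavailable in FIPS mode (as the new skip message implies), a test that expects the command to fail there would catch a regression where it silently starts working again, whereas the skip keeps the suite green either way. The inner hunk header `@@ -104,8 +105,8 @@` has a new-side offset of +1 with no earlier hunk in this patch to account for it, which suggests the patch was hand-extracted from a larger change; regenerating it with `quilt refresh` against 1.1.1w would avoid fuzz/offset warnings at apply time.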
@@ -1,24 +0,0 @@
-Index: openssl-1.1.1d/util/libcrypto.num
-===================================================================
---- openssl-1.1.1d.orig/util/libcrypto.num 2020-01-27 12:07:26.467151662 +0100
-+++ openssl-1.1.1d/util/libcrypto.num 2020-01-27 13:18:44.456778054 +0100
-@@ -4617,11 +4617,11 @@ FIPS_drbg_get_strength
- FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
- FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
- FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
--EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION:
--EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION:
--EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION:
--EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION:
--EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
--EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
--EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
--EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION:
-+EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION:
-+EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION:
-+EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION:
-+EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION:
-+EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION:
-+EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION:
-+EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION:
diff --git a/openssl-no-date.patch b/openssl-no-date.patch
deleted file mode 100644
index c910674..0000000
--- a/openssl-no-date.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: openssl-1.1.1-pre1/util/mkbuildinf.pl
-===================================================================
---- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100
-+++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100
-@@ -28,7 +28,7 @@ print <<"END_OUTPUT";
- */
-
- #define PLATFORM "platform: $platform"
--#define DATE "built on: $date"
-+#define DATE ""
-
- /*
- * Generate compiler_flags as an array of individual characters. This is a