Accepting request 1139750 from security:tls:unstable

OBS-URL: https://build.opensuse.org/request/show/1139750 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=85
2024-01-18 15:17:04 +00:00 · 2024-01-18 15:17:04 +00:00 · 7957f2e845
commit 7957f2e845
parent dd8139948c
6 changed files with 416 additions and 14 deletions
--- a/openssl-3.changes
+++ b/openssl-3.changes
@ -5,6 +5,29 @@ Tue Jan 16 09:45:24 UTC 2024 - Otto Hollmann <otto.hollmann@suse.com>
  * Limit the execution time of RSA public key check
  * Add openssl-CVE-2023-6237.patch

+-------------------------------------------------------------------
+Sun Jan 14 13:36:33 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Rename openssl-Override-default-paths-for-the-CA-directory-tree.patch
+  to openssl-crypto-policies.patch
+
+-------------------------------------------------------------------
+Sat Jan 13 23:59:27 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Embed the FIPS hmac. Add openssl-FIPS-embed-hmac.patch
+
+-------------------------------------------------------------------
+Sat Jan 13 22:52:50 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Define SUSE_OPENSSL_FIPS_VERSION for the FIPS provider
+  * Add openssl-FIPS-SUSE-version.patch
+
+-------------------------------------------------------------------
+Sat Jan 13 22:31:15 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Load FIPS the provider and set FIPS properties implicitly (bsc#1218091)
+  * Add openssl-Force-FIPS.patch
+
 -------------------------------------------------------------------
 Thu Jan 11 08:07:48 UTC 2024 - Otto Hollmann <otto.hollmann@suse.com>

--- a/openssl-3.spec
+++ b/openssl-3.spec
@ -44,7 +44,7 @@ Patch4:         openssl-DEFAULT_SUSE_cipher.patch
 Patch5:         openssl-ppc64-config.patch
 # Add crypto-policies support
 Patch6:         openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
-Patch7:         openssl-Override-default-paths-for-the-CA-directory-tree.patch
+Patch7:         openssl-crypto-policies-support.patch
 # PATCH-FIX-OPENSUSE: Revert of 0e55c3ab8d702ffc897c9beb51d19b14b789618
 # Makefile: Call mknum.pl on 'make ordinals' only if needed
 Patch8:         openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
@ -57,8 +57,14 @@ Patch11:        openssl-Fix_test_symbol_presence.patch
 Patch12:        openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
 # PATCH-FIX-UPSTREAM: bsc#1218690 CVE-2023-6129 - POLY1305 MAC implementation corrupts vector registers on PowerPC
 Patch13:        openssl-CVE-2023-6129.patch
+# PATCH-FIX-FEDORA Load FIPS the provider and set FIPS properties implicitly
+Patch14:        openssl-Force-FIPS.patch
+# PATCH-FIX-OPENSUSE Define SUSE_OPENSSL_FIPS_VERSION for the FIPS provider
+#Patch15:        openssl-FIPS-SUSE-version.patch
+# PATCH-FIX-FEDORA Embed the FIPS hmac
+Patch16:        openssl-FIPS-embed-hmac.patch
 # PATCH-FIX-UPSTREAM: bsc#1218810 CVE-2023-6237: Excessive time spent checking invalid RSA public keys
-Patch14:        openssl-CVE-2023-6237.patch
+Patch17:        openssl-CVE-2023-6237.patch
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
 Requires:       libopenssl3 = %{version}-%{release}
@ -142,7 +148,7 @@ export MACHINE=armv5el
 export MACHINE=armv6l
 %endif

-./config \
+./Configure \
    no-mdc2 no-ec2m no-sm2 no-sm4 \
    enable-rfc3779 enable-camellia enable-seed \
 %ifarch x86_64 aarch64 ppc64le
@ -165,7 +171,8 @@ export MACHINE=armv6l
    $(getconf LFS_CFLAGS) \
    -Wall \
    --with-rand-seed=getrandom \
-    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config
+    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+    -DSUSE_OPENSSL_FIPS_VERSION=%{release}

 # Show build configuration
 perl configdata.pm --dump
@ -181,12 +188,33 @@ perl configdata.pm --dump
 # Revert patch7 before running tests
 patch -p1 -R < %{PATCH7}
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
-
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-#export HARNESS_VERBOSE=yes
+# export HARNESS_VERBOSE=yes
+# Embed HMAC into fips provider for test run
+OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
+
+# Run the tests in non FIPS mode
 LD_LIBRARY_PATH="$PWD" make test -j16

+# Run the tests also in FIPS mode
+OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH="$PWD" make test -j16 || :
+
+# Add generation of HMAC checksum of the final stripped library
+# We manually copy standard definition of __spec_install_post
+# and add hmac calculation/embedding to fips.so
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
+    objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
+    mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
+    rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
+%{nil}
+
 # show ciphers
 gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
--- a/openssl-FIPS-SUSE-version.patch
+++ b/openssl-FIPS-SUSE-version.patch
@ -0,0 +1,40 @@
+Index: openssl-3.2.0/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.2.0.orig/providers/fips/fipsprov.c
+++ openssl-3.2.0/providers/fips/fipsprov.c
+@@ -199,7 +199,7 @@ static int fips_get_params(void *provctx
+                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
+ 
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE OpenSSL FIPS Provider"))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
+     if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
+Index: openssl-3.2.0/include/openssl/opensslv.h.in
+===================================================================
+--- openssl-3.2.0.orig/include/openssl/opensslv.h.in
+++ openssl-3.2.0/include/openssl/opensslv.h.in
+@@ -17,6 +17,9 @@
+ extern "C" {
+ # endif
+ 
+#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x
+#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x)
+
+ /*
+  * SECTION 1: VERSION DATA.  These will change for each release
+  */
+@@ -87,7 +90,11 @@ extern "C" {
+  * SECTION 4: BACKWARD COMPATIBILITY
+  */
+ 
+-# define OPENSSL_VERSION_TEXT "OpenSSL {- "$config{full_version} $config{release_date}" -}"
+# ifndef FIPS_MODULE
+#  define OPENSSL_VERSION_TEXT "OpenSSL {- "$config{full_version} $config{release_date}" -}"
+# else
+#  define OPENSSL_VERSION_TEXT "OpenSSL {- $config{full_version} -}-fips {- $config{release_date} -} SUSE release SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_FIPS_VERSION)"
+# endif
+ 
+ /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
+ # ifdef OPENSSL_VERSION_PRE_RELEASE
--- a/openssl-FIPS-embed-hmac.patch
+++ b/openssl-FIPS-embed-hmac.patch
@ -0,0 +1,250 @@
+From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 19 Oct 2023 13:12:40 +0200
+Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
+
+Patch-name: 0033-FIPS-embed-hmac.patch
+Patch-id: 33
+Patch-status: |
+    # # Embed HMAC into the fips.so
+From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
+---
+ providers/fips/self_test.c            | 70 ++++++++++++++++++++++++---
+ test/fipsmodule.cnf                   |  2 +
+ test/recipes/00-prep_fipsmodule_cnf.t |  2 +-
+ test/recipes/01-test_fipsmodule_cnf.t |  2 +-
+ test/recipes/03-test_fipsinstall.t    |  2 +-
+ test/recipes/30-test_defltfips.t      |  2 +-
+ test/recipes/80-test_ssl_new.t        |  2 +-
+ test/recipes/90-test_sslapi.t         |  2 +-
+ 8 files changed, 71 insertions(+), 13 deletions(-)
+ create mode 100644 test/fipsmodule.cnf
+
+diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
+index b8dc9817b2..e3a629018a 100644
+--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
+@@ -230,11 +230,27 @@ err:
+     return ok;
+ }
+ 
+#define HMAC_LEN 32
+/*
+ * The __attribute__ ensures we've created the .rodata1 section
+ * static ensures it's zero filled
+*/
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
+
+ /*
+  * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
+  * the result matches the expected value.
+  * Return 1 if verified, or 0 if it fails.
+  */
+#ifndef __USE_GNU
+#define __USE_GNU
+#include <dlfcn.h>
+#undef __USE_GNU
+#else
+#include <dlfcn.h>
+#endif
+#include <link.h>
+
+ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
+                             unsigned char *expected, size_t expected_len,
+                             OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
+@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+     EVP_MAC *mac = NULL;
+     EVP_MAC_CTX *ctx = NULL;
+     OSSL_PARAM params[2], *p = params;
+    Dl_info info;
+    void *extra_info = NULL;
+    struct link_map *lm = NULL;
+    unsigned long paddr;
+    unsigned long off = 0;
+ 
+     if (!integrity_self_test(ev, libctx))
+         goto err;
+ 
+     OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+ 
+    if (!dladdr1 ((const void *)fips_hmac_container,
+                &info, &extra_info, RTLD_DL_LINKMAP))
+        goto err;
+    lm = extra_info;
+    paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
+     mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
+     if (mac == NULL)
+         goto err;
+@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+     if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
+         goto err;
+ 
+-    while (1) {
+-        status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+    while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+        if (status != 1)
+            break;
+        if (!EVP_MAC_update(ctx, buf, bytes_read))
+            goto err;
+	off += bytes_read;
+    }
+
+    if (off + INTEGRITY_BUF_SIZE > paddr) {
+        int delta = paddr - off;
+        status = read_ex_cb(bio, buf, delta, &bytes_read);
+        if (status != 1)
+            goto err;
+        if (!EVP_MAC_update(ctx, buf, bytes_read))
+            goto err;
+	off += bytes_read;
+
+        status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+        memset(buf, 0, HMAC_LEN);
+        if (status != 1)
+            goto err;
+        if (!EVP_MAC_update(ctx, buf, bytes_read))
+            goto err;
+	off += bytes_read;
+    }
+
+    while (bytes_read > 0) {
+        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+         if (status != 1)
+             break;
+         if (!EVP_MAC_update(ctx, buf, bytes_read))
+             goto err;
+	off += bytes_read;
+     }
+
+     if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
+         goto err;
+ 
+@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+         goto err;
+     ret = 1;
+ err:
+    OPENSSL_cleanse(out, sizeof(out));
+     OSSL_SELF_TEST_onend(ev, ret);
+     EVP_MAC_CTX_free(ctx);
+     EVP_MAC_free(mac);
+@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+         return 0;
+     }
+ 
+-    if (st == NULL
+-            || st->module_checksum_data == NULL) {
+    if (st == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
+         goto end;
+     }
+@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+     if (ev == NULL)
+         goto end;
+ 
+-    module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
+-                                         &checksum_len);
+    module_checksum = fips_hmac_container;
+    checksum_len = sizeof(fips_hmac_container);
+
+     if (module_checksum == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
+         goto end;
+@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+ end:
+     EVP_RAND_free(testrand);
+     OSSL_SELF_TEST_free(ev);
+-    OPENSSL_free(module_checksum);
+     OPENSSL_free(indicator_checksum);
+ 
+     if (st != NULL) {
+diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
+new file mode 100644
+index 0000000000..f05d0dedbe
+--- /dev/null
+++ b/test/fipsmodule.cnf
+@@ -0,0 +1,2 @@
+[fips_sect]
+activate = 1
+diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
+index 4e3a6d85e8..e8255ba974 100644
+--- a/test/recipes/00-prep_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
+@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ use platform;
+ 
+-my $no_check = disabled("fips");
+my $no_check = 1;
+ plan skip_all => "FIPS module config file only supported in a fips build"
+     if $no_check;
+ 
+diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
+index ce594817d5..00cebacff8 100644
+--- a/test/recipes/01-test_fipsmodule_cnf.t
+++ b/test/recipes/01-test_fipsmodule_cnf.t
+@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ use platform;
+ 
+-my $no_check = disabled("fips");
+my $no_check = 1;
+ plan skip_all => "Test only supported in a fips build"
+     if $no_check;
+ plan tests => 1;
+diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
+index b8b136d110..8242f4ebc3 100644
+--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
+@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ use platform;
+ 
+-plan skip_all => "Test only supported in a fips build" if disabled("fips");
+plan skip_all => "Test only supported in a fips build" if 1;
+ 
+ # Compatible options for pedantic FIPS compliance
+ my @pedantic_okay =
+diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
+index c8f145405b..56a2ec5dc4 100644
+--- a/test/recipes/30-test_defltfips.t
+++ b/test/recipes/30-test_defltfips.t
+@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
+ plan skip_all => "Configuration loading is turned off"
+     if disabled("autoload-config");
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
+ 
+ plan tests =>
+     ($no_fips ? 1 : 5);
+diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
+index 0c6d6402d9..e45f9cb560 100644
+--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
+@@ -27,7 +27,7 @@ setup("test_ssl_new");
+ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
+ 
+ $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
+ 
+diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
+index 9e9e32b51e..1a1a7159b5 100644
+--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
+@@ -17,7 +17,7 @@ setup("test_sslapi");
+ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
+ my $fipsmodcfg_filename = "fipsmodule.cnf";
+ my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
+ 
+-- 
+2.41.0
+
--- a/openssl-Force-FIPS.patch
+++ b/openssl-Force-FIPS.patch
@ -0,0 +1,68 @@
+From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 11:59:02 +0200
+Subject: [PATCH 16/48] 0032-Force-fips.patch
+
+Patch-name: 0032-Force-fips.patch
+Patch-id: 32
+Patch-status: |
+    # We load FIPS provider and set FIPS properties implicitly
+---
+ crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
+index 058fb58837..5274265a70 100644
+--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
+@@ -10,6 +10,8 @@
+ #include <string.h>
+ #include <openssl/trace.h>
+ #include <openssl/err.h>
+#include <openssl/evp.h>
+#include <unistd.h>
+ #include <openssl/conf.h>
+ #include <openssl/safestack.h>
+ #include <openssl/provider.h>
+@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
+         if (path != NULL)
+             ossl_provider_set_module_path(prov, path);
+ 
+-        ok = provider_conf_params(prov, NULL, NULL, value, cnf);
+        ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
+ 
+         if (ok) {
+             if (!ossl_provider_activate(prov, 1, 0)) {
+@@ -309,6 +311,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
+             return 0;
+     }
+ 
+    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
+        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
+#  define FIPS_LOCAL_CONF           OPENSSLDIR "/fips_local.cnf"
+
+        if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
+            CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
+            if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
+                return 0;
+
+            if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
+                NCONF_free(fips_conf);
+                return 0;
+            }
+            NCONF_free(fips_conf);
+        } else {
+            if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
+                return 0;
+        }
+        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
+            return 0;
+        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
+            return 0;
+    }
+
+     return 1;
+ }
+ 
+-- 
+2.41.0
--- a/openssl-Override-default-paths-for-the-CA-directory-tree.patch
+++ b/openssl-Override-default-paths-for-the-CA-directory-tree.patch
@ -1,14 +1,7 @@
-From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Thu, 24 Sep 2020 09:17:26 +0200
-Subject: Override default paths for the CA directory tree
-
-Also add default section to load crypto-policies configuration
-for TLS.
+Add default section to load crypto-policies configuration for TLS.

 It needs to be reverted before running tests.

-(was openssl-1.1.1-conf-paths.patch)
 ---
 apps/openssl.cnf | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)