diff --git a/openssl-3-add_EVP_DigestSqueeze_api.patch b/openssl-3-add_EVP_DigestSqueeze_api.patch index 58b4713..6773dcc 100644 --- a/openssl-3-add_EVP_DigestSqueeze_api.patch +++ b/openssl-3-add_EVP_DigestSqueeze_api.patch @@ -26,10 +26,10 @@ Date: Fri Jul 21 15:05:38 2023 +1000 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/21511) -Index: openssl-3.2.3/crypto/evp/digest.c +Index: openssl-3.2.4/crypto/evp/digest.c =================================================================== ---- openssl-3.2.3.orig/crypto/evp/digest.c -+++ openssl-3.2.3/crypto/evp/digest.c +--- openssl-3.2.4.orig/crypto/evp/digest.c ++++ openssl-3.2.4/crypto/evp/digest.c @@ -502,6 +502,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, return ret; } @@ -105,10 +105,10 @@ Index: openssl-3.2.3/crypto/evp/digest.c || (fncnt == 0 && md->digest == NULL)) { /* * In order to be a consistent set of functions we either need the -Index: openssl-3.2.3/crypto/evp/legacy_sha.c +Index: openssl-3.2.4/crypto/evp/legacy_sha.c =================================================================== ---- openssl-3.2.3.orig/crypto/evp/legacy_sha.c -+++ openssl-3.2.3/crypto/evp/legacy_sha.c +--- openssl-3.2.4.orig/crypto/evp/legacy_sha.c ++++ openssl-3.2.4/crypto/evp/legacy_sha.c @@ -37,7 +37,8 @@ static int nm##_update(EVP_MD_CTX *ctx, } \ static int nm##_final(EVP_MD_CTX *ctx, unsigned char *md) \ @@ -119,10 +119,10 @@ Index: openssl-3.2.3/crypto/evp/legacy_sha.c } #define IMPLEMENT_LEGACY_EVP_MD_METH_SHAKE(nm, fn, tag) \ static int nm##_init(EVP_MD_CTX *ctx) \ -Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl +Index: openssl-3.2.4/crypto/sha/asm/keccak1600-armv4.pl =================================================================== ---- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-armv4.pl -+++ openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl +--- openssl-3.2.4.orig/crypto/sha/asm/keccak1600-armv4.pl ++++ openssl-3.2.4/crypto/sha/asm/keccak1600-armv4.pl 
@@ -966,6 +966,8 @@ SHA3_squeeze: stmdb sp!,{r6-r9} @@ -141,10 +141,10 @@ Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl mov r0,r14 @ original $A_flat bl KeccakF1600 -Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl +Index: openssl-3.2.4/crypto/sha/asm/keccak1600-armv8.pl =================================================================== ---- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-armv8.pl -+++ openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl +--- openssl-3.2.4.orig/crypto/sha/asm/keccak1600-armv8.pl ++++ openssl-3.2.4/crypto/sha/asm/keccak1600-armv8.pl @@ -483,6 +483,8 @@ SHA3_squeeze: mov $out,x1 mov $len,x2 @@ -163,10 +163,10 @@ Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl mov x0,$A_flat bl KeccakF1600 mov x0,$A_flat -Index: openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl +Index: openssl-3.2.4/crypto/sha/asm/keccak1600-ppc64.pl =================================================================== ---- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-ppc64.pl -+++ openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl +--- openssl-3.2.4.orig/crypto/sha/asm/keccak1600-ppc64.pl ++++ openssl-3.2.4/crypto/sha/asm/keccak1600-ppc64.pl @@ -668,6 +668,8 @@ SHA3_squeeze: subi $out,r4,1 ; prepare for stbu mr $len,r5 @@ -184,10 +184,10 @@ Index: openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl mr r3,$A_flat bl KeccakF1600 subi r3,$A_flat,8 ; prepare for ldu -Index: openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl +Index: openssl-3.2.4/crypto/sha/asm/keccak1600-x86_64.pl =================================================================== ---- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-x86_64.pl -+++ openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl +--- openssl-3.2.4.orig/crypto/sha/asm/keccak1600-x86_64.pl ++++ openssl-3.2.4/crypto/sha/asm/keccak1600-x86_64.pl @@ -503,12 +503,12 @@ SHA3_absorb: .size SHA3_absorb,.-SHA3_absorb ___ 
@@ -246,10 +246,10 @@ Index: openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl mov $out,%rdi mov $len,%rcx .byte 0xf3,0xa4 # rep movsb -Index: openssl-3.2.3/crypto/sha/keccak1600.c +Index: openssl-3.2.4/crypto/sha/keccak1600.c =================================================================== ---- openssl-3.2.3.orig/crypto/sha/keccak1600.c -+++ openssl-3.2.3/crypto/sha/keccak1600.c +--- openssl-3.2.4.orig/crypto/sha/keccak1600.c ++++ openssl-3.2.4/crypto/sha/keccak1600.c @@ -13,7 +13,7 @@ size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len, @@ -298,10 +298,10 @@ Index: openssl-3.2.3/crypto/sha/keccak1600.c } } #endif -Index: openssl-3.2.3/crypto/sha/sha3.c +Index: openssl-3.2.4/crypto/sha/sha3.c =================================================================== ---- openssl-3.2.3.orig/crypto/sha/sha3.c -+++ openssl-3.2.3/crypto/sha/sha3.c +--- openssl-3.2.4.orig/crypto/sha/sha3.c ++++ openssl-3.2.4/crypto/sha/sha3.c @@ -10,12 +10,13 @@ #include #include "internal/sha3.h" @@ -440,10 +440,10 @@ Index: openssl-3.2.3/crypto/sha/sha3.c return 1; } -Index: openssl-3.2.3/doc/life-cycles/digest.dot +Index: openssl-3.2.4/doc/life-cycles/digest.dot =================================================================== ---- openssl-3.2.3.orig/doc/life-cycles/digest.dot -+++ openssl-3.2.3/doc/life-cycles/digest.dot +--- openssl-3.2.4.orig/doc/life-cycles/digest.dot ++++ openssl-3.2.4/doc/life-cycles/digest.dot @@ -6,28 +6,30 @@ digraph digest { initialised [label=initialised, fontcolor="#c94c4c"]; updated [label=updated, fontcolor="#c94c4c"]; 
@@ -486,10 +486,10 @@ Index: openssl-3.2.3/doc/life-cycles/digest.dot + color="#034f84", fontcolor="#034f84"]; } - -Index: openssl-3.2.3/doc/man3/EVP_DigestInit.pod +Index: openssl-3.2.4/doc/man3/EVP_DigestInit.pod =================================================================== ---- openssl-3.2.3.orig/doc/man3/EVP_DigestInit.pod -+++ openssl-3.2.3/doc/man3/EVP_DigestInit.pod +--- openssl-3.2.4.orig/doc/man3/EVP_DigestInit.pod ++++ openssl-3.2.4/doc/man3/EVP_DigestInit.pod @@ -12,6 +12,7 @@ EVP_MD_CTX_settable_params, EVP_MD_CTX_g EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, EVP_Q_digest, EVP_Digest, EVP_DigestInit_ex2, EVP_DigestInit_ex, EVP_DigestInit, @@ -548,10 +548,10 @@ Index: openssl-3.2.3/doc/man3/EVP_DigestInit.pod =head1 COPYRIGHT -Index: openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod +Index: openssl-3.2.4/doc/man7/EVP_MD-BLAKE2.pod =================================================================== ---- openssl-3.2.3.orig/doc/man7/EVP_MD-BLAKE2.pod -+++ openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod +--- openssl-3.2.4.orig/doc/man7/EVP_MD-BLAKE2.pod ++++ openssl-3.2.4/doc/man7/EVP_MD-BLAKE2.pod @@ -25,6 +25,17 @@ Known names are "BLAKE2B-512" and "BLAKE =back @@ -570,10 +570,10 @@ Index: openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod =head2 Gettable Parameters This implementation supports the common gettable parameters described -Index: openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod +Index: openssl-3.2.4/doc/man7/EVP_MD-SHAKE.pod =================================================================== ---- openssl-3.2.3.orig/doc/man7/EVP_MD-SHAKE.pod -+++ openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod +--- openssl-3.2.4.orig/doc/man7/EVP_MD-SHAKE.pod ++++ openssl-3.2.4/doc/man7/EVP_MD-SHAKE.pod @@ -70,8 +70,21 @@ For backwards compatibility reasons the 32 (bytes) which results in a security strength of only 128 bits. To ensure the maximum security strength of 256 bits, the xoflen should be set to at least 64. 
@@ -596,10 +596,10 @@ Index: openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod =head1 SEE ALSO L, L, L -Index: openssl-3.2.3/doc/man7/life_cycle-digest.pod +Index: openssl-3.2.4/doc/man7/life_cycle-digest.pod =================================================================== ---- openssl-3.2.3.orig/doc/man7/life_cycle-digest.pod -+++ openssl-3.2.3/doc/man7/life_cycle-digest.pod +--- openssl-3.2.4.orig/doc/man7/life_cycle-digest.pod ++++ openssl-3.2.4/doc/man7/life_cycle-digest.pod @@ -32,6 +32,14 @@ additional input or generating output. =item finaled @@ -852,10 +852,10 @@ Index: openssl-3.2.3/doc/man7/life_cycle-digest.pod Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy -Index: openssl-3.2.3/doc/man7/provider-digest.pod +Index: openssl-3.2.4/doc/man7/provider-digest.pod =================================================================== ---- openssl-3.2.3.orig/doc/man7/provider-digest.pod -+++ openssl-3.2.3/doc/man7/provider-digest.pod +--- openssl-3.2.4.orig/doc/man7/provider-digest.pod ++++ openssl-3.2.4/doc/man7/provider-digest.pod @@ -198,8 +198,7 @@ This digest method can only handle one b =item B @@ -866,10 +866,10 @@ Index: openssl-3.2.3/doc/man7/provider-digest.pod =item B -Index: openssl-3.2.3/include/crypto/evp.h +Index: openssl-3.2.4/include/crypto/evp.h =================================================================== ---- openssl-3.2.3.orig/include/crypto/evp.h -+++ openssl-3.2.3/include/crypto/evp.h +--- openssl-3.2.4.orig/include/crypto/evp.h ++++ openssl-3.2.4/include/crypto/evp.h @@ -296,6 +296,7 @@ struct evp_md_st { OSSL_FUNC_digest_init_fn *dinit; OSSL_FUNC_digest_update_fn *dupdate; 
@@ -878,10 +878,10 @@ Index: openssl-3.2.3/include/crypto/evp.h OSSL_FUNC_digest_digest_fn *digest; OSSL_FUNC_digest_freectx_fn *freectx; OSSL_FUNC_digest_dupctx_fn *dupctx; -Index: openssl-3.2.3/include/internal/sha3.h +Index: openssl-3.2.4/include/internal/sha3.h =================================================================== ---- openssl-3.2.3.orig/include/internal/sha3.h -+++ openssl-3.2.3/include/internal/sha3.h +--- openssl-3.2.4.orig/include/internal/sha3.h ++++ openssl-3.2.4/include/internal/sha3.h @@ -22,23 +22,31 @@ typedef struct keccak_st KECCAK1600_CTX; @@ -927,10 +927,10 @@ Index: openssl-3.2.3/include/internal/sha3.h size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len, size_t r); -Index: openssl-3.2.3/include/openssl/core_dispatch.h +Index: openssl-3.2.4/include/openssl/core_dispatch.h =================================================================== ---- openssl-3.2.3.orig/include/openssl/core_dispatch.h -+++ openssl-3.2.3/include/openssl/core_dispatch.h +--- openssl-3.2.4.orig/include/openssl/core_dispatch.h ++++ openssl-3.2.4/include/openssl/core_dispatch.h @@ -300,6 +300,7 @@ OSSL_CORE_MAKE_FUNC(int, provider_self_t # define OSSL_FUNC_DIGEST_GETTABLE_PARAMS 11 # define OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS 12 @@ -949,10 +949,10 @@ Index: openssl-3.2.3/include/openssl/core_dispatch.h OSSL_CORE_MAKE_FUNC(int, digest_digest, (void *provctx, const unsigned char *in, size_t inl, unsigned char *out, size_t *outl, size_t outsz)) -Index: openssl-3.2.3/include/openssl/evp.h +Index: openssl-3.2.4/include/openssl/evp.h =================================================================== ---- openssl-3.2.3.orig/include/openssl/evp.h -+++ openssl-3.2.3/include/openssl/evp.h +--- openssl-3.2.4.orig/include/openssl/evp.h ++++ openssl-3.2.4/include/openssl/evp.h 
@@ -729,8 +729,10 @@ __owur int EVP_MD_CTX_copy(EVP_MD_CTX *o __owur int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); __owur int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, @@ -966,10 +966,10 @@ Index: openssl-3.2.3/include/openssl/evp.h __owur EVP_MD *EVP_MD_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, const char *properties); -Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +Index: openssl-3.2.4/providers/implementations/digests/sha3_prov.c =================================================================== ---- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c -+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +--- openssl-3.2.4.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.4/providers/implementations/digests/sha3_prov.c @@ -33,10 +33,12 @@ static OSSL_FUNC_digest_update_fn keccak static OSSL_FUNC_digest_final_fn keccak_final; static OSSL_FUNC_digest_freectx_fn keccak_freectx; @@ -1229,16 +1229,16 @@ Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \ SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ SHAKE_FLAGS) -Index: openssl-3.2.3/test/build.info +Index: openssl-3.2.4/test/build.info =================================================================== ---- openssl-3.2.3.orig/test/build.info -+++ openssl-3.2.3/test/build.info +--- openssl-3.2.4.orig/test/build.info ++++ openssl-3.2.4/test/build.info @@ -63,7 +63,7 @@ IF[{- !$disabled{tests} -}] provfetchtest prov_config_test rand_test ca_internals_test \ bio_tfo_test membio_test bio_dgram_test list_test fips_version_test \ x509_test hpke_test pairwise_fail_test nodefltctxtest \ -- x509_load_cert_file_test -+ evp_xof_test x509_load_cert_file_test +- x509_load_cert_file_test bio_pw_callback_test ++ evp_xof_test x509_load_cert_file_test bio_pw_callback_test IF[{- !$disabled{'rpk'} -}] PROGRAMS{noinst}=rpktest 
@@ -1253,10 +1253,10 @@ Index: openssl-3.2.3/test/build.info SOURCE[evp_pkey_dparams_test]=evp_pkey_dparams_test.c INCLUDE[evp_pkey_dparams_test]=../include ../apps/include DEPEND[evp_pkey_dparams_test]=../libcrypto libtestutil.a -Index: openssl-3.2.3/test/evp_xof_test.c +Index: openssl-3.2.4/test/evp_xof_test.c =================================================================== --- /dev/null -+++ openssl-3.2.3/test/evp_xof_test.c ++++ openssl-3.2.4/test/evp_xof_test.c @@ -0,0 +1,492 @@ +/* + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. @@ -1750,10 +1750,10 @@ Index: openssl-3.2.3/test/evp_xof_test.c + ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests)); + return 1; +} -Index: openssl-3.2.3/test/recipes/30-test_evp_xof.t +Index: openssl-3.2.4/test/recipes/30-test_evp_xof.t =================================================================== --- /dev/null -+++ openssl-3.2.3/test/recipes/30-test_evp_xof.t ++++ openssl-3.2.4/test/recipes/30-test_evp_xof.t @@ -0,0 +1,12 @@ +#! /usr/bin/env perl +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. @@ -1767,10 +1767,10 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_xof.t +use OpenSSL::Test::Simple; + +simple_test("test_evp_xof", "evp_xof_test"); -Index: openssl-3.2.3/util/libcrypto.num +Index: openssl-3.2.4/util/libcrypto.num =================================================================== ---- openssl-3.2.3.orig/util/libcrypto.num -+++ openssl-3.2.3/util/libcrypto.num +--- openssl-3.2.4.orig/util/libcrypto.num ++++ openssl-3.2.4/util/libcrypto.num @@ -5536,6 +5536,7 @@ X509_STORE_CTX_set_get_crl X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: diff --git a/openssl-3.2.3.tar.gz b/openssl-3.2.3.tar.gz deleted file mode 100644 index 961fe1a..0000000 --- a/openssl-3.2.3.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239
-size 17762604
diff --git a/openssl-3.2.3.tar.gz.asc b/openssl-3.2.3.tar.gz.asc
deleted file mode 100644
index 4061984..0000000
--- a/openssl-3.2.3.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmbXBpkACgkQIWCU39DL
-ge81Ww//d6tE9XznGxx/+xfBFADDTALPDaO8yogJtECMMxixXn1zuWYheH40z5zO
-MTmIeHVLowXlfBl4YO8I+SDGbZy4CKFix3j+r/dojvteiPXrBKd83e67e0mDotAD
-w3NYar1Gh8kXnq63zEV8JRBjRhLb2b7uJhi1UUtaCgOfK/wvRVWiBDWyVAkVjR0V
-NGCQg6FXCjxXY9G01wyqBlZt4T/h/SxN+iZUWRRPrekTxVNAQxFsMLYupuULpeaz
-uHvXXJ1Os/Mh4zD8a/SHrbdw3ncHb7JmCNZu4cPUkNVw0Dc0y64SP+Wviet1oOio
-/pTnfq6ptUTpzkSFiI9ZmTS1eiqQ24BLdwu3J/6ss9hZUlFZPUozsH6HTVpRxWhI
-edp5fa8rpQ5wX+ftGNxA1tRhWjCrR1VgFhdZX5T4rS5fU3OX5TXPwHKqaFyGlxQd
-GV467+BgxixgEU5xMirkJ/WbYrcSEFS1i9EbL6HwJ2vO02jHNfK7Biy+krOZKnx1
-Oniv4DoPR1s2De+OinDI30Zo9STizpiFiv27vw+l8Wj6+SnCFoyAZMVYcdYXSAws
-Im054SFCpw1cqhhHMBMOodqUv2CEMyBLuUyjjOF6oFteUp/VEe8JUrkQBA+LhDgX
-kPNzpSTnX9lB/ALvaedOUyIQf8sV3IEGn7zWGOTBp1QLu6hiId8=
-=1Xgs
------END PGP SIGNATURE-----
diff --git a/openssl-3.2.4.tar.gz b/openssl-3.2.4.tar.gz
new file mode 100644
index 0000000..0254d99
--- /dev/null
+++ b/openssl-3.2.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716
+size 17782746
diff --git a/openssl-3.2.4.tar.gz.asc b/openssl-3.2.4.tar.gz.asc
new file mode 100644
index 0000000..7f2bb7c
--- /dev/null
+++ b/openssl-3.2.4.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmerYbgACgkQIWCU39DL
+ge+LMhAAmVXO6X5r3P5P8czf4kT8jFp9xRkp+jlzLZ7+Vt0GOc+8JZRJ/Fmi4fsD
+6nMScDzpJAv/KxOsRCC3l+Fz7eIRWvf+qeSTQggCYAlUF+3Y9qXbnOcCj+8/HPYa
+bAXq7S4hFi3T7NXFyOOx38KxUuhNpcC/tUvMEmYoR8HTm0n1Utf/h/IC9IVoc7at
+raUOo2qTZqwMNFue8fXC7lj6wL81MRD3TYOjePNZAKe2tuPCLoyR+sN8twVbNOLH
+9TDwMZLeCRaLebL9x14knhUOT4+/gsTGH84KS56Ry0YYSDGc2u+58HRaGFBbAEId
+hy4DYrYMCRlcSofPYlzMaFAZ3PSar+6ZPvvEl+OrOzY9DPoXzj0gXQ/NCWqJu9lg
+EQvE6/TnuhXEUxO25eWnIXGBWcmJtECut/rY1sV9OZwaOUPxDWZTxkDuv1dNDqug
+EmrfJHM7KdYVwy7JONReF0ODnNIVAa4HoAZ0EF3K3oySA5KmbA3YkkDGo5aqhpAD
+LZu4+fEmemq1fsEjAxdAk2Vmx4YUElcHEoQGQxSdPlIgl/z/KQ6ONuYoGIgXUXH8
+omXxceapMLP3DkHEpFxOYACCderAxDsZAjgFxM2Rlvp8afCq/C2wFYFDERU9XNIS
+SIc4N+NAoDAxSk6ScGSzORO78lFIGzBIX3pLSCCIezGCyfeHtYo=
+=HqP/
+-----END PGP SIGNATURE-----
diff --git a/openssl-3.changes b/openssl-3.changes
index 4df872c..82db47c 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Feb 11 18:21:12 UTC 2025 - Lucas Mulling
+
+- Update to 3.2.4:
+ * Fixed RFC7250 handshakes with unauthenticated servers don't abort as
+ expected. [CVE-2024-12797]
+ * Fixed timing side-channel in ECDSA signature computation. [CVE-2024-13176]
+ * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
+ curve parameters. [CVE-2024-9143]
+- Remove patch openssl-CVE-2024-13176.patch
+- Rebase patches:
+ * openssl-3-add_EVP_DigestSqueeze_api.patch
+ * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+ * openssl-FIPS-RSA-encapsulate.patch
+ * openssl-disable-fipsinstall.patch
+
 -------------------------------------------------------------------
 Wed Jan 22 13:15:51 UTC 2025 - Lucas Mulling
diff --git a/openssl-3.spec b/openssl-3.spec
index 62a1093..53e90e9 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
@@ -25,7 +25,7 @@ %define livepatchable 1 Name: openssl-3 -Version: 3.2.3 +Version: 3.2.4 Release: 0 Summary: Secure Sockets and Transport Layer Security License: Apache-2.0 @@ -144,8 +144,6 @@ Patch64: openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch # PATCH-FIX-UPSTREAM: Fix failing tests on ppc64 jsc#PED-10280 Patch65: openssl-3-fix-sha3-squeeze-ppc64.patch Patch66: openssl-3-fix-quic_multistream_test.patch -# PATCH-FIX-UPSTREAM: bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation -Patch67: openssl-CVE-2024-13176.patch BuildRequires: pkgconfig diff --git a/openssl-CVE-2024-13176.patch b/openssl-CVE-2024-13176.patch deleted file mode 100644 index 0d6e869..0000000 --- a/openssl-CVE-2024-13176.patch +++ /dev/null 
@@ -1,122 +0,0 @@
-From 4b1cb94a734a7d4ec363ac0a215a25c181e11f65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Wed, 15 Jan 2025 18:27:02 +0100
-Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
-
-There is a timing signal of around 300 nanoseconds when the top word of
-the inverted ECDSA nonce value is zero. This can happen with significant
-probability only for some of the supported elliptic curves. In particular
-the NIST P-521 curve is affected. To be able to measure this leak, the
-attacker process must either be located in the same physical computer or
-must have a very fast network connection with low latency.
-
-Attacks on ECDSA nonce are also known as Minerva attack.
-
-Fixes CVE-2024-13176
-
-Reviewed-by: Tim Hudson
-Reviewed-by: Neil Horman
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/26429)
-
-(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)
-(cherry picked from commit 392dcb336405a0c94486aa6655057f59fd3a0902)
----
- crypto/bn/bn_exp.c | 21 +++++++++++++++------
- crypto/ec/ec_lib.c | 7 ++++---
- include/crypto/bn.h | 3 +++
- 3 files changed, 22 insertions(+), 9 deletions(-)
-
-diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
-index b876edbfac36e..af52e2ced6914 100644
---- a/crypto/bn/bn_exp.c
-+++ b/crypto/bn/bn_exp.c
-@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
- * out by Colin Percival,
- * http://www.daemonology.net/hyperthreading-considered-harmful/)
- */
--int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *in_mont)
- {
-@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- unsigned int t4 = 0;
- #endif
-
-- bn_check_top(a);
-- bn_check_top(p);
-- bn_check_top(m);
--
- if (!BN_is_odd(m)) {
- ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
- return 0;
-@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- goto err;
- } else
- #endif
-- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
-+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
- goto err;
- ret = 1;
- err:
-@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- return ret;
- }
-
-+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+ const BIGNUM *m, BN_CTX *ctx,
-+ BN_MONT_CTX *in_mont)
-+{
-+ bn_check_top(a);
-+ bn_check_top(p);
-+ bn_check_top(m);
-+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
-+ return 0;
-+ bn_correct_top(rr);
-+ return 1;
-+}
-+
- int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
- {
-diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
-index c92b4dcb0ac45..a79fbb98cf6fa 100644
---- a/crypto/ec/ec_lib.c
-+++ b/crypto/ec/ec_lib.c
-@@ -21,6 +21,7 @@
- #include
- #include
- #include "crypto/ec.h"
-+#include "crypto/bn.h"
- #include "internal/nelem.h"
- #include "ec_local.h"
-
-@@ -1261,10 +1262,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
- if (!BN_sub(e, group->order, e))
- goto err;
- /*-
-- * Exponent e is public.
-- * No need for scatter-gather or BN_FLG_CONSTTIME.
-+ * Although the exponent is public we want the result to be
-+ * fixed top.
- */ -- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) -+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data)) - goto err; - - ret = 1; -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index 302f031c2ff1d..499e1d10efab0 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); - */ - int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mont, BN_CTX *ctx); -+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, -+ BN_MONT_CTX *in_mont); - int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, - BN_CTX *ctx); - int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, diff --git a/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch index 17f8da2..fcc1663 100644 --- a/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch +++ b/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch @@ -21,11 +21,11 @@ Patch-id: 93 test/recipes/80-test_ssl_old.t | 3 + 12 files changed, 118 insertions(+), 20 deletions(-) -diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c -index 726843fd30..24c65ca84f 100644 ---- a/crypto/dh/dh_backend.c -+++ b/crypto/dh/dh_backend.c -@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) +Index: openssl-3.2.4/crypto/dh/dh_backend.c +=================================================================== +--- openssl-3.2.4.orig/crypto/dh/dh_backend.c ++++ openssl-3.2.4/crypto/dh/dh_backend.c +@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, cons if (!dh_ffc_params_fromdata(dh, params)) return 0; 
@@ -42,11 +42,11 @@ index 726843fd30..24c65ca84f 100644 param_priv_len = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN); if (param_priv_len != NULL -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 0b391910d6..75581ca347 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret) +Index: openssl-3.2.4/crypto/dh/dh_check.c +=================================================================== +--- openssl-3.2.4.orig/crypto/dh/dh_check.c ++++ openssl-3.2.4/crypto/dh/dh_check.c +@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *r nid = DH_get_nid((DH *)dh); if (nid != NID_undef) return 1; @@ -67,11 +67,11 @@ index 0b391910d6..75581ca347 100644 } #else int DH_check_params(const DH *dh, int *ret) -diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c -index 204662a81c..9961f21920 100644 ---- a/crypto/dh/dh_gen.c -+++ b/crypto/dh/dh_gen.c -@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, +Index: openssl-3.2.4/crypto/dh/dh_gen.c +=================================================================== +--- openssl-3.2.4.orig/crypto/dh/dh_gen.c ++++ openssl-3.2.4/crypto/dh/dh_gen.c +@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, BN_GENCB *cb) { @@ -100,11 +100,11 @@ index 204662a81c..9961f21920 100644 if (ret > 0) dh->dirty_cnt++; return ret; -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 83773cceea..7e988368d3 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -321,8 +321,12 @@ static int generate_key(DH *dh) +Index: openssl-3.2.4/crypto/dh/dh_key.c +=================================================================== +--- openssl-3.2.4.orig/crypto/dh/dh_key.c ++++ openssl-3.2.4/crypto/dh/dh_key.c +@@ -336,8 +336,12 @@ static int generate_key(DH *dh) goto err; } else { #ifdef FIPS_MODULE 
@@ -119,7 +119,7 @@ index 83773cceea..7e988368d3 100644 #else if (dh->params.q == NULL) { /* secret exponent length, must satisfy 2^(l-1) <= p */ -@@ -343,9 +347,7 @@ static int generate_key(DH *dh) +@@ -358,9 +362,7 @@ static int generate_key(DH *dh) if (!BN_clear_bit(priv_key, 0)) goto err; } @@ -130,7 +130,7 @@ index 83773cceea..7e988368d3 100644 /* Do a partial check for invalid p, q, g */ if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, FFC_PARAM_TYPE_DH, NULL)) -@@ -361,6 +363,7 @@ static int generate_key(DH *dh) +@@ -376,6 +378,7 @@ static int generate_key(DH *dh) priv_key)) goto err; } @@ -138,11 +138,11 @@ index 83773cceea..7e988368d3 100644 } } -diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c -index f201eede0d..30f90d15be 100644 ---- a/crypto/dh/dh_pmeth.c -+++ b/crypto/dh/dh_pmeth.c -@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, +Index: openssl-3.2.4/crypto/dh/dh_pmeth.c +=================================================================== +--- openssl-3.2.4.orig/crypto/dh/dh_pmeth.c ++++ openssl-3.2.4/crypto/dh/dh_pmeth.c +@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_ prime_len, subprime_len, &res, pcb); else 
@@ -163,11 +163,11 @@ index f201eede0d..30f90d15be 100644 if (rv <= 0) { DH_free(ret); return NULL; -diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c -index 9a7dde7c66..b3e7bca5ac 100644 ---- a/providers/implementations/keymgmt/dh_kmgmt.c -+++ b/providers/implementations/keymgmt/dh_kmgmt.c -@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype) +Index: openssl-3.2.4/providers/implementations/keymgmt/dh_kmgmt.c +=================================================================== +--- openssl-3.2.4.orig/providers/implementations/keymgmt/dh_kmgmt.c ++++ openssl-3.2.4/providers/implementations/keymgmt/dh_kmgmt.c +@@ -417,6 +417,11 @@ static int dh_validate(const void *keyda if ((selection & DH_POSSIBLE_SELECTIONS) == 0) return 1; /* nothing to validate */ @@ -179,11 +179,11 @@ index 9a7dde7c66..b3e7bca5ac 100644 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { /* * Both of these functions check parameters. DH_check_params_ex() -diff --git a/test/endecode_test.c b/test/endecode_test.c -index 53385028fc..169f3ccd73 100644 ---- a/test/endecode_test.c -+++ b/test/endecode_test.c -@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) +Index: openssl-3.2.4/test/endecode_test.c +=================================================================== +--- openssl-3.2.4.orig/test/endecode_test.c ++++ openssl-3.2.4/test/endecode_test.c +@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const cha * for testing only. Use a minimum key size of 2048 for security purposes. */ if (strcmp(type, "DH") == 0) 
@@ -196,11 +196,11 @@ index 53385028fc..169f3ccd73 100644 # endif /* -diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c -index a7913cda4c..96a35ac1cc 100644 ---- a/test/evp_libctx_test.c -+++ b/test/evp_libctx_test.c -@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn) +Index: openssl-3.2.4/test/evp_libctx_test.c +=================================================================== +--- openssl-3.2.4.orig/test/evp_libctx_test.c ++++ openssl-3.2.4/test/evp_libctx_test.c +@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) @@ -209,11 +209,11 @@ index a7913cda4c..96a35ac1cc 100644 goto err; if (expected) { -diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c -index 4bdadc4143..e5186e4b4a 100644 ---- a/test/helpers/predefined_dhparams.c -+++ b/test/helpers/predefined_dhparams.c -@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx) +Index: openssl-3.2.4/test/helpers/predefined_dhparams.c +=================================================================== +--- openssl-3.2.4.orig/test/helpers/predefined_dhparams.c ++++ openssl-3.2.4/test/helpers/predefined_dhparams.c +@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libct dhx512_q, sizeof(dhx512_q)); } @@ -282,10 +282,10 @@ index 4bdadc4143..e5186e4b4a 100644 EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx) { static unsigned char dh1024_p[] = { -diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h -index f0e8709062..2ff6d6e721 100644 ---- a/test/helpers/predefined_dhparams.h -+++ b/test/helpers/predefined_dhparams.h +Index: openssl-3.2.4/test/helpers/predefined_dhparams.h +=================================================================== +--- openssl-3.2.4.orig/test/helpers/predefined_dhparams.h ++++ openssl-3.2.4/test/helpers/predefined_dhparams.h 
@@ -12,6 +12,7 @@ #ifndef OPENSSL_NO_DH EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx); 
@@ -294,27 +294,27 @@ index f0e8709062..2ff6d6e721 100644 EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct); EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx); -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 2a459856f0..afac836fa3 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -627,10 +627,10 @@ my @smime_cms_param_tests = ( - ], - - [ "enveloped content test streaming S/MIME format, X9.42 DH", -- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, -+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, - "-stream", "-out", "{output}.cms", - "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], -- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), -+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), - "-in", "{output}.cms", "-out", "{output}.txt" ], - \&final_compare - ] -diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t -index 527abcea6e..e1d38b1e62 100644 ---- a/test/recipes/80-test_ssl_old.t -+++ b/test/recipes/80-test_ssl_old.t +Index: openssl-3.2.4/test/recipes/80-test_cms.t +=================================================================== +--- openssl-3.2.4.orig/test/recipes/80-test_cms.t ++++ openssl-3.2.4/test/recipes/80-test_cms.t +@@ -647,10 +647,10 @@ if ($no_fips || $old_fips) { + # Only SHA1 supported in dh_cms_encrypt() + push(@smime_cms_param_tests, + [ "enveloped content test streaming S/MIME format, X9.42 DH", +- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, ++ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], +- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), ++ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare + ] +Index: openssl-3.2.4/test/recipes/80-test_ssl_old.t 
+=================================================================== +--- openssl-3.2.4.orig/test/recipes/80-test_ssl_old.t ++++ openssl-3.2.4/test/recipes/80-test_ssl_old.t @@ -390,6 +390,9 @@ sub testssl { skip "skipping dhe1024dsa test", 1 if ($no_dh); @@ -325,6 +325,3 @@ index 527abcea6e..e1d38b1e62 100644 ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); } --- -2.41.0 - diff --git a/openssl-FIPS-RSA-encapsulate.patch b/openssl-FIPS-RSA-encapsulate.patch index 3e87529..70b3cbb 100644 --- a/openssl-FIPS-RSA-encapsulate.patch +++ b/openssl-FIPS-RSA-encapsulate.patch @@ -9,15 +9,14 @@ Patch-id: 91 providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) -diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c -index 365ae3d7d6..8a6f585d0b 100644 ---- a/providers/implementations/kem/rsa_kem.c -+++ b/providers/implementations/kem/rsa_kem.c -@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx, - *secretlen = nlen; - return 1; +Index: openssl-3.2.4/providers/implementations/kem/rsa_kem.c +=================================================================== +--- openssl-3.2.4.orig/providers/implementations/kem/rsa_kem.c ++++ openssl-3.2.4/providers/implementations/kem/rsa_kem.c +@@ -276,6 +276,13 @@ static int rsasve_generate(PROV_RSA_CTX + return 0; } -+ + +#ifdef FIPS_MODULE + if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) { + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); @@ -28,7 +27,7 @@ index 365ae3d7d6..8a6f585d0b 100644 /* * Step (2): Generate a random byte string z of nlen bytes where * 1 < z < n - 1 -@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx, +@@ -337,6 +344,13 @@ static int rsasve_recover(PROV_RSA_CTX * return 1; } 
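Review bot: The refreshed rsasve_generate hunk in openssl-FIPS-RSA-encapsulate.patch re-anchors the FIPS minimum-modulus guard from directly after the `*secretlen = nlen; return 1;` length-query block to after a block ending in `return 0;` (now `@@ -276,6 +276,13 @@`), and nothing in the patch records why the guard sits at that point. The body of rsasve_generate above the guard is outside the hunk, so this is inferred: if the length-query path still returns before the guard, a size query on an undersized key keeps succeeding in the FIPS module and the rejection only happens at encapsulation, which is worth confirming against the 3.2.4 source. I would add a comment above the guard, `/* FIPS: reject moduli below OPENSSL_RSA_FIPS_MIN_MODULUS_BITS before generating z */`, and an equivalent one above the matching guard in the rsasve_recover hunk. The patch header also still reads `15 insertions(+)`, although after dropping the leading blank `+` line the two hunks now add 7 lines each.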
@@ -39,9 +38,6 @@ index 365ae3d7d6..8a6f585d0b 100644 + } +#endif + - /* Step (2): check the input ciphertext 'inlen' matches the nlen */ - if (inlen != nlen) { - ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); --- -2.41.0 - + /* + * Step (2): check the input ciphertext 'inlen' matches the nlen + * and that outlen is at least nlen bytes diff --git a/openssl-disable-fipsinstall.patch b/openssl-disable-fipsinstall.patch index b5f0593..d9ed160 100644 --- a/openssl-disable-fipsinstall.patch +++ b/openssl-disable-fipsinstall.patch @@ -17,11 +17,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - 6 files changed, 10 insertions(+), 375 deletions(-) -Index: openssl-3.1.4/apps/fipsinstall.c +Index: openssl-3.2.4/apps/fipsinstall.c =================================================================== ---- openssl-3.1.4.orig/apps/fipsinstall.c -+++ openssl-3.1.4/apps/fipsinstall.c -@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **ar +--- openssl-3.2.4.orig/apps/fipsinstall.c ++++ openssl-3.2.4/apps/fipsinstall.c +@@ -374,6 +374,9 @@ int fipsinstall_main(int argc, char **ar EVP_MAC *mac = NULL; CONF *conf = NULL; @@ -31,10 +31,10 @@ Index: openssl-3.1.4/apps/fipsinstall.c if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) goto end; -Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in +Index: openssl-3.2.4/doc/man1/openssl-fipsinstall.pod.in =================================================================== ---- openssl-3.1.4.orig/doc/man1/openssl-fipsinstall.pod.in -+++ openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in +--- openssl-3.2.4.orig/doc/man1/openssl-fipsinstall.pod.in ++++ openssl-3.2.4/doc/man1/openssl-fipsinstall.pod.in @@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS confi =head1 SYNOPSIS 
@@ -312,13 +312,13 @@ Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in +Please consult the SUSE/openSUSE documentation to learn how to correctly +enable FIPS mode. - =head1 COPYRIGHT + =head1 HISTORY -Index: openssl-3.1.4/doc/man1/openssl.pod +Index: openssl-3.2.4/doc/man1/openssl.pod =================================================================== ---- openssl-3.1.4.orig/doc/man1/openssl.pod -+++ openssl-3.1.4/doc/man1/openssl.pod -@@ -135,10 +135,6 @@ Engine (loadable module) information and +--- openssl-3.2.4.orig/doc/man1/openssl.pod ++++ openssl-3.2.4/doc/man1/openssl.pod +@@ -137,10 +137,6 @@ Engine (loadable module) information and Error Number to Error String Conversion. @@ -329,10 +329,10 @@ Index: openssl-3.1.4/doc/man1/openssl.pod =item B Generation of DSA Private Key from Parameters. Superseded by -Index: openssl-3.1.4/doc/man5/config.pod +Index: openssl-3.2.4/doc/man5/config.pod =================================================================== ---- openssl-3.1.4.orig/doc/man5/config.pod -+++ openssl-3.1.4/doc/man5/config.pod +--- openssl-3.2.4.orig/doc/man5/config.pod ++++ openssl-3.2.4/doc/man5/config.pod @@ -565,7 +565,6 @@ configuration files using that syntax wi =head1 SEE ALSO @@ -341,10 +341,10 @@ Index: openssl-3.1.4/doc/man5/config.pod L, L, L, -Index: openssl-3.1.4/doc/man5/fips_config.pod +Index: openssl-3.2.4/doc/man5/fips_config.pod =================================================================== ---- openssl-3.1.4.orig/doc/man5/fips_config.pod -+++ openssl-3.1.4/doc/man5/fips_config.pod +--- openssl-3.2.4.orig/doc/man5/fips_config.pod ++++ openssl-3.2.4/doc/man5/fips_config.pod @@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration =head1 DESCRIPTION 
@@ -456,11 +456,11 @@ Index: openssl-3.1.4/doc/man5/fips_config.pod =head1 HISTORY -Index: openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod +Index: openssl-3.2.4/doc/man7/OSSL_PROVIDER-FIPS.pod =================================================================== ---- openssl-3.1.4.orig/doc/man7/OSSL_PROVIDER-FIPS.pod -+++ openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod -@@ -455,7 +455,6 @@ want to operate in a FIPS approved manne +--- openssl-3.2.4.orig/doc/man7/OSSL_PROVIDER-FIPS.pod ++++ openssl-3.2.4/doc/man7/OSSL_PROVIDER-FIPS.pod +@@ -489,7 +489,6 @@ want to operate in a FIPS approved manne =head1 SEE ALSO