pool/openssl-3
SHA256
12
0
Fork 2
Code Issues Pull Requests Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main pool:devel
...
pull from: pool:slfo-1.2
Branches Tags
pool:slfo-1.2 pool:slfo-main pool:factory pool:devel

1 Commits
factory ... slfo-1.2

Author SHA256 Message Date
Adrian Schröter
be5aa8e361 Sync changes to SLFO-1.2 branch 2025-08-20 10:00:00 +02:00
15 changed files with 461 additions and 319 deletions
Expand all files Collapse all files

BIN
openssl-3.5.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
openssl-3.5.0.tar.gz.asc Normal file
View File

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmf1ITQACgkQIWCU39DL
ge+kyhAAjicxaMPBhcQqgnp3RyZhf4hOwVEzkUu3ouEjdIccz8NMxwV4Kf298ivL
DHF/0HZQuHzIjcO/vQLLG66XCeiS0bDDIxEj457iYDr/lbWvGOqKgH+e5u7fo4iG
f3aRZ/ACVuFXQ9LWjtR0M15HGJ/fKCCJQgIFwZ103tz4ptO6PBtUFK3PNGUpVjbV
00oJ0msl2NDwrKpymVNKp9gXva7RfzIggPDl6MC80m54T7aruXhqur4dxkcyD+pa
WmYKd4659jhCHRlXGZzz8XcLUsa3gQzP8W2RIqMZY8hdaaGnPEZY942s7KwRsdq0
Blr54GBTpK8TLAUfBuFkFejS5bSbGsCGgAt9lP8ZkscRiG5tGdBYV/KUcOD7a1Xa
VnsLlePtWlJGAWZt54JhQz5/dQtI51xJmhzbcHB5mTtDY0SZ7EnHNgTo1UY4cZZd
sI3QhEgCOEh9UCMBQrxpaR9+chFaTd4hlYfbJAZgfI6XZyx8uSvngl3K/22anJmR
Js1q8sE0G4hbtaSM5YecdX+RAMAwfujwqDY6BEM032kAO9eGe0PEnCRC8b23bRxF
Vqmuwv7VpUMxCjo0k5GUC4Bj502r3H9ArPTVTI/E9Elhrc2jGfrU6bPdMmaz3qAi
nKMjtRtsg81LwSlxg2ypi2L+liv6md2QkaQswMS6k+JGRaR5sVc=
=pAni
-----END PGP SIGNATURE-----

3
openssl-3.5.2.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec
size 53180161

16
openssl-3.5.2.tar.gz.asc
View File

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmiR9TgACgkQIWCU39DL
ge+F9Q//RUI2si/uXrElduJnTC5J1Yd+/gGqsUTU6/JXu66e9xRATCdvILFAuOV/
wfChf9IFP1YRO+qwJO47rFgMn90sV8zlmS3hFxWIxIzvTnT3+icHmJvxbbAuG6PS
1/5aY3Sntcnhx0mNfp249E7YemsBl2oIMtGiZQNUoObsUN+u0BFwnG5GiMkNfOiu
xsoOs89ZYWXZ3Qu2UNS0vIGuKKzll8Prh9B8GmO3I4/Fowdpc/++IPZgQAqVV6n6
2vI3fTY2LRRfYRdAzyRM/fxSEPPTSdYWlmCXeuOlbiCCorIB3jLAU9qcU0q4SGCS
bXtRep5Kl7Kqnu2M7YwvAzZU6u45H766p0oc69DePgqyD21/AxnspNeZEAsnGY15
gPjOBOK/0wBzwx8Ko+WvERGAOQ68oLVIwRJA0CUtoxc+4uNAgo0DEAC/iJdu7y+I
qrlGRsgurIkTXopnVkZzVvp/4ctJUg40zKmk4lCgJhCgnupeDtgmc3P0Xsdl14Zl
9D2z0NZi9KVcXtangt7YFz+QUZz3+UI6TU+zHyX9nQWmyBPVtRwdx1gk2VVwH0sx
G3kokS+GkzsZL+Dc605ER4Y0VCSfsh7B5KfNmDaQK7wMmbBM7Sy7MrvhOvnywkBp
oDmgGrE5waeIUVyhaa10jR+ErbYYeNti2kdc8QR1ptcEDch7Rck=
=oBWA
-----END PGP SIGNATURE-----

36
openssl-3.changes
View File

@@ -1,44 +1,8 @@
-------------------------------------------------------------------
Tue Aug 5 16:34:57 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
- Update to 3.5.2:
* Miscellaneous minor bug fixes.
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
- Rebase patches:
* openssl-FIPS-140-3-keychecks.patch
* openssl-FIPS-NO-DES-support.patch
* openssl-FIPS-enforce-EMS-support.patch
* openssl-disable-fipsinstall.patch
- Move ssl configuration files to the libopenssl package [bsc#1247463]
- Don't install unneeded NOTES
-------------------------------------------------------------------
Wed Jul 30 09:17:24 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
- Disable LTO for userspace livepatching [jsc#PED-13245]
-------------------------------------------------------------------
Mon Jul 28 07:45:23 UTC 2025 - Andreas Schwab <schwab@suse.de>
- Use termios instead of obsolete termio
-------------------------------------------------------------------
Mon Jul 7 13:33:21 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
- Update to 3.5.1:
* Fix x509 application adds trusted use instead of rejected use.
[bsc#1243564, CVE-2025-4575]
- Remove patches:
* openssl-Fix-P384-on-P8-targets.patch
* openssl-CVE-2025-4575.patch
- Rebase patches:
* openssl-Allow-disabling-of-SHA1-signatures.patch
* openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
* openssl-FIPS-NO-DES-support.patch
- Fix a bogus warning caused by -Wfree-nonheap-object
* Add patch openssl-Fix-Wfree-nonheap-object-warning.patch
-------------------------------------------------------------------
Thu May 29 06:46:14 UTC 2025 - Pedro Monreal <pmonreal@suse.com>

41
openssl-3.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package openssl-3
#
# Copyright (c) 2025 SUSE LLC and contributors
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -38,7 +38,7 @@
%define livepatchable 1
Name: openssl-3
Version: 3.5.2
Version: 3.5.0
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: Apache-2.0
@@ -124,8 +124,10 @@ Patch42: openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
Patch43: openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
# PATCH-FIX-FEDORA FIPS: Fix the speed command in FIPS mode for KMAC
Patch44: openssl-FIPS-Fix-openssl-speed-KMAC.patch
# PATCH-FIX-SUSE Fix a bogus warning caused by -Wfree-nonheap-object
Patch45: openssl-Fix-Wfree-nonheap-object-warning.patch
# PATCH-FIX-UPSTREAM bsc#1243564 CVE-2025-4575 The x509 application adds trusted use instead of rejected use
Patch45: openssl-CVE-2025-4575.patch
# PATCH-FIX-UPSTREAM bsc#1243014 Fix P-384 curve on lower-than-P9 PPC64 targets
Patch46: openssl-Fix-P384-on-P8-targets.patch
# ulp-macros is available according to SUSE version.
%ifarch x86_64
@@ -252,7 +254,7 @@ export MACHINE=armv6l
-Wa,--noexecstack \
-Wl,-z,relro,-z,now \
-fno-common \
-DTERMIOS \
-DTERMIO \
-DPURIFY \
-D_GNU_SOURCE \
-DOPENSSL_PEDANTIC_ZEROIZATION \
@@ -325,11 +327,6 @@ rm -f %{buildroot}%{_libdir}/*.a
rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist
rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist
# Remove unneeded NOTES files
for file in NOTES-ANDROID.md NOTES-DJGPP.md NOTES-NONSTOP.md NOTES-VMS.md NOTES-WINDOWS.md ; do
rm -f %{_datadir}/packages/libopenssl-3-devel/${file}
done
# Make a copy of the default openssl.cnf file
cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf
@@ -393,21 +390,9 @@ fi
%{_libdir}/ossl-modules/legacy.so
%{_libdir}/.libssl.so.%{sover}.hmac
%{_libdir}/.libcrypto.so.%{sover}.hmac
%dir %{ssletcdir}
%attr(700,root,root) %{ssletcdir}/private
%config %{ssletcdir}/openssl-orig.cnf
%config (noreplace) %{ssletcdir}/openssl.cnf
%config (noreplace) %{ssletcdir}/ct_log_list.cnf
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%dir %{_localstatedir}/lib/ca-certificates/
%dir %{_localstatedir}/lib/ca-certificates/openssl
%files -n libopenssl-3-fips-provider
%{_libdir}/ossl-modules/fips.so
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
%config %{ssletcdir}/fips_local.cnf
%endif
%files -n libopenssl-3-devel
%doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md
@@ -428,6 +413,18 @@ fi
%files
%license LICENSE.txt
%doc CHANGES.md NEWS.md README.md
%dir %{ssletcdir}
%config %{ssletcdir}/openssl-orig.cnf
%config (noreplace) %{ssletcdir}/openssl.cnf
%config (noreplace) %{ssletcdir}/ct_log_list.cnf
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
%config %{ssletcdir}/fips_local.cnf
%endif
%attr(700,root,root) %{ssletcdir}/private
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%dir %{_localstatedir}/lib/ca-certificates/
%dir %{_localstatedir}/lib/ca-certificates/openssl
%{_bindir}/%{_rname}
%{_bindir}/c_rehash
%{_mandir}/man1/*

118
openssl-Allow-disabling-of-SHA1-signatures.patch
View File

@@ -1,7 +1,7 @@
Index: openssl-3.5.1/crypto/context.c
Index: openssl-3.5.0/crypto/context.c
===================================================================
--- openssl-3.5.1.orig/crypto/context.c
+++ openssl-3.5.1/crypto/context.c
--- openssl-3.5.0.orig/crypto/context.c
+++ openssl-3.5.0/crypto/context.c
@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st {
#endif
STACK_OF(SSL_COMP) *comp_methods;
@@ -35,7 +35,7 @@ Index: openssl-3.5.1/crypto/context.c
static void context_deinit_objs(OSSL_LIB_CTX *ctx);
static int context_init(OSSL_LIB_CTX *ctx)
@@ -235,6 +254,10 @@ static int context_init(OSSL_LIB_CTX *ct
@@ -235,6 +256,10 @@ static int context_init(OSSL_LIB_CTX *ct
goto err;
#endif
@@ -46,7 +46,7 @@ Index: openssl-3.5.1/crypto/context.c
/* Low priority. */
#ifndef FIPS_MODULE
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
@@ -382,6 +405,11 @@ static void context_deinit_objs(OSSL_LIB
@@ -382,6 +407,11 @@ static void context_deinit_objs(OSSL_LIB
}
#endif
@@ -58,7 +58,7 @@ Index: openssl-3.5.1/crypto/context.c
/* Low priority. */
#ifndef FIPS_MODULE
if (ctx->child_provider != NULL) {
@@ -660,6 +688,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX
@@ -660,6 +690,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX
case OSSL_LIB_CTX_COMP_METHODS:
return (void *)&ctx->comp_methods;
@@ -68,7 +68,7 @@ Index: openssl-3.5.1/crypto/context.c
default:
return NULL;
}
@@ -714,3 +745,44 @@ void OSSL_LIB_CTX_set_conf_diagnostics(O
@@ -714,3 +747,44 @@ void OSSL_LIB_CTX_set_conf_diagnostics(O
return;
libctx->conf_diagnostics = value;
}
@@ -113,10 +113,10 @@ Index: openssl-3.5.1/crypto/context.c
+ ldsigs->allowed = allow;
+ return 1;
+}
Index: openssl-3.5.1/crypto/evp/evp_cnf.c
Index: openssl-3.5.0/crypto/evp/evp_cnf.c
===================================================================
--- openssl-3.5.1.orig/crypto/evp/evp_cnf.c
+++ openssl-3.5.1/crypto/evp/evp_cnf.c
--- openssl-3.5.0.orig/crypto/evp/evp_cnf.c
+++ openssl-3.5.0/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <openssl/crypto.h>
@@ -144,10 +144,10 @@ Index: openssl-3.5.1/crypto/evp/evp_cnf.c
} else {
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
Index: openssl-3.5.1/crypto/evp/m_sigver.c
Index: openssl-3.5.0/crypto/evp/m_sigver.c
===================================================================
--- openssl-3.5.1.orig/crypto/evp/m_sigver.c
+++ openssl-3.5.1/crypto/evp/m_sigver.c
--- openssl-3.5.0.orig/crypto/evp/m_sigver.c
+++ openssl-3.5.0/crypto/evp/m_sigver.c
@@ -15,6 +15,7 @@
#include "internal/provider.h"
#include "internal/numbers.h" /* includes SIZE_MAX */
@@ -156,7 +156,7 @@ Index: openssl-3.5.1/crypto/evp/m_sigver.c
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
{
@@ -320,6 +321,18 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -251,6 +252,18 @@ static int do_sigver_init(EVP_MD_CTX *ct
}
}
@@ -173,12 +173,12 @@ Index: openssl-3.5.1/crypto/evp/m_sigver.c
+ }
+
if (ver) {
if (ctx->pctx->pmeth->verifyctx_init) {
if (ctx->pctx->pmeth->verifyctx_init(ctx->pctx, ctx) <= 0)
Index: openssl-3.5.1/crypto/evp/pmeth_lib.c
if (signature->digest_verify_init == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
Index: openssl-3.5.0/crypto/evp/pmeth_lib.c
===================================================================
--- openssl-3.5.1.orig/crypto/evp/pmeth_lib.c
+++ openssl-3.5.1/crypto/evp/pmeth_lib.c
--- openssl-3.5.0.orig/crypto/evp/pmeth_lib.c
+++ openssl-3.5.0/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
#include "internal/ffc.h"
#include "internal/numbers.h"
@@ -187,7 +187,7 @@ Index: openssl-3.5.1/crypto/evp/pmeth_lib.c
#include "evp_local.h"
#ifndef FIPS_MODULE
@@ -963,6 +964,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_
@@ -954,6 +955,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_
return -2;
}
@@ -208,10 +208,10 @@ Index: openssl-3.5.1/crypto/evp/pmeth_lib.c
if (fallback)
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
Index: openssl-3.5.1/doc/man5/config.pod
Index: openssl-3.5.0/doc/man5/config.pod
===================================================================
--- openssl-3.5.1.orig/doc/man5/config.pod
+++ openssl-3.5.1/doc/man5/config.pod
--- openssl-3.5.0.orig/doc/man5/config.pod
+++ openssl-3.5.0/doc/man5/config.pod
@@ -315,6 +315,21 @@ Within the algorithm properties section,
The value may be anything that is acceptable as a property query
string for EVP_set_default_properties().
@@ -234,10 +234,10 @@ Index: openssl-3.5.1/doc/man5/config.pod
=item B<fips_mode> (deprecated)
The value is a boolean that can be B<yes> or B<no>. If the value is
Index: openssl-3.5.1/include/crypto/context.h
Index: openssl-3.5.0/include/crypto/context.h
===================================================================
--- openssl-3.5.1.orig/include/crypto/context.h
+++ openssl-3.5.1/include/crypto/context.h
--- openssl-3.5.0.orig/include/crypto/context.h
+++ openssl-3.5.0/include/crypto/context.h
@@ -48,3 +48,11 @@ void ossl_release_default_drbg_ctx(void)
#if defined(OPENSSL_THREADS)
void ossl_threads_ctx_free(void *);
@@ -250,10 +250,10 @@ Index: openssl-3.5.1/include/crypto/context.h
+} OSSL_LEGACY_DIGEST_SIGNATURES;
+#endif
+
Index: openssl-3.5.1/include/internal/cryptlib.h
Index: openssl-3.5.0/include/internal/cryptlib.h
===================================================================
--- openssl-3.5.1.orig/include/internal/cryptlib.h
+++ openssl-3.5.1/include/internal/cryptlib.h
--- openssl-3.5.0.orig/include/internal/cryptlib.h
+++ openssl-3.5.0/include/internal/cryptlib.h
@@ -120,7 +120,8 @@ typedef struct ossl_ex_data_global_st {
# define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
# define OSSL_LIB_CTX_COMP_METHODS 21
@@ -264,10 +264,10 @@ Index: openssl-3.5.1/include/internal/cryptlib.h
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
Index: openssl-3.5.1/include/internal/sslconf.h
Index: openssl-3.5.0/include/internal/sslconf.h
===================================================================
--- openssl-3.5.1.orig/include/internal/sslconf.h
+++ openssl-3.5.1/include/internal/sslconf.h
--- openssl-3.5.0.orig/include/internal/sslconf.h
+++ openssl-3.5.0/include/internal/sslconf.h
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name,
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
char **arg);
@@ -277,20 +277,20 @@ Index: openssl-3.5.1/include/internal/sslconf.h
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
+ int loadconfig);
#endif
Index: openssl-3.5.1/providers/common/include/prov/securitycheck.h
Index: openssl-3.5.0/providers/common/include/prov/securitycheck.h
===================================================================
--- openssl-3.5.1.orig/providers/common/include/prov/securitycheck.h
+++ openssl-3.5.1/providers/common/include/prov/securitycheck.h
--- openssl-3.5.0.orig/providers/common/include/prov/securitycheck.h
+++ openssl-3.5.0/providers/common/include/prov/securitycheck.h
@@ -37,3 +37,5 @@ int ossl_digest_get_approved_nid(const E
/* Functions that have different implementations for the FIPS_MODULE */
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md);
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx);
+
+int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid);
Index: openssl-3.5.1/providers/common/securitycheck.c
Index: openssl-3.5.0/providers/common/securitycheck.c
===================================================================
--- openssl-3.5.1.orig/providers/common/securitycheck.c
+++ openssl-3.5.1/providers/common/securitycheck.c
--- openssl-3.5.0.orig/providers/common/securitycheck.c
+++ openssl-3.5.0/providers/common/securitycheck.c
@@ -19,6 +19,7 @@
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
@@ -316,10 +316,10 @@ Index: openssl-3.5.1/providers/common/securitycheck.c
+
+ return mdnid;
+}
Index: openssl-3.5.1/providers/common/securitycheck_default.c
Index: openssl-3.5.0/providers/common/securitycheck_default.c
===================================================================
--- openssl-3.5.1.orig/providers/common/securitycheck_default.c
+++ openssl-3.5.1/providers/common/securitycheck_default.c
--- openssl-3.5.0.orig/providers/common/securitycheck_default.c
+++ openssl-3.5.0/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
@@ -328,10 +328,10 @@ Index: openssl-3.5.1/providers/common/securitycheck_default.c
/* Disable the security checks in the default provider */
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
Index: openssl-3.5.1/providers/implementations/signature/dsa_sig.c
Index: openssl-3.5.0/providers/implementations/signature/dsa_sig.c
===================================================================
--- openssl-3.5.1.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.5.1/providers/implementations/signature/dsa_sig.c
--- openssl-3.5.0.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.5.0/providers/implementations/signature/dsa_sig.c
@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
@@ -340,10 +340,10 @@ Index: openssl-3.5.1/providers/implementations/signature/dsa_sig.c
if (md == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
Index: openssl-3.5.1/providers/implementations/signature/ecdsa_sig.c
Index: openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
===================================================================
--- openssl-3.5.1.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.5.1/providers/implementations/signature/ecdsa_sig.c
--- openssl-3.5.0.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
@@ -197,13 +197,16 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
goto err;
}
@@ -362,10 +362,10 @@ Index: openssl-3.5.1/providers/implementations/signature/ecdsa_sig.c
/* XOF digests don't work */
if (EVP_MD_xof(md)) {
ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
Index: openssl-3.5.1/providers/implementations/signature/rsa_sig.c
Index: openssl-3.5.0/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.5.1.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.5.1/providers/implementations/signature/rsa_sig.c
--- openssl-3.5.0.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.5.0/providers/implementations/signature/rsa_sig.c
@@ -26,6 +26,7 @@
#include "internal/cryptlib.h"
#include "internal/nelem.h"
@@ -419,10 +419,10 @@ Index: openssl-3.5.1/providers/implementations/signature/rsa_sig.c
if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
Index: openssl-3.5.1/ssl/t1_lib.c
Index: openssl-3.5.0/ssl/t1_lib.c
===================================================================
--- openssl-3.5.1.orig/ssl/t1_lib.c
+++ openssl-3.5.1/ssl/t1_lib.c
--- openssl-3.5.0.orig/ssl/t1_lib.c
+++ openssl-3.5.0/ssl/t1_lib.c
@@ -21,6 +21,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
@@ -431,7 +431,7 @@ Index: openssl-3.5.1/ssl/t1_lib.c
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
@@ -2178,6 +2179,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
@@ -2176,6 +2177,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
EVP_PKEY *tmpkey = EVP_PKEY_new();
int istls;
int ret = 0;
@@ -439,7 +439,7 @@ Index: openssl-3.5.1/ssl/t1_lib.c
if (ctx == NULL)
goto err;
@@ -2195,6 +2197,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
@@ -2193,6 +2195,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
goto err;
ERR_set_mark();
@@ -447,7 +447,7 @@ Index: openssl-3.5.1/ssl/t1_lib.c
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
for (i = 0, lu = sigalg_lookup_tbl;
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
@@ -2215,6 +2218,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
@@ -2213,6 +2216,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
cache[i].available = 0;
continue;
}
@@ -459,10 +459,10 @@ Index: openssl-3.5.1/ssl/t1_lib.c
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
cache[i].available = 0;
Index: openssl-3.5.1/util/libcrypto.num
Index: openssl-3.5.0/util/libcrypto.num
===================================================================
--- openssl-3.5.1.orig/util/libcrypto.num
+++ openssl-3.5.1/util/libcrypto.num
--- openssl-3.5.0.orig/util/libcrypto.num
+++ openssl-3.5.0/util/libcrypto.num
@@ -5925,3 +5925,5 @@ OSSL_AA_DIST_POINT_free
OSSL_AA_DIST_POINT_new 6052 3_5_0 EXIST::FUNCTION:
OSSL_AA_DIST_POINT_it 6053 3_5_0 EXIST::FUNCTION:

61
openssl-CVE-2025-4575.patch Normal file
View File

@@ -0,0 +1,61 @@
From 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 20 May 2025 16:34:10 +0200
Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
of rejection
Fixes CVE-2025-4575
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/27672)
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
---
apps/x509.c | 2 +-
test/recipes/25-test_x509.t | 12 +++++++++++-
2 files changed, 12 insertions(+), 2 deletions(-)
Index: openssl-3.5.0/apps/x509.c
===================================================================
--- openssl-3.5.0.orig/apps/x509.c
+++ openssl-3.5.0/apps/x509.c
@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
prog, opt_arg());
goto opthelp;
}
- if (!sk_ASN1_OBJECT_push(trust, objtmp))
+ if (!sk_ASN1_OBJECT_push(reject, objtmp))
goto end;
trustout = 1;
break;
Index: openssl-3.5.0/test/recipes/25-test_x509.t
===================================================================
--- openssl-3.5.0.orig/test/recipes/25-test_x509.t
+++ openssl-3.5.0/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_fil
setup("test_x509");
-plan tests => 134;
+plan tests => 138;
# Prevent MSys2 filename munging for arguments that look like file paths but
# aren't
@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "
&& run(app(["openssl", "verify", "-no_check_time",
"-trusted", $ca, "-partial_chain", $caout])));
+# test trust decoration
+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
+ "-out", "ca-trusted.pem"])));
+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
+ 1, 'trusted use - E-mail Protection');
+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
+ "-out", "ca-rejected.pem"])));
+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
+ 1, 'rejected use - E-mail Protection');
+
subtest 'x509 -- x.509 v1 certificate' => sub {
tconversion( -type => 'x509', -prefix => 'x509v1',
-in => srctop_file("test", "testx509.pem") );

60
openssl-FIPS-140-3-keychecks.patch
View File

@@ -9,11 +9,11 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
2 files changed, 61 insertions(+), 4 deletions(-)
Index: openssl-3.5.2/providers/implementations/keymgmt/rsa_kmgmt.c
Index: openssl-3.5.0-beta1/providers/implementations/keymgmt/rsa_kmgmt.c
===================================================================
--- openssl-3.5.2.orig/providers/implementations/keymgmt/rsa_kmgmt.c
+++ openssl-3.5.2/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -451,6 +451,7 @@ struct rsa_gen_ctx {
--- openssl-3.5.0-beta1.orig/providers/implementations/keymgmt/rsa_kmgmt.c
+++ openssl-3.5.0-beta1/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -433,6 +433,7 @@ struct rsa_gen_ctx {
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
/* ACVP test parameters */
OSSL_PARAM *acvp_test_params;
@@ -21,7 +21,7 @@ Index: openssl-3.5.2/providers/implementations/keymgmt/rsa_kmgmt.c
#endif
};
@@ -464,6 +465,12 @@ static int rsa_gencb(int p, int n, BN_GE
@@ -446,6 +447,12 @@ static int rsa_gencb(int p, int n, BN_GE
return gctx->cb(params, gctx->cbarg);
}
@@ -34,7 +34,7 @@ Index: openssl-3.5.2/providers/implementations/keymgmt/rsa_kmgmt.c
static void *gen_init(void *provctx, int selection, int rsa_type,
const OSSL_PARAM params[])
{
@@ -491,6 +498,10 @@ static void *gen_init(void *provctx, int
@@ -473,6 +480,10 @@ static void *gen_init(void *provctx, int
if (!rsa_gen_set_params(gctx, params))
goto err;
@@ -45,7 +45,7 @@ Index: openssl-3.5.2/providers/implementations/keymgmt/rsa_kmgmt.c
return gctx;
err:
@@ -647,6 +658,11 @@ static void *rsa_gen(void *genctx, OSSL_
@@ -629,6 +640,11 @@ static void *rsa_gen(void *genctx, OSSL_
rsa = rsa_tmp;
rsa_tmp = NULL;
@@ -57,7 +57,7 @@ Index: openssl-3.5.2/providers/implementations/keymgmt/rsa_kmgmt.c
err:
BN_GENCB_free(gencb);
RSA_free(rsa_tmp);
@@ -662,6 +678,8 @@ static void rsa_gen_cleanup(void *genctx
@@ -644,6 +660,8 @@ static void rsa_gen_cleanup(void *genctx
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
gctx->acvp_test_params = NULL;
@@ -66,10 +66,10 @@ Index: openssl-3.5.2/providers/implementations/keymgmt/rsa_kmgmt.c
#endif
BN_clear_free(gctx->pub_exp);
OPENSSL_free(gctx);
Index: openssl-3.5.2/providers/implementations/signature/rsa_sig.c
Index: openssl-3.5.0-beta1/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.5.2.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.5.2/providers/implementations/signature/rsa_sig.c
--- openssl-3.5.0-beta1.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.5.0-beta1/providers/implementations/signature/rsa_sig.c
@@ -35,7 +35,7 @@
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
@@ -152,10 +152,10 @@ Index: openssl-3.5.2/providers/implementations/signature/rsa_sig.c
const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
Index: openssl-3.5.2/crypto/dh/dh_key.c
Index: openssl-3.5.0-beta1/crypto/dh/dh_key.c
===================================================================
--- openssl-3.5.2.orig/crypto/dh/dh_key.c
+++ openssl-3.5.2/crypto/dh/dh_key.c
--- openssl-3.5.0-beta1.orig/crypto/dh/dh_key.c
+++ openssl-3.5.0-beta1/crypto/dh/dh_key.c
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *k
BN_MONT_CTX *mont = NULL;
BIGNUM *z = NULL, *pminus1;
@@ -204,7 +204,7 @@ Index: openssl-3.5.2/crypto/dh/dh_key.c
dh->pub_key = pub_key;
dh->priv_key = priv_key;
+#ifdef FIPS_MODULE
+ if (ossl_dh_check_pairwise(dh, 0) <= 0) {
+ if (ossl_dh_check_pairwise(dh) <= 0) {
+ abort();
+ }
+#endif
@@ -212,10 +212,10 @@ Index: openssl-3.5.2/crypto/dh/dh_key.c
dh->dirty_cnt++;
ok = 1;
err:
Index: openssl-3.5.2/providers/implementations/exchange/ecdh_exch.c
Index: openssl-3.5.0-beta1/providers/implementations/exchange/ecdh_exch.c
===================================================================
--- openssl-3.5.2.orig/providers/implementations/exchange/ecdh_exch.c
+++ openssl-3.5.2/providers/implementations/exchange/ecdh_exch.c
--- openssl-3.5.0-beta1.orig/providers/implementations/exchange/ecdh_exch.c
+++ openssl-3.5.0-beta1/providers/implementations/exchange/ecdh_exch.c
@@ -560,6 +560,25 @@ int ecdh_plain_derive(void *vpecdhctx, u
#endif
@@ -242,11 +242,11 @@ Index: openssl-3.5.2/providers/implementations/exchange/ecdh_exch.c
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
Index: openssl-3.5.2/providers/implementations/keymgmt/ec_kmgmt.c
Index: openssl-3.5.0-beta1/providers/implementations/keymgmt/ec_kmgmt.c
===================================================================
--- openssl-3.5.2.orig/providers/implementations/keymgmt/ec_kmgmt.c
+++ openssl-3.5.2/providers/implementations/keymgmt/ec_kmgmt.c
@@ -1010,9 +1010,18 @@ struct ec_gen_ctx {
--- openssl-3.5.0-beta1.orig/providers/implementations/keymgmt/ec_kmgmt.c
+++ openssl-3.5.0-beta1/providers/implementations/keymgmt/ec_kmgmt.c
@@ -993,9 +993,18 @@ struct ec_gen_ctx {
EC_GROUP *gen_group;
unsigned char *dhkem_ikm;
size_t dhkem_ikmlen;
@@ -265,7 +265,7 @@ Index: openssl-3.5.2/providers/implementations/keymgmt/ec_kmgmt.c
static void *ec_gen_init(void *provctx, int selection,
const OSSL_PARAM params[])
{
@@ -1032,6 +1041,10 @@ static void *ec_gen_init(void *provctx,
@@ -1015,6 +1024,10 @@ static void *ec_gen_init(void *provctx,
gctx = NULL;
}
}
@@ -276,7 +276,7 @@ Index: openssl-3.5.2/providers/implementations/keymgmt/ec_kmgmt.c
return gctx;
}
@@ -1343,6 +1356,12 @@ static void *ec_gen(void *genctx, OSSL_C
@@ -1326,6 +1339,12 @@ static void *ec_gen(void *genctx, OSSL_C
if (gctx->ecdh_mode != -1)
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
@@ -289,7 +289,7 @@ Index: openssl-3.5.2/providers/implementations/keymgmt/ec_kmgmt.c
if (gctx->group_check != NULL)
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
@@ -1413,7 +1432,10 @@ static void ec_gen_cleanup(void *genctx)
@@ -1396,7 +1415,10 @@ static void ec_gen_cleanup(void *genctx)
if (gctx == NULL)
return;
@@ -301,10 +301,10 @@ Index: openssl-3.5.2/providers/implementations/keymgmt/ec_kmgmt.c
OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen);
EC_GROUP_free(gctx->gen_group);
BN_free(gctx->p);
Index: openssl-3.5.2/providers/implementations/signature/ecdsa_sig.c
Index: openssl-3.5.0-beta1/providers/implementations/signature/ecdsa_sig.c
===================================================================
--- openssl-3.5.2.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.5.2/providers/implementations/signature/ecdsa_sig.c
--- openssl-3.5.0-beta1.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.5.0-beta1/providers/implementations/signature/ecdsa_sig.c
@@ -33,7 +33,7 @@
#include "prov/der_ec.h"
#include "crypto/ec.h"
@@ -332,7 +332,7 @@ Index: openssl-3.5.2/providers/implementations/signature/ecdsa_sig.c
{
PROV_ECDSA_CTX *ctx;
@@ -612,7 +612,7 @@ int ecdsa_digest_verify_final(void *vctx
@@ -604,7 +604,7 @@ int ecdsa_digest_verify_final(void *vctx
return ok;
}
@@ -341,7 +341,7 @@ Index: openssl-3.5.2/providers/implementations/signature/ecdsa_sig.c
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
@@ -861,6 +861,35 @@ static const OSSL_PARAM *ecdsa_settable_
@@ -853,6 +853,35 @@ static const OSSL_PARAM *ecdsa_settable_
return EVP_MD_settable_ctx_params(ctx->md);
}

34
openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
View File

@@ -10,10 +10,10 @@ Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
test/recipes/25-test_verify.t | 7 ++--
4 files changed, 79 insertions(+), 18 deletions(-)
Index: openssl-3.5.1/crypto/x509/x509_vfy.c
Index: openssl-3.5.0/crypto/x509/x509_vfy.c
===================================================================
--- openssl-3.5.1.orig/crypto/x509/x509_vfy.c
+++ openssl-3.5.1/crypto/x509/x509_vfy.c
--- openssl-3.5.0.orig/crypto/x509/x509_vfy.c
+++ openssl-3.5.0/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@
#include <openssl/objects.h>
#include <openssl/core_names.h>
@@ -54,10 +54,10 @@ Index: openssl-3.5.1/crypto/x509/x509_vfy.c
+
return secbits >= minbits_table[level - 1];
}
Index: openssl-3.5.1/ssl/t1_lib.c
Index: openssl-3.5.0/ssl/t1_lib.c
===================================================================
--- openssl-3.5.1.orig/ssl/t1_lib.c
+++ openssl-3.5.1/ssl/t1_lib.c
--- openssl-3.5.0.orig/ssl/t1_lib.c
+++ openssl-3.5.0/ssl/t1_lib.c
@@ -21,6 +21,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
@@ -66,7 +66,7 @@ Index: openssl-3.5.1/ssl/t1_lib.c
#include "internal/sslconf.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
@@ -2809,19 +2810,27 @@ int tls12_check_peer_sigalg(SSL_CONNECTI
@@ -2807,19 +2808,27 @@ int tls12_check_peer_sigalg(SSL_CONNECTI
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
return 0;
}
@@ -107,7 +107,7 @@ Index: openssl-3.5.1/ssl/t1_lib.c
}
/* Store the sigalg the peer uses */
s->s3.tmp.peer_sigalg = lu;
@@ -3393,6 +3402,14 @@ static int tls12_sigalg_allowed(const SS
@@ -3391,6 +3400,14 @@ static int tls12_sigalg_allowed(const SS
}
}
@@ -122,7 +122,7 @@ Index: openssl-3.5.1/ssl/t1_lib.c
/* Finally see if security callback allows it */
secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -4383,6 +4400,8 @@ static int ssl_security_cert_sig(SSL_CON
@@ -4381,6 +4398,8 @@ static int ssl_security_cert_sig(SSL_CON
{
/* Lookup signature algorithm digest */
int secbits, nid, pknid;
@@ -131,7 +131,7 @@ Index: openssl-3.5.1/ssl/t1_lib.c
/* Don't check signature if self signed */
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
@@ -4392,6 +4411,25 @@ static int ssl_security_cert_sig(SSL_CON
@@ -4390,6 +4409,25 @@ static int ssl_security_cert_sig(SSL_CON
/* If digest NID not defined use signature NID */
if (nid == NID_undef)
nid = pknid;
@@ -157,20 +157,20 @@ Index: openssl-3.5.1/ssl/t1_lib.c
if (s != NULL)
return ssl_security(s, op, secbits, nid, x);
else
Index: openssl-3.5.1/test/recipes/25-test_verify.t
Index: openssl-3.5.0/test/recipes/25-test_verify.t
===================================================================
--- openssl-3.5.1.orig/test/recipes/25-test_verify.t
+++ openssl-3.5.1/test/recipes/25-test_verify.t
@@ -30,7 +30,7 @@ sub verify {
--- openssl-3.5.0.orig/test/recipes/25-test_verify.t
+++ openssl-3.5.0/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 203;
+plan tests => 202;
-plan tests => 194;
+plan tests => 193;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -485,8 +485,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root
@@ -484,8 +484,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");

55
openssl-FIPS-NO-DES-support.patch
View File

@@ -12,11 +12,11 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
test/recipes/80-test_cms.t | 2 +-
5 files changed, 14 insertions(+), 13 deletions(-)
Index: openssl-3.5.2/providers/fips/fipsprov.c
Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c
===================================================================
--- openssl-3.5.2.orig/providers/fips/fipsprov.c
+++ openssl-3.5.2/providers/fips/fipsprov.c
@@ -360,7 +360,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c
+++ openssl-3.5.0-beta1/providers/fips/fipsprov.c
@@ -358,7 +358,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
ossl_cipher_capable_aes_cbc_hmac_sha256),
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
ossl_cipher_capable_aes_cbc_hmac_sha256),
@@ -26,11 +26,28 @@ Index: openssl-3.5.2/providers/fips/fipsprov.c
ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
#endif /* OPENSSL_NO_DES */
Index: openssl-3.5.2/providers/fips/self_test_data.inc
Index: openssl-3.5.0-beta1/providers/fips/self_test_data.inc
===================================================================
--- openssl-3.5.2.orig/providers/fips/self_test_data.inc
+++ openssl-3.5.2/providers/fips/self_test_data.inc
@@ -293,6 +293,7 @@ static const ST_KAT_CIPHER st_kat_cipher
--- openssl-3.5.0-beta1.orig/providers/fips/self_test_data.inc
+++ openssl-3.5.0-beta1/providers/fips/self_test_data.inc
@@ -209,6 +209,7 @@ static const ST_KAT_DIGEST st_kat_digest
/*- CIPHER TEST DATA */
/* DES3 test data */
+#if 0
static const unsigned char des_ede3_cbc_pt[] = {
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
@@ -229,7 +230,7 @@ static const unsigned char des_ede3_cbc_
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
};
-
+#endif
/* AES-256 GCM test data */
static const unsigned char aes_256_gcm_key[] = {
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
@@ -315,6 +316,7 @@ static const ST_KAT_CIPHER st_kat_cipher
CIPHER_MODE_DECRYPT,
ITM(aes_128_ecb_key)
},
@@ -38,7 +55,7 @@ Index: openssl-3.5.2/providers/fips/self_test_data.inc
#ifndef OPENSSL_NO_DES
{
{
@@ -305,6 +306,7 @@ static const ST_KAT_CIPHER st_kat_cipher
@@ -327,6 +329,7 @@ static const ST_KAT_CIPHER st_kat_cipher
ITM(tdes_key)
}
#endif
@@ -46,10 +63,10 @@ Index: openssl-3.5.2/providers/fips/self_test_data.inc
};
static const char hkdf_digest[] = "SHA256";
Index: openssl-3.5.2/test/evp_libctx_test.c
Index: openssl-3.5.0-beta1/test/evp_libctx_test.c
===================================================================
--- openssl-3.5.2.orig/test/evp_libctx_test.c
+++ openssl-3.5.2/test/evp_libctx_test.c
--- openssl-3.5.0-beta1.orig/test/evp_libctx_test.c
+++ openssl-3.5.0-beta1/test/evp_libctx_test.c
@@ -831,7 +831,9 @@ int setup_tests(void)
ADD_TEST(kem_invalid_keytype);
#endif
@@ -61,10 +78,10 @@ Index: openssl-3.5.2/test/evp_libctx_test.c
#endif
return 1;
}
Index: openssl-3.5.2/test/recipes/30-test_evp_data/evpciph_des3_common.txt
Index: openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evpciph_des3_common.txt
===================================================================
--- openssl-3.5.2.orig/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+++ openssl-3.5.2/test/recipes/30-test_evp_data/evpciph_des3_common.txt
--- openssl-3.5.0-beta1.orig/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+++ openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evpciph_des3_common.txt
@@ -14,7 +14,7 @@
Title = DES3 Tests
@@ -114,16 +131,16 @@ Index: openssl-3.5.2/test/recipes/30-test_evp_data/evpciph_des3_common.txt
Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
# Test that DES3 ECB mode encryption is not FIPS approved
-Availablein = fips
-Availablein = fipss
-FIPSversion = >=3.4.0
+Availablein = none
Cipher = DES-EDE3-ECB
Operation = ENCRYPT
Unapproved = 1
Index: openssl-3.5.2/test/recipes/80-test_cms.t
Index: openssl-3.5.0-beta1/test/recipes/80-test_cms.t
===================================================================
--- openssl-3.5.2.orig/test/recipes/80-test_cms.t
+++ openssl-3.5.2/test/recipes/80-test_cms.t
--- openssl-3.5.0-beta1.orig/test/recipes/80-test_cms.t
+++ openssl-3.5.0-beta1/test/recipes/80-test_cms.t
@@ -398,7 +398,7 @@ my @smime_cms_tests = (
\&final_compare
],

91
openssl-FIPS-enforce-EMS-support.patch
View File

@@ -19,11 +19,11 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
test/sslapitest.c | 2 +-
9 files changed, 46 insertions(+), 5 deletions(-)
Index: openssl-3.5.2/doc/man3/SSL_CONF_cmd.pod
===================================================================
--- openssl-3.5.2.orig/doc/man3/SSL_CONF_cmd.pod
+++ openssl-3.5.2/doc/man3/SSL_CONF_cmd.pod
@@ -621,6 +621,9 @@ B<ExtendedMasterSecret>: use extended ma
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index e2c1e69847..009b683b27 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -621,6 +621,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
@@ -33,11 +33,11 @@ Index: openssl-3.5.2/doc/man3/SSL_CONF_cmd.pod
B<CANames>: use CA names extension, enabled by
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
Index: openssl-3.5.2/doc/man5/fips_config.pod
===================================================================
--- openssl-3.5.2.orig/doc/man5/fips_config.pod
+++ openssl-3.5.2/doc/man5/fips_config.pod
@@ -11,6 +11,19 @@ automatically loaded when the system is
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
index 15748c5756..34cbfbb2ad 100644
--- a/doc/man5/fips_config.pod
+++ b/doc/man5/fips_config.pod
@@ -11,6 +11,19 @@ automatically loaded when the system is booted in FIPS mode, or when the
environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
for more information.
@@ -56,12 +56,12 @@ Index: openssl-3.5.2/doc/man5/fips_config.pod
+
=head1 COPYRIGHT
Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
Index: openssl-3.5.2/include/openssl/ssl.h.in
===================================================================
--- openssl-3.5.2.orig/include/openssl/ssl.h.in
+++ openssl-3.5.2/include/openssl/ssl.h.in
@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 0b2232b01c..99b2ad4eb3 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
* interoperability with CryptoPro CSP 3.x
*/
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
@@ -69,10 +69,10 @@ Index: openssl-3.5.2/include/openssl/ssl.h.in
/*
* Disable RFC8879 certificate compression
* SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
Index: openssl-3.5.2/providers/fips/include/fips_indicator_params.inc
===================================================================
--- openssl-3.5.2.orig/providers/fips/include/fips_indicator_params.inc
+++ openssl-3.5.2/providers/fips/include/fips_indicator_params.inc
diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
index c1b029de86..47d1cf2d01 100644
--- a/providers/fips/include/fips_indicator_params.inc
+++ b/providers/fips/include/fips_indicator_params.inc
@@ -1,5 +1,5 @@
OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1)
-OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0)
@@ -80,11 +80,11 @@ Index: openssl-3.5.2/providers/fips/include/fips_indicator_params.inc
OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1)
OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
Index: openssl-3.5.2/ssl/ssl_conf.c
===================================================================
--- openssl-3.5.2.orig/ssl/ssl_conf.c
+++ openssl-3.5.2/ssl/ssl_conf.c
@@ -394,6 +394,7 @@ static int cmd_Options(SSL_CONF_CTX *cct
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 946d20be52..b52c1675fd 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -394,6 +394,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
SSL_FLAG_TBL("ClientRenegotiation",
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
@@ -92,10 +92,10 @@ Index: openssl-3.5.2/ssl/ssl_conf.c
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
Index: openssl-3.5.2/ssl/statem/extensions_srvr.c
===================================================================
--- openssl-3.5.2.orig/ssl/statem/extensions_srvr.c
+++ openssl-3.5.2/ssl/statem/extensions_srvr.c
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index dd771207f6..48db802b1f 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -12,6 +12,7 @@
#include "statem_local.h"
#include "internal/cryptlib.h"
@@ -104,7 +104,7 @@ Index: openssl-3.5.2/ssl/statem/extensions_srvr.c
#define COOKIE_STATE_FORMAT_VERSION 1
@@ -1886,8 +1887,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CO
@@ -1874,8 +1875,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context,
X509 *x, size_t chainidx)
{
@@ -119,10 +119,10 @@ Index: openssl-3.5.2/ssl/statem/extensions_srvr.c
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|| !WPACKET_put_bytes_u16(pkt, 0)) {
Index: openssl-3.5.2/ssl/t1_enc.c
===================================================================
--- openssl-3.5.2.orig/ssl/t1_enc.c
+++ openssl-3.5.2/ssl/t1_enc.c
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 474ea7bf5b..e0e595e989 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -21,6 +21,7 @@
#include <openssl/obj_mac.h>
#include <openssl/core_names.h>
@@ -148,11 +148,11 @@ Index: openssl-3.5.2/ssl/t1_enc.c
else
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
EVP_KDF_CTX_free(kctx);
Index: openssl-3.5.2/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
===================================================================
--- openssl-3.5.2.orig/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ openssl-3.5.2/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
index 50944328cb..edb2e81273 100644
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
@@ -169,11 +169,11 @@ Index: openssl-3.5.2/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
FIPSversion = <=3.1.0
KDF = TLS1-PRF
Ctrl.digest = digest:SHA256
Index: openssl-3.5.2/test/sslapitest.c
===================================================================
--- openssl-3.5.2.orig/test/sslapitest.c
+++ openssl-3.5.2/test/sslapitest.c
@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(vo
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 16155afccb..93766fae23 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void)
STACK_OF(X509) *server_chain;
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -182,3 +182,6 @@ Index: openssl-3.5.2/test/sslapitest.c
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_VERSION, 0,
--
2.49.0

125
openssl-Fix-P384-on-P8-targets.patch Normal file
View File

@@ -0,0 +1,125 @@
From a72f753cc5a43e58087358317975f6be46c15e01 Mon Sep 17 00:00:00 2001
From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
Date: Thu, 17 Apr 2025 08:51:53 -0500
Subject: [PATCH] Fix P-384 curve on lower-than-P9 PPC64 targets
The change adding an asm implementation of p384_felem_reduce incorrectly
uses the accelerated version on both targets that support the intrinsics
*and* targets that don't, instead of falling back to the generics on older
targets. This results in crashes when trying to use P-384 on < Power9.
Signed-off-by: Anna Wilcox <AWilcox@Wilcox-Tech.com>
Closes: #27350
Fixes: 85cabd94 ("Fix Minerva timing side-channel signal for P-384 curve on PPC")
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27429)
(cherry picked from commit 29864f2b0f1046177e8048a5b17440893d3f9425)
---
crypto/ec/ecp_nistp384.c | 54 ++++++++++++++++++++++++----------------
1 file changed, 33 insertions(+), 21 deletions(-)
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
index 2ceb94fe33b7e..9d682f5a02cce 100644
--- a/crypto/ec/ecp_nistp384.c
+++ b/crypto/ec/ecp_nistp384.c
@@ -684,6 +684,22 @@ static void felem_reduce_ref(felem out, const widefelem in)
out[i] = acc[i];
}
+static ossl_inline void felem_square_reduce_ref(felem out, const felem in)
+{
+ widefelem tmp;
+
+ felem_square_ref(tmp, in);
+ felem_reduce_ref(out, tmp);
+}
+
+static ossl_inline void felem_mul_reduce_ref(felem out, const felem in1, const felem in2)
+{
+ widefelem tmp;
+
+ felem_mul_ref(tmp, in1, in2);
+ felem_reduce_ref(out, tmp);
+}
+
#if defined(ECP_NISTP384_ASM)
static void felem_square_wrapper(widefelem out, const felem in);
static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2);
@@ -695,10 +711,18 @@ static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) =
static void (*felem_reduce_p)(felem out, const widefelem in) = felem_reduce_ref;
+static void (*felem_square_reduce_p)(felem out, const felem in) =
+ felem_square_reduce_ref;
+static void (*felem_mul_reduce_p)(felem out, const felem in1, const felem in2) =
+ felem_mul_reduce_ref;
+
void p384_felem_square(widefelem out, const felem in);
void p384_felem_mul(widefelem out, const felem in1, const felem in2);
void p384_felem_reduce(felem out, const widefelem in);
+void p384_felem_square_reduce(felem out, const felem in);
+void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
+
# if defined(_ARCH_PPC64)
# include "crypto/ppc_arch.h"
# endif
@@ -710,6 +734,8 @@ static void felem_select(void)
felem_square_p = p384_felem_square;
felem_mul_p = p384_felem_mul;
felem_reduce_p = p384_felem_reduce;
+ felem_square_reduce_p = p384_felem_square_reduce;
+ felem_mul_reduce_p = p384_felem_mul_reduce;
return;
}
@@ -718,7 +744,9 @@ static void felem_select(void)
/* Default */
felem_square_p = felem_square_ref;
felem_mul_p = felem_mul_ref;
- felem_reduce_p = p384_felem_reduce;
+ felem_reduce_p = felem_reduce_ref;
+ felem_square_reduce_p = felem_square_reduce_ref;
+ felem_mul_reduce_p = felem_mul_reduce_ref;
}
static void felem_square_wrapper(widefelem out, const felem in)
@@ -737,31 +765,15 @@ static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2)
# define felem_mul felem_mul_p
# define felem_reduce felem_reduce_p
-void p384_felem_square_reduce(felem out, const felem in);
-void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
-
-# define felem_square_reduce p384_felem_square_reduce
-# define felem_mul_reduce p384_felem_mul_reduce
+# define felem_square_reduce felem_square_reduce_p
+# define felem_mul_reduce felem_mul_reduce_p
#else
# define felem_square felem_square_ref
# define felem_mul felem_mul_ref
# define felem_reduce felem_reduce_ref
-static ossl_inline void felem_square_reduce(felem out, const felem in)
-{
- widefelem tmp;
-
- felem_square(tmp, in);
- felem_reduce(out, tmp);
-}
-
-static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2)
-{
- widefelem tmp;
-
- felem_mul(tmp, in1, in2);
- felem_reduce(out, tmp);
-}
+# define felem_square_reduce felem_square_reduce_ref
+# define felem_mul_reduce felem_mul_reduce_ref
#endif
/*-

34
openssl-Fix-Wfree-nonheap-object-warning.patch
View File

@@ -1,34 +0,0 @@
Index: openssl-3.5.0/crypto/bn/bn_exp.c
===================================================================
--- openssl-3.5.0.orig/crypto/bn/bn_exp.c
+++ openssl-3.5.0/crypto/bn/bn_exp.c
@@ -166,6 +166,20 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *
return ret;
}
+/* As per limitations of C, the compiler cannot determine statically that in the
+ * case of BN_RECP_CTX_free, the BN_RECP_CTX.flag will not have a value of
+ * BN_FLG_MALLOCED, thus we hit a warning (-Wfree-nonheap-object) in
+ * BN_mod_exp_recp. Fix that by omiting the check for BN_FLG_MALLOCED.
+ */
+void BN_RECP_CTX_free_static(BN_RECP_CTX *recp)
+{
+ if (recp == NULL)
+ return;
+
+ BN_free(&recp->N);
+ BN_free(&recp->Nr);
+}
+
int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx)
{
@@ -304,7 +318,7 @@ int BN_mod_exp_recp(BIGNUM *r, const BIG
ret = 1;
err:
BN_CTX_end(ctx);
- BN_RECP_CTX_free(&recp);
+ BN_RECP_CTX_free_static(&recp);
bn_check_top(r);
return ret;
}

87
openssl-disable-fipsinstall.patch
View File

@@ -23,10 +23,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
mode change 100644 => 100755 test/recipes/01-test_fipsmodule_cnf.t
mode change 100644 => 100755 test/recipes/03-test_fipsinstall.t
Index: openssl-3.5.2/apps/fipsinstall.c
Index: openssl-3.5.0-beta1/apps/fipsinstall.c
===================================================================
--- openssl-3.5.2.orig/apps/fipsinstall.c
+++ openssl-3.5.2/apps/fipsinstall.c
--- openssl-3.5.0-beta1.orig/apps/fipsinstall.c
+++ openssl-3.5.0-beta1/apps/fipsinstall.c
@@ -590,6 +590,9 @@ int fipsinstall_main(int argc, char **ar
EVP_MAC *mac = NULL;
CONF *conf = NULL;
@@ -37,15 +37,14 @@ Index: openssl-3.5.2/apps/fipsinstall.c
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
Index: openssl-3.5.2/doc/man1/openssl-fipsinstall.pod.in
Index: openssl-3.5.0-beta1/doc/man1/openssl-fipsinstall.pod.in
===================================================================
--- openssl-3.5.2.orig/doc/man1/openssl-fipsinstall.pod.in
+++ openssl-3.5.2/doc/man1/openssl-fipsinstall.pod.in
@@ -7,485 +7,9 @@ openssl-fipsinstall - perform FIPS confi
--- openssl-3.5.0-beta1.orig/doc/man1/openssl-fipsinstall.pod.in
+++ openssl-3.5.0-beta1/doc/man1/openssl-fipsinstall.pod.in
@@ -8,488 +8,9 @@ openssl-fipsinstall - perform FIPS confi
=head1 SYNOPSIS
-B<openssl fipsinstall>
B<openssl fipsinstall>
-[B<-help>]
-[B<-in> I<configfilename>]
-[B<-out> I<configfilename>]
@@ -275,7 +274,9 @@ Index: openssl-3.5.2/doc/man1/openssl-fipsinstall.pod.in
-
-=item B<-hkdf_digest_check>
-
-This option is deprecated.
-Configure the module to enable a run-time digest check when deriving a key by
-HKDF.
-See NIST SP 800-56Cr2 for details.
-
-=item B<-tls13_kdf_digest_check>
-
@@ -297,7 +298,9 @@ Index: openssl-3.5.2/doc/man1/openssl-fipsinstall.pod.in
-
-=item B<-sskdf_digest_check>
-
-This option is deprecated.
-Configure the module to enable a run-time digest check when deriving a key by
-SSKDF.
-See NIST SP 800-56Cr2 for details.
-
-=item B<-x963kdf_digest_check>
-
@@ -530,11 +533,11 @@ Index: openssl-3.5.2/doc/man1/openssl-fipsinstall.pod.in
=head1 COPYRIGHT
Index: openssl-3.5.2/doc/man1/openssl.pod
Index: openssl-3.5.0-beta1/doc/man1/openssl.pod
===================================================================
--- openssl-3.5.2.orig/doc/man1/openssl.pod
+++ openssl-3.5.2/doc/man1/openssl.pod
@@ -139,10 +139,6 @@ Engine (loadable module) information and
--- openssl-3.5.0-beta1.orig/doc/man1/openssl.pod
+++ openssl-3.5.0-beta1/doc/man1/openssl.pod
@@ -137,10 +137,6 @@ Engine (loadable module) information and
Error Number to Error String Conversion.
@@ -545,10 +548,10 @@ Index: openssl-3.5.2/doc/man1/openssl.pod
=item B<gendsa>
Generation of DSA Private Key from Parameters. Superseded by
Index: openssl-3.5.2/doc/man5/config.pod
Index: openssl-3.5.0-beta1/doc/man5/config.pod
===================================================================
--- openssl-3.5.2.orig/doc/man5/config.pod
+++ openssl-3.5.2/doc/man5/config.pod
--- openssl-3.5.0-beta1.orig/doc/man5/config.pod
+++ openssl-3.5.0-beta1/doc/man5/config.pod
@@ -582,7 +582,6 @@ configuration files using that syntax wi
=head1 SEE ALSO
@@ -557,11 +560,11 @@ Index: openssl-3.5.2/doc/man5/config.pod
L<ASN1_generate_nconf(3)>,
L<EVP_set_default_properties(3)>,
L<CONF_modules_load(3)>,
Index: openssl-3.5.2/doc/man5/fips_config.pod
Index: openssl-3.5.0-beta1/doc/man5/fips_config.pod
===================================================================
--- openssl-3.5.2.orig/doc/man5/fips_config.pod
+++ openssl-3.5.2/doc/man5/fips_config.pod
@@ -6,224 +6,10 @@ fips_config - OpenSSL FIPS configuration
--- openssl-3.5.0-beta1.orig/doc/man5/fips_config.pod
+++ openssl-3.5.0-beta1/doc/man5/fips_config.pod
@@ -6,230 +6,10 @@ fips_config - OpenSSL FIPS configuration
=head1 DESCRIPTION
@@ -621,11 +624,17 @@ Index: openssl-3.5.2/doc/man5/fips_config.pod
-
-=item B<install-status>
-
-This field is deprecated and is no longer used.
-An indicator that the self-tests were successfully run.
-This should only be written after the module has
-successfully passed its self tests during installation.
-If this field is not present, then the self tests will run when the module
-loads.
-
-=item B<install-mac>
-
-This field is deprecated and is no longer used.
-A MAC of the value of the B<install-status> option, to prevent accidental
-changes to that value.
-It is written-to at the same time as B<install-status> is updated.
-
-=back
-
@@ -665,7 +674,7 @@ Index: openssl-3.5.2/doc/man5/fips_config.pod
-
-=item B<hkdf-digest-check>
-
-This option is deprecated.
-See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_digest_check>
-
-=item B<tls13-kdf-digest-check>
-
@@ -681,7 +690,7 @@ Index: openssl-3.5.2/doc/man5/fips_config.pod
-
-=item B<sskdf-digest-check>
-
-This option is deprecated.
-See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_digest_check>
-
-=item B<x963kdf-digest-check>
-
@@ -790,11 +799,11 @@ Index: openssl-3.5.2/doc/man5/fips_config.pod
=head1 COPYRIGHT
Index: openssl-3.5.2/doc/man7/OSSL_PROVIDER-FIPS.pod
Index: openssl-3.5.0-beta1/doc/man7/OSSL_PROVIDER-FIPS.pod
===================================================================
--- openssl-3.5.2.orig/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ openssl-3.5.2/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -570,7 +570,6 @@ process.
--- openssl-3.5.0-beta1.orig/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ openssl-3.5.0-beta1/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -575,7 +575,6 @@ want to operate in a FIPS approved manne
=head1 SEE ALSO
@@ -802,10 +811,10 @@ Index: openssl-3.5.2/doc/man7/OSSL_PROVIDER-FIPS.pod
L<fips_config(5)>,
L<OSSL_SELF_TEST_set_callback(3)>,
L<OSSL_SELF_TEST_new(3)>,
Index: openssl-3.5.2/test/recipes/00-prep_fipsmodule_cnf.t
Index: openssl-3.5.0-beta1/test/recipes/00-prep_fipsmodule_cnf.t
===================================================================
--- openssl-3.5.2.orig/test/recipes/00-prep_fipsmodule_cnf.t
+++ openssl-3.5.2/test/recipes/00-prep_fipsmodule_cnf.t
--- openssl-3.5.0-beta1.orig/test/recipes/00-prep_fipsmodule_cnf.t
+++ openssl-3.5.0-beta1/test/recipes/00-prep_fipsmodule_cnf.t
@@ -29,8 +29,10 @@ my $fipsmoduleconf = bldtop_file('test',
plan tests => 1;
@@ -821,10 +830,10 @@ Index: openssl-3.5.2/test/recipes/00-prep_fipsmodule_cnf.t
+# '-module', $fipsmodule, '-provider_name', 'fips',
+# '-section_name', 'fips_sect', '-out', $fipsmoduleconf])),
+# "fips install");
Index: openssl-3.5.2/test/recipes/01-test_fipsmodule_cnf.t
Index: openssl-3.5.0-beta1/test/recipes/01-test_fipsmodule_cnf.t
===================================================================
--- openssl-3.5.2.orig/test/recipes/01-test_fipsmodule_cnf.t
+++ openssl-3.5.2/test/recipes/01-test_fipsmodule_cnf.t
--- openssl-3.5.0-beta1.orig/test/recipes/01-test_fipsmodule_cnf.t
+++ openssl-3.5.0-beta1/test/recipes/01-test_fipsmodule_cnf.t
@@ -31,7 +31,8 @@ plan tests => 1;
my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf');
@@ -837,10 +846,10 @@ Index: openssl-3.5.2/test/recipes/01-test_fipsmodule_cnf.t
+#ok(run(app(['openssl', 'fipsinstall',
+# '-in', $fipsmoduleconf, '-module', $fipsmodule, '-verify'])),
+# "fipsinstall verify");
Index: openssl-3.5.2/test/recipes/03-test_fipsinstall.t
Index: openssl-3.5.0-beta1/test/recipes/03-test_fipsinstall.t
===================================================================
--- openssl-3.5.2.orig/test/recipes/03-test_fipsinstall.t
+++ openssl-3.5.2/test/recipes/03-test_fipsinstall.t
--- openssl-3.5.0-beta1.orig/test/recipes/03-test_fipsinstall.t
+++ openssl-3.5.0-beta1/test/recipes/03-test_fipsinstall.t
@@ -22,6 +22,8 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;