3 Commits

Author SHA256 Message Date
5f909683e2 Merge pull request 'Factory' (#1) from factory into main 2025-10-08 12:57:06 +02:00
00ea7ab7f6 Accepting request 1305335 from security:tls
- Update to 3.5.3:
  * Added FIPS 140-3 PCT on DH key generation.
  * Fixed the synthesised OPENSSL_VERSION_NUMBER.
- Rebase patches:
  * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
  * openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
  * openssl-FIPS-limit-rsa-encrypt.patch

OBS-URL: https://build.opensuse.org/request/show/1305335
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=46
2025-09-18 19:07:54 +00:00
f6c710bc56 - Update to 3.5.3:
* Added FIPS 140-3 PCT on DH key generation.
  * Fixed the synthesised OPENSSL_VERSION_NUMBER.
- Rebase patches:
  * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
  * openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
  * openssl-FIPS-limit-rsa-encrypt.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=155
2025-09-17 09:11:46 +00:00
9 changed files with 128 additions and 117 deletions

Binary file not shown.


@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=oBWA
-----END PGP SIGNATURE-----

BIN
openssl-3.5.3.tar.gz LFS Normal file

Binary file not shown.

16
openssl-3.5.3.tar.gz.asc Normal file

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=KeII
-----END PGP SIGNATURE-----


@@ -1,3 +1,14 @@
-------------------------------------------------------------------
Wed Sep 17 00:56:31 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
- Update to 3.5.3:
* Added FIPS 140-3 PCT on DH key generation.
* Fixed the synthesised OPENSSL_VERSION_NUMBER.
- Rebase patches:
* openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
* openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
* openssl-FIPS-limit-rsa-encrypt.patch
-------------------------------------------------------------------
Tue Aug 5 16:34:57 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>


@@ -38,7 +38,7 @@
%define livepatchable 1
Name: openssl-3
Version: 3.5.2
Version: 3.5.3
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: Apache-2.0


@@ -38,10 +38,10 @@ NOTE: Dropped changes in test/recipes/80-test_cms.t
test/recipes/80-test_ssl_old.t | 3 +
11 files changed, 116 insertions(+), 18 deletions(-)
Index: openssl-3.5.0-beta1/crypto/dh/dh_backend.c
Index: openssl-3.5.3/crypto/dh/dh_backend.c
===================================================================
--- openssl-3.5.0-beta1.orig/crypto/dh/dh_backend.c
+++ openssl-3.5.0-beta1/crypto/dh/dh_backend.c
--- openssl-3.5.3.orig/crypto/dh/dh_backend.c
+++ openssl-3.5.3/crypto/dh/dh_backend.c
@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, cons
if (!dh_ffc_params_fromdata(dh, params))
return 0;
@@ -59,11 +59,11 @@ Index: openssl-3.5.0-beta1/crypto/dh/dh_backend.c
param_priv_len =
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
if (param_priv_len != NULL
Index: openssl-3.5.0-beta1/crypto/dh/dh_check.c
Index: openssl-3.5.3/crypto/dh/dh_check.c
===================================================================
--- openssl-3.5.0-beta1.orig/crypto/dh/dh_check.c
+++ openssl-3.5.0-beta1/crypto/dh/dh_check.c
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *r
--- openssl-3.5.3.orig/crypto/dh/dh_check.c
+++ openssl-3.5.3/crypto/dh/dh_check.c
@@ -58,13 +58,15 @@ int DH_check_params(const DH *dh, int *r
nid = DH_get_nid((DH *)dh);
if (nid != NID_undef)
return 1;
@@ -84,10 +84,10 @@ Index: openssl-3.5.0-beta1/crypto/dh/dh_check.c
}
#else
int DH_check_params(const DH *dh, int *ret)
Index: openssl-3.5.0-beta1/crypto/dh/dh_gen.c
Index: openssl-3.5.3/crypto/dh/dh_gen.c
===================================================================
--- openssl-3.5.0-beta1.orig/crypto/dh/dh_gen.c
+++ openssl-3.5.0-beta1/crypto/dh/dh_gen.c
--- openssl-3.5.3.orig/crypto/dh/dh_gen.c
+++ openssl-3.5.3/crypto/dh/dh_gen.c
@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret,
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
BN_GENCB *cb)
@@ -117,10 +117,10 @@ Index: openssl-3.5.0-beta1/crypto/dh/dh_gen.c
if (ret > 0)
dh->dirty_cnt++;
return ret;
Index: openssl-3.5.0-beta1/crypto/dh/dh_key.c
Index: openssl-3.5.3/crypto/dh/dh_key.c
===================================================================
--- openssl-3.5.0-beta1.orig/crypto/dh/dh_key.c
+++ openssl-3.5.0-beta1/crypto/dh/dh_key.c
--- openssl-3.5.3.orig/crypto/dh/dh_key.c
+++ openssl-3.5.3/crypto/dh/dh_key.c
@@ -336,8 +336,12 @@ static int generate_key(DH *dh)
goto err;
} else {
@@ -135,8 +135,8 @@ Index: openssl-3.5.0-beta1/crypto/dh/dh_key.c
+ goto err;
#else
if (dh->params.q == NULL) {
/* secret exponent length, must satisfy 2^(l-1) <= p */
@@ -358,9 +362,7 @@ static int generate_key(DH *dh)
/* secret exponent length, must satisfy 2^l < (p-1)/2 */
@@ -360,9 +364,7 @@ static int generate_key(DH *dh)
if (!BN_clear_bit(priv_key, 0))
goto err;
}
@@ -147,7 +147,7 @@ Index: openssl-3.5.0-beta1/crypto/dh/dh_key.c
/* Do a partial check for invalid p, q, g */
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH, NULL))
@@ -376,6 +378,7 @@ static int generate_key(DH *dh)
@@ -378,6 +380,7 @@ static int generate_key(DH *dh)
priv_key))
goto err;
}
@@ -155,10 +155,10 @@ Index: openssl-3.5.0-beta1/crypto/dh/dh_key.c
}
}
Index: openssl-3.5.0-beta1/crypto/dh/dh_pmeth.c
Index: openssl-3.5.3/crypto/dh/dh_pmeth.c
===================================================================
--- openssl-3.5.0-beta1.orig/crypto/dh/dh_pmeth.c
+++ openssl-3.5.0-beta1/crypto/dh/dh_pmeth.c
--- openssl-3.5.3.orig/crypto/dh/dh_pmeth.c
+++ openssl-3.5.3/crypto/dh/dh_pmeth.c
@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_
prime_len, subprime_len, &res,
pcb);
@@ -180,11 +180,11 @@ Index: openssl-3.5.0-beta1/crypto/dh/dh_pmeth.c
if (rv <= 0) {
DH_free(ret);
return NULL;
Index: openssl-3.5.0-beta1/providers/implementations/keymgmt/dh_kmgmt.c
Index: openssl-3.5.3/providers/implementations/keymgmt/dh_kmgmt.c
===================================================================
--- openssl-3.5.0-beta1.orig/providers/implementations/keymgmt/dh_kmgmt.c
+++ openssl-3.5.0-beta1/providers/implementations/keymgmt/dh_kmgmt.c
@@ -420,6 +420,11 @@ static int dh_validate(const void *keyda
--- openssl-3.5.3.orig/providers/implementations/keymgmt/dh_kmgmt.c
+++ openssl-3.5.3/providers/implementations/keymgmt/dh_kmgmt.c
@@ -422,6 +422,11 @@ static int dh_validate(const void *keyda
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
return 1; /* nothing to validate */
@@ -196,10 +196,10 @@ Index: openssl-3.5.0-beta1/providers/implementations/keymgmt/dh_kmgmt.c
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
/*
* Both of these functions check parameters. DH_check_params_ex()
Index: openssl-3.5.0-beta1/test/endecode_test.c
Index: openssl-3.5.3/test/endecode_test.c
===================================================================
--- openssl-3.5.0-beta1.orig/test/endecode_test.c
+++ openssl-3.5.0-beta1/test/endecode_test.c
--- openssl-3.5.3.orig/test/endecode_test.c
+++ openssl-3.5.3/test/endecode_test.c
@@ -85,10 +85,10 @@ static EVP_PKEY *make_template(const cha
* for testing only. Use a minimum key size of 2048 for security purposes.
*/
@@ -213,10 +213,10 @@ Index: openssl-3.5.0-beta1/test/endecode_test.c
# endif
/*
Index: openssl-3.5.0-beta1/test/evp_libctx_test.c
Index: openssl-3.5.3/test/evp_libctx_test.c
===================================================================
--- openssl-3.5.0-beta1.orig/test/evp_libctx_test.c
+++ openssl-3.5.0-beta1/test/evp_libctx_test.c
--- openssl-3.5.3.orig/test/evp_libctx_test.c
+++ openssl-3.5.3/test/evp_libctx_test.c
@@ -222,7 +222,7 @@ static int do_dh_param_keygen(int tstid,
if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
@@ -226,10 +226,10 @@ Index: openssl-3.5.0-beta1/test/evp_libctx_test.c
goto err;
if (expected) {
Index: openssl-3.5.0-beta1/test/helpers/predefined_dhparams.c
Index: openssl-3.5.3/test/helpers/predefined_dhparams.c
===================================================================
--- openssl-3.5.0-beta1.orig/test/helpers/predefined_dhparams.c
+++ openssl-3.5.0-beta1/test/helpers/predefined_dhparams.c
--- openssl-3.5.3.orig/test/helpers/predefined_dhparams.c
+++ openssl-3.5.3/test/helpers/predefined_dhparams.c
@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libct
dhx512_q, sizeof(dhx512_q));
}
@@ -299,10 +299,10 @@ Index: openssl-3.5.0-beta1/test/helpers/predefined_dhparams.c
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
{
static unsigned char dh1024_p[] = {
Index: openssl-3.5.0-beta1/test/helpers/predefined_dhparams.h
Index: openssl-3.5.3/test/helpers/predefined_dhparams.h
===================================================================
--- openssl-3.5.0-beta1.orig/test/helpers/predefined_dhparams.h
+++ openssl-3.5.0-beta1/test/helpers/predefined_dhparams.h
--- openssl-3.5.3.orig/test/helpers/predefined_dhparams.h
+++ openssl-3.5.3/test/helpers/predefined_dhparams.h
@@ -12,6 +12,7 @@
#ifndef OPENSSL_NO_DH
EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
@@ -311,10 +311,10 @@ Index: openssl-3.5.0-beta1/test/helpers/predefined_dhparams.h
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
Index: openssl-3.5.0-beta1/test/recipes/80-test_ssl_old.t
Index: openssl-3.5.3/test/recipes/80-test_ssl_old.t
===================================================================
--- openssl-3.5.0-beta1.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.5.0-beta1/test/recipes/80-test_ssl_old.t
--- openssl-3.5.3.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.5.3/test/recipes/80-test_ssl_old.t
@@ -458,6 +458,9 @@ sub testssl {
skip "skipping dhe1024dsa test", 1
if ($no_dh);
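Review bot: The refreshed hunks in `generate_key()` in crypto/dh/dh_key.c (`@@ -360,9 +364,7 @@` and `@@ -378,6 +380,7 @@`) now apply on top of upstream code that changed underneath them. The context comment moved from `must satisfy 2^(l-1) <= p` to `must satisfy 2^l < (p-1)/2`, and the changelog says 3.5.3 adds its own FIPS 140-3 PCT on DH key generation. A clean textual refresh does not show that the downstream FIPS branch still composes correctly with the new length bound and the upstream PCT. I would record the re-check in the patch header, e.g. `Rebased onto openssl-3.5.3: generate_key() FIPS branch re-verified against upstream DH PCT`. The hunk bodies are not visible on this page, so this is a request to confirm rather than a reported defect.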


@@ -1,7 +1,7 @@
Index: openssl-3.5.0/providers/implementations/signature/dsa_sig.c
Index: openssl-3.5.3/providers/implementations/signature/dsa_sig.c
===================================================================
--- openssl-3.5.0.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.5.0/providers/implementations/signature/dsa_sig.c
--- openssl-3.5.3.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.5.3/providers/implementations/signature/dsa_sig.c
@@ -187,9 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
}
#ifdef FIPS_MODULE
@@ -13,10 +13,10 @@ Index: openssl-3.5.0/providers/implementations/signature/dsa_sig.c
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
Index: openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
Index: openssl-3.5.3/providers/implementations/signature/ecdsa_sig.c
===================================================================
--- openssl-3.5.0.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
--- openssl-3.5.3.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.5.3/providers/implementations/signature/ecdsa_sig.c
@@ -215,9 +215,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
#ifdef FIPS_MODULE
@@ -28,10 +28,10 @@ Index: openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
Index: openssl-3.5.0/providers/implementations/signature/rsa_sig.c
Index: openssl-3.5.3/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.5.0.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.5.0/providers/implementations/signature/rsa_sig.c
--- openssl-3.5.3.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.5.3/providers/implementations/signature/rsa_sig.c
@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
}
#ifdef FIPS_MODULE
@@ -59,10 +59,10 @@ Index: openssl-3.5.0/providers/implementations/signature/rsa_sig.c
}
if (pmgf1mdname != NULL
Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
===================================================================
--- openssl-3.5.0.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
Title = ECDSA tests
@@ -133,12 +133,12 @@ Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-Result = KEYOP_MISMATCH
+Result = PKEY_CTRL_ERROR
Title = XOF disallowed
Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
FIPSversion = >=3.6.0
Sign = P-256
Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
===================================================================
--- openssl-3.5.0.orig/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+++ openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
@@ -37,34 +37,34 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
Title = ECDSA tests
@@ -260,10 +260,10 @@ Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
Input = "0123456789ABCDEF1234"
-Result = KEYOP_MISMATCH
+Result = KEYOP_INIT_ERROR
Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
===================================================================
--- openssl-3.5.0.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -96,6 +96,7 @@ NDL6WCBbets=
Title = RSA tests
@@ -616,10 +616,10 @@ Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Availablein = fips
FIPSversion = >=3.4.0
Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa.txt
Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa.txt
===================================================================
--- openssl-3.5.0.orig/test/recipes/30-test_evp_data/evppkey_rsa.txt
+++ openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa.txt
--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_rsa.txt
+++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa.txt
@@ -268,8 +268,8 @@ TwIDAQAB
PrivPubKeyPair = RSA-PSS:RSA-PSS-DEFAULT
@@ -933,11 +933,11 @@ Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa.txt
Verify=RSA-PSS-8
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Index: openssl-3.5.0/test/recipes/80-test_cms.t
Index: openssl-3.5.3/test/recipes/80-test_cms.t
===================================================================
--- openssl-3.5.0.orig/test/recipes/80-test_cms.t
+++ openssl-3.5.0/test/recipes/80-test_cms.t
@@ -174,7 +174,7 @@ my @smime_pkcs7_tests = (
--- openssl-3.5.3.orig/test/recipes/80-test_cms.t
+++ openssl-3.5.3/test/recipes/80-test_cms.t
@@ -183,7 +183,7 @@ my @smime_pkcs7_tests = (
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
"-certfile", $smroot,
"-signer", $smrsa1, "-out", "{output}.cms" ],
@@ -946,7 +946,7 @@ Index: openssl-3.5.0/test/recipes/80-test_cms.t
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
@@ -182,7 +182,7 @@ my @smime_pkcs7_tests = (
@@ -191,7 +191,7 @@ my @smime_pkcs7_tests = (
[ "signed zero-length content S/MIME format, RSA key SHA1",
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
@@ -955,10 +955,10 @@ Index: openssl-3.5.0/test/recipes/80-test_cms.t
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&zero_compare
],
Index: openssl-3.5.0/test/recipes/80-test_ssl_old.t
Index: openssl-3.5.3/test/recipes/80-test_ssl_old.t
===================================================================
--- openssl-3.5.0.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.5.0/test/recipes/80-test_ssl_old.t
--- openssl-3.5.3.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.5.3/test/recipes/80-test_ssl_old.t
@@ -465,6 +465,9 @@ sub testssl {
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
@@ -977,10 +977,10 @@ Index: openssl-3.5.0/test/recipes/80-test_ssl_old.t
SKIP: {
skip "No IPv4 available on this machine", 4
Index: openssl-3.5.0/apps/openssl.cnf
Index: openssl-3.5.3/apps/openssl.cnf
===================================================================
--- openssl-3.5.0.orig/apps/openssl.cnf
+++ openssl-3.5.0/apps/openssl.cnf
--- openssl-3.5.3.orig/apps/openssl.cnf
+++ openssl-3.5.3/apps/openssl.cnf
@@ -119,7 +119,7 @@ cert_opt = ca_default # Certificate fi
default_days = 365 # how long to certify for
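Review bot: The three `*_setup_md` hunks (`dsa_setup_md` at `@@ -187,9 +187,7 @@`, `ecdsa_setup_md` at `@@ -215,9 +215,7 @@`, `rsa_setup_md` at `@@ -407,9 +407,7 @@`) leave the digest decision to `ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), OSSL_FIPS_IND_SETTABLE1, ...)`, which reads as a settable indicator check rather than an unconditional refusal. If so, SHA-1 verification is denied only while that indicator stays in its strict state, and the patch description should say so, e.g. `SHA-1 sigver is rejected through the FIPS indicator digest check; relaxing that setting re-enables it`. The lines each hunk removes are not shown on this page, so please confirm against the full patch. The changed expectations in evppkey_ecdsa.txt (`Result = PKEY_CTRL_ERROR`) and evppkey_ecdsa_sigalg.txt (`Result = KEYOP_INIT_ERROR`) only demonstrate the denial if those cases run against the FIPS provider during the package build.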


@@ -18,10 +18,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
6 files changed, 164 insertions(+), 43 deletions(-)
mode change 100644 => 100755 test/recipes/80-test_ssl_old.t
Index: openssl-3.5.0-beta1/providers/common/securitycheck.c
Index: openssl-3.5.3/providers/common/securitycheck.c
===================================================================
--- openssl-3.5.0-beta1.orig/providers/common/securitycheck.c
+++ openssl-3.5.0-beta1/providers/common/securitycheck.c
--- openssl-3.5.3.orig/providers/common/securitycheck.c
+++ openssl-3.5.3/providers/common/securitycheck.c
@@ -64,6 +64,7 @@ int ossl_rsa_key_op_get_protect(const RS
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
@@ -30,10 +30,10 @@ Index: openssl-3.5.0-beta1/providers/common/securitycheck.c
int ossl_rsa_check_key_size(const RSA *rsa, int protect)
{
int sz = RSA_bits(rsa);
Index: openssl-3.5.0-beta1/providers/fips/include/fips_indicator_params.inc
Index: openssl-3.5.3/providers/fips/include/fips_indicator_params.inc
===================================================================
--- openssl-3.5.0-beta1.orig/providers/fips/include/fips_indicator_params.inc
+++ openssl-3.5.0-beta1/providers/fips/include/fips_indicator_params.inc
--- openssl-3.5.3.orig/providers/fips/include/fips_indicator_params.inc
+++ openssl-3.5.3/providers/fips/include/fips_indicator_params.inc
@@ -13,7 +13,7 @@ OSSL_FIPS_PARAM(sskdf_digest_check, SSKD
OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
@@ -43,13 +43,13 @@ Index: openssl-3.5.0-beta1/providers/fips/include/fips_indicator_params.inc
OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
Index: openssl-3.5.0-beta1/providers/implementations/asymciphers/rsa_enc.c
Index: openssl-3.5.3/providers/implementations/asymciphers/rsa_enc.c
===================================================================
--- openssl-3.5.0-beta1.orig/providers/implementations/asymciphers/rsa_enc.c
+++ openssl-3.5.0-beta1/providers/implementations/asymciphers/rsa_enc.c
@@ -168,6 +168,18 @@ static int rsa_encrypt(void *vprsactx, u
--- openssl-3.5.3.orig/providers/implementations/asymciphers/rsa_enc.c
+++ openssl-3.5.3/providers/implementations/asymciphers/rsa_enc.c
@@ -174,6 +174,18 @@ static int rsa_encrypt(void *vprsactx, u
return 0;
}
#endif
+# ifdef FIPS_MODULE
+ if (prsactx->pad_mode == RSA_NO_PADDING) {
@@ -64,9 +64,9 @@ Index: openssl-3.5.0-beta1/providers/implementations/asymciphers/rsa_enc.c
+# endif
+
if (out == NULL) {
size_t len = RSA_size(prsactx->rsa);
@@ -230,6 +242,20 @@ static int rsa_decrypt(void *vprsactx, u
*outlen = len;
return 1;
@@ -235,6 +247,20 @@ static int rsa_decrypt(void *vprsactx, u
if (!ossl_prov_is_running())
return 0;
@@ -87,10 +87,10 @@ Index: openssl-3.5.0-beta1/providers/implementations/asymciphers/rsa_enc.c
if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
if (out == NULL) {
*outlen = SSL_MAX_MASTER_KEY_LENGTH;
Index: openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
===================================================================
--- openssl-3.5.0-beta1.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
@@ -910,11 +910,11 @@ Index: openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-9
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Index: openssl-3.5.0-beta1/test/recipes/80-test_cms.t
Index: openssl-3.5.3/test/recipes/80-test_cms.t
===================================================================
--- openssl-3.5.0-beta1.orig/test/recipes/80-test_cms.t
+++ openssl-3.5.0-beta1/test/recipes/80-test_cms.t
@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
--- openssl-3.5.3.orig/test/recipes/80-test_cms.t
+++ openssl-3.5.3/test/recipes/80-test_cms.t
@@ -267,7 +267,7 @@ my @smime_pkcs7_tests = (
if ($no_fips || $old_fips) {
push(@smime_pkcs7_tests,
@@ -923,7 +923,7 @@ Index: openssl-3.5.0-beta1/test/recipes/80-test_cms.t
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
"-aes256", "-stream", "-out", "{output}.cms",
$smrsa1,
@@ -1267,6 +1267,9 @@ sub check_availability {
@@ -1284,6 +1284,9 @@ sub check_availability {
return "$tnam: skipped, DSA disabled\n"
if ($no_dsa && $tnam =~ / DSA/);
@@ -933,10 +933,10 @@ Index: openssl-3.5.0-beta1/test/recipes/80-test_cms.t
return "";
}
Index: openssl-3.5.0-beta1/test/recipes/80-test_ssl_old.t
Index: openssl-3.5.3/test/recipes/80-test_ssl_old.t
===================================================================
--- openssl-3.5.0-beta1.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.5.0-beta1/test/recipes/80-test_ssl_old.t
--- openssl-3.5.3.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.5.3/test/recipes/80-test_ssl_old.t
@@ -561,6 +561,18 @@ sub testssl {
# the default choice if TLSv1.3 enabled
my $flag = $protocol eq "-tls1_3" ? "" : $protocol;