Accepting request 1130033 from security:tls

Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/1130033 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=55
2023-12-01 20:24:50 +00:00 · 2023-12-01 20:24:50 +00:00 · b7632f2b6b
commit b7632f2b6b
parent 2e9c11df10 f18ebf3adf
8 changed files with 73 additions and 56 deletions
--- a/openssl-1.1.1-evp-kdf.patch
+++ b/openssl-1.1.1-evp-kdf.patch
@ -5228,14 +5228,14 @@ Index: openssl-1.1.1n/util/libcrypto.num
 FIPS_rand_strength                      6380	1_1_0g	EXIST::FUNCTION:
 FIPS_drbg_get_blocklength               6381	1_1_0g	EXIST::FUNCTION:
 FIPS_drbg_init                          6382	1_1_0g	EXIST::FUNCTION:
-+EVP_KDF_CTX_new_id                      6590	1_1_1b	EXIST::FUNCTION:
-+EVP_KDF_CTX_free                        6591	1_1_1b	EXIST::FUNCTION:
-+EVP_KDF_reset                           6592	1_1_1b	EXIST::FUNCTION:
-+EVP_KDF_ctrl                            6593	1_1_1b	EXIST::FUNCTION:
-+EVP_KDF_vctrl                           6594	1_1_1b	EXIST::FUNCTION:
-+EVP_KDF_ctrl_str                        6595	1_1_1b	EXIST::FUNCTION:
-+EVP_KDF_size                            6596	1_1_1b	EXIST::FUNCTION:
-+EVP_KDF_derive                          6597	1_1_1b	EXIST::FUNCTION:
+EVP_KDF_CTX_new_id                      6590	1_1_1d	EXIST::FUNCTION:
+EVP_KDF_CTX_free                        6591	1_1_1d	EXIST::FUNCTION:
+EVP_KDF_reset                           6592	1_1_1d	EXIST::FUNCTION:
+EVP_KDF_ctrl                            6593	1_1_1d	EXIST::FUNCTION:
+EVP_KDF_vctrl                           6594	1_1_1d	EXIST::FUNCTION:
+EVP_KDF_ctrl_str                        6595	1_1_1d	EXIST::FUNCTION:
+EVP_KDF_size                            6596	1_1_1d	EXIST::FUNCTION:
+EVP_KDF_derive                          6597	1_1_1d	EXIST::FUNCTION:
 Index: openssl-1.1.1n/util/private.num
 ===================================================================
 --- openssl-1.1.1n.orig/util/private.num
--- a/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
+++ b/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
@ -0,0 +1,23 @@
+diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
+index cbbfab1..7576de8 100644
+--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
+@@ -14,6 +14,9 @@
+ extern "C" {
+ #endif
+ 
+#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x
+#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x)
+
+ /*-
+  * Numeric release version identifier:
+  * MNNFFPPS: major minor fix patch status
+@@ -40,7 +43,7 @@ extern "C" {
+  *  major minor fix final patch/beta)
+  */
+ # define OPENSSL_VERSION_NUMBER  0x1010117fL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023"
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
+ 
+ /*-
+  * The macros below are to be used for shared library (.so, .dll, ...)
--- a/openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
+++ b/openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
@ -35,11 +35,11 @@
  *  major minor fix final patch/beta)
  */
 # define OPENSSL_VERSION_NUMBER  0x1010117fL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023"
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 +# ifdef OPENSSL_FIPS
-+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w-fips  11 Sep 2023"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w-fips  11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 +# else
-+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 +# endif
 
 /*-
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Nov 23 09:43:39 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
+  * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
+- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
+  * bsc#1190652 - Provide a service to output module name/identifier
+    and version
+- Sync patches with SLE:
+  * Merge openssl-keep_EVP_KDF_functions_version.patch into
+    openssl-1.1.1-evp-kdf.patch
+  * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
+  * Remove openssl-no-date.patch
+
 -------------------------------------------------------------------
 Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -60,7 +60,6 @@ Patch3:         openssl-pkgconfig.patch
 Patch4:         openssl-DEFAULT_SUSE_cipher.patch
 Patch5:         openssl-ppc64-config.patch
 Patch6:         openssl-riscv64-config.patch
-Patch7:         openssl-no-date.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
 Patch8:         0001-s390x-assembly-pack-perlasm-support.patch
 Patch9:         0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
@ -95,7 +94,6 @@ Patch38:        openssl-1.1.1-ssh-kdf.patch
 Patch40:        openssl-fips-selftests_in_nonfips_mode.patch
 Patch41:        openssl-fips-clearerror.patch
 Patch42:        openssl-fips-ignore_broken_atexit_test.patch
-Patch43:        openssl-keep_EVP_KDF_functions_version.patch
 Patch45:        openssl-fips-add-SHA3-selftest.patch
 Patch46:        openssl-fips_selftest_upstream_drbg.patch
 Patch47:        openssl-unknown_dgst.patch
@ -126,15 +124,17 @@ Patch72:        openssl-1_1-Optimize-AES-GCM-uarchs.patch
 Patch73:        openssl-FIPS-KAT-before-integrity-tests.patch
 # PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
 Patch74:        openssl-1_1-FIPS-fix-error-reason-codes.patch
+#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string
+Patch75:        openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
 # PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
-Patch75:        openssl-1_1-paramgen-default_to_rfc7919.patch
+Patch76:        openssl-1_1-paramgen-default_to_rfc7919.patch
 # PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
-Patch76:        openssl-1_1-use-include-directive.patch
+Patch77:        openssl-1_1-use-include-directive.patch
 # PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
-Patch77:        openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
-Patch78:        bsc1185319-FIPS-KAT-for-ECDSA.patch
-Patch79:        bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
-Patch81:        openssl-1_1-shortcut-test_afalg_aes_cbc.patch
+Patch78:        openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
+Patch79:        bsc1185319-FIPS-KAT-for-ECDSA.patch
+Patch80:        bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
+Patch82:        openssl-1_1-shortcut-test_afalg_aes_cbc.patch
 # PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components
 Patch84:        openssl-1_1-Zeroization.patch
 # PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
@ -188,6 +188,8 @@ Patch114:       openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.pat
 # PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
 # checking excessively long X9.42 DH keys or parameters may be very slow
 Patch115:       openssl-CVE-2023-5678.patch
+# PATCH-FIX-OPENSUSE skip SHA1 test in FIPS mode
+Patch116:       openssl-Skip_SHA1-test-in-FIPS-mode.patch
 BuildRequires:  jitterentropy-devel >= 3.4.0
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
--- a/openssl-Skip_SHA1-test-in-FIPS-mode.patch
+++ b/openssl-Skip_SHA1-test-in-FIPS-mode.patch
@ -0,0 +1,15 @@
+Index: openssl-1.1.1w/test/recipes/20-test_dgst.t
+===================================================================
+--- openssl-1.1.1w.orig/test/recipes/20-test_dgst.t
+++ openssl-1.1.1w/test/recipes/20-test_dgst.t
+@@ -104,8 +105,8 @@ SKIP: {
+ }
+ 
+ SKIP: {
+-    skip "dgst with engine is not supported by this OpenSSL build", 1
+-        if disabled("engine") || disabled("dynamic-engine");
+    skip "dgst with engine is not supported by this OpenSSL build or we are in FIPS mode", 1
+        if disabled("engine") || disabled("dynamic-engine") || ($ENV{OPENSSL_FORCE_FIPS_MODE});
+ 
+     subtest "SHA1 generation by engine with `dgst` CLI" => sub {
+         plan tests => 1;
--- a/openssl-keep_EVP_KDF_functions_version.patch
+++ b/openssl-keep_EVP_KDF_functions_version.patch
@ -1,24 +0,0 @@
-Index: openssl-1.1.1d/util/libcrypto.num
-===================================================================
--- openssl-1.1.1d.orig/util/libcrypto.num	2020-01-27 12:07:26.467151662 +0100
-+++ openssl-1.1.1d/util/libcrypto.num	2020-01-27 13:18:44.456778054 +0100
-@@ -4617,11 +4617,11 @@ FIPS_drbg_get_strength
- FIPS_rand_strength                      6380	1_1_0g	EXIST::FUNCTION:
- FIPS_drbg_get_blocklength               6381	1_1_0g	EXIST::FUNCTION:
- FIPS_drbg_init                          6382	1_1_0g	EXIST::FUNCTION:
-EVP_KDF_CTX_new_id                      6590	1_1_1b	EXIST::FUNCTION:
-EVP_KDF_CTX_free                        6591	1_1_1b	EXIST::FUNCTION:
-EVP_KDF_reset                           6592	1_1_1b	EXIST::FUNCTION:
-EVP_KDF_ctrl                            6593	1_1_1b	EXIST::FUNCTION:
-EVP_KDF_vctrl                           6594	1_1_1b	EXIST::FUNCTION:
-EVP_KDF_ctrl_str                        6595	1_1_1b	EXIST::FUNCTION:
-EVP_KDF_size                            6596	1_1_1b	EXIST::FUNCTION:
-EVP_KDF_derive                          6597	1_1_1b	EXIST::FUNCTION:
-+EVP_KDF_CTX_new_id                      6590	1_1_1d	EXIST::FUNCTION:
-+EVP_KDF_CTX_free                        6591	1_1_1d	EXIST::FUNCTION:
-+EVP_KDF_reset                           6592	1_1_1d	EXIST::FUNCTION:
-+EVP_KDF_ctrl                            6593	1_1_1d	EXIST::FUNCTION:
-+EVP_KDF_vctrl                           6594	1_1_1d	EXIST::FUNCTION:
-+EVP_KDF_ctrl_str                        6595	1_1_1d	EXIST::FUNCTION:
-+EVP_KDF_size                            6596	1_1_1d	EXIST::FUNCTION:
-+EVP_KDF_derive                          6597	1_1_1d	EXIST::FUNCTION:
--- a/openssl-no-date.patch
+++ b/openssl-no-date.patch
@ -1,13 +0,0 @@
-Index: openssl-1.1.1-pre1/util/mkbuildinf.pl
-===================================================================
--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl	2018-02-13 16:31:28.011389734 +0100
-+++ openssl-1.1.1-pre1/util/mkbuildinf.pl	2018-02-13 16:31:51.539764582 +0100
-@@ -28,7 +28,7 @@ print <<"END_OUTPUT";
-  */
- 
- #define PLATFORM "platform: $platform"
-#define DATE "built on: $date"
-+#define DATE ""
- 
- /*
-  * Generate compiler_flags as an array of individual characters. This is a