From 1bd2a0cee30459d7ff3b9d4401a80f9ee4e161db Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Mon, 20 Mar 2023 20:09:04 +0100
Subject: [PATCH] Add missing patchfile, fix gettable params
Add the patchfile that was committed but not referenced in the spec file. Fix the patch to apply on openssl 3.0.7 and fix the gettable FIPS indicator parameter for the RSA asymmetric cipher implementation.
Resolves: rhbz#2179379
Signed-off-by: Clemens Lang
---
 ...hers-kem-Add-explicit-FIPS-indicator.patch | 24 +++++++++----------
 openssl.spec | 10 +++++++-
 2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
index 4cda828..23777c1 100644
--- a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
@@ -29,10 +29,10 @@ diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
 index 832502a034..e15d208421 100644
 --- a/include/openssl/core_names.h
 +++ b/include/openssl/core_names.h
-@@ -469,6 +469,7 @@ extern "C" {
- #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"
- #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"
- #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"
+@@ -477,6 +477,7 @@ extern "C" {
+ #ifdef FIPS_MODULE
+ #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed"
+ #endif
 +#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
 /*
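Review bot: The refreshed context lines in this hunk (`#ifdef FIPS_MODULE`, `OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED`, `#endif`) look like text introduced by another downstream patch rather than by upstream 3.0.7, so 0113 now applies only when that patch has been applied first, and nothing in the patch or the spec records this. The `known_gettable_ctx_params` hunk further down has the same dependency: it inserts `OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),` inside the existing `#ifdef FIPS_MODULE` block next to the KAT seed entry. Since the commit message says the patch file was previously committed without being referenced, I would record the ordering in a comment above `Patch113:`, for example `# Applies on top of the patch that adds OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED`.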
@@ -99,16 +99,14 @@ index 568452ec56..0a9adb4056 100644 return 1; } -@@ -410,6 +438,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { - NULL, 0), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), +@@ -465,6 +493,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), -+#ifdef FIPS_MODULE + #ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), + OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ + #endif /* FIPS_MODULE */ OSSL_PARAM_END }; - diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 882cf16125..b4cc0f9237 100644 --- a/providers/implementations/kem/rsa_kem.c @@ -120,8 +118,7 @@ index 882cf16125..b4cc0f9237 100644 +#ifdef FIPS_MODULE + OSSL_PARAM *p; +#endif /* defined(FIPS_MODULE) */ - -- return ctx != NULL; ++ + if (ctx == NULL) + return 0; + @@ -143,7 +140,8 @@ index 882cf16125..b4cc0f9237 100644 + return 0; + } +#endif /* defined(FIPS_MODULE) */ -+ + +- return ctx != NULL; + return 1; } diff --git a/openssl.spec b/openssl.spec index a3b1f73..b335440 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
@@ -175,6 +175,8 @@ Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2175145 Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2179331 +Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -505,6 +507,12 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Mon Mar 20 2023 Clemens Lang - 1:3.0.7-11 +- Add missing reference to patchfile to add explicit FIPS indicator to RSA + encryption and RSASVE and fix the gettable parameter list for the RSA + asymmetric cipher implementation. + Resolves: rhbz#2179379 + * Fri Mar 17 2023 Clemens Lang - 1:3.0.7-10 - Add explicit FIPS indicator to RSA encryption and RSASVE Resolves: rhbz#2179379
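Review bot: The comment added above `Patch113:` cites bug 2179331, while the commit message and both changelog entries for this patch say `Resolves: rhbz#2179379`. If 2179331 is a related parent or clone, that is fine but worth stating; if it is a typo, the line should read `# https://bugzilla.redhat.com/show_bug.cgi?id=2179379`. Separately, the -10 changelog entry already announces the explicit FIPS indicator for RSA encryption and RSASVE, yet per the commit message the patch was never referenced from the spec, so that build presumably did not contain it. Nothing in this change would catch a repeat; a packaging lint or `%prep` check that every `*.patch` file in the package directory has a matching `PatchNNN:` line would close that gap for compliance-relevant patches like this one.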