import openssl3-3.2.2-2.1.el8

5 months ago · 814ca724ca
parent 2e26a3def6
commit 814ca724ca
10 changed files with 168 additions and 282 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/openssl-3.2.1.tar.gz
+SOURCES/openssl-3.2.2.tar.gz
--- a/.openssl3.metadata
+++ b/.openssl3.metadata
@ -1 +1 @@
-070a0ae6df5de8536c215046f7e7065fafde6504  SOURCES/openssl-3.2.1.tar.gz
+b12311372a0277ca0eb218a68a7fd9f5ce66d162  SOURCES/openssl-3.2.2.tar.gz
--- a/SOURCES/0033-FIPS-embed-hmac.patch
+++ b/SOURCES/0033-FIPS-embed-hmac.patch
@ -383,8 +383,8 @@ index 18d9f3d204..71780d8caa 100644
 --- a/test/recipes/90-test_sslapi.t
 +++ b/test/recipes/90-test_sslapi.t
@@ -17,7 +17,7 @@ setup("test_sslapi");
- use lib srctop_dir('Configurations');
+ setup("test_sslapi");
- use lib bldtop_dir('.');
+ }
 -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
--- a/SOURCES/0076-FIPS-140-3-DRBG.patch
+++ b/SOURCES/0076-FIPS-140-3-DRBG.patch
@ -198,6 +198,14 @@ diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
 index 14999540ab..b05b84717b 100644
 --- a/crypto/rand/rand_lib.c
 +++ b/crypto/rand/rand_lib.c
@@ -11,6 +11,7 @@
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include <openssl/err.h>
 +#include <openssl/evp.h>
 #include <openssl/opensslconf.h>
 #include <openssl/core_names.h>
 #include "internal/cryptlib.h"
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
         return ret;
     }
@ -215,3 +223,76 @@ index 14999540ab..b05b84717b 100644
                                         PRIMARY_RESEED_INTERVAL,
                                         PRIMARY_RESEED_TIME_INTERVAL, 1);
     /*
@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_
         if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
                 && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
             return NULL;
 -        rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
 +        rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
                              SECONDARY_RESEED_TIME_INTERVAL, 0);
         CRYPTO_THREAD_set_local(&dgbl->public, rand);
     }
@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB
         if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
                 && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
             return NULL;
 -        rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
 +        rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
                              SECONDARY_RESEED_TIME_INTERVAL, 0);
         CRYPTO_THREAD_set_local(&dgbl->private, rand);
     }
 diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c
 --- openssl-3.2.1/test/drbgtest.c.xxx	2024-05-02 15:37:23.550979597 +0200
 +++ openssl-3.2.1/test/drbgtest.c	2024-05-02 15:45:37.189979881 +0200
@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s
         reseed_when = time(NULL);
     /* Generate random output from the public and private DRBG */
 -    before_reseed = expect_primary_reseed == 1 ? reseed_when : 0;
 +    before_reseed = 0;
     if (!TEST_int_eq(rand_bytes((unsigned char*)public_random,
                                 RANDOM_SIZE), expect_success)
         || !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random,
@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s
      */
     /* Test whether reseeding succeeded as expected */
 -    if (!TEST_int_eq(state(primary), expected_state)
 -        || !TEST_int_eq(state(public), expected_state)
 +    if (/*!TEST_int_eq(state(primary), expected_state)
 +        ||*/ !TEST_int_eq(state(public), expected_state)
         || !TEST_int_eq(state(private), expected_state))
         return 0;
@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s
     if (expect_public_reseed >= 0) {
         /* Test whether public DRBG was reseeded as expected */
         if (!TEST_int_ge(reseed_counter(public), public_reseed)
 -                || !TEST_uint_ge(reseed_counter(public),
 -                                 reseed_counter(primary)))
 +                /*|| !TEST_uint_ge(reseed_counter(public),
 +                                 reseed_counter(primary))*/)
             return 0;
     }
     if (expect_private_reseed >= 0) {
         /* Test whether public DRBG was reseeded as expected */
         if (!TEST_int_ge(reseed_counter(private), private_reseed)
 -                || !TEST_uint_ge(reseed_counter(private),
 -                                 reseed_counter(primary)))
 +                /*|| !TEST_uint_ge(reseed_counter(private),
 +                                 reseed_counter(primary))*/)
             return 0;
     }
@@ -577,8 +577,8 @@ static int test_rand_reseed(void)
     if (!TEST_ptr_ne(public, private)
         || !TEST_ptr_ne(public, primary)
         || !TEST_ptr_ne(private, primary)
 -        || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
 -        || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary)))
 +        /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
 +        || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/)
         return 0;
     /* Disable CRNG testing for the primary DRBG */
--- a/SOURCES/0078-KDF-Add-FIPS-indicators.patch
+++ b/SOURCES/0078-KDF-Add-FIPS-indicators.patch
@ -120,7 +120,7 @@ index dfa7786bde..f01e40ff5a 100644
     switch (ctx->mode) {
     case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
     default:
-@@ -332,15 +342,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
 {
     KDF_HKDF *ctx = (KDF_HKDF *)vctx;
     OSSL_PARAM *p;
@ -129,13 +129,20 @@ index dfa7786bde..f01e40ff5a 100644
     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
         size_t sz = kdf_hkdf_size(ctx);
 -        if (sz == 0)
 +        any_valid = 1;
-+
+         if (sz == 0)
-+        if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
+             return 0;
-+            return 0;
+         return OSSL_PARAM_set_size_t(p, sz);
-+    }
+     }
-+
+     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
 +        any_valid = 1;
         if (ctx->info == NULL || ctx->info_len == 0) {
             p->return_size = 0;
             return 1;
         }
         return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
     }
 -    return -2;
 +#ifdef FIPS_MODULE
 +    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
 +            != NULL) {
@ -189,10 +196,8 @@ index dfa7786bde..f01e40ff5a 100644
 +            }
 +        }
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
-             return 0;
+            return 0;
-        return OSSL_PARAM_set_size_t(p, sz);
+    }
     }
 -    return -2;
 +#endif /* defined(FIPS_MODULE) */
 +
 +    if (!any_valid)
@ -203,9 +208,9 @@ index dfa7786bde..f01e40ff5a 100644
 static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
 {
     static const OSSL_PARAM known_gettable_ctx_params[] = {
         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
 +#ifdef FIPS_MODULE
 +        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
 +#endif /* defined(FIPS_MODULE) */
--- a/SOURCES/0117-ignore-unknown-sigalgorithms-groups.patch
+++ b/SOURCES/0117-ignore-unknown-sigalgorithms-groups.patch
@ -111,7 +111,7 @@ index 056aae3863..fe680449c5 100644
 +    }
     if (garg->gidcnt == garg->gidmax) {
         uint16_t *tmp =
-             OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT);
+             OPENSSL_realloc(garg->gid_arr,
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
     gid = tls1_group_name2id(garg->ctx, etmp);
@ -161,18 +161,18 @@ index 056aae3863..fe680449c5 100644
         return 0;
     if (len > (int)(sizeof(etmp) - 1))
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
-                 break;
+                     break;
                 }
             }
 -            if (i == OSSL_NELEM(sigalg_lookup_tbl))
 -                return 0;
 +            if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
 +                /* Ignore unknown algorithms if ignore_unknown */
 +                return ignore_unknown;
 +            }
         }
 -        if (i == OSSL_NELEM(sigalg_lookup_tbl))
 -            return 0;
 +        if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
 +            /* Ignore unknown algorithms if ignore_unknown */
 +            return ignore_unknown;
 +        }
     } else {
         *p = 0;
         p++;
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
             return 0;
         get_sigorhash(&sig_alg, &hash_alg, etmp);
@ -209,7 +209,7 @@ index 056aae3863..fe680449c5 100644
     }
     return 1;
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
-     sig.sigalgcnt = 0;
+     }
     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
         return 0;
 +    if (sig.sigalgcnt == 0) {
--- a/SOURCES/0118-no-crl-memleak.patch
+++ b/SOURCES/0118-no-crl-memleak.patch
@ -1,80 +0,0 @@
 From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001
 From: Dmitry Belyavskiy <beldmit@gmail.com>
 Date: Tue, 27 Feb 2024 15:22:58 +0100
 Subject: [PATCH 48/49] 0118-no-crl-memleak.patch
 Patch-name: 0118-no-crl-memleak.patch
 Patch-id: 118
 Patch-status: |
    # https://github.com/openssl/openssl/issues/23770
 ---
 crypto/x509/by_file.c                      | 2 ++
 test/recipes/60-test_x509_load_cert_file.t | 3 ++-
 test/x509_load_cert_file_test.c            | 8 +++++++-
 3 files changed, 11 insertions(+), 2 deletions(-)
 diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
 index 5073c137a2..85923804ac 100644
 --- a/crypto/x509/by_file.c
 +++ b/crypto/x509/by_file.c
@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
                 goto err;
             }
             count++;
 +            X509_CRL_free(x);
 +            x = NULL;
         }
     } else if (type == X509_FILETYPE_ASN1) {
         x = d2i_X509_CRL_bio(in, NULL);
 diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t
 index 75aeac362c..e329d7675c 100644
 --- a/test/recipes/60-test_x509_load_cert_file.t
 +++ b/test/recipes/60-test_x509_load_cert_file.t
@@ -12,4 +12,5 @@ setup("test_load_cert_file");
 plan tests => 1;
 -ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")])));
 +ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"),
 +             srctop_file("test", "certs", "cyrillic_crl.pem")])));
 diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c
 index 4a736071ae..c07d329915 100644
 --- a/test/x509_load_cert_file_test.c
 +++ b/test/x509_load_cert_file_test.c
@@ -12,6 +12,7 @@
 #include "testutil.h"
 static const char *chain;
 +static const char *crl;
 static int test_load_cert_file(void)
 {
@@ -27,12 +28,15 @@ static int test_load_cert_file(void)
         && TEST_int_eq(sk_X509_num(certs), 4))
         ret = 1;
 +    if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM)))
 +        ret = 0;
 +
     OSSL_STACK_OF_X509_free(certs);
     X509_STORE_free(store);
     return ret;
 }
 -OPT_TEST_DECLARE_USAGE("cert.pem...\n")
 +OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n")
 int setup_tests(void)
 {
@@ -45,6 +49,8 @@ int setup_tests(void)
     if (chain == NULL)
         return 0;
 +    crl = test_get_argument(1);
 +
     ADD_TEST(test_load_cert_file);
     return 1;
 }
 -- 
 2.44.0
--- a/SOURCES/0119-provider-sigalgs-in-signaturealgorithms-conf.patch
+++ b/SOURCES/0119-provider-sigalgs-in-signaturealgorithms-conf.patch
@ -1,170 +0,0 @@
 From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001
 From: Dmitry Belyavskiy <dbelyavs@redhat.com>
 Date: Fri, 8 Mar 2024 11:18:12 +0100
 Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
 Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
 Patch-id: 119
 Patch-status: |
    # https://github.com/openssl/openssl/issues/22779
 ---
 ssl/s3_lib.c    |  8 ++++----
 ssl/ssl_lib.c   |  2 +-
 ssl/ssl_local.h |  2 +-
 ssl/t1_lib.c    | 45 ++++++++++++++++++++++++++++++++++-----------
 4 files changed, 40 insertions(+), 17 deletions(-)
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
 index e8ec98c221..48a1aa0e61 100644
 --- a/ssl/s3_lib.c
 +++ b/ssl/s3_lib.c
@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
         return tls1_set_sigalgs(sc->cert, parg, larg, 0);
     case SSL_CTRL_SET_SIGALGS_LIST:
 -        return tls1_set_sigalgs_list(sc->cert, parg, 0);
 +        return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0);
     case SSL_CTRL_SET_CLIENT_SIGALGS:
         return tls1_set_sigalgs(sc->cert, parg, larg, 1);
     case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
 -        return tls1_set_sigalgs_list(sc->cert, parg, 1);
 +        return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1);
     case SSL_CTRL_GET_CLIENT_CERT_TYPES:
         {
@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
         return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
     case SSL_CTRL_SET_SIGALGS_LIST:
 -        return tls1_set_sigalgs_list(ctx->cert, parg, 0);
 +        return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0);
     case SSL_CTRL_SET_CLIENT_SIGALGS:
         return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
     case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
 -        return tls1_set_sigalgs_list(ctx->cert, parg, 1);
 +        return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1);
     case SSL_CTRL_SET_CLIENT_CERT_TYPES:
         return ssl3_set_req_cert_type(ctx->cert, parg, larg);
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
 index 1329841aaf..4d95ab71cd 100644
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
             return tls1_set_groups_list(ctx, NULL, NULL, parg);
         case SSL_CTRL_SET_SIGALGS_LIST:
         case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
 -            return tls1_set_sigalgs_list(NULL, parg, 0);
 +            return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
         default:
             return 0;
         }
 diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
 index 0d3acfbe66..a73b2c4770 100644
 --- a/ssl/ssl_local.h
 +++ b/ssl/ssl_local.h
@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s);
 void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op);
 -__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
 +__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client);
 __owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
                                 int client);
 __owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen,
 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
 index fe680449c5..87f2ae7000 100644
 --- a/ssl/t1_lib.c
 +++ b/ssl/t1_lib.c
@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx)
     /* now populate ctx->ssl_cert_info */
     if (ctx->sigalg_list_len > 0) {
 +        OPENSSL_free(ctx->ssl_cert_info);
         ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
         if (ctx->ssl_cert_info == NULL)
             return 0;
@@ -2889,6 +2890,7 @@ typedef struct {
     size_t sigalgcnt;
     /* TLSEXT_SIGALG_XXX values */
     uint16_t sigalgs[TLS_MAX_SIGALGCNT];
 +    SSL_CTX *ctx;
 } sig_cb_st;
 static void get_sigorhash(int *psig, int *phash, const char *str)
@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str)
 static int sig_cb(const char *elem, int len, void *arg)
 {
     sig_cb_st *sarg = arg;
 -    size_t i;
 +    size_t i = 0;
 +    int load_success = 0;
     const SIGALG_LOOKUP *s;
     char etmp[TLS_MAX_SIGSTRING_LEN], *p;
     int sig_alg = NID_undef, hash_alg = NID_undef;
@@ -2943,17 +2946,36 @@ static int sig_cb(const char *elem, int len, void *arg)
      * in the table.
      */
     if (p == NULL) {
 -        for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
 -             i++, s++) {
 -            if (s->name != NULL && strcmp(etmp, s->name) == 0) {
 -                sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
 -                break;
 -            }
 +        /* Load provider sigalgs */
 +        if (sarg->ctx) {
 +            load_success = ssl_load_sigalgs(sarg->ctx);
         }
 -        if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
 -            /* Ignore unknown algorithms if ignore_unknown */
 -            return ignore_unknown;
 +        if (load_success) {
 +            /* Check if a provider supports the sigalg */
 +            for (i = 0; i < sarg->ctx->sigalg_list_len; i++) {
 +                if (sarg->ctx->sigalg_list[i].sigalg_name != NULL
 +                    && strcmp(etmp,
 +                              sarg->ctx->sigalg_list[i].sigalg_name) == 0) {
 +                    sarg->sigalgs[sarg->sigalgcnt++] =
 +                            sarg->ctx->sigalg_list[i].code_point;
 +                    break;
 +                }
 +            }
         }
 +        /* Check the built-in sigalgs */
 +        if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) {
 +            for (i = 0, s = sigalg_lookup_tbl;
 +                 i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
 +                if (s->name != NULL && strcmp(etmp, s->name) == 0) {
 +                    sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
 +                    break;
 +                }
 +            }
 +            if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
 +                /* Ignore unknown algorithms if ignore_unknown */
 +                return ignore_unknown;
 +            }
 +	}
     } else {
         *p = 0;
         p++;
@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg)
  * Set supported signature algorithms based on a colon separated list of the
  * form sig+hash e.g. RSA+SHA512:DSA+SHA512
  */
 -int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
 +int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
 {
     sig_cb_st sig;
     sig.sigalgcnt = 0;
 +    sig.ctx = ctx;
     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
         return 0;
     if (sig.sigalgcnt == 0) {
 -- 
 2.44.0
--- a/SOURCES/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
+++ b/SOURCES/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
@ -0,0 +1,33 @@
 From 34a709e89e0c43928d9353aca1fb0c82aaa7e6ab Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Wed, 12 Jun 2024 20:14:04 +0900
 Subject: [PATCH] kdf: Preserve backward compatibility with older providers
 Suggested in:
 https://github.com/openssl/openssl/issues/24611#issuecomment-2162560293
 ---
 crypto/evp/pmeth_lib.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
 index 015f756..e776ea5 100644
 --- a/crypto/evp/pmeth_lib.c
 +++ b/crypto/evp/pmeth_lib.c
@@ -1068,8 +1068,13 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
     os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
     os_params[1] = OSSL_PARAM_construct_end();
 -    if (!EVP_PKEY_CTX_get_params(ctx, os_params))
 +    if (!EVP_PKEY_CTX_get_params(ctx, os_params)) {
 +        if (EVP_PKEY_CTX_gettable_params(ctx) == NULL) {
 +            /* Older provider that doesn't support gettable parameters */
 +            return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
 +        }
         return 0;
 +    }
     /* Older provider that doesn't support getting this parameter */
     if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
 -- 
 2.45.1
--- a/SPECS/openssl3.spec
+++ b/SPECS/openssl3.spec
@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl3
-Version: 3.2.1
+Version: 3.2.2
-Release: 1.2%{?dist}
+Release: 2.1%{?dist}
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
 # The original openssl upstream tarball cannot be shipped in the .src.rpm.
@ -151,15 +151,13 @@ Patch115: 0115-skip-quic-pairwise.patch
 Patch116: 0116-version-aliasing.patch
 # https://github.com/openssl/openssl/issues/23050
 Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
 # https://github.com/openssl/openssl/issues/23770
 Patch118: 0118-no-crl-memleak.patch
 # https://github.com/openssl/openssl/issues/22779
 Patch119: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2160797
 Patch121: 0121-FIPS-cms-defaults.patch
 # KTLS regression, temporary skip tests
 Patch122: 0122-TMP-KTLS-test-skip.patch
 # HKDF regression with older provider implementations
 Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
@ -509,6 +507,25 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/{make,renew}-dummy-cert
 %ldconfig_scriptlets libs
 %changelog
 * Mon Jun 17 2024 Michel Lind <salimma@fedoraproject.org> - 3.2.2-2.1
 - Merge c9s openssl changes to pick up CVE fixes
 * Wed Jun 12 2024 Daiki Ueno <dueno@redhat.com> - 1:3.2.2-2
 - Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
  Resolves: RHEL-40823
 * Wed Jun 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-1
 - Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741,
  and Minerva attack.
  Resolves: RHEL-32148
  Resolves: RHEL-36792
  Resolves: RHEL-38514
  Resolves: RHEL-39111
 * Thu May 23 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.1-2
 - Update RNG changing for FIPS purpose
  Resolves: RHEL-35380
 * Thu May 02 2024 Michel Lind <salimma@fedoraproject.org> - 3.2.1-1.2
 - Drop openssl-fips-provider requirement, accidentally included due to incorrect gating
`@ -1 +1 @@`
	`SOURCES/openssl-3.2.1.tar.gz`	`SOURCES/openssl-3.2.2.tar.gz`
`@ -1 +1 @@`
	`070a0ae6df5de8536c215046f7e7065fafde6504 SOURCES/openssl-3.2.1.tar.gz`	`b12311372a0277ca0eb218a68a7fd9f5ce66d162 SOURCES/openssl-3.2.2.tar.gz`