diff --git a/0012-Fix-SPKAC-data-from-stdin.patch b/0012-Fix-SPKAC-data-from-stdin.patch
new file mode 100644
index 0000000..b9da02d
--- /dev/null
+++ b/0012-Fix-SPKAC-data-from-stdin.patch
@@ -0,0 +1,28 @@
+diff -up openssl-3.0.0-alpha16/apps/lib/apps.c.spkac openssl-3.0.0-alpha16/apps/lib/apps.c
+--- openssl-3.0.0-alpha16/apps/lib/apps.c.spkac 2021-06-04 09:28:48.162316896 +0200
++++ openssl-3.0.0-alpha16/apps/lib/apps.c 2021-06-04 09:32:53.911795489 +0200
+@@ -403,14 +403,18 @@ CONF *app_load_config_verbose(const char
+ 
+ CONF *app_load_config_internal(const char *filename, int quiet)
+ {
+- BIO *in = NULL; /* leads to empty config in case filename == "" */
++ BIO *in;
+ CONF *conf;
+ 
+- if (*filename != '\0'
+- && (in = bio_open_default_(filename, 'r', FORMAT_TEXT, quiet)) == NULL)
+- return NULL;
+- conf = app_load_config_bio(in, filename);
+- BIO_free(in);
++ if (filename == NULL || *filename != '\0') {
++ if ((in = bio_open_default_(filename, 'r', FORMAT_TEXT, quiet)) == NULL)
++ return NULL;
++ conf = app_load_config_bio(in, filename);
++ BIO_free(in);
++ } else {
++ /* Return empty config if filename is empty string. */
++ conf = NCONF_new_ex(app_libctx, NULL);
++ }
+ return conf;
+ }
+ 
diff --git a/0013-Fix-incorrect-OSSL_PKEY_PARAM_MAX_SIZE.patch b/0013-Fix-incorrect-OSSL_PKEY_PARAM_MAX_SIZE.patch
new file mode 100644
index 0000000..7467edd
--- /dev/null
+++ b/0013-Fix-incorrect-OSSL_PKEY_PARAM_MAX_SIZE.patch
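Review bot: The new condition `if (filename == NULL || *filename != '\0')` lets a NULL `filename` reach `app_load_config_bio(in, filename)` as well as `bio_open_default_()`, and nothing in the hunk shows how either helper treats NULL; if the intent is that NULL means "read standard input", that contract belongs in a comment above the test, e.g. `/* filename == NULL: bio_open_default_ selects its default input (presumably stdin) */`, and the helper that receives the NULL name should be confirmed not to print it. The patch file itself has no header: its first line is already `diff -up`, so the package records neither the problem statement nor which upstream change this mirrors; a short header with both (placeholder: <upstream-commit-id>) would make the backport reviewable later. The enclosing function is shown in full.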
@@ -0,0 +1,41 @@
+diff -up openssl-3.0.0-alpha16/providers/implementations/keymgmt/ecx_kmgmt.c.edsize openssl-3.0.0-alpha16/providers/implementations/keymgmt/ecx_kmgmt.c
+--- openssl-3.0.0-alpha16/providers/implementations/keymgmt/ecx_kmgmt.c.edsize 2021-06-04 09:51:12.567348198 +0200
++++ openssl-3.0.0-alpha16/providers/implementations/keymgmt/ecx_kmgmt.c 2021-06-04 09:52:55.650321215 +0200
+@@ -309,14 +309,14 @@ static int x448_get_params(void *key, OS
+ static int ed25519_get_params(void *key, OSSL_PARAM params[])
+ {
+ return ecx_get_params(key, params, ED25519_BITS, ED25519_SECURITY_BITS,
+- ED25519_KEYLEN)
++ ED25519_SIGSIZE)
+ && ed_get_params(key, params);
+ }
+ 
+ static int ed448_get_params(void *key, OSSL_PARAM params[])
+ {
+ return ecx_get_params(key, params, ED448_BITS, ED448_SECURITY_BITS,
+- ED448_KEYLEN)
++ ED448_SIGSIZE)
+ && ed_get_params(key, params);
+ }
+ 
+diff -up openssl-3.0.0-alpha16/test/evp_pkey_provided_test.c.edsize openssl-3.0.0-alpha16/test/evp_pkey_provided_test.c
+--- openssl-3.0.0-alpha16/test/evp_pkey_provided_test.c.edsize 2021-06-04 09:51:24.540461209 +0200
++++ openssl-3.0.0-alpha16/test/evp_pkey_provided_test.c 2021-06-04 09:54:26.531182412 +0200
+@@ -979,7 +979,7 @@ static int test_fromdata_ecx(int tst)
+ fromdata_params = ed25519_fromdata_params;
+ bits = ED25519_BITS;
+ security_bits = ED25519_SECURITY_BITS;
+- size = ED25519_KEYLEN;
++ size = ED25519_SIGSIZE;
+ alg = "ED25519";
+ break;
+ 
+@@ -987,7 +987,7 @@ static int test_fromdata_ecx(int tst)
+ fromdata_params = ed448_fromdata_params;
+ bits = ED448_BITS;
+ security_bits = ED448_SECURITY_BITS;
+- size = ED448_KEYLEN;
++ size = ED448_SIGSIZE;
+ alg = "ED448";
+ break;
+ default:
diff --git a/0014-Return0-OPENSSL-init-crypto-cleanup.patch b/0014-Return0-OPENSSL-init-crypto-cleanup.patch
new file mode 100644
index 0000000..041c0e7
--- /dev/null
+++ b/0014-Return0-OPENSSL-init-crypto-cleanup.patch
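Review bot: Neither call site says why the last argument to `ecx_get_params()` changes from the key length to the signature size; the spec comment ties it to OSSL_PKEY_PARAM_MAX_SIZE, but the code gives a reader no hint that this parameter sizes the largest output of a signing operation rather than the key material, which is exactly the confusion the old code fell into. A one-line comment at the first changed call, `/* MAX_SIZE: largest signature this key produces, not the key length */`, would settle it, and `ed448_get_params()` can share it. The accompanying test change only swaps the expected constant, which is consistent with the fix. Like the other patch files in this commit, the patch opens with `diff -up` and has no header with the problem statement or upstream reference (placeholder: <upstream-commit-id>).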
@@ -0,0 +1,34 @@
+diff -up openssl-3.0.0-alpha16/crypto/init.c.softhsm openssl-3.0.0-alpha16/crypto/init.c
+--- openssl-3.0.0-alpha16/crypto/init.c.softhsm 2021-06-04 09:40:22.637748149 +0200
++++ openssl-3.0.0-alpha16/crypto/init.c 2021-06-04 09:44:09.695867437 +0200
+@@ -454,6 +454,13 @@ int OPENSSL_init_crypto(uint64_t opts, c
+ uint64_t tmp;
+ int aloaddone = 0;
+ 
++ /* Applications depend on 0 being returned when cleanup was already done */
++ if (stopped) {
++ if (!(opts & OPENSSL_INIT_BASE_ONLY))
++ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INIT_FAIL);
++ return 0;
++ }
++ 
+ /*
+ * We ignore failures from this function. It is probably because we are
+ * on a platform that doesn't support lockless atomic loads (we may not
+@@ -476,15 +483,7 @@ int OPENSSL_init_crypto(uint64_t opts, c
+ /*
+ * At some point we should look at this function with a view to moving
+ * most/all of this into OSSL_LIB_CTX.
+- */
+- 
+- if (stopped) {
+- if (!(opts & OPENSSL_INIT_BASE_ONLY))
+- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INIT_FAIL);
+- return 0;
+- }
+- 
+- /*
++ *
+ * When the caller specifies OPENSSL_INIT_BASE_ONLY, that should be the
+ * *only* option specified. With that option we return immediately after
+ * doing the requested limited initialization. Note that
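Review bot: The relocated `if (stopped)` block now runs before whatever `OPENSSL_init_crypto()` does between the two hunks, and its comment explains only the return value, not why the check had to move ahead of that code; extending it to `/* Applications depend on 0 being returned when cleanup was already done; check this before any initialisation state is touched. */` would record the intent — the second clause is my reading of the move, so confirm it against the skipped lines. The check reads `stopped` with no synchronisation visible in the hunk, which is presumably unchanged from the old position and acceptable only if init and cleanup are never concurrent. The patch file has no header (it opens with `diff -up`), which is where that rationale and the upstream reference (placeholder: <upstream-commit-id>) should live. `OPENSSL_init_crypto()` starts before and ends after the hunk.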
@@ -0,0 +1,36 @@
+diff -up openssl-3.0.0-alpha16/ssl/statem/extensions.c.reneg openssl-3.0.0-alpha16/ssl/statem/extensions.c
+--- openssl-3.0.0-alpha16/ssl/statem/extensions.c.reneg 2021-06-04 10:03:01.313023512 +0200
++++ openssl-3.0.0-alpha16/ssl/statem/extensions.c 2021-06-04 10:05:43.019538516 +0200
+@@ -45,6 +45,7 @@ static int tls_parse_certificate_authori
+ #ifndef OPENSSL_NO_SRP
+ static int init_srp(SSL *s, unsigned int context);
+ #endif
++static int init_ec_point_formats(SSL *s, unsigned int context);
+ static int init_etm(SSL *s, unsigned int context);
+ static int init_ems(SSL *s, unsigned int context);
+ static int final_ems(SSL *s, unsigned int context, int sent);
+@@ -158,7 +159,7 @@ static const EXTENSION_DEFINITION ext_de
+ TLSEXT_TYPE_ec_point_formats,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
+- NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
++ init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
+ tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
+ final_ec_pt_formats
+ },
+@@ -1144,6 +1145,15 @@ static int init_srp(SSL *s, unsigned int
+ }
+ #endif
+ 
++static int init_ec_point_formats(SSL *s, unsigned int context)
++{
++ OPENSSL_free(s->ext.peer_ecpointformats);
++ s->ext.peer_ecpointformats = NULL;
++ s->ext.peer_ecpointformats_len = 0;
++ 
++ return 1;
++}
++ 
+ static int init_etm(SSL *s, unsigned int context)
+ {
+ s->ext.use_etm = 0;
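Review bot: `init_ec_point_formats()` frees and zeroes `s->ext.peer_ecpointformats` but carries no comment saying why an init callback has to do this; the patch name points at renegotiation, so `/* Drop the peer's point-format list left from the previous handshake so a renegotiation starts from a clean state. */` above the `OPENSSL_free()` would state the purpose — "previous handshake" is inferred from the name and the `.reneg` suffix, so confirm it matches when the init callbacks run. Freeing and then NULLing the pointer together with resetting `peer_ecpointformats_len` is the right shape; the unused `context` parameter matches the neighbouring `init_etm()`. The patch file has no header: a problem statement and upstream reference (placeholder: <upstream-commit-id>) would help future rebases, and the spelling in the file name (`regotiation`) is worth fixing before the name is locked in by the spec.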
@@ -0,0 +1,45 @@
+diff -up openssl-3.0.0-alpha16/apps/dgst.c.digest openssl-3.0.0-alpha16/apps/dgst.c
+--- openssl-3.0.0-alpha16/apps/dgst.c.digest 2021-06-04 10:21:03.153697643 +0200
++++ openssl-3.0.0-alpha16/apps/dgst.c 2021-06-04 10:22:26.737489944 +0200
+@@ -330,6 +330,8 @@ int dgst_main(int argc, char **argv)
+ }
+ 
+ if (hmac_key != NULL) {
++ if (md == NULL)
++ md = (EVP_MD *)EVP_sha256();
+ sigkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, impl,
+ (unsigned char *)hmac_key,
+ strlen(hmac_key));
+diff -up openssl-3.0.0-alpha16/test/recipes/20-test_dgst.t.digest openssl-3.0.0-alpha16/test/recipes/20-test_dgst.t
+--- openssl-3.0.0-alpha16/test/recipes/20-test_dgst.t.digest 2021-06-04 10:21:18.871846631 +0200
++++ openssl-3.0.0-alpha16/test/recipes/20-test_dgst.t 2021-06-04 10:23:56.862344245 +0200
+@@ -17,7 +17,7 @@ use OpenSSL::Test::Utils;
+ 
+ setup("test_dgst");
+ 
+-plan tests => 7;
++plan tests => 8;
+ 
+ sub tsignverify {
+ my $testtext = shift;
+@@ -115,6 +115,20 @@ subtest "HMAC generation with `dgst` CLI
+ ok($hmacdata[0] =~ $expected, "HMAC: Check HMAC value is as expected ($hmacdata[0]) vs ($expected)");
+ ok($hmacdata[1] =~ $expected,
+ "HMAC: Check second HMAC value is consistent with the first ($hmacdata[1]) vs ($expected)");
++};
++ 
++subtest "HMAC generation with `dgst` CLI, default digest" => sub {
++ plan tests => 2;
++ 
++ my $testdata = srctop_file('test', 'data.bin');
++ #HMAC the data twice to check consistency
++ my @hmacdata = run(app(['openssl', 'dgst', '-hmac', '123456',
++ $testdata, $testdata]), capture => 1);
++ chomp(@hmacdata);
++ my $expected = qr/HMAC-SHA256\(\Q$testdata\E\)= 6f12484129c4a761747f13d8234a1ff0e074adb34e9e9bf3a155c391b97b9a7c/;
++ ok($hmacdata[0] =~ $expected, "HMAC: Check HMAC value is as expected ($hmacdata[0]) vs ($expected)");
++ ok($hmacdata[1] =~ $expected,
++ "HMAC: Check second HMAC value is consistent with the first ($hmacdata[1]) vs ($expected)");
+ };
+ 
+ subtest "Custom length XOF digest generation
with `dgst` CLI" => sub {
diff --git a/openssl.spec b/openssl.spec
index 1678a08..2388033 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.0
-Release: 0.alpha16.2%{?dist}
+Release: 0.alpha16.3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -54,6 +54,16 @@ Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
 Patch10: 0010-Avoid-sending-alert-after-shutdown.patch
 # remove unsupported EC curves
 Patch11: 0011-Remove-EC-curves.patch
+# Fix reading SPKAC data from stdin
+Patch12: 0012-Fix-SPKAC-data-from-stdin.patch
+# Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
+Patch13: 0013-Fix-incorrect-OSSL_PKEY_PARAM_MAX_SIZE.patch
+# Return 0 after cleanup in OPENSSL_init_crypto()
+Patch14: 0014-Return0-OPENSSL-init-crypto-cleanup.patch
+# Cleanup the peer point formats on regotiation
+Patch15: 0015-Cleanup-peer-point-formats-regotiation.patch
+# Fix default digest to SHA256
+Patch16: 0016-Fix-default-digest-SHA256.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
 
@@ -373,6 +383,13 @@ export LD_LIBRARY_PATH
 %ldconfig_scriptlets libs
 
 %changelog
+* Fri Jun 04 2021 Sahana Prasad 3.0.0-0.alpha16.3
+- Fix reading SPKAC data from stdin
+- Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
+- Return 0 after cleanup in OPENSSL_init_crypto()
+- Cleanup the peer point formats on regotiation
+- Fix default digest to SHA256
+
 * Thu May 27 2021 Sahana Prasad 3.0.0-0.alpha16.2
 - Enable FIPS via config options
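Review bot: `md = (EVP_MD *)EVP_sha256();` casts away the const on the pointer `EVP_sha256()` returns; if `md` is later handed to a release call (none is visible in the hunk), the cast hides that this default is a library-owned object rather than one fetched by the caller, so the lifetime handling should be confirmed and noted, e.g. `/* built-in digest, not owned by dgst_main */`. The new behaviour — SHA-256 when `-hmac` is given without a digest option — is undocumented in the code; a one-liner above the test, `/* -hmac without an explicit digest defaults to SHA-256 */`, would tie it to the new Perl subtest that expects `HMAC-SHA256(...)`. `dgst_main()` begins before and ends after the hunk. Like the other patch files in this commit, the patch opens with `diff -up` and lacks a header giving the rationale and upstream reference (placeholder: <upstream-commit-id>).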
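Review bot: The Patch15 comment and the matching changelog bullet misspell renegotiation as "regotiation" (`# Cleanup the peer point formats on regotiation`); both should read `# Cleanup the peer point formats on renegotiation`, while the file name in the `Patch15:` line must stay exactly as added so the patch still resolves. The new changelog header `* Fri Jun 04 2021 Sahana Prasad 3.0.0-0.alpha16.3` shows no packager e-mail in this rendering, unlike the usual `Name <email> version` form — possibly stripped by the viewer, but worth confirming in the committed spec.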