# For the curious: # 0.9.8jk + EAP-FAST soversion = 8 # 1.0.0 soversion = 10 # 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols # depends on build configuration options) # 3.0.0 soversion = 3 (same as upstream) %define soversion 3 # Arches on which we need to prevent arch conflicts on opensslconf.h, must # also be handled in opensslconf-new.h. %define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64 %global _performance_build 1 %bcond_with bootstrap %bcond_with tests %if 0%{?rhel} < 7 %global _pkgdocdir %{_datadir}/doc/%{name}-%{version} %endif Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl3 Version: 3.0.8 Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. Source: openssl-%{version}-hobbled.tar.xz Source1: hobble-openssl Source2: Makefile.certificate Source3: genpatches Source6: make-dummy-cert Source7: renew-dummy-cert Source9: configuration-switch.h Source10: configuration-prefix.h Source12: ec_curve.c Source13: ectest.c Source14: rx-openssl.conf # Patches exported from source git # Aarch64 and ppc64le use lib64 Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch # Use more general default values in openssl.cnf Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch # Do not install html docs Patch3: 0003-Do-not-install-html-docs.patch # Override default paths for the CA directory tree Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch # apps/ca: fix md option help text Patch5: 0005-apps-ca-fix-md-option-help-text.patch # Disable signature verification with totally unsafe hash algorithms Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch # Add support for PROFILE=SYSTEM system default cipherlist Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch # Add FIPS_mode() compatibility macro Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch # Add check to see if fips flag is enabled in kernel Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch # remove unsupported EC curves Patch11: 0011-Remove-EC-curves.patch # Disable explicit EC curves # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 Patch12: 0012-Disable-explicit-ec.patch # Instructions to load legacy provider in openssl.cnf Patch24: 0024-load-legacy-prov.patch # Tmp: test name change Patch31: 0031-tmp-Fix-test-names.patch # We load FIPS provider and set FIPS properties implicitly Patch32: 0032-Force-fips.patch # Embed HMAC into the fips.so Patch33: 0033-FIPS-embed-hmac.patch # Comment out fipsinstall command-line utility Patch34: 0034.fipsinstall_disable.patch # Skip unavailable algorithms running `openssl speed` Patch35: 0035-speed-skip-unavailable-dgst.patch # Extra public/private key checks required by FIPS-140-3 Patch44: 0044-FIPS-140-3-keychecks.patch # Minimize fips services Patch45: 0045-FIPS-services-minimize.patch # Execute KATS before HMAC verification Patch47: 0047-FIPS-early-KATS.patch # Backport of correctly handle 2^14 byte long records #17538 # Patch48: 0048-correctly-handle-records.patch %if 0%{?rhel} # Selectively disallow SHA1 signatures Patch49: 0049-Selectively-disallow-SHA1-signatures.patch %else # Selectively disallow SHA1 signatures rhbz#2070977 Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch %endif # Backport of patch for RHEL for Edge rhbz #2027261 Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch %if 0%{?rhel} # Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch %else # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1) Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch %endif %if 0%{?rhel} # no USDT probe instrumentation required %else # Instrument with USDT probes related to SHA-1 deprecation Patch53: 0053-Add-SHA1-probes.patch %endif # https://bugzilla.redhat.com/show_bug.cgi?id=2004915, backport of 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62 # Patch54: 0054-Replace-size-check-with-more-meaningful-pubkey-check.patch # https://github.com/openssl/openssl/pull/17324 # Patch55: 0055-nonlegacy-fetch-null-deref.patch # https://github.com/openssl/openssl/pull/18103 # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1 # so the patch should persist Patch56: 0056-strcasecmp.patch # https://github.com/openssl/openssl/pull/18175 # Patch57: 0057-strcasecmp-fix.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 Patch58: 0058-FIPS-limit-rsa-encrypt.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2069235 Patch60: 0060-FIPS-KAT-signature-tests.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2087147 Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch Patch62: 0062-fips-Expose-a-FIPS-indicator.patch # https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c # https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd # Regression on Power8, see rhbz2124845, https://github.com/openssl/openssl/issues/19163; fix in 0079-Fix-AES-GCM-on-Power-8-CPUs.patch Patch71: 0071-AES-GCM-performance-optimization.patch # https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149 # https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa # hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447 Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 %if 0%{?rhel} Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test-eln.patch %else Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch %endif # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM) # https://bugzilla.redhat.com/show_bug.cgi?id=2102541 %if 0%{?rhel} >= 8 Patch76: 0076-FIPS-140-3-DRBG.patch %else # RHEL 7 has no getrandom() implemented Patch76: 0076-FIPS-140-3-DRBG-OLD.patch %endif # https://bugzilla.redhat.com/show_bug.cgi?id=2102542 Patch77: 0077-FIPS-140-3-zeroization.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2124845, https://github.com/openssl/openssl/pull/19182 Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch Patch100: 0100-RSA-PKCS15-implicit-rejection.patch %if 0%{?rhel} < 8 Patch102: openssl-3.0.2-bundled-policy.patch %endif License: ASL 2.0 URL: http://www.openssl.org/ %if 0%{?rhel} < 8 BuildRequires: devtoolset-8-gcc-c++ devtoolset-8-build %else BuildRequires: gcc-c++ %endif BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp BuildRequires: lksctp-tools-devel BuildRequires: /usr/bin/rename BuildRequires: /usr/bin/pod2man BuildRequires: /sbin/sysctl BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt) BuildRequires: perl(Module::Load::Conditional), perl(File::Temp) BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA) BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint) BuildRequires: git-core %if %{with bootstrap} BuildRequires: %{name}-devel = %{epoch}:%{version} %endif Requires: coreutils Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} %if 0%{?rhel} < 8 Obsoletes: rx-openssl Provides: rx-openssl = %{epoch}:%{version}-%{release} %endif %description The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. %package libs Summary: A general purpose cryptography library with TLS implementation Requires: ca-certificates >= 2008-5 Provides: openssl-libs%{?_isa} = %{epoch}:%{version}-%{release} %if 0%{?rhel} < 8 Obsoletes: rx-openssl-libs >= %{epoch}:3.0 Provides: rx-openssl-libs = %{epoch}:%{version}-%{release} %endif %if 0%{?rhel} >= 8 Requires: crypto-policies >= 20180730 Recommends: openssl-pkcs11%{?_isa} %endif %description libs OpenSSL is a toolkit for supporting cryptography. The openssl-libs package contains the libraries that are used by various applications which support cryptographic algorithms and protocols. %package devel Summary: Files for development of applications which will use OpenSSL Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Conflicts: openssl-devel <= 3.0.0 Provides: openssl-devel = %{epoch}:%{version}-%{release} Provides: openssl-devel%{?_isa} = %{epoch}:%{version}-%{release} %if 0%{?rhel} < 8 Obsoletes: rx-openssl-devel Provides: rx-openssl-devel = %{epoch}:%{version}-%{release} %endif Requires: pkgconfig %description devel OpenSSL is a toolkit for supporting cryptography. The openssl-devel package contains include files needed to develop applications which support various cryptographic algorithms and protocols. %prep %autosetup -S git -n openssl-%{version} # The hobble_openssl is called here redundantly, just to be sure. # The tarball has already the sources removed. %{SOURCE1} > /dev/null cp %{SOURCE12} crypto/ec/ cp %{SOURCE13} test/ %build %if 0%{?rhel} < 8 %enable_devtoolset8 %endif # Figure out which flags we want to use. # default sslarch=%{_os}-%{_target_cpu} %ifarch %ix86 sslarch=linux-elf if ! echo %{_target} | grep -q i686 ; then sslflags="no-asm 386" fi %endif %ifarch x86_64 sslflags=enable-ec_nistp_64_gcc_128 %endif %ifarch sparcv9 sslarch=linux-sparcv9 sslflags=no-asm %endif %ifarch sparc64 sslarch=linux64-sparcv9 sslflags=no-asm %endif %ifarch alpha alphaev56 alphaev6 alphaev67 sslarch=linux-alpha-gcc %endif %ifarch s390 sh3eb sh4eb sslarch="linux-generic32 -DB_ENDIAN" %endif %ifarch s390x sslarch="linux64-s390x" %endif %ifarch %{arm} sslarch=linux-armv4 %endif %ifarch aarch64 sslarch=linux-aarch64 sslflags=enable-ec_nistp_64_gcc_128 %endif %ifarch sh3 sh4 sslarch=linux-generic32 %endif %ifarch ppc64 ppc64p7 sslarch=linux-ppc64 %endif %ifarch ppc64le sslarch="linux-ppc64le" sslflags=enable-ec_nistp_64_gcc_128 %endif %ifarch mips mipsel sslarch="linux-mips32 -mips32r2" %endif %ifarch mips64 mips64el sslarch="linux64-mips64 -mips64r2" %endif %ifarch mips64el sslflags=enable-ec_nistp_64_gcc_128 %endif %ifarch riscv64 sslarch=linux-generic64 %endif # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be # marked as not requiring an executable stack. # Also add -DPURIFY to make using valgrind with openssl easier as we do not # want to depend on the uninitialized memory as a source of entropy anyway. # RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS" RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -fno-common -DPURIFY -DOPENSSL_NO_BUF_FREELISTS -DTERMIO $RPM_LD_FLAGS" %if %{with bootstrap} export LDFLAGS="-L%{_libdir} -Wl,-rpath=%{_libdir} $_LDFLAGS -lcrypto -lssl" export CFLAGS="-I%{_includedir} $_CFLAGS" %endif export HASHBANGPERL=/usr/bin/perl %define fips %{version}-%(date +%Y%m%d) # ia64, x86_64, ppc are OK by default # Configure the build tree. Override OpenSSL defaults with known-good defaults # usable on all platforms. The Configure script already knows to use -fPIC and # RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ %if 0%{?rhel} > 7 --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ %endif zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\ no-mdc2 no-ec2m no-sm2 no-sm4 no-tests \ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' \ -Wl,--allow-multiple-definition # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update make -s %{?_smp_mflags} all # Clean up the .pc files for i in libcrypto.pc libssl.pc openssl.pc ; do sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i done %check %if %{with tests} # Verify that what was compiled actually works. # Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check (sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \ (echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' && sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \ touch -r configdata.pm configdata.pm.new && \ mv -f configdata.pm.new configdata.pm) # We must revert patch4 before tests otherwise they will fail patch -p1 -R < %{PATCH4} OPENSSL_ENABLE_MD5_VERIFY= export OPENSSL_ENABLE_MD5_VERIFY %if 0%{?rhel} OPENSSL_ENABLE_SHA1_SIGNATURES= export OPENSSL_ENABLE_SHA1_SIGNATURES %endif OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE make test HARNESS_JOBS=8 # Add generation of HMAC checksum of the final stripped library #%define __spec_install_post \ # %{?__debug_package:%{__debug_install_post}} \ # %{__arch_install_post} \ # %{__os_install_post} \ # crypto/fips/fips_standalone_hmac %{buildroot}%{_libdir}/libcrypto.so.%{version} >%{buildroot}%{_libdir}/.libcrypto.so.%{version}.hmac \ # ln -sf .libcrypto.so.%{version}.hmac %{buildroot}%{_libdir}/.libcrypto.so.%{soversion}.hmac \ # crypto/fips/fips_standalone_hmac %{buildroot}%{_libdir}/libssl.so.%{version} >%{buildroot}%{_libdir}/.libssl.so.%{version}.hmac \ # ln -sf .libssl.so.%{version}.hmac %{buildroot}%{_libdir}/.libssl.so.%{soversion}.hmac \ #%{nil} %define __provides_exclude_from %{_libdir}/openssl %endif %install [ "%{buildroot}" != "/" ] && rm -rf %{buildroot} # Install OpenSSL. install -d %{buildroot}{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}} %make_install rename so.%{soversion} so.%{version} %{buildroot}%{_libdir}/*.so.%{soversion} for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do chmod 755 ${lib} ln -s -f `basename ${lib}` %{buildroot}%{_libdir}/`basename ${lib} .%{version}` ln -s -f `basename ${lib}` %{buildroot}%{_libdir}/`basename ${lib} .%{version}`.%{soversion} done # Remove static libraries for lib in %{buildroot}%{_libdir}/*.a ; do rm -f ${lib} done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs install -m644 %{SOURCE2} %{buildroot}%{_pkgdocdir}/Makefile.certificate install -m755 %{SOURCE6} %{buildroot}%{_bindir}/make-dummy-cert install -m755 %{SOURCE7} %{buildroot}%{_bindir}/renew-dummy-cert # Move runable perl scripts to bindir mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir} mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir} # Rename man pages so that they don't conflict with other system man pages. pushd %{buildroot}%{_mandir} mv man5/config.5ossl man5/openssl.cnf.5 popd mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA mkdir -m700 %{buildroot}%{_sysconfdir}/pki/CA/private mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/certs mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/crl mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/newcerts #mkdir -p -m755 %{buildroot}%{_sysconfig}/ld.so.conf.d #install -m 0644 %{SOURCE14} %{buildroot}%{_sysconfig}/ld.so.conf.d/ # Ensure the config file timestamps are identical across builds to avoid # mulitlib conflicts and unnecessary renames on upgrade touch -r %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf touch -r %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf.dist rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist %ifarch i686 rm -f %{buildroot}%{_sysconfdir}/pki/tls/fipsmodule.cnf %endif # Determine which arch opensslconf.h is going to try to #include. basearch=%{_arch} %ifarch %{ix86} basearch=i386 %endif %ifarch sparcv9 basearch=sparc %endif %ifarch sparc64 basearch=sparc64 %endif # Next step of gradual disablement of SSL3. # Make SSL3 disappear to newly built dependencies. sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\ #ifndef OPENSSL_NO_SSL3\ # define OPENSSL_NO_SSL3\ #endif' %{buildroot}/%{_prefix}/include/openssl/opensslconf.h %ifarch %{multilib_arches} # Do an configuration.h switcheroo to avoid file conflicts on systems where you # can have both a 32- and 64-bit version of the library, and they each need # their own correct-but-different versions of opensslconf.h to be usable. install -m644 %{SOURCE10} \ %{buildroot}/%{_prefix}/include/openssl/configuration-${basearch}.h cat %{buildroot}/%{_prefix}/include/openssl/configuration.h >> \ %{buildroot}/%{_prefix}/include/openssl/configuration-${basearch}.h install -m644 %{SOURCE9} \ %{buildroot}/%{_prefix}/include/openssl/configuration.h %endif # Transformation for openssl3 # see openssl11.spec mkdir -p %{buildroot}{%{_libdir},%{_includedir}}/%{name}/ rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf #rm -f %{buildroot}%{_libdir}/*.so mv -f %{buildroot}%{_includedir}/{openssl,%{name}/openssl}/ mv -f %{buildroot}%{_bindir}/{openssl,%{name}} for pc in libcrypto libssl openssl; do sed -i 's@/include@/include/%{name}@' %{buildroot}%{_libdir}/pkgconfig/${pc}.pc done # ln -s ../libcrypto.so.%{version} %{buildroot}%{_libdir}/libcrypto.so # ln -s ../libssl.so.%{version} %{buildroot}%{_libdir}/%{name}/libssl.so # pushd %{buildroot}%{_mandir} # for manpage in man*/* ; do # [ "${manpage}" = "man1/%{name}.1" ] && continue # if [ -L ${manpage} ]; then # TARGET=`ls -l ${manpage} | awk '{ print $NF }'` # ln -snf ${TARGET}11 ${manpage} # rm -f ${manpage} # else # mv -f ${manpage} ${manpage}3 # fi # done # popd # No openssl3-perl, because it wouldn't be really different or newer rm -rf %{buildroot}{%{_sysconfdir}/pki/CA/,{%{_bindir},%{_mandir}/man1}/{CA.pl,c_rehash,*tsget}*} # Remove dummy cert tools rm -f %{buildroot}%{_bindir}/{make,renew}-dummy-cert %files %if 0%{?rhel} >= 7 %license LICENSE.txt %doc NEWS.md README.md %endif %{_bindir}/%{name} %{_mandir}/man1/* %{_mandir}/man5/* %{_mandir}/man7/* #exclude %{_mandir}/man1/*.pl* #exclude %{_mandir}/man1/tsget* %{_pkgdocdir}/Makefile.certificate %files libs %if 0%{?rhel} >= 7 %license LICENSE.txt %endif %dir %{_sysconfdir}/pki/tls %dir %{_sysconfdir}/pki/tls/certs %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private %ifnarch i686 %config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf %endif %attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} %{_libdir}/libcrypto.so.%{soversion} %attr(0755,root,root) %{_libdir}/libssl.so.%{version} %{_libdir}/libssl.so.%{soversion} %attr(0755,root,root) %{_libdir}/engines-%{soversion} %attr(0755,root,root) %{_libdir}/ossl-modules %files devel %doc CHANGES.md %doc doc/dir-locals.example.el doc/openssl-c-indent.el %{_prefix}/include %{_libdir}/*.so %{_mandir}/man3/* %{_libdir}/pkgconfig/*.pc %ldconfig_scriptlets libs %changelog * Fri Feb 10 2023 Raven - 1:3.0.8-1 - update to 3.0.8 Resolves: CVE-2022-4203 Resolves: CVE-2022-4304 Resolves: CVE-2022-4450 Resolves: CVE-2023-0215 Resolves: CVE-2023-0216 Resolves: CVE-2023-0217 Resolves: CVE-2023-0286 Resolves: CVE-2023-0401 * Fri Dec 23 2022 Raven - 1:3.0.7-2 - import FIPS patches from Fedora - rename to openssl3 * Wed Nov 2 2022 Raven - 1:3.0.7-1 - update to 3.0.7 * Wed Nov 2 2022 Raven - 1:3.0.5-2 - security patch from Fedora Resolves: CVE-2022-3602 Resolves: CVE-2022-3786 * Fri Aug 19 2022 Raven - 1:3.0.5-1 - update to 3.0.5 - Related: rhbz#2099972, CVE-2022-2097 * Tue Jul 12 2022 Raven - 1:3.0.2-4 - rebuild for debuginfo * Wed May 18 2022 Raven - 1:3.0.2-3 - port configs from crypto-policies * Mon Apr 25 2022 Raven - 1:3.0.2-2 - minor bug in Requires * Wed Mar 16 2022 Raven - 1:3.0.2-1 - port c9s' openssl to rx-openssl for epel7 - update to 3.0.2 * Thu Mar 10 2022 Clemens Lang - 1:3.0.1-17 - Fix invocation of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) before setting an allowed digest with EVP_PKEY_CTX_set_signature_md() - Skipping 3.0.1-16 due to version numbering confusion with the RHEL-9.0 branch - Resolves: rhbz#2062640 * Tue Mar 01 2022 Clemens Lang - 1:3.0.1-15 - Allow SHA1 in SECLEVEL 2 if rh-allow-sha1-signatures = yes - Resolves: rhbz#2060510 * Fri Feb 25 2022 Clemens Lang - 1:3.0.1-14 - Prevent use of SHA1 with ECDSA - Resolves: rhbz#2031742 * Fri Feb 25 2022 Dmitry Belyavskiy - 1:3.0.1-13 - OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters - Resolves: rhbz#1977867 * Thu Feb 24 2022 Peter Robinson - 1:3.0.1-12 - Support KBKDF (NIST SP800-108) with an R value of 8bits - Resolves: rhbz#2027261 * Wed Feb 23 2022 Clemens Lang - 1:3.0.1-11 - Allow SHA1 usage in MGF1 for RSASSA-PSS signatures - Resolves: rhbz#2031742 * Wed Feb 23 2022 Dmitry Belyavskiy - 1:3.0.1-10 - rebuilt * Tue Feb 22 2022 Clemens Lang - 1:3.0.1-9 - Allow SHA1 usage in HMAC in TLS - Resolves: rhbz#2031742 * Tue Feb 22 2022 Dmitry Belyavskiy - 1:3.0.1-8 - OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters - Resolves: rhbz#1977867 - pkcs12 export broken in FIPS mode - Resolves: rhbz#2049265 * Tue Feb 22 2022 Clemens Lang - 1:3.0.1-8 - Disable SHA1 signature creation and verification by default - Set rh-allow-sha1-signatures = yes to re-enable - Resolves: rhbz#2031742 * Thu Feb 03 2022 Sahana Prasad - 1:3.0.1-7 - s_server: correctly handle 2^14 byte long records - Resolves: rhbz#2042011 * Tue Feb 01 2022 Dmitry Belyavskiy - 1:3.0.1-6 - Adjust FIPS provider version - Related: rhbz#2026445 * Wed Jan 26 2022 Dmitry Belyavskiy - 1:3.0.1-5 - On the s390x, zeroize all the copies of TLS premaster secret - Related: rhbz#2040448 * Fri Jan 21 2022 Dmitry Belyavskiy - 1:3.0.1-4 - rebuilt * Fri Jan 21 2022 Dmitry Belyavskiy - 1:3.0.1-3 - KATS tests should be executed before HMAC verification - Restoring fips=yes for SHA1 - Related: rhbz#2026445, rhbz#2041994 * Thu Jan 20 2022 Sahana Prasad - 1:3.0.1-2 - Add enable-buildtest-c++ to the configure options. - Related: rhbz#1990814 * Tue Jan 18 2022 Sahana Prasad - 1:3.0.1-1 - Rebase to upstream version 3.0.1 - Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl - Resolves: rhbz#2038910, rhbz#2035148 * Mon Jan 17 2022 Dmitry Belyavskiy - 1:3.0.0-7 - Remove algorithms we don't plan to certify from fips module - Remove native fipsmodule.cnf - Related: rhbz#2026445 * Tue Dec 21 2021 Dmitry Belyavskiy - 1:3.0.0-6 - openssl speed should run in FIPS mode - Related: rhbz#1977318 * Wed Nov 24 2021 Dmitry Belyavskiy - 1:3.0.0-5 - rebuilt for spec cleanup - Related: rhbz#1985362 * Thu Nov 18 2021 Dmitry Belyavskiy - 1:3.0.0-4 - Embed FIPS HMAC in fips.so - Enforce loading FIPS provider when FIPS kernel flag is on - Related: rhbz#1985362 * Thu Oct 07 2021 Dmitry Belyavskiy - 1:3.0.0-3 - Fix memory leak in s_client - Related: rhbz#1996092 * Mon Sep 20 2021 Dmitry Belyavskiy - 1:3.0.0-2 - Avoid double-free on error seeding the RNG. - KTLS and FIPS may interfere, so tests need to be tuned - Resolves: rhbz#1952844, rhbz#1961643 * Thu Sep 09 2021 Sahana Prasad - 1:3.0.0-1 - Rebase to upstream version 3.0.0 - Related: rhbz#1990814 * Wed Aug 25 2021 Sahana Prasad - 1:3.0.0-0.beta2.7 - Removes the dual-abi build as it not required anymore. The mass rebuild was completed and all packages are rebuilt against Beta version. - Resolves: rhbz#1984097 * Mon Aug 23 2021 Dmitry Belyavskiy - 1:3.0.0-0.beta2.6 - Correctly process CMS reading from /dev/stdin - Resolves: rhbz#1986315 * Mon Aug 16 2021 Sahana Prasad - 3.0.0-0.beta2.5 - Add instruction for loading legacy provider in openssl.cnf - Resolves: rhbz#1975836 * Mon Aug 16 2021 Sahana Prasad - 3.0.0-0.beta2.4 - Adds support for IDEA encryption. - Resolves: rhbz#1990602 * Tue Aug 10 2021 Sahana Prasad - 3.0.0-0.beta2.3 - Fixes core dump in openssl req -modulus - Fixes 'openssl req' to not ask for password when non-encrypted private key is used - cms: Do not try to check binary format on stdin and -rctform fix - Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137 * Mon Aug 09 2021 Mohan Boddu - 1:3.0.0-0.beta2.2.1 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 * Wed Aug 04 2021 Dmitry Belyavskiy - 3.0.0-0.beta2.2 - When signature_algorithm extension is omitted, use more relevant alerts - Resolves: rhbz#1965017 * Tue Aug 03 2021 Sahana Prasad 3.0.0-0.beta2.1 - Rebase to upstream version beta2 - Related: rhbz#1903209 * Thu Jul 22 2021 Sahana Prasad 3.0.0-0.beta1.5 - Prevents creation of duplicate cert entries in PKCS #12 files - Resolves: rhbz#1978670 * Wed Jul 21 2021 Sahana Prasad 3.0.0-0.beta1.4 - NVR bump to update to OpenSSL 3.0 Beta1 * Mon Jul 19 2021 Sahana Prasad 3.0.0-0.beta1.3 - Update patch dual-abi.patch to add the #define macros in implementation files instead of public header files * Wed Jul 14 2021 Sahana Prasad 3.0.0-0.beta1.2 - Removes unused patch dual-abi.patch * Wed Jul 14 2021 Sahana Prasad 3.0.0-0.beta1.1 - Update to Beta1 version - Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16 * Tue Jul 06 2021 Sahana Prasad 3.0.0-0.alpha16.7 - Fixes override of openssl_conf in openssl.cnf - Use AI_ADDRCONFIG only when explicit host name is given - Temporarily remove fipsmodule.cnf for arch i686 - Fixes segmentation fault in BN_lebin2bn - Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855 * Fri Jul 02 2021 Sahana Prasad 3.0.0-0.alpha16.6 - Adds FIPS mode compatibility patch (sahana@redhat.com) - Related: rhbz#1977318 * Fri Jul 02 2021 Sahana Prasad 3.0.0-0.alpha16.5 - Fixes system hang issue when booted in FIPS mode (sahana@redhat.com) - Temporarily disable downstream FIPS patches - Related: rhbz#1977318 * Fri Jun 11 2021 Mohan Boddu 3.0.0-0.alpha16.4 - Speeding up building openssl (dbelyavs@redhat.com) Resolves: rhbz#1903209 * Fri Jun 04 2021 Sahana Prasad 3.0.0-0.alpha16.3 - Fix reading SPKAC data from stdin - Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448 - Return 0 after cleanup in OPENSSL_init_crypto() - Cleanup the peer point formats on regotiation - Fix default digest to SHA256 * Thu May 27 2021 Sahana Prasad 3.0.0-0.alpha16.2 - Enable FIPS via config options * Mon May 17 2021 Sahana Prasad 3.0.0-0.alpha16.1 - Update to alpha 16 version Resolves: rhbz#1952901 openssl sends alert after orderly connection close * Mon Apr 26 2021 Sahana Prasad 3.0.0-0.alpha15.1 - Update to alpha 15 version Resolves: rhbz#1903209, rhbz#1952598, * Fri Apr 16 2021 Mohan Boddu - 1:3.0.0-0.alpha13.1.1 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 * Fri Apr 09 2021 Sahana Prasad 3.0.0-0.alpha13.1 - Update to new major release OpenSSL 3.0.0 alpha 13 Resolves: rhbz#1903209