add fips feature

fly_fzc 2024-08-21 09:52:34 +08:00
parent bf5ab7245d
commit 9496280b42
3 changed files with 110 additions and 1 deletions


@ -0,0 +1,24 @@
From 9ffb8af6f00224c93caa8d738414502b7483a2a0 Mon Sep 17 00:00:00 2001
From: jinlun <jinlun@huawei.com>
Date: Wed, 14 Aug 2024 15:24:31 +0800
Subject: [PATCH] add FIPS_mode_set support
---
include/openssl/fips.h | 1 +
1 files changed, 1 insertions(+)
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
index 4162cbf..5e89003 100644
--- a/include/openssl/fips.h
+++ b/include/openssl/fips.h
@@ -19,6 +19,7 @@ extern "C" {
# endif
# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
+# define FIPS_mode_set(r) EVP_default_properties_enable_fips(NULL, r)
# ifdef __cplusplus
}
--
2.27.0
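Review bot: `FIPS_mode_set(r)` is added with no comment on how it differs from the OpenSSL 1.x function of the same name, and callers ported from 1.x will likely read a return of 1 as "the FIPS module is loaded and self-tested". `EVP_default_properties_enable_fips(NULL, r)` only adds or clears the `fips=yes` clause in the default library context's property query. It does not load or check a FIPS provider, so a successful return says nothing about whether one is configured. I would put a comment above the define, for example `/* Only toggles "fips=yes" on the default libctx; does not load or self-test a FIPS provider. */`. Nothing visible in this commit exercises the new macro, since the test in the backported patch calls only `FIPS_mode()`.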


@ -0,0 +1,79 @@
From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 26 Nov 2020 14:00:16 +0100
Subject: Add FIPS_mode() compatibility macro
Reference:https://src.fedoraproject.org/rpms/openssl/blob/f38/f/0008-Add-FIPS_mode-compatibility-macro.patch
Conflict:NA
The macro calls EVP_default_properties_is_fips_enabled() on the
default context.
---
include/openssl/crypto.h.in | 1 +
include/openssl/fips.h | 25 +++++++++++++++++++++++++
test/property_test.c | 13 +++++++++++++
3 files changed, 39 insertions(+)
create mode 100644 include/openssl/fips.h
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
new file mode 100644
index 0000000000..c64f0f8e8f
--- /dev/null
+++ b/include/openssl/fips.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_FIPS_H
+# define OPENSSL_FIPS_H
+# pragma once
+
+# include <openssl/evp.h>
+# include <openssl/macros.h>
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
+
+# ifdef __cplusplus
+}
+# endif
+#endif
diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200
+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200
@@ -488,6 +488,19 @@ static int test_property_list_to_string(
return ret;
}
+#include <openssl/fips.h>
+static int test_downstream_FIPS_mode(void)
+{
+ int ret = 0;
+
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
+ && TEST_true(FIPS_mode())
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
+ && TEST_false(FIPS_mode());
+
+ return ret;
+}
+
int setup_tests(void)
{
ADD_TEST(test_property_string);
@@ -500,6 +512,7 @@ int setup_tests(void)
ADD_TEST(test_property);
ADD_TEST(test_query_cache_stochastic);
ADD_TEST(test_fips_mode);
+ ADD_TEST(test_downstream_FIPS_mode);
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
return 1;
}
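Review bot: `test_downstream_FIPS_mode` ends with `EVP_set_default_properties(NULL, "fips=no")` and never restores the default library context, so tests registered after it (here `test_property_list_to_string`) run with that process-wide query still set. If the `&&` chain fails early, the context may instead be left at `fips=yes`. Because the macro is bound to the NULL context the test cannot use a private `OSSL_LIB_CTX`, so it should undo its change unconditionally, e.g. `EVP_default_properties_enable_fips(NULL, 0);` just before `return ret;`. The patch's diffstat lists `include/openssl/crypto.h.in`, but no hunk for that file is visible, so code that includes only `<openssl/crypto.h>` presumably does not get the macro. The spec's `make test || :` context line also suggests a failure of this test would not fail the package build.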


@ -2,7 +2,7 @@
Name: openssl Name: openssl
Epoch: 1 Epoch: 1
Version: 3.0.12 Version: 3.0.12
Release: 9 Release: 10
Summary: Cryptography and SSL/TLS Toolkit Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay License: OpenSSL and SSLeay
URL: https://www.openssl.org/ URL: https://www.openssl.org/
@ -49,6 +49,9 @@ Patch37: Backport-bn-Properly-error-out-if-aliasing-return-value-with-.patch
Patch38: Fix-build-error-for-ppc64le.patch Patch38: Fix-build-error-for-ppc64le.patch
Patch39: Backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch Patch39: Backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
Patch40: Backport-CVE-2024-5535-Add-a-test-for-ALPN-and-NPN.patch Patch40: Backport-CVE-2024-5535-Add-a-test-for-ALPN-and-NPN.patch
Patch41: backport-Add-FIPS_mode-compatibility-macro.patch
Patch9000: add-FIPS_mode_set-support.patch
BuildRequires: gcc gcc-c++ perl make lksctp-tools-devel coreutils util-linux zlib-devel BuildRequires: gcc gcc-c++ perl make lksctp-tools-devel coreutils util-linux zlib-devel
Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@ -249,6 +252,9 @@ make test || :
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Aug 21 2024 fuanan <fuanan3@h-partners.com> - 1:3.0.12-10
- add fips feature
* Wed Jul 3 2024 gengqihu <gengqihu2@h-partners.com> - 1:3.0.12-9 * Wed Jul 3 2024 gengqihu <gengqihu2@h-partners.com> - 1:3.0.12-9
- fix CVE-2024-5535 - fix CVE-2024-5535