fix CI build error

backport-Fix-password_callback-to-handle-short-passwords.patch

@@ -0,0 +1,71 @@
+From f4942134815f95845706993c15ca7e4fd6e44627 Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Fri, 7 Jan 2022 10:18:58 +0100
+Subject: [PATCH] Fix password_callback to handle short passwords
+
+Fixes #17426
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/17439)
+---
+ apps/apps.c                   | 8 ++++++--
+ test/recipes/15-test_genrsa.t | 7 ++++++-
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/apps/apps.c b/apps/apps.c
+index c06241abb9..531fbec551 100644
+--- a/apps/apps.c
++++ b/apps/apps.c
+@@ -300,9 +300,13 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
+         int ui_flags = 0;
+         const char *prompt_info = NULL;
+         char *prompt;
++        int pw_min_len = PW_MIN_LENGTH;
+ 
+         if (cb_data != NULL && cb_data->prompt_info != NULL)
+             prompt_info = cb_data->prompt_info;
++        if (cb_data != NULL && cb_data->password != NULL
++                && *(const char*)cb_data->password != '\0')
++            pw_min_len = 1;
+         prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
+         if (!prompt) {
+             BIO_printf(bio_err, "Out of memory\n");
+@@ -317,12 +321,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
+         (void)UI_add_user_data(ui, cb_data);
+ 
+         ok = UI_add_input_string(ui, prompt, ui_flags, buf,
+-                                 PW_MIN_LENGTH, bufsiz - 1);
++                                 pw_min_len, bufsiz - 1);
+ 
+         if (ok >= 0 && verify) {
+             buff = app_malloc(bufsiz, "password buffer");
+             ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
+-                                      PW_MIN_LENGTH, bufsiz - 1, buf);
++                                      pw_min_len, bufsiz - 1, buf);
+         }
+         if (ok >= 0)
+             do {
+diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t
+index e16a9a4042..c9bc6bdc8a 100644
+--- a/test/recipes/15-test_genrsa.t
++++ b/test/recipes/15-test_genrsa.t
+@@ -16,7 +16,7 @@ use OpenSSL::Test::Utils;
+ 
+ setup("test_genrsa");
+ 
+-plan tests => 5;
++plan tests => 7;
+ 
+ # We want to know that an absurdly small number of bits isn't support
+ is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8");
+@@ -52,3 +52,8 @@ ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])),
+    "genrsa -f4 $good");
+ ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
+    "rsa -check");
++ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest.pem', '-out', 'genrsatest-enc.pem',
++   '-aes256', '-passout', 'pass:x' ])),
++   "rsa encrypt");
++ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest-enc.pem', '-passin', 'pass:x' ])),
++   "rsa decrypt");
+-- 
+Gitee

backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch

@@ -75,13 +75,14 @@ index d701c46b43..79cfd1d835 100644
                   ERR_R_INTERNAL_ERROR);
          return 0;
 diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 21322ceec5..09a732f577 100644
+index 650ff68..8b2ba80 100644
 --- a/test/sslapitest.c
 +++ b/test/sslapitest.c
-@@ -6734,6 +6734,64 @@ end:
-     SSL_CTX_free(cctx);
-     return testresult;
+@@ -6780,6 +6780,72 @@ static int test_ssl_dup(void)
  }
+ #endif
+
++#ifndef OPENSSL_NO_TLS1_3
 +
 +/*
 + * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week
@@ -99,7 +100,12 @@ index 21322ceec5..09a732f577 100644
 +#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC)
 +
 +    if (idx == 0) {
++#ifdef OPENSSL_NO_TLS1_2
++        TEST_info("Skipping: TLS 1.2 is disabled.");
++        return 1;
++#else
 +        version = TLS1_2_VERSION;
++#endif
 +    }
 +
 +    if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
@@ -140,17 +146,21 @@ index 21322ceec5..09a732f577 100644
 +    SSL_CTX_free(cctx);
 +    return testresult;
 +}
++#endif
++
+ struct resume_servername_cb_data {
+     int i;
+     SSL_CTX *cctx;
+@@ -7077,6 +7143,9 @@ int setup_tests(void)
+ #ifndef OPENSSL_NO_TLS1_2
+     ADD_TEST(test_ssl_dup);
  #endif
- /*
-  * Test that setting an ALPN does not violate RFC
-@@ -6973,6 +7031,7 @@ int setup_tests(void)
++#ifndef OPENSSL_NO_TLS1_3
++    ADD_TEST(test_ticket_lifetime);
++#endif
+ #if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+     ADD_ALL_TESTS(test_session_cache_overflow, 4);
  #endif
- #ifndef OPENSSL_NO_TLS1_3
-     ADD_TEST(test_sni_tls13);
-+    ADD_ALL_TESTS(test_ticket_lifetime, 2);
- #endif
-     ADD_TEST(test_set_alpn);
-     ADD_TEST(test_inherit_verify_param);
 -- 
 2.17.1
 

openssl.spec

@@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     1.1.1f
-Release:     36
+Release:     37
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay and GPLv2+
 URL:         https://www.openssl.org/
@@ -144,6 +144,9 @@ Patch133:    backport-CVE-2024-4741-Set-rlayer.packet-to-NULL-after-we-ve-.patch
 Patch134:    backport-CVE-2024-4741-test-Fix-possible-use-after-free.patch
 Patch135:    backport-CVE-2024-5535-Fix-SSL_select_next_proto-and-add-ALPN.patch
 Patch136:    backport-Pipeline-output-input-buf-arrays-must-live-until-the.patch
+Patch137:    backport-Fix-password_callback-to-handle-short-passwords.patch
+Patch138:    backport-Check-password-length-only-when-verify-is-enabled.patch
+Patch139:    backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch
 
 BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel
 
@@ -327,6 +330,9 @@ make test || :
 %{_pkgdocdir}/html/
 
 %changelog
+* Sat Nov 16 2024 liningjie <liningjie@xfusion.com> - 1:1.1.1f-37
+- fix CI build error
+
 * Fri Oct 11 2024 hugel <gengqihu2@h-partners.com> - 1:1.1.1f-36
 - fix openssl asan error