forked from rpms/openssl
Rebase to upstream version 3.0.8
Resolves: CVE-2022-4203 Resolves: CVE-2022-4304 Resolves: CVE-2022-4450 Resolves: CVE-2023-0215 Resolves: CVE-2023-0216 Resolves: CVE-2023-0217 Resolves: CVE-2023-0286 Resolves: CVE-2023-0401
This commit is contained in:
parent
02d85d00af
commit
194ef7464a
1
.gitignore
vendored
1
.gitignore
vendored
@ -56,3 +56,4 @@ openssl-1.0.0a-usa.tar.bz2
|
|||||||
/openssl-3.0.3-hobbled.tar.gz
|
/openssl-3.0.3-hobbled.tar.gz
|
||||||
/openssl-3.0.5-hobbled.tar.xz
|
/openssl-3.0.5-hobbled.tar.xz
|
||||||
/openssl-3.0.7-hobbled.tar.gz
|
/openssl-3.0.7-hobbled.tar.gz
|
||||||
|
/openssl-3.0.8-hobbled.tar.gz
|
||||||
|
@ -272,9 +272,9 @@ index 404a706fab..e81fa9ec3e 100644
|
|||||||
--- a/util/libcrypto.num
|
--- a/util/libcrypto.num
|
||||||
+++ b/util/libcrypto.num
|
+++ b/util/libcrypto.num
|
||||||
@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION:
|
@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION:
|
||||||
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
|
||||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||||
|
OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP
|
||||||
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
--
|
--
|
||||||
2.26.2
|
2.26.2
|
||||||
|
@ -2,8 +2,8 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1
|
|||||||
--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100
|
--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100
|
||||||
+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100
|
+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100
|
||||||
@@ -12,11 +12,46 @@
|
@@ -12,11 +12,46 @@
|
||||||
#include "internal/provider.h"
|
|
||||||
#include "crypto/ctype.h"
|
#include "crypto/ctype.h"
|
||||||
|
#include "crypto/rand.h"
|
||||||
|
|
||||||
+# include <sys/types.h>
|
+# include <sys/types.h>
|
||||||
+# include <sys/stat.h>
|
+# include <sys/stat.h>
|
||||||
|
@ -148,7 +148,7 @@ diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_
|
|||||||
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
||||||
+for more information.
|
+for more information.
|
||||||
|
|
||||||
=head1 COPYRIGHT
|
=head1 HISTORY
|
||||||
|
|
||||||
diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
|
diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||||
--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
|
--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
|
||||||
|
@ -493,8 +493,8 @@ index 10b4e57d79..2d3c363bb0 100644
|
|||||||
--- a/util/libcrypto.num
|
--- a/util/libcrypto.num
|
||||||
+++ b/util/libcrypto.num
|
+++ b/util/libcrypto.num
|
||||||
@@ -5426,3 +5426,5 @@ ASN1_item_d2i_ex 5552 3_0_0 EXIST::FUNCTION:
|
@@ -5426,3 +5426,5 @@ ASN1_item_d2i_ex 5552 3_0_0 EXIST::FUNCTION:
|
||||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
|
||||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||||
|
OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP
|
||||||
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||||
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||||
|
@ -2,9 +2,9 @@ diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.nu
|
|||||||
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
|
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
|
||||||
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
|
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
|
||||||
@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex
|
@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex
|
||||||
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
|
||||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||||
|
OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP
|
||||||
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
|
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||||
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
|
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||||
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
|
@ -136,7 +136,7 @@ diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad openssl-3.0.1/t
|
|||||||
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||||
--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen 2022-06-16 14:26:19.383530498 +0200
|
--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen 2022-06-16 14:26:19.383530498 +0200
|
||||||
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2022-06-16 14:39:53.637777701 +0200
|
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2022-06-16 14:39:53.637777701 +0200
|
||||||
@@ -263,12 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
|
@@ -263,13 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
|
||||||
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
||||||
|
|
||||||
# RSA decrypt
|
# RSA decrypt
|
||||||
@ -147,6 +147,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
|||||||
Output = "Hello World"
|
Output = "Hello World"
|
||||||
|
|
||||||
# Corrupted ciphertext
|
# Corrupted ciphertext
|
||||||
|
-FIPSversion = <3.2.0
|
||||||
+Availablein = default
|
+Availablein = default
|
||||||
Decrypt = RSA-2048
|
Decrypt = RSA-2048
|
||||||
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
|
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
|
||||||
|
@ -1,221 +0,0 @@
|
|||||||
From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Thu, 10 Nov 2022 10:46:32 -0500
|
|
||||||
Subject: [PATCH 1/3] Propagate selection all the way on key export
|
|
||||||
|
|
||||||
EVP_PKEY_eq() is used to check, among other things, if a certificate
|
|
||||||
public key corresponds to a private key. When the private key belongs to
|
|
||||||
a provider that does not allow to export private keys this currently
|
|
||||||
fails as the internal functions used to import/export keys ignored the
|
|
||||||
selection given (which specifies that only the public key needs to be
|
|
||||||
considered) and instead tries to export everything.
|
|
||||||
|
|
||||||
This patch allows to propagate the selection all the way down including
|
|
||||||
adding it in the cache so that a following operation actually looking
|
|
||||||
for other selection parameters does not mistakenly pick up an export
|
|
||||||
containing only partial information.
|
|
||||||
|
|
||||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
|
||||||
|
|
||||||
diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
|
|
||||||
index b06730dc7a..2d0238ee27 100644
|
|
||||||
--- a/crypto/evp/keymgmt_lib.c
|
|
||||||
+++ b/crypto/evp/keymgmt_lib.c
|
|
||||||
@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
|
||||||
export_cb, export_cbarg);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection)
|
|
||||||
{
|
|
||||||
struct evp_keymgmt_util_try_import_data_st import_data;
|
|
||||||
OP_CACHE_ELEM *op;
|
|
||||||
@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
*/
|
|
||||||
if (pk->dirty_cnt == pk->dirty_cnt_copy) {
|
|
||||||
/* If this key is already exported to |keymgmt|, no more to do */
|
|
||||||
- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
|
|
||||||
+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
|
|
||||||
if (op != NULL && op->keymgmt != NULL) {
|
|
||||||
void *ret = op->keydata;
|
|
||||||
|
|
||||||
@@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
/* Setup for the export callback */
|
|
||||||
import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */
|
|
||||||
import_data.keymgmt = keymgmt;
|
|
||||||
- import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
|
|
||||||
+ import_data.selection = selection;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The export function calls the callback (evp_keymgmt_util_try_import),
|
|
||||||
* which does the import for us. If successful, we're done.
|
|
||||||
*/
|
|
||||||
- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL,
|
|
||||||
+ if (!evp_keymgmt_util_export(pk, selection,
|
|
||||||
&evp_keymgmt_util_try_import, &import_data))
|
|
||||||
/* If there was an error, bail out */
|
|
||||||
return NULL;
|
|
||||||
@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
/* Check to make sure some other thread didn't get there first */
|
|
||||||
- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
|
|
||||||
+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
|
|
||||||
if (op != NULL && op->keydata != NULL) {
|
|
||||||
void *ret = op->keydata;
|
|
||||||
|
|
||||||
@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
evp_keymgmt_util_clear_operation_cache(pk, 0);
|
|
||||||
|
|
||||||
/* Add the new export to the operation cache */
|
|
||||||
- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) {
|
|
||||||
+ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata,
|
|
||||||
+ selection)) {
|
|
||||||
CRYPTO_THREAD_unlock(pk->lock);
|
|
||||||
evp_keymgmt_freedata(keymgmt, import_data.keydata);
|
|
||||||
return NULL;
|
|
||||||
@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking)
|
|
||||||
}
|
|
||||||
|
|
||||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt)
|
|
||||||
+ EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection)
|
|
||||||
{
|
|
||||||
int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache);
|
|
||||||
OP_CACHE_ELEM *p;
|
|
||||||
@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
|
||||||
*/
|
|
||||||
for (i = 0; i < end; i++) {
|
|
||||||
p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
|
|
||||||
- if (keymgmt == p->keymgmt)
|
|
||||||
+ if (keymgmt == p->keymgmt && (p->selection & selection) == selection)
|
|
||||||
return p;
|
|
||||||
}
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt, void *keydata)
|
|
||||||
+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ void *keydata, int selection)
|
|
||||||
{
|
|
||||||
OP_CACHE_ELEM *p = NULL;
|
|
||||||
|
|
||||||
@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
|
||||||
return 0;
|
|
||||||
p->keydata = keydata;
|
|
||||||
p->keymgmt = keymgmt;
|
|
||||||
+ p->selection = selection;
|
|
||||||
|
|
||||||
if (!EVP_KEYMGMT_up_ref(keymgmt)) {
|
|
||||||
OPENSSL_free(p);
|
|
||||||
@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
|
|
||||||
ok = 1;
|
|
||||||
if (keydata1 != NULL) {
|
|
||||||
tmp_keydata =
|
|
||||||
- evp_keymgmt_util_export_to_provider(pk1, keymgmt2);
|
|
||||||
+ evp_keymgmt_util_export_to_provider(pk1, keymgmt2,
|
|
||||||
+ selection);
|
|
||||||
ok = (tmp_keydata != NULL);
|
|
||||||
}
|
|
||||||
if (ok) {
|
|
||||||
@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
|
|
||||||
ok = 1;
|
|
||||||
if (keydata2 != NULL) {
|
|
||||||
tmp_keydata =
|
|
||||||
- evp_keymgmt_util_export_to_provider(pk2, keymgmt1);
|
|
||||||
+ evp_keymgmt_util_export_to_provider(pk2, keymgmt1,
|
|
||||||
+ selection);
|
|
||||||
ok = (tmp_keydata != NULL);
|
|
||||||
}
|
|
||||||
if (ok) {
|
|
||||||
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
|
|
||||||
index 70d17ec37e..905e9c9ce4 100644
|
|
||||||
--- a/crypto/evp/p_lib.c
|
|
||||||
+++ b/crypto/evp/p_lib.c
|
|
||||||
@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
{
|
|
||||||
EVP_KEYMGMT *allocated_keymgmt = NULL;
|
|
||||||
EVP_KEYMGMT *tmp_keymgmt = NULL;
|
|
||||||
+ int selection = OSSL_KEYMGMT_SELECT_ALL;
|
|
||||||
void *keydata = NULL;
|
|
||||||
int check;
|
|
||||||
|
|
||||||
@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
|
|
||||||
if (!CRYPTO_THREAD_read_lock(pk->lock))
|
|
||||||
goto end;
|
|
||||||
- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
|
|
||||||
+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt,
|
|
||||||
+ selection);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If |tmp_keymgmt| is present in the operation cache, it means
|
|
||||||
@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
|
|
||||||
|
|
||||||
/* Check to make sure some other thread didn't get there first */
|
|
||||||
- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
|
|
||||||
+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection);
|
|
||||||
if (op != NULL && op->keymgmt != NULL) {
|
|
||||||
void *tmp_keydata = op->keydata;
|
|
||||||
|
|
||||||
@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Add the new export to the operation cache */
|
|
||||||
- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) {
|
|
||||||
+ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata,
|
|
||||||
+ selection)) {
|
|
||||||
CRYPTO_THREAD_unlock(pk->lock);
|
|
||||||
evp_keymgmt_freedata(tmp_keymgmt, keydata);
|
|
||||||
keydata = NULL;
|
|
||||||
@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
}
|
|
||||||
#endif /* FIPS_MODULE */
|
|
||||||
|
|
||||||
- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
|
|
||||||
+ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection);
|
|
||||||
|
|
||||||
end:
|
|
||||||
/*
|
|
||||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
|
||||||
index f601b72807..dbbdcccbda 100644
|
|
||||||
--- a/include/crypto/evp.h
|
|
||||||
+++ b/include/crypto/evp.h
|
|
||||||
@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
|
|
||||||
typedef struct {
|
|
||||||
EVP_KEYMGMT *keymgmt;
|
|
||||||
void *keydata;
|
|
||||||
+ int selection;
|
|
||||||
} OP_CACHE_ELEM;
|
|
||||||
|
|
||||||
DEFINE_STACK_OF(OP_CACHE_ELEM)
|
|
||||||
@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata);
|
|
||||||
|
|
||||||
int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
|
||||||
OSSL_CALLBACK *export_cb, void *export_cbarg);
|
|
||||||
-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
|
|
||||||
+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection);
|
|
||||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt);
|
|
||||||
+ EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection);
|
|
||||||
int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
|
|
||||||
-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt, void *keydata);
|
|
||||||
+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ void *keydata, int selection);
|
|
||||||
void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
|
|
||||||
void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
|
|
||||||
int selection, const OSSL_PARAM params[]);
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,52 +0,0 @@
|
|||||||
From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Thu, 10 Nov 2022 16:58:28 -0500
|
|
||||||
Subject: [PATCH 2/3] Update documentation for keymgmt export utils
|
|
||||||
|
|
||||||
Change function prototypes and explain how to use the selection
|
|
||||||
argument.
|
|
||||||
|
|
||||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
|
||||||
|
|
||||||
diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
|
||||||
index 1fee9f6ff9..7099e44964 100644
|
|
||||||
--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
|
||||||
+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
|
||||||
@@ -20,12 +20,14 @@ OP_CACHE_ELEM
|
|
||||||
|
|
||||||
int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
|
||||||
OSSL_CALLBACK *export_cb, void *export_cbarg);
|
|
||||||
- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
|
|
||||||
+ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection);
|
|
||||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt);
|
|
||||||
+ EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection);
|
|
||||||
int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
|
|
||||||
- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt, void *keydata);
|
|
||||||
+ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ void *keydata, int selection);
|
|
||||||
void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
|
|
||||||
void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
|
|
||||||
int selection, const OSSL_PARAM params[]);
|
|
||||||
@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a
|
|
||||||
given key I<target> via a B<EVP_KEYMGMT> interface. This is used as a
|
|
||||||
helper for L<EVP_PKEY_fromdata(3)>.
|
|
||||||
|
|
||||||
+In all functions that take a I<selection> argument, the selection is used to
|
|
||||||
+constraint the information requested on export. It is also used in the cache
|
|
||||||
+so that key data is guaranteed to contain all the information requested in
|
|
||||||
+the selection.
|
|
||||||
+
|
|
||||||
=head1 RETURN VALUES
|
|
||||||
|
|
||||||
evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata()
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,357 +0,0 @@
|
|||||||
From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Fri, 11 Nov 2022 12:18:26 -0500
|
|
||||||
Subject: [PATCH 3/3] Add test for EVP_PKEY_eq
|
|
||||||
|
|
||||||
This tests that the comparison work even if a provider can only return
|
|
||||||
a public key.
|
|
||||||
|
|
||||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
|
||||||
|
|
||||||
diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
|
|
||||||
index d556551bb6..5e92e72d4b 100644
|
|
||||||
--- a/test/fake_rsaprov.c
|
|
||||||
+++ b/test/fake_rsaprov.c
|
|
||||||
@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has;
|
|
||||||
static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query;
|
|
||||||
static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import;
|
|
||||||
static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes;
|
|
||||||
+static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export;
|
|
||||||
+static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes;
|
|
||||||
static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load;
|
|
||||||
|
|
||||||
static int has_selection;
|
|
||||||
static int imptypes_selection;
|
|
||||||
+static int exptypes_selection;
|
|
||||||
static int query_id;
|
|
||||||
|
|
||||||
+struct fake_rsa_keydata {
|
|
||||||
+ int selection;
|
|
||||||
+ int status;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
static void *fake_rsa_keymgmt_new(void *provctx)
|
|
||||||
{
|
|
||||||
- unsigned char *keydata = OPENSSL_zalloc(1);
|
|
||||||
+ struct fake_rsa_keydata *key;
|
|
||||||
|
|
||||||
- TEST_ptr(keydata);
|
|
||||||
+ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata))))
|
|
||||||
+ return NULL;
|
|
||||||
|
|
||||||
/* clear test globals */
|
|
||||||
has_selection = 0;
|
|
||||||
imptypes_selection = 0;
|
|
||||||
+ exptypes_selection = 0;
|
|
||||||
query_id = 0;
|
|
||||||
|
|
||||||
- return keydata;
|
|
||||||
+ return key;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void fake_rsa_keymgmt_free(void *keydata)
|
|
||||||
@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id)
|
|
||||||
static int fake_rsa_keymgmt_import(void *keydata, int selection,
|
|
||||||
const OSSL_PARAM *p)
|
|
||||||
{
|
|
||||||
- unsigned char *fake_rsa_key = keydata;
|
|
||||||
+ struct fake_rsa_keydata *fake_rsa_key = keydata;
|
|
||||||
|
|
||||||
/* key was imported */
|
|
||||||
- *fake_rsa_key = 1;
|
|
||||||
+ fake_rsa_key->status = 1;
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static unsigned char fake_rsa_n[] =
|
|
||||||
+ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
|
|
||||||
+ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
|
|
||||||
+ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
|
|
||||||
+ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
|
|
||||||
+ "\xF5";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_e[] = "\x11";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_d[] =
|
|
||||||
+ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
|
|
||||||
+ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
|
|
||||||
+ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
|
|
||||||
+ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_p[] =
|
|
||||||
+ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
|
|
||||||
+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
|
|
||||||
+ "\x0D";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_q[] =
|
|
||||||
+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
|
|
||||||
+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
|
|
||||||
+ "\x89";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_dmp1[] =
|
|
||||||
+ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
|
|
||||||
+ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_dmq1[] =
|
|
||||||
+ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
|
|
||||||
+ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
|
|
||||||
+ "\x51";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_iqmp[] =
|
|
||||||
+ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
|
|
||||||
+ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
|
|
||||||
+
|
|
||||||
+OSSL_PARAM *fake_rsa_key_params(int priv)
|
|
||||||
+{
|
|
||||||
+ if (priv) {
|
|
||||||
+ OSSL_PARAM params[] = {
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
|
|
||||||
+ sizeof(fake_rsa_n) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
|
|
||||||
+ sizeof(fake_rsa_e) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d,
|
|
||||||
+ sizeof(fake_rsa_d) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p,
|
|
||||||
+ sizeof(fake_rsa_p) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q,
|
|
||||||
+ sizeof(fake_rsa_q) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1,
|
|
||||||
+ sizeof(fake_rsa_dmp1) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1,
|
|
||||||
+ sizeof(fake_rsa_dmq1) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp,
|
|
||||||
+ sizeof(fake_rsa_iqmp) -1),
|
|
||||||
+ OSSL_PARAM_END
|
|
||||||
+ };
|
|
||||||
+ return OSSL_PARAM_dup(params);
|
|
||||||
+ } else {
|
|
||||||
+ OSSL_PARAM params[] = {
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
|
|
||||||
+ sizeof(fake_rsa_n) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
|
|
||||||
+ sizeof(fake_rsa_e) -1),
|
|
||||||
+ OSSL_PARAM_END
|
|
||||||
+ };
|
|
||||||
+ return OSSL_PARAM_dup(params);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int fake_rsa_keymgmt_export(void *keydata, int selection,
|
|
||||||
+ OSSL_CALLBACK *param_callback, void *cbarg)
|
|
||||||
+{
|
|
||||||
+ OSSL_PARAM *params = NULL;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0)))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ ret = param_callback(params, cbarg);
|
|
||||||
+ OSSL_PARAM_free(params);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static const OSSL_PARAM fake_rsa_import_key_types[] = {
|
|
||||||
OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
|
|
||||||
OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
|
|
||||||
@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection)
|
|
||||||
return fake_rsa_import_key_types;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static const OSSL_PARAM fake_rsa_export_key_types[] = {
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
|
|
||||||
+ OSSL_PARAM_END
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection)
|
|
||||||
+{
|
|
||||||
+ /* record global for checking */
|
|
||||||
+ exptypes_selection = selection;
|
|
||||||
+
|
|
||||||
+ return fake_rsa_export_key_types;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz)
|
|
||||||
{
|
|
||||||
- unsigned char *key = NULL;
|
|
||||||
+ struct fake_rsa_keydata *key = NULL;
|
|
||||||
|
|
||||||
- if (reference_sz != sizeof(key))
|
|
||||||
+ if (reference_sz != sizeof(*key))
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- key = *(unsigned char **)reference;
|
|
||||||
- if (*key != 1)
|
|
||||||
+ key = *(struct fake_rsa_keydata **)reference;
|
|
||||||
+ if (key->status != 1)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
/* detach the reference */
|
|
||||||
- *(unsigned char **)reference = NULL;
|
|
||||||
+ *(struct fake_rsa_keydata **)reference = NULL;
|
|
||||||
|
|
||||||
return key;
|
|
||||||
}
|
|
||||||
@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
|
||||||
{
|
|
||||||
unsigned char *gctx = genctx;
|
|
||||||
static const unsigned char inited[] = { 1 };
|
|
||||||
- unsigned char *keydata;
|
|
||||||
+ struct fake_rsa_keydata *keydata;
|
|
||||||
|
|
||||||
if (!TEST_ptr(gctx)
|
|
||||||
|| !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited)))
|
|
||||||
@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
|
||||||
if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL)))
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- *keydata = 2;
|
|
||||||
+ keydata->status = 2;
|
|
||||||
return keydata;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = {
|
|
||||||
{ OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import },
|
|
||||||
{ OSSL_FUNC_KEYMGMT_IMPORT_TYPES,
|
|
||||||
(void (*)(void))fake_rsa_keymgmt_imptypes },
|
|
||||||
+ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export },
|
|
||||||
+ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,
|
|
||||||
+ (void (*)(void))fake_rsa_keymgmt_exptypes },
|
|
||||||
{ OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load },
|
|
||||||
{ OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init },
|
|
||||||
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen },
|
|
||||||
@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey,
|
|
||||||
const OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
unsigned char *sigctx = ctx;
|
|
||||||
- unsigned char *keydata = provkey;
|
|
||||||
+ struct fake_rsa_keydata *keydata = provkey;
|
|
||||||
|
|
||||||
/* we must have a ctx */
|
|
||||||
if (!TEST_ptr(sigctx))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* we must have some initialized key */
|
|
||||||
- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0))
|
|
||||||
+ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* record that sign init was called */
|
|
||||||
@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx,
|
|
||||||
unsigned char *storectx = loaderctx;
|
|
||||||
OSSL_PARAM params[4];
|
|
||||||
int object_type = OSSL_OBJECT_PKEY;
|
|
||||||
- void *key = NULL;
|
|
||||||
+ struct fake_rsa_keydata *key = NULL;
|
|
||||||
int rv = 0;
|
|
||||||
|
|
||||||
switch (*storectx) {
|
|
||||||
@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx,
|
|
||||||
/* The address of the key becomes the octet string */
|
|
||||||
params[2] =
|
|
||||||
OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
|
|
||||||
- &key, sizeof(key));
|
|
||||||
+ &key, sizeof(*key));
|
|
||||||
params[3] = OSSL_PARAM_construct_end();
|
|
||||||
rv = object_cb(params, object_cbarg);
|
|
||||||
*storectx = 1;
|
|
||||||
diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h
|
|
||||||
index 57de1ecf8d..190c46a285 100644
|
|
||||||
--- a/test/fake_rsaprov.h
|
|
||||||
+++ b/test/fake_rsaprov.h
|
|
||||||
@@ -12,3 +12,4 @@
|
|
||||||
/* Fake RSA provider implementation */
|
|
||||||
OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx);
|
|
||||||
void fake_rsa_finish(OSSL_PROVIDER *p);
|
|
||||||
+OSSL_PARAM *fake_rsa_key_params(int priv);
|
|
||||||
diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
|
|
||||||
index 5c398398f4..3b190baa5e 100644
|
|
||||||
--- a/test/provider_pkey_test.c
|
|
||||||
+++ b/test/provider_pkey_test.c
|
|
||||||
@@ -176,6 +176,67 @@ end:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_pkey_eq(void)
|
|
||||||
+{
|
|
||||||
+ OSSL_PROVIDER *deflt = NULL;
|
|
||||||
+ OSSL_PROVIDER *fake_rsa = NULL;
|
|
||||||
+ EVP_PKEY *pkey_fake = NULL;
|
|
||||||
+ EVP_PKEY *pkey_dflt = NULL;
|
|
||||||
+ EVP_PKEY_CTX *ctx = NULL;
|
|
||||||
+ OSSL_PARAM *params = NULL;
|
|
||||||
+ int ret = 0;
|
|
||||||
+
|
|
||||||
+ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ /* Construct a public key for fake-rsa */
|
|
||||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0))
|
|
||||||
+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
|
|
||||||
+ "provider=fake-rsa"))
|
|
||||||
+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
|
|
||||||
+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
|
|
||||||
+ params))
|
|
||||||
+ || !TEST_ptr(pkey_fake))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ EVP_PKEY_CTX_free(ctx);
|
|
||||||
+ ctx = NULL;
|
|
||||||
+ OSSL_PARAM_free(params);
|
|
||||||
+ params = NULL;
|
|
||||||
+
|
|
||||||
+ /* Construct a public key for default */
|
|
||||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0))
|
|
||||||
+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
|
|
||||||
+ "provider=default"))
|
|
||||||
+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
|
|
||||||
+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
|
|
||||||
+ params))
|
|
||||||
+ || !TEST_ptr(pkey_dflt))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ EVP_PKEY_CTX_free(ctx);
|
|
||||||
+ ctx = NULL;
|
|
||||||
+ OSSL_PARAM_free(params);
|
|
||||||
+ params = NULL;
|
|
||||||
+
|
|
||||||
+ /* now test for equality */
|
|
||||||
+ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ ret = 1;
|
|
||||||
+end:
|
|
||||||
+ fake_rsa_finish(fake_rsa);
|
|
||||||
+ OSSL_PROVIDER_unload(deflt);
|
|
||||||
+ EVP_PKEY_CTX_free(ctx);
|
|
||||||
+ EVP_PKEY_free(pkey_fake);
|
|
||||||
+ EVP_PKEY_free(pkey_dflt);
|
|
||||||
+ OSSL_PARAM_free(params);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int test_pkey_store(int idx)
|
|
||||||
{
|
|
||||||
OSSL_PROVIDER *deflt = NULL;
|
|
||||||
@@ -235,6 +296,7 @@ int setup_tests(void)
|
|
||||||
|
|
||||||
ADD_TEST(test_pkey_sig);
|
|
||||||
ADD_TEST(test_alternative_keygen_init);
|
|
||||||
+ ADD_TEST(test_pkey_eq);
|
|
||||||
ADD_ALL_TESTS(test_pkey_store, 2);
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,75 +0,0 @@
|
|||||||
From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Mon, 14 Nov 2022 10:25:15 -0500
|
|
||||||
Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
|
|
||||||
|
|
||||||
The providers indication should always indicate that this is not a
|
|
||||||
legacy request.
|
|
||||||
This makes a check for engines redundant as the default return is that
|
|
||||||
legacy is ok if there are no explicit providers.
|
|
||||||
|
|
||||||
Fixes #19662
|
|
||||||
|
|
||||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/19671)
|
|
||||||
---
|
|
||||||
apps/lib/apps.c | 8 --------
|
|
||||||
test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
|
|
||||||
2 files changed, 23 insertions(+), 8 deletions(-)
|
|
||||||
create mode 100755 test/recipes/20-test_legacy_okay.t
|
|
||||||
|
|
||||||
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
|
|
||||||
index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
|
|
||||||
--- a/apps/lib/apps.c
|
|
||||||
+++ b/apps/lib/apps.c
|
|
||||||
@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
|
|
||||||
{
|
|
||||||
int provider_options = opt_provider_option_given();
|
|
||||||
int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
|
|
||||||
-#ifndef OPENSSL_NO_ENGINE
|
|
||||||
- ENGINE *e = ENGINE_get_first();
|
|
||||||
-
|
|
||||||
- if (e != NULL) {
|
|
||||||
- ENGINE_free(e);
|
|
||||||
- return 1;
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
/*
|
|
||||||
* Having a provider option specified or a custom library context or
|
|
||||||
* property query, is a sure sign we're not using legacy.
|
|
||||||
diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/20-test_legacy_okay.t
|
|
||||||
@@ -0,0 +1,23 @@
|
|
||||||
+#! /usr/bin/env perl
|
|
||||||
+# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+#
|
|
||||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+# this file except in compliance with the License. You can obtain a copy
|
|
||||||
+# in the file LICENSE in the source distribution or at
|
|
||||||
+# https://www.openssl.org/source/license.html
|
|
||||||
+
|
|
||||||
+use strict;
|
|
||||||
+use warnings;
|
|
||||||
+
|
|
||||||
+use OpenSSL::Test;
|
|
||||||
+
|
|
||||||
+setup("test_legacy");
|
|
||||||
+
|
|
||||||
+plan tests => 3;
|
|
||||||
+
|
|
||||||
+ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
|
|
||||||
+
|
|
||||||
+ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
|
|
||||||
+
|
|
||||||
+ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
|
|
||||||
+ 'rand.txt'])), "Fail to generate a digest");
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -104,9 +104,9 @@ index 54e2a1c61ca..094a6632b66 100644
|
|||||||
/* make data into a big number */
|
/* make data into a big number */
|
||||||
if (BN_bin2bn(from, (int)flen, f) == NULL)
|
if (BN_bin2bn(from, (int)flen, f) == NULL)
|
||||||
goto err;
|
goto err;
|
||||||
@@ -471,14 +490,92 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
@@ -471,6 +490,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
||||||
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
BN_free(d);
|
||||||
goto err;
|
}
|
||||||
|
|
||||||
+ /*
|
+ /*
|
||||||
+ * derive the Key Derivation Key from private exponent and public
|
+ * derive the Key Derivation Key from private exponent and public
|
||||||
@ -183,9 +183,11 @@ index 54e2a1c61ca..094a6632b66 100644
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
j = BN_bn2binpad(ret, buf, num);
|
if (blinding) {
|
||||||
if (j < 0)
|
/*
|
||||||
goto err;
|
* ossl_bn_rsa_do_unblind() combines blinding inversion and
|
||||||
|
@@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
||||||
|
}
|
||||||
|
|
||||||
switch (padding) {
|
switch (padding) {
|
||||||
- case RSA_PKCS1_PADDING:
|
- case RSA_PKCS1_PADDING:
|
||||||
@ -698,8 +700,8 @@ index ac3f6271969..cb770c9e857 100644
|
|||||||
--- a/doc/man7/provider-asym_cipher.pod
|
--- a/doc/man7/provider-asym_cipher.pod
|
||||||
+++ b/doc/man7/provider-asym_cipher.pod
|
+++ b/doc/man7/provider-asym_cipher.pod
|
||||||
@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client.
|
@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client.
|
||||||
The negotiated TLS protocol version. See
|
|
||||||
B<RSA_PKCS1_WITH_TLS_PADDING> on the page L<EVP_PKEY_CTX_set_rsa_padding(3)>.
|
The negotiated TLS protocol version.
|
||||||
|
|
||||||
+=item "implicit-rejection" (B<OSSL_PKEY_PARAM_IMPLICIT_REJECTION>) <unsigned integer>
|
+=item "implicit-rejection" (B<OSSL_PKEY_PARAM_IMPLICIT_REJECTION>) <unsigned integer>
|
||||||
+
|
+
|
||||||
|
56
openssl.spec
56
openssl.spec
@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
|
|||||||
|
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.0.7
|
Version: 3.0.8
|
||||||
Release: 4%{?dist}
|
Release: 1%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -71,12 +71,6 @@ Patch11: 0011-Remove-EC-curves.patch
|
|||||||
# Disable explicit EC curves
|
# Disable explicit EC curves
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
|
||||||
Patch12: 0012-Disable-explicit-ec.patch
|
Patch12: 0012-Disable-explicit-ec.patch
|
||||||
# https://github.com/openssl/openssl/pull/17981
|
|
||||||
# Patch13: 0013-FIPS-provider-explicit-ec.patch
|
|
||||||
# https://github.com/openssl/openssl/pull/17998
|
|
||||||
# Patch14: 0014-FIPS-disable-explicit-ec.patch
|
|
||||||
# https://github.com/openssl/openssl/pull/18609
|
|
||||||
# Patch15: 0015-FIPS-decoded-from-explicit.patch
|
|
||||||
# Instructions to load legacy provider in openssl.cnf
|
# Instructions to load legacy provider in openssl.cnf
|
||||||
Patch24: 0024-load-legacy-prov.patch
|
Patch24: 0024-load-legacy-prov.patch
|
||||||
# Tmp: test name change
|
# Tmp: test name change
|
||||||
@ -93,12 +87,8 @@ Patch35: 0035-speed-skip-unavailable-dgst.patch
|
|||||||
Patch44: 0044-FIPS-140-3-keychecks.patch
|
Patch44: 0044-FIPS-140-3-keychecks.patch
|
||||||
# Minimize fips services
|
# Minimize fips services
|
||||||
Patch45: 0045-FIPS-services-minimize.patch
|
Patch45: 0045-FIPS-services-minimize.patch
|
||||||
# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486
|
|
||||||
# Patch46: 0046-FIPS-s390x-hardening.patch
|
|
||||||
# Execute KATS before HMAC verification
|
# Execute KATS before HMAC verification
|
||||||
Patch47: 0047-FIPS-early-KATS.patch
|
Patch47: 0047-FIPS-early-KATS.patch
|
||||||
# Backport of correctly handle 2^14 byte long records #17538
|
|
||||||
# Patch48: 0048-correctly-handle-records.patch
|
|
||||||
%if 0%{?rhel}
|
%if 0%{?rhel}
|
||||||
# Selectively disallow SHA1 signatures
|
# Selectively disallow SHA1 signatures
|
||||||
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
|
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
|
||||||
@ -121,10 +111,6 @@ Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
|
|||||||
# Instrument with USDT probes related to SHA-1 deprecation
|
# Instrument with USDT probes related to SHA-1 deprecation
|
||||||
Patch53: 0053-Add-SHA1-probes.patch
|
Patch53: 0053-Add-SHA1-probes.patch
|
||||||
%endif
|
%endif
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2004915, backport of 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62
|
|
||||||
# Patch54: 0054-Replace-size-check-with-more-meaningful-pubkey-check.patch
|
|
||||||
# https://github.com/openssl/openssl/pull/17324
|
|
||||||
# Patch55: 0055-nonlegacy-fetch-null-deref.patch
|
|
||||||
# https://github.com/openssl/openssl/pull/18103
|
# https://github.com/openssl/openssl/pull/18103
|
||||||
# The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
|
# The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
|
||||||
# so the patch should persist
|
# so the patch should persist
|
||||||
@ -138,25 +124,6 @@ Patch60: 0060-FIPS-KAT-signature-tests.patch
|
|||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
|
||||||
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
|
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
|
||||||
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
|
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
|
||||||
# https://github.com/openssl/openssl/pull/18141
|
|
||||||
# Patch63: 0063-CVE-2022-1473.patch
|
|
||||||
# upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
|
|
||||||
# Patch64: 0064-CVE-2022-1343.diff
|
|
||||||
# upstream commit 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
|
|
||||||
# Patch65: 0065-CVE-2022-1292.patch
|
|
||||||
# https://github.com/openssl/openssl/pull/18444
|
|
||||||
# https://github.com/openssl/openssl/pull/18467
|
|
||||||
# Patch66: 0066-replace-expired-certs.patch
|
|
||||||
# https://github.com/openssl/openssl/pull/18512
|
|
||||||
# Patch67: 0067-fix-ppc64-montgomery.patch
|
|
||||||
#https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa
|
|
||||||
#https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739
|
|
||||||
# Patch68: 0068-CVE-2022-2068.patch
|
|
||||||
# https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93
|
|
||||||
# https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8
|
|
||||||
# Patch69: 0069-CVE-2022-2097.patch
|
|
||||||
# https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483
|
|
||||||
# Patch70: 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch
|
|
||||||
# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
|
# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
|
||||||
# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
|
# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
|
||||||
# Regression on Power8, see rhbz2124845, https://github.com/openssl/openssl/issues/19163; fix in 0079-Fix-AES-GCM-on-Power-8-CPUs.patch
|
# Regression on Power8, see rhbz2124845, https://github.com/openssl/openssl/issues/19163; fix in 0079-Fix-AES-GCM-on-Power-8-CPUs.patch
|
||||||
@ -184,14 +151,6 @@ Patch77: 0077-FIPS-140-3-zeroization.patch
|
|||||||
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
|
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2124845, https://github.com/openssl/openssl/pull/19182
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2124845, https://github.com/openssl/openssl/pull/19182
|
||||||
Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch
|
Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch
|
||||||
# #CVE-2022-3602
|
|
||||||
# Patch80: 0080-CVE-2022-3602.patch
|
|
||||||
# #Provider interface fixes
|
|
||||||
# Patch81: 0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch
|
|
||||||
Patch82: 0082-Propagate-selection-all-the-way-on-key-export.patch
|
|
||||||
Patch83: 0083-Update-documentation-for-keymgmt-export-utils.patch
|
|
||||||
Patch84: 0084-Add-test-for-EVP_PKEY_eq.patch
|
|
||||||
Patch85: 0085-Drop-explicit-check-for-engines-in-opt_legacy_okay.patch
|
|
||||||
# https://github.com/openssl/openssl/pull/13817
|
# https://github.com/openssl/openssl/pull/13817
|
||||||
Patch100: 0100-RSA-PKCS15-implicit-rejection.patch
|
Patch100: 0100-RSA-PKCS15-implicit-rejection.patch
|
||||||
|
|
||||||
@ -532,6 +491,17 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Feb 09 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.8-1
|
||||||
|
- Rebase to upstream version 3.0.8
|
||||||
|
Resolves: CVE-2022-4203
|
||||||
|
Resolves: CVE-2022-4304
|
||||||
|
Resolves: CVE-2022-4450
|
||||||
|
Resolves: CVE-2023-0215
|
||||||
|
Resolves: CVE-2023-0216
|
||||||
|
Resolves: CVE-2023-0217
|
||||||
|
Resolves: CVE-2023-0286
|
||||||
|
Resolves: CVE-2023-0401
|
||||||
|
|
||||||
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.7-4
|
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.7-4
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||||
|
|
||||||
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (openssl-3.0.7-hobbled.tar.gz) = 3580f7c2f4b9f2fb0997ddaac31034a9ce2ee288ec1cc58dc48704f43a9116733d0b07c1b262ff55ce58ac89af4abb9bfd559e746338c7b497eb223c473f6751
|
SHA512 (openssl-3.0.8-hobbled.tar.gz) = 42f2a59aa8c39c21b66b528329ace126b870f6d7c3a1da2f2ee18ab875923c5bcf3d9046f884201556799a8ab1d915112a1f124cfaf1ab77b2eac834d1f88c60
|
||||||
|
Loading…
Reference in New Issue
Block a user