forked from rpms/openssl
Rebase to OpenSSL 3.2.2.
Related: RHEL-31762
This commit is contained in:
parent
c948b4d252
commit
3ae0078fd9
1
.gitignore
vendored
1
.gitignore
vendored
@ -61,3 +61,4 @@ openssl-1.0.0a-usa.tar.bz2
|
|||||||
/openssl-3.1.1.tar.gz
|
/openssl-3.1.1.tar.gz
|
||||||
/openssl-3.1.4.tar.gz
|
/openssl-3.1.4.tar.gz
|
||||||
/openssl-3.2.1.tar.gz
|
/openssl-3.2.1.tar.gz
|
||||||
|
/openssl-3.2.2.tar.gz
|
||||||
|
@ -1,30 +1,32 @@
|
|||||||
From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001
|
From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001
|
||||||
From: rpm-build <rpm-build>
|
From: rpm-build <rpm-build>
|
||||||
Date: Thu, 19 Oct 2023 13:12:40 +0200
|
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
||||||
Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
|
Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch
|
||||||
|
|
||||||
Patch-name: 0033-FIPS-embed-hmac.patch
|
Patch-name: 0033-FIPS-embed-hmac.patch
|
||||||
Patch-id: 33
|
Patch-id: 33
|
||||||
Patch-status: |
|
Patch-status: |
|
||||||
# # Embed HMAC into the fips.so
|
# # Embed HMAC into the fips.so
|
||||||
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
|
# Modify fips self test as per
|
||||||
|
# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
|
||||||
|
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||||
---
|
---
|
||||||
providers/fips/self_test.c | 70 ++++++++++++++++++++++++---
|
providers/fips/self_test.c | 204 ++++++++++++++++++++++++--
|
||||||
test/fipsmodule.cnf | 2 +
|
test/fipsmodule.cnf | 2 +
|
||||||
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
|
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
|
||||||
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
|
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
|
||||||
test/recipes/03-test_fipsinstall.t | 2 +-
|
test/recipes/03-test_fipsinstall.t | 2 +-
|
||||||
test/recipes/30-test_defltfips.t | 2 +-
|
test/recipes/30-test_defltfips.t | 2 +-
|
||||||
test/recipes/80-test_ssl_new.t | 2 +-
|
test/recipes/80-test_ssl_new.t | 2 +-
|
||||||
test/recipes/90-test_sslapi.t | 2 +-
|
test/recipes/90-test_sslapi.t | 2 +-
|
||||||
8 files changed, 71 insertions(+), 13 deletions(-)
|
8 files changed, 200 insertions(+), 18 deletions(-)
|
||||||
create mode 100644 test/fipsmodule.cnf
|
create mode 100644 test/fipsmodule.cnf
|
||||||
|
|
||||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
||||||
index b8dc9817b2..e3a629018a 100644
|
index b8dc9817b2..28f536d13c 100644
|
||||||
--- a/providers/fips/self_test.c
|
--- a/providers/fips/self_test.c
|
||||||
+++ b/providers/fips/self_test.c
|
+++ b/providers/fips/self_test.c
|
||||||
@@ -230,11 +230,27 @@ err:
|
@@ -230,11 +230,133 @@ err:
|
||||||
return ok;
|
return ok;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -40,6 +42,7 @@ index b8dc9817b2..e3a629018a 100644
|
|||||||
* the result matches the expected value.
|
* the result matches the expected value.
|
||||||
* Return 1 if verified, or 0 if it fails.
|
* Return 1 if verified, or 0 if it fails.
|
||||||
*/
|
*/
|
||||||
|
+
|
||||||
+#ifndef __USE_GNU
|
+#ifndef __USE_GNU
|
||||||
+#define __USE_GNU
|
+#define __USE_GNU
|
||||||
+#include <dlfcn.h>
|
+#include <dlfcn.h>
|
||||||
@ -49,220 +52,6 @@ index b8dc9817b2..e3a629018a 100644
|
|||||||
+#endif
|
+#endif
|
||||||
+#include <link.h>
|
+#include <link.h>
|
||||||
+
|
+
|
||||||
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
|
||||||
unsigned char *expected, size_t expected_len,
|
|
||||||
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
|
||||||
@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
||||||
EVP_MAC *mac = NULL;
|
|
||||||
EVP_MAC_CTX *ctx = NULL;
|
|
||||||
OSSL_PARAM params[2], *p = params;
|
|
||||||
+ Dl_info info;
|
|
||||||
+ void *extra_info = NULL;
|
|
||||||
+ struct link_map *lm = NULL;
|
|
||||||
+ unsigned long paddr;
|
|
||||||
+ unsigned long off = 0;
|
|
||||||
|
|
||||||
if (!integrity_self_test(ev, libctx))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
|
||||||
|
|
||||||
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
|
||||||
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
|
||||||
+ goto err;
|
|
||||||
+ lm = extra_info;
|
|
||||||
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
|
||||||
+
|
|
||||||
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
|
||||||
if (mac == NULL)
|
|
||||||
goto err;
|
|
||||||
@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
||||||
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
- while (1) {
|
|
||||||
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
|
||||||
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
|
||||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ break;
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
+ goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
|
|
||||||
+ int delta = paddr - off;
|
|
||||||
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ goto err;
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
+ goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
+
|
|
||||||
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
|
||||||
+ memset(buf, 0, HMAC_LEN);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ goto err;
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
+ goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ while (bytes_read > 0) {
|
|
||||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
||||||
if (status != 1)
|
|
||||||
break;
|
|
||||||
if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
||||||
goto err;
|
|
||||||
ret = 1;
|
|
||||||
err:
|
|
||||||
+ OPENSSL_cleanse(out, sizeof(out));
|
|
||||||
OSSL_SELF_TEST_onend(ev, ret);
|
|
||||||
EVP_MAC_CTX_free(ctx);
|
|
||||||
EVP_MAC_free(mac);
|
|
||||||
@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (st == NULL
|
|
||||||
- || st->module_checksum_data == NULL) {
|
|
||||||
+ if (st == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
||||||
if (ev == NULL)
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
|
||||||
- &checksum_len);
|
|
||||||
+ module_checksum = fips_hmac_container;
|
|
||||||
+ checksum_len = sizeof(fips_hmac_container);
|
|
||||||
+
|
|
||||||
if (module_checksum == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
|
||||||
goto end;
|
|
||||||
@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
||||||
end:
|
|
||||||
EVP_RAND_free(testrand);
|
|
||||||
OSSL_SELF_TEST_free(ev);
|
|
||||||
- OPENSSL_free(module_checksum);
|
|
||||||
OPENSSL_free(indicator_checksum);
|
|
||||||
|
|
||||||
if (st != NULL) {
|
|
||||||
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..f05d0dedbe
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/fipsmodule.cnf
|
|
||||||
@@ -0,0 +1,2 @@
|
|
||||||
+[fips_sect]
|
|
||||||
+activate = 1
|
|
||||||
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
|
|
||||||
index 4e3a6d85e8..e8255ba974 100644
|
|
||||||
--- a/test/recipes/00-prep_fipsmodule_cnf.t
|
|
||||||
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
|
|
||||||
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
|
|
||||||
use lib bldtop_dir('.');
|
|
||||||
use platform;
|
|
||||||
|
|
||||||
-my $no_check = disabled("fips");
|
|
||||||
+my $no_check = 1;
|
|
||||||
plan skip_all => "FIPS module config file only supported in a fips build"
|
|
||||||
if $no_check;
|
|
||||||
|
|
||||||
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
|
|
||||||
index ce594817d5..00cebacff8 100644
|
|
||||||
--- a/test/recipes/01-test_fipsmodule_cnf.t
|
|
||||||
+++ b/test/recipes/01-test_fipsmodule_cnf.t
|
|
||||||
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
|
|
||||||
use lib bldtop_dir('.');
|
|
||||||
use platform;
|
|
||||||
|
|
||||||
-my $no_check = disabled("fips");
|
|
||||||
+my $no_check = 1;
|
|
||||||
plan skip_all => "Test only supported in a fips build"
|
|
||||||
if $no_check;
|
|
||||||
plan tests => 1;
|
|
||||||
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
|
|
||||||
index b8b136d110..8242f4ebc3 100644
|
|
||||||
--- a/test/recipes/03-test_fipsinstall.t
|
|
||||||
+++ b/test/recipes/03-test_fipsinstall.t
|
|
||||||
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
|
|
||||||
use lib bldtop_dir('.');
|
|
||||||
use platform;
|
|
||||||
|
|
||||||
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
|
||||||
+plan skip_all => "Test only supported in a fips build" if 1;
|
|
||||||
|
|
||||||
# Compatible options for pedantic FIPS compliance
|
|
||||||
my @pedantic_okay =
|
|
||||||
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
|
|
||||||
index c8f145405b..56a2ec5dc4 100644
|
|
||||||
--- a/test/recipes/30-test_defltfips.t
|
|
||||||
+++ b/test/recipes/30-test_defltfips.t
|
|
||||||
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
|
||||||
plan skip_all => "Configuration loading is turned off"
|
|
||||||
if disabled("autoload-config");
|
|
||||||
|
|
||||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
|
|
||||||
plan tests =>
|
|
||||||
($no_fips ? 1 : 5);
|
|
||||||
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
|
|
||||||
index 0c6d6402d9..e45f9cb560 100644
|
|
||||||
--- a/test/recipes/80-test_ssl_new.t
|
|
||||||
+++ b/test/recipes/80-test_ssl_new.t
|
|
||||||
@@ -27,7 +27,7 @@ setup("test_ssl_new");
|
|
||||||
use lib srctop_dir('Configurations');
|
|
||||||
use lib bldtop_dir('.');
|
|
||||||
|
|
||||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
|
|
||||||
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
|
||||||
|
|
||||||
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
|
|
||||||
index 9e9e32b51e..1a1a7159b5 100644
|
|
||||||
--- a/test/recipes/90-test_sslapi.t
|
|
||||||
+++ b/test/recipes/90-test_sslapi.t
|
|
||||||
@@ -17,7 +17,7 @@ setup("test_sslapi");
|
|
||||||
use lib srctop_dir('Configurations');
|
|
||||||
use lib bldtop_dir('.');
|
|
||||||
|
|
||||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
my $fipsmodcfg_filename = "fipsmodule.cnf";
|
|
||||||
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/providers/fips/self_test.c
|
|
||||||
--- openssl-3.2.0/providers/fips/self_test.c.fix-self-test 2024-02-01 17:36:27.970983419 +0100
|
|
||||||
+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-01 17:39:19.788685051 +0100
|
|
||||||
@@ -242,6 +242,7 @@ static const unsigned char __attribute__
|
|
||||||
* the result matches the expected value.
|
|
||||||
* Return 1 if verified, or 0 if it fails.
|
|
||||||
*/
|
|
||||||
+
|
|
||||||
#ifndef __USE_GNU
|
|
||||||
#define __USE_GNU
|
|
||||||
#include <dlfcn.h>
|
|
||||||
@@ -251,6 +252,111 @@ static const unsigned char __attribute__
|
|
||||||
#endif
|
|
||||||
#include <link.h>
|
|
||||||
|
|
||||||
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
|
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
|
||||||
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
||||||
+ unsigned char *expected, size_t expected_len,
|
+ unsigned char *expected, size_t expected_len,
|
||||||
@ -371,10 +160,111 @@ diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/pr
|
|||||||
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
||||||
unsigned char *expected, size_t expected_len,
|
unsigned char *expected, size_t expected_len,
|
||||||
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
||||||
diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/providers/fips/self_test.c
|
@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||||
--- openssl-3.2.0/providers/fips/self_test.c.fix-self-test 2024-02-01 17:40:54.926627242 +0100
|
EVP_MAC *mac = NULL;
|
||||||
+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-01 17:45:58.939636676 +0100
|
EVP_MAC_CTX *ctx = NULL;
|
||||||
@@ -527,14 +527,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
OSSL_PARAM params[2], *p = params;
|
||||||
|
+ Dl_info info;
|
||||||
|
+ void *extra_info = NULL;
|
||||||
|
+ struct link_map *lm = NULL;
|
||||||
|
+ unsigned long paddr;
|
||||||
|
+ unsigned long off = 0;
|
||||||
|
|
||||||
|
if (!integrity_self_test(ev, libctx))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
||||||
|
|
||||||
|
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
||||||
|
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
||||||
|
+ goto err;
|
||||||
|
+ lm = extra_info;
|
||||||
|
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
||||||
|
+
|
||||||
|
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
||||||
|
if (mac == NULL)
|
||||||
|
goto err;
|
||||||
|
@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||||
|
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
- while (1) {
|
||||||
|
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
||||||
|
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
||||||
|
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||||
|
if (status != 1)
|
||||||
|
break;
|
||||||
|
if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
goto err;
|
||||||
|
+ off += bytes_read;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
|
||||||
|
+ int delta = paddr - off;
|
||||||
|
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
||||||
|
+ if (status != 1)
|
||||||
|
+ goto err;
|
||||||
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
+ goto err;
|
||||||
|
+ off += bytes_read;
|
||||||
|
+
|
||||||
|
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
||||||
|
+ memset(buf, 0, HMAC_LEN);
|
||||||
|
+ if (status != 1)
|
||||||
|
+ goto err;
|
||||||
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
+ goto err;
|
||||||
|
+ off += bytes_read;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ while (bytes_read > 0) {
|
||||||
|
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||||
|
+ if (status != 1)
|
||||||
|
+ break;
|
||||||
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
+ goto err;
|
||||||
|
+ off += bytes_read;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||||
|
goto err;
|
||||||
|
ret = 1;
|
||||||
|
err:
|
||||||
|
+ OPENSSL_cleanse(out, sizeof(out));
|
||||||
|
OSSL_SELF_TEST_onend(ev, ret);
|
||||||
|
EVP_MAC_CTX_free(ctx);
|
||||||
|
EVP_MAC_free(mac);
|
||||||
|
@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (st == NULL
|
||||||
|
- || st->module_checksum_data == NULL) {
|
||||||
|
+ if (st == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||||
|
if (ev == NULL)
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
||||||
|
- &checksum_len);
|
||||||
|
+ if (st->module_checksum_data == NULL) {
|
||||||
|
+ module_checksum = fips_hmac_container;
|
||||||
|
+ checksum_len = sizeof(fips_hmac_container);
|
||||||
|
+ } else {
|
||||||
|
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
||||||
|
+ &checksum_len);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (module_checksum == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
||||||
|
goto end;
|
||||||
|
@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||||
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
|
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
|
||||||
|
|
||||||
/* Always check the integrity of the fips module */
|
/* Always check the integrity of the fips module */
|
||||||
@ -407,92 +297,100 @@ diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/pr
|
|||||||
/* This will be NULL during installation - so the self test KATS will run */
|
/* This will be NULL during installation - so the self test KATS will run */
|
||||||
if (st->indicator_data != NULL) {
|
if (st->indicator_data != NULL) {
|
||||||
/*
|
/*
|
||||||
diff -up openssl-3.2.0/providers/fips/self_test.c.fips-self openssl-3.2.0/providers/fips/self_test.c
|
@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||||
--- openssl-3.2.0/providers/fips/self_test.c.fips-self 2024-02-06 12:20:56.963719115 +0100
|
end:
|
||||||
+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-06 12:22:23.705604045 +0100
|
EVP_RAND_free(testrand);
|
||||||
@@ -517,8 +517,13 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
OSSL_SELF_TEST_free(ev);
|
||||||
if (ev == NULL)
|
- OPENSSL_free(module_checksum);
|
||||||
goto end;
|
OPENSSL_free(indicator_checksum);
|
||||||
|
|
||||||
- module_checksum = fips_hmac_container;
|
if (st != NULL) {
|
||||||
- checksum_len = sizeof(fips_hmac_container);
|
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
|
||||||
+ if (st->module_checksum_data == NULL) {
|
new file mode 100644
|
||||||
+ module_checksum = fips_hmac_container;
|
index 0000000000..f05d0dedbe
|
||||||
+ checksum_len = sizeof(fips_hmac_container);
|
--- /dev/null
|
||||||
+ } else {
|
+++ b/test/fipsmodule.cnf
|
||||||
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
@@ -0,0 +1,2 @@
|
||||||
+ &checksum_len);
|
+[fips_sect]
|
||||||
+ }
|
+activate = 1
|
||||||
|
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
|
||||||
|
index 4e3a6d85e8..e8255ba974 100644
|
||||||
|
--- a/test/recipes/00-prep_fipsmodule_cnf.t
|
||||||
|
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
|
||||||
|
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
|
||||||
|
use lib bldtop_dir('.');
|
||||||
|
use platform;
|
||||||
|
|
||||||
if (module_checksum == NULL) {
|
-my $no_check = disabled("fips");
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
+my $no_check = 1;
|
||||||
diff -up openssl-3.2.1/providers/fips/self_test.c.0033-patch-new openssl-3.2.1/providers/fips/self_test.c
|
plan skip_all => "FIPS module config file only supported in a fips build"
|
||||||
--- openssl-3.2.1/providers/fips/self_test.c.0033-patch-new 2024-06-04 14:42:03.748284524 +0200
|
if $no_check;
|
||||||
+++ openssl-3.2.1/providers/fips/self_test.c 2024-06-04 14:47:19.589758324 +0200
|
|
||||||
@@ -369,23 +369,12 @@ static int verify_integrity(OSSL_CORE_BI
|
|
||||||
EVP_MAC *mac = NULL;
|
|
||||||
EVP_MAC_CTX *ctx = NULL;
|
|
||||||
OSSL_PARAM params[2], *p = params;
|
|
||||||
- Dl_info info;
|
|
||||||
- void *extra_info = NULL;
|
|
||||||
- struct link_map *lm = NULL;
|
|
||||||
- unsigned long paddr;
|
|
||||||
- unsigned long off = 0;
|
|
||||||
|
|
||||||
if (!integrity_self_test(ev, libctx))
|
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
|
||||||
goto err;
|
index ce594817d5..00cebacff8 100644
|
||||||
|
--- a/test/recipes/01-test_fipsmodule_cnf.t
|
||||||
|
+++ b/test/recipes/01-test_fipsmodule_cnf.t
|
||||||
|
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
|
||||||
|
use lib bldtop_dir('.');
|
||||||
|
use platform;
|
||||||
|
|
||||||
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
-my $no_check = disabled("fips");
|
||||||
|
+my $no_check = 1;
|
||||||
|
plan skip_all => "Test only supported in a fips build"
|
||||||
|
if $no_check;
|
||||||
|
plan tests => 1;
|
||||||
|
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
|
||||||
|
index b8b136d110..8242f4ebc3 100644
|
||||||
|
--- a/test/recipes/03-test_fipsinstall.t
|
||||||
|
+++ b/test/recipes/03-test_fipsinstall.t
|
||||||
|
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
|
||||||
|
use lib bldtop_dir('.');
|
||||||
|
use platform;
|
||||||
|
|
||||||
- if (!dladdr1 ((const void *)fips_hmac_container,
|
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
||||||
- &info, &extra_info, RTLD_DL_LINKMAP))
|
+plan skip_all => "Test only supported in a fips build" if 1;
|
||||||
- goto err;
|
|
||||||
- lm = extra_info;
|
|
||||||
- paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
|
||||||
-
|
|
||||||
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
|
||||||
if (mac == NULL)
|
|
||||||
goto err;
|
|
||||||
@@ -399,40 +388,12 @@ static int verify_integrity(OSSL_CORE_BI
|
|
||||||
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
- while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
# Compatible options for pedantic FIPS compliance
|
||||||
- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
my @pedantic_okay =
|
||||||
- if (status != 1)
|
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
|
||||||
- break;
|
index c8f145405b..56a2ec5dc4 100644
|
||||||
- if (!EVP_MAC_update(ctx, buf, bytes_read))
|
--- a/test/recipes/30-test_defltfips.t
|
||||||
- goto err;
|
+++ b/test/recipes/30-test_defltfips.t
|
||||||
- off += bytes_read;
|
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
||||||
- }
|
plan skip_all => "Configuration loading is turned off"
|
||||||
-
|
if disabled("autoload-config");
|
||||||
- if (off + INTEGRITY_BUF_SIZE > paddr) {
|
|
||||||
- int delta = paddr - off;
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
- status = read_ex_cb(bio, buf, delta, &bytes_read);
|
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
- if (status != 1)
|
|
||||||
- goto err;
|
plan tests =>
|
||||||
- if (!EVP_MAC_update(ctx, buf, bytes_read))
|
($no_fips ? 1 : 5);
|
||||||
- goto err;
|
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
|
||||||
- off += bytes_read;
|
index 195b85ea8c..92d48dbf7d 100644
|
||||||
-
|
--- a/test/recipes/80-test_ssl_new.t
|
||||||
- status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
+++ b/test/recipes/80-test_ssl_new.t
|
||||||
- memset(buf, 0, HMAC_LEN);
|
@@ -27,7 +27,7 @@ setup("test_ssl_new");
|
||||||
- if (status != 1)
|
use lib srctop_dir('Configurations');
|
||||||
- goto err;
|
use lib bldtop_dir('.');
|
||||||
- if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
- goto err;
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
- off += bytes_read;
|
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
- }
|
|
||||||
-
|
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
||||||
- while (bytes_read > 0) {
|
|
||||||
- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
|
||||||
+ while (1) {
|
index 18d9f3d204..71780d8caa 100644
|
||||||
+ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
--- a/test/recipes/90-test_sslapi.t
|
||||||
if (status != 1)
|
+++ b/test/recipes/90-test_sslapi.t
|
||||||
break;
|
@@ -17,7 +17,7 @@ setup("test_sslapi");
|
||||||
if (!EVP_MAC_update(ctx, buf, bytes_read))
|
setup("test_sslapi");
|
||||||
goto err;
|
}
|
||||||
- off += bytes_read;
|
|
||||||
}
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
|
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
|
my $fipsmodcfg_filename = "fipsmodule.cnf";
|
||||||
|
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
|
||||||
|
@ -217,6 +217,14 @@ diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
|
|||||||
index 14999540ab..b05b84717b 100644
|
index 14999540ab..b05b84717b 100644
|
||||||
--- a/crypto/rand/rand_lib.c
|
--- a/crypto/rand/rand_lib.c
|
||||||
+++ b/crypto/rand/rand_lib.c
|
+++ b/crypto/rand/rand_lib.c
|
||||||
|
@@ -11,6 +11,7 @@
|
||||||
|
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||||
|
|
||||||
|
#include <openssl/err.h>
|
||||||
|
+#include <openssl/evp.h>
|
||||||
|
#include <openssl/opensslconf.h>
|
||||||
|
#include <openssl/core_names.h>
|
||||||
|
#include "internal/cryptlib.h"
|
||||||
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
|
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@ -234,3 +242,76 @@ index 14999540ab..b05b84717b 100644
|
|||||||
PRIMARY_RESEED_INTERVAL,
|
PRIMARY_RESEED_INTERVAL,
|
||||||
PRIMARY_RESEED_TIME_INTERVAL, 1);
|
PRIMARY_RESEED_TIME_INTERVAL, 1);
|
||||||
/*
|
/*
|
||||||
|
@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_
|
||||||
|
if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
|
||||||
|
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
|
||||||
|
return NULL;
|
||||||
|
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
|
||||||
|
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
|
||||||
|
SECONDARY_RESEED_TIME_INTERVAL, 0);
|
||||||
|
CRYPTO_THREAD_set_local(&dgbl->public, rand);
|
||||||
|
}
|
||||||
|
@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB
|
||||||
|
if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
|
||||||
|
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
|
||||||
|
return NULL;
|
||||||
|
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
|
||||||
|
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
|
||||||
|
SECONDARY_RESEED_TIME_INTERVAL, 0);
|
||||||
|
CRYPTO_THREAD_set_local(&dgbl->private, rand);
|
||||||
|
}
|
||||||
|
diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c
|
||||||
|
--- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200
|
||||||
|
+++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200
|
||||||
|
@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s
|
||||||
|
reseed_when = time(NULL);
|
||||||
|
|
||||||
|
/* Generate random output from the public and private DRBG */
|
||||||
|
- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0;
|
||||||
|
+ before_reseed = 0;
|
||||||
|
if (!TEST_int_eq(rand_bytes((unsigned char*)public_random,
|
||||||
|
RANDOM_SIZE), expect_success)
|
||||||
|
|| !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random,
|
||||||
|
@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Test whether reseeding succeeded as expected */
|
||||||
|
- if (!TEST_int_eq(state(primary), expected_state)
|
||||||
|
- || !TEST_int_eq(state(public), expected_state)
|
||||||
|
+ if (/*!TEST_int_eq(state(primary), expected_state)
|
||||||
|
+ ||*/ !TEST_int_eq(state(public), expected_state)
|
||||||
|
|| !TEST_int_eq(state(private), expected_state))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s
|
||||||
|
if (expect_public_reseed >= 0) {
|
||||||
|
/* Test whether public DRBG was reseeded as expected */
|
||||||
|
if (!TEST_int_ge(reseed_counter(public), public_reseed)
|
||||||
|
- || !TEST_uint_ge(reseed_counter(public),
|
||||||
|
- reseed_counter(primary)))
|
||||||
|
+ /*|| !TEST_uint_ge(reseed_counter(public),
|
||||||
|
+ reseed_counter(primary))*/)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (expect_private_reseed >= 0) {
|
||||||
|
/* Test whether public DRBG was reseeded as expected */
|
||||||
|
if (!TEST_int_ge(reseed_counter(private), private_reseed)
|
||||||
|
- || !TEST_uint_ge(reseed_counter(private),
|
||||||
|
- reseed_counter(primary)))
|
||||||
|
+ /*|| !TEST_uint_ge(reseed_counter(private),
|
||||||
|
+ reseed_counter(primary))*/)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -577,8 +577,8 @@ static int test_rand_reseed(void)
|
||||||
|
if (!TEST_ptr_ne(public, private)
|
||||||
|
|| !TEST_ptr_ne(public, primary)
|
||||||
|
|| !TEST_ptr_ne(private, primary)
|
||||||
|
- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
|
||||||
|
- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary)))
|
||||||
|
+ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
|
||||||
|
+ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
/* Disable CRNG testing for the primary DRBG */
|
||||||
|
@ -1,13 +1,45 @@
|
|||||||
From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001
|
From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
|
||||||
From: rpm-build <rpm-build>
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
Date: Mon, 31 Jul 2023 09:41:29 +0200
|
Date: Thu, 11 Aug 2022 09:27:12 +0200
|
||||||
Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
|
Subject: KDF: Add FIPS indicators
|
||||||
|
|
||||||
Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
|
FIPS requires a number of restrictions on the parameters of the various
|
||||||
Patch-id: 78
|
key derivation functions implemented in OpenSSL. The KDFs that use
|
||||||
Patch-status: |
|
digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
|
C.C). Additionally, some application-specific KDFs have further
|
||||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
restrictions defined in SP 800-135r1.
|
||||||
|
|
||||||
|
Generally, all KDFs shall use a key-derivation key length of at least
|
||||||
|
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
|
||||||
|
to generate and output length of less than 112 bits will also set the
|
||||||
|
indicator to unapproved.
|
||||||
|
|
||||||
|
Add explicit indicators to all KDFs usable in FIPS mode except for
|
||||||
|
PBKDF2 (which has its specific FIPS limits already implemented). The
|
||||||
|
indicator can be queried using EVP_KDF_CTX_get_params() after setting
|
||||||
|
the required parameters and keys for the KDF.
|
||||||
|
|
||||||
|
Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
|
||||||
|
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
|
||||||
|
truncated versions -224 and -384), as well as SHAKE-128 and -256.
|
||||||
|
|
||||||
|
The SHAKE functions are generally not allowed in KDFs. For the rest, the
|
||||||
|
support matrix is:
|
||||||
|
|
||||||
|
KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated
|
||||||
|
==========================================================================
|
||||||
|
KBKDF | x | x | x | x | x
|
||||||
|
HKDF | x | x | x | x | x
|
||||||
|
TLS1PRF | | SHA-{256,384,512} only | |
|
||||||
|
SSHKDF | x | x | x | |
|
||||||
|
SSKDF | x | x | x | x | x
|
||||||
|
X9.63KDF | | x | x | x | x
|
||||||
|
X9.42-ASN1 | x | x | x | x | x
|
||||||
|
TLS1.3PRF | | SHA-{256,384} only | |
|
||||||
|
|
||||||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
Resolves: rhbz#2160733 rhbz#2164763
|
||||||
|
Related: rhbz#2114772 rhbz#2141695
|
||||||
---
|
---
|
||||||
include/crypto/evp.h | 7 ++
|
include/crypto/evp.h | 7 ++
|
||||||
include/openssl/kdf.h | 4 +
|
include/openssl/kdf.h | 4 +
|
||||||
@ -17,10 +49,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|||||||
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
|
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
|
||||||
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
|
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
|
||||||
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
|
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
|
||||||
|
util/perl/OpenSSL/paramnames.pm | 1 +
|
||||||
9 files changed, 487 insertions(+), 22 deletions(-)
|
9 files changed, 487 insertions(+), 22 deletions(-)
|
||||||
|
|
||||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||||
index dbbdcccbda..aa07153441 100644
|
index e70d8e9e84..76fb990de4 100644
|
||||||
--- a/include/crypto/evp.h
|
--- a/include/crypto/evp.h
|
||||||
+++ b/include/crypto/evp.h
|
+++ b/include/crypto/evp.h
|
||||||
@@ -219,6 +219,13 @@ struct evp_mac_st {
|
@@ -219,6 +219,13 @@ struct evp_mac_st {
|
||||||
@ -53,10 +86,10 @@ index 0983230a48..86171635ea 100644
|
|||||||
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
|
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
|
||||||
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
|
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
|
||||||
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
|
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
|
||||||
index 5304baa6c9..f9c77f4236 100644
|
index dfa7786bde..f01e40ff5a 100644
|
||||||
--- a/providers/implementations/kdfs/hkdf.c
|
--- a/providers/implementations/kdfs/hkdf.c
|
||||||
+++ b/providers/implementations/kdfs/hkdf.c
|
+++ b/providers/implementations/kdfs/hkdf.c
|
||||||
@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
|
@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
|
||||||
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
|
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
|
||||||
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
|
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
|
||||||
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
|
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
|
||||||
@ -64,7 +97,7 @@ index 5304baa6c9..f9c77f4236 100644
|
|||||||
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
|
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
|
||||||
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
|
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
|
||||||
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
|
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
|
||||||
@@ -86,6 +87,10 @@ typedef struct {
|
@@ -85,6 +86,10 @@ typedef struct {
|
||||||
size_t data_len;
|
size_t data_len;
|
||||||
unsigned char *info;
|
unsigned char *info;
|
||||||
size_t info_len;
|
size_t info_len;
|
||||||
@ -75,7 +108,7 @@ index 5304baa6c9..f9c77f4236 100644
|
|||||||
} KDF_HKDF;
|
} KDF_HKDF;
|
||||||
|
|
||||||
static void *kdf_hkdf_new(void *provctx)
|
static void *kdf_hkdf_new(void *provctx)
|
||||||
@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -87,7 +120,7 @@ index 5304baa6c9..f9c77f4236 100644
|
|||||||
switch (ctx->mode) {
|
switch (ctx->mode) {
|
||||||
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
|
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
|
||||||
default:
|
default:
|
||||||
@@ -363,15 +373,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
|
||||||
{
|
{
|
||||||
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
|
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
|
||||||
OSSL_PARAM *p;
|
OSSL_PARAM *p;
|
||||||
@ -96,15 +129,20 @@ index 5304baa6c9..f9c77f4236 100644
|
|||||||
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||||
size_t sz = kdf_hkdf_size(ctx);
|
size_t sz = kdf_hkdf_size(ctx);
|
||||||
|
|
||||||
- if (sz == 0)
|
|
||||||
+ any_valid = 1;
|
+ any_valid = 1;
|
||||||
+
|
if (sz == 0)
|
||||||
+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
|
|
||||||
return 0;
|
return 0;
|
||||||
- return OSSL_PARAM_set_size_t(p, sz);
|
return OSSL_PARAM_set_size_t(p, sz);
|
||||||
|
}
|
||||||
|
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
|
||||||
|
+ any_valid = 1;
|
||||||
|
if (ctx->info == NULL || ctx->info_len == 0) {
|
||||||
|
p->return_size = 0;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
|
||||||
}
|
}
|
||||||
- return -2;
|
- return -2;
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
+#ifdef FIPS_MODULE
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||||
+ != NULL) {
|
+ != NULL) {
|
||||||
@ -169,17 +207,17 @@ index 5304baa6c9..f9c77f4236 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
@@ -379,6 +452,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
{
|
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
|
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
|
||||||
+#ifdef FIPS_MODULE
|
+#ifdef FIPS_MODULE
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
OSSL_PARAM_END
|
OSSL_PARAM_END
|
||||||
};
|
};
|
||||||
return known_gettable_ctx_params;
|
return known_gettable_ctx_params;
|
||||||
@@ -709,6 +785,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
|
@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -197,7 +235,7 @@ index 5304baa6c9..f9c77f4236 100644
|
|||||||
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
const OSSL_PARAM params[])
|
const OSSL_PARAM params[])
|
||||||
{
|
{
|
||||||
@@ -724,6 +811,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -209,7 +247,7 @@ index 5304baa6c9..f9c77f4236 100644
|
|||||||
switch (ctx->mode) {
|
switch (ctx->mode) {
|
||||||
default:
|
default:
|
||||||
return 0;
|
return 0;
|
||||||
@@ -801,7 +893,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
|
@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
|
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
|
||||||
@ -219,7 +257,7 @@ index 5304baa6c9..f9c77f4236 100644
|
|||||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
|
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
|
||||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
|
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
|
||||||
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
|
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
|
||||||
index aa3df15bc7..3f82710061 100644
|
index a542f84dfa..6b6dfb94ac 100644
|
||||||
--- a/providers/implementations/kdfs/kbkdf.c
|
--- a/providers/implementations/kdfs/kbkdf.c
|
||||||
+++ b/providers/implementations/kdfs/kbkdf.c
|
+++ b/providers/implementations/kdfs/kbkdf.c
|
||||||
@@ -59,6 +59,9 @@ typedef struct {
|
@@ -59,6 +59,9 @@ typedef struct {
|
||||||
@ -232,7 +270,7 @@ index aa3df15bc7..3f82710061 100644
|
|||||||
/* Names are lowercased versions of those found in SP800-108. */
|
/* Names are lowercased versions of those found in SP800-108. */
|
||||||
int r;
|
int r;
|
||||||
unsigned char *ki;
|
unsigned char *ki;
|
||||||
@@ -72,6 +75,9 @@ typedef struct {
|
@@ -73,6 +76,9 @@ typedef struct {
|
||||||
int use_l;
|
int use_l;
|
||||||
int is_kmac;
|
int is_kmac;
|
||||||
int use_separator;
|
int use_separator;
|
||||||
@ -242,7 +280,7 @@ index aa3df15bc7..3f82710061 100644
|
|||||||
} KBKDF;
|
} KBKDF;
|
||||||
|
|
||||||
/* Definitions needed for typechecking. */
|
/* Definitions needed for typechecking. */
|
||||||
@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx)
|
@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
|
||||||
void *provctx = ctx->provctx;
|
void *provctx = ctx->provctx;
|
||||||
|
|
||||||
EVP_MAC_CTX_free(ctx->ctx_init);
|
EVP_MAC_CTX_free(ctx->ctx_init);
|
||||||
@ -250,7 +288,7 @@ index aa3df15bc7..3f82710061 100644
|
|||||||
OPENSSL_clear_free(ctx->context, ctx->context_len);
|
OPENSSL_clear_free(ctx->context, ctx->context_len);
|
||||||
OPENSSL_clear_free(ctx->label, ctx->label_len);
|
OPENSSL_clear_free(ctx->label, ctx->label_len);
|
||||||
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
|
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
|
||||||
@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -262,7 +300,7 @@ index aa3df15bc7..3f82710061 100644
|
|||||||
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
|
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
|
||||||
if (h == 0)
|
if (h == 0)
|
||||||
goto done;
|
goto done;
|
||||||
@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -272,7 +310,7 @@ index aa3df15bc7..3f82710061 100644
|
|||||||
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
|
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
|
||||||
if (p != NULL
|
if (p != NULL
|
||||||
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
|
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
|
||||||
@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
|
@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
|
||||||
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
{
|
{
|
||||||
OSSL_PARAM *p;
|
OSSL_PARAM *p;
|
||||||
@ -356,10 +394,10 @@ index aa3df15bc7..3f82710061 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
|
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
|
||||||
index 1afac4e477..389b82b714 100644
|
index c592ba72f1..4a52b38266 100644
|
||||||
--- a/providers/implementations/kdfs/sshkdf.c
|
--- a/providers/implementations/kdfs/sshkdf.c
|
||||||
+++ b/providers/implementations/kdfs/sshkdf.c
|
+++ b/providers/implementations/kdfs/sshkdf.c
|
||||||
@@ -49,6 +49,9 @@ typedef struct {
|
@@ -48,6 +48,9 @@ typedef struct {
|
||||||
char type; /* X */
|
char type; /* X */
|
||||||
unsigned char *session_id;
|
unsigned char *session_id;
|
||||||
size_t session_id_len;
|
size_t session_id_len;
|
||||||
@ -369,7 +407,7 @@ index 1afac4e477..389b82b714 100644
|
|||||||
} KDF_SSHKDF;
|
} KDF_SSHKDF;
|
||||||
|
|
||||||
static void *kdf_sshkdf_new(void *provctx)
|
static void *kdf_sshkdf_new(void *provctx)
|
||||||
@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
|
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -382,7 +420,7 @@ index 1afac4e477..389b82b714 100644
|
|||||||
return SSHKDF(md, ctx->key, ctx->key_len,
|
return SSHKDF(md, ctx->key, ctx->key_len,
|
||||||
ctx->xcghash, ctx->xcghash_len,
|
ctx->xcghash, ctx->xcghash_len,
|
||||||
ctx->session_id, ctx->session_id_len,
|
ctx->session_id, ctx->session_id_len,
|
||||||
@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
|
@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
|
||||||
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
{
|
{
|
||||||
OSSL_PARAM *p;
|
OSSL_PARAM *p;
|
||||||
@ -453,7 +491,7 @@ index 1afac4e477..389b82b714 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
{
|
{
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
@ -464,10 +502,10 @@ index 1afac4e477..389b82b714 100644
|
|||||||
};
|
};
|
||||||
return known_gettable_ctx_params;
|
return known_gettable_ctx_params;
|
||||||
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
|
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
|
||||||
index ecb98de6fd..98fcc583d8 100644
|
index eb54972e1c..23865cd70f 100644
|
||||||
--- a/providers/implementations/kdfs/sskdf.c
|
--- a/providers/implementations/kdfs/sskdf.c
|
||||||
+++ b/providers/implementations/kdfs/sskdf.c
|
+++ b/providers/implementations/kdfs/sskdf.c
|
||||||
@@ -63,6 +63,10 @@ typedef struct {
|
@@ -64,6 +64,10 @@ typedef struct {
|
||||||
size_t salt_len;
|
size_t salt_len;
|
||||||
size_t out_len; /* optional KMAC parameter */
|
size_t out_len; /* optional KMAC parameter */
|
||||||
int is_kmac;
|
int is_kmac;
|
||||||
@ -486,7 +524,7 @@ index ecb98de6fd..98fcc583d8 100644
|
|||||||
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
|
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
|
||||||
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
|
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
|
||||||
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
|
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
|
||||||
@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx)
|
@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
|
||||||
return ctx;
|
return ctx;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -503,7 +541,7 @@ index ecb98de6fd..98fcc583d8 100644
|
|||||||
static void sskdf_reset(void *vctx)
|
static void sskdf_reset(void *vctx)
|
||||||
{
|
{
|
||||||
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
||||||
@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
}
|
}
|
||||||
md = ossl_prov_digest_md(&ctx->digest);
|
md = ossl_prov_digest_md(&ctx->digest);
|
||||||
|
|
||||||
@ -515,7 +553,7 @@ index ecb98de6fd..98fcc583d8 100644
|
|||||||
if (ctx->macctx != NULL) {
|
if (ctx->macctx != NULL) {
|
||||||
/* H(x) = KMAC or H(x) = HMAC */
|
/* H(x) = KMAC or H(x) = HMAC */
|
||||||
int ret;
|
int ret;
|
||||||
@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -527,7 +565,7 @@ index ecb98de6fd..98fcc583d8 100644
|
|||||||
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
|
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
|
||||||
ctx->info, ctx->info_len, 1, key, keylen);
|
ctx->info, ctx->info_len, 1, key, keylen);
|
||||||
}
|
}
|
||||||
@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
{
|
{
|
||||||
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
||||||
OSSL_PARAM *p;
|
OSSL_PARAM *p;
|
||||||
@ -605,7 +643,7 @@ index ecb98de6fd..98fcc583d8 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
{
|
{
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
@ -615,7 +653,7 @@ index ecb98de6fd..98fcc583d8 100644
|
|||||||
OSSL_PARAM_END
|
OSSL_PARAM_END
|
||||||
};
|
};
|
||||||
return known_gettable_ctx_params;
|
return known_gettable_ctx_params;
|
||||||
@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
|
@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
|
||||||
};
|
};
|
||||||
|
|
||||||
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
|
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
|
||||||
@ -625,10 +663,10 @@ index ecb98de6fd..98fcc583d8 100644
|
|||||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
|
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
|
||||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
|
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
|
||||||
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||||||
index 54124ad4cb..25a6c79a2e 100644
|
index a4d64b9352..f6782a6ca2 100644
|
||||||
--- a/providers/implementations/kdfs/tls1_prf.c
|
--- a/providers/implementations/kdfs/tls1_prf.c
|
||||||
+++ b/providers/implementations/kdfs/tls1_prf.c
|
+++ b/providers/implementations/kdfs/tls1_prf.c
|
||||||
@@ -104,6 +104,13 @@ typedef struct {
|
@@ -93,6 +93,13 @@ typedef struct {
|
||||||
/* Buffer of concatenated seed data */
|
/* Buffer of concatenated seed data */
|
||||||
unsigned char seed[TLS1_PRF_MAXBUF];
|
unsigned char seed[TLS1_PRF_MAXBUF];
|
||||||
size_t seedlen;
|
size_t seedlen;
|
||||||
@ -642,7 +680,7 @@ index 54124ad4cb..25a6c79a2e 100644
|
|||||||
} TLS1_PRF;
|
} TLS1_PRF;
|
||||||
|
|
||||||
static void *kdf_tls1_prf_new(void *provctx)
|
static void *kdf_tls1_prf_new(void *provctx)
|
||||||
@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vctx)
|
@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
|
||||||
EVP_MAC_CTX_free(ctx->P_sha1);
|
EVP_MAC_CTX_free(ctx->P_sha1);
|
||||||
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
||||||
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
|
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
|
||||||
@ -650,7 +688,7 @@ index 54124ad4cb..25a6c79a2e 100644
|
|||||||
memset(ctx, 0, sizeof(*ctx));
|
memset(ctx, 0, sizeof(*ctx));
|
||||||
ctx->provctx = provctx;
|
ctx->provctx = provctx;
|
||||||
}
|
}
|
||||||
@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -661,7 +699,7 @@ index 54124ad4cb..25a6c79a2e 100644
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* The seed buffer is prepended with a label.
|
* The seed buffer is prepended with a label.
|
||||||
@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -671,7 +709,7 @@ index 54124ad4cb..25a6c79a2e 100644
|
|||||||
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
|
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
|
||||||
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
||||||
ctx->sec = NULL;
|
ctx->sec = NULL;
|
||||||
@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
|
@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
|
||||||
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
{
|
{
|
||||||
OSSL_PARAM *p;
|
OSSL_PARAM *p;
|
||||||
@ -735,7 +773,7 @@ index 54124ad4cb..25a6c79a2e 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
||||||
@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
||||||
{
|
{
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
@ -746,7 +784,7 @@ index 54124ad4cb..25a6c79a2e 100644
|
|||||||
};
|
};
|
||||||
return known_gettable_ctx_params;
|
return known_gettable_ctx_params;
|
||||||
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
|
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
|
||||||
index 4c274fe27a..5ce23c8eb9 100644
|
index b1bc6f7e1b..8173fc2cc7 100644
|
||||||
--- a/providers/implementations/kdfs/x942kdf.c
|
--- a/providers/implementations/kdfs/x942kdf.c
|
||||||
+++ b/providers/implementations/kdfs/x942kdf.c
|
+++ b/providers/implementations/kdfs/x942kdf.c
|
||||||
@@ -13,11 +13,13 @@
|
@@ -13,11 +13,13 @@
|
||||||
@ -763,7 +801,7 @@ index 4c274fe27a..5ce23c8eb9 100644
|
|||||||
#include "prov/provider_ctx.h"
|
#include "prov/provider_ctx.h"
|
||||||
#include "prov/providercommon.h"
|
#include "prov/providercommon.h"
|
||||||
#include "prov/implementations.h"
|
#include "prov/implementations.h"
|
||||||
@@ -49,6 +51,9 @@ typedef struct {
|
@@ -47,6 +50,9 @@ typedef struct {
|
||||||
const unsigned char *cek_oid;
|
const unsigned char *cek_oid;
|
||||||
size_t cek_oid_len;
|
size_t cek_oid_len;
|
||||||
int use_keybits;
|
int use_keybits;
|
||||||
@ -773,7 +811,7 @@ index 4c274fe27a..5ce23c8eb9 100644
|
|||||||
} KDF_X942;
|
} KDF_X942;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
|
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -784,7 +822,7 @@ index 4c274fe27a..5ce23c8eb9 100644
|
|||||||
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
|
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
|
||||||
der, der_len, ctr, key, keylen);
|
der, der_len, ctr, key, keylen);
|
||||||
OPENSSL_free(der);
|
OPENSSL_free(der);
|
||||||
@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
{
|
{
|
||||||
KDF_X942 *ctx = (KDF_X942 *)vctx;
|
KDF_X942 *ctx = (KDF_X942 *)vctx;
|
||||||
OSSL_PARAM *p;
|
OSSL_PARAM *p;
|
||||||
@ -846,7 +884,7 @@ index 4c274fe27a..5ce23c8eb9 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
{
|
{
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
@ -856,12 +894,10 @@ index 4c274fe27a..5ce23c8eb9 100644
|
|||||||
OSSL_PARAM_END
|
OSSL_PARAM_END
|
||||||
};
|
};
|
||||||
return known_gettable_ctx_params;
|
return known_gettable_ctx_params;
|
||||||
--
|
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||||
2.41.0
|
index 70f7c50fe4..6618122417 100644
|
||||||
|
--- a/util/perl/OpenSSL/paramnames.pm
|
||||||
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.fips-indicators-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
|
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||||
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.fips-indicators-patch 2024-01-02 12:11:36.633033731 +0100
|
|
||||||
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:12:54.022901822 +0100
|
|
||||||
@@ -183,6 +183,7 @@ my %params = (
|
@@ -183,6 +183,7 @@ my %params = (
|
||||||
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
|
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
|
||||||
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
|
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
|
||||||
@ -870,3 +906,6 @@ diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.fips-indicators-patch ope
|
|||||||
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
|
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
|
||||||
'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
|
'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
|
||||||
'KDF_PARAM_THREADS' => "threads", # uint32_t
|
'KDF_PARAM_THREADS' => "threads", # uint32_t
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -111,7 +111,7 @@ index 056aae3863..fe680449c5 100644
|
|||||||
+ }
|
+ }
|
||||||
if (garg->gidcnt == garg->gidmax) {
|
if (garg->gidcnt == garg->gidmax) {
|
||||||
uint16_t *tmp =
|
uint16_t *tmp =
|
||||||
OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT);
|
OPENSSL_realloc(garg->gid_arr,
|
||||||
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
|
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
|
||||||
|
|
||||||
gid = tls1_group_name2id(garg->ctx, etmp);
|
gid = tls1_group_name2id(garg->ctx, etmp);
|
||||||
@ -161,18 +161,18 @@ index 056aae3863..fe680449c5 100644
|
|||||||
return 0;
|
return 0;
|
||||||
if (len > (int)(sizeof(etmp) - 1))
|
if (len > (int)(sizeof(etmp) - 1))
|
||||||
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
||||||
|
- return 0;
|
||||||
|
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||||
|
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
+ }
|
||||||
}
|
}
|
||||||
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
|
||||||
- return 0;
|
|
||||||
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
|
||||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
|
||||||
+ return ignore_unknown;
|
|
||||||
+ }
|
|
||||||
} else {
|
} else {
|
||||||
*p = 0;
|
*p = 0;
|
||||||
p++;
|
|
||||||
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
return 0;
|
return 0;
|
||||||
get_sigorhash(&sig_alg, &hash_alg, etmp);
|
get_sigorhash(&sig_alg, &hash_alg, etmp);
|
||||||
@ -209,7 +209,7 @@ index 056aae3863..fe680449c5 100644
|
|||||||
}
|
}
|
||||||
return 1;
|
return 1;
|
||||||
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
||||||
sig.sigalgcnt = 0;
|
}
|
||||||
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
||||||
return 0;
|
return 0;
|
||||||
+ if (sig.sigalgcnt == 0) {
|
+ if (sig.sigalgcnt == 0) {
|
||||||
|
@ -1,80 +0,0 @@
|
|||||||
From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Date: Tue, 27 Feb 2024 15:22:58 +0100
|
|
||||||
Subject: [PATCH 48/49] 0118-no-crl-memleak.patch
|
|
||||||
|
|
||||||
Patch-name: 0118-no-crl-memleak.patch
|
|
||||||
Patch-id: 118
|
|
||||||
Patch-status: |
|
|
||||||
# https://github.com/openssl/openssl/issues/23770
|
|
||||||
---
|
|
||||||
crypto/x509/by_file.c | 2 ++
|
|
||||||
test/recipes/60-test_x509_load_cert_file.t | 3 ++-
|
|
||||||
test/x509_load_cert_file_test.c | 8 +++++++-
|
|
||||||
3 files changed, 11 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
|
|
||||||
index 5073c137a2..85923804ac 100644
|
|
||||||
--- a/crypto/x509/by_file.c
|
|
||||||
+++ b/crypto/x509/by_file.c
|
|
||||||
@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
count++;
|
|
||||||
+ X509_CRL_free(x);
|
|
||||||
+ x = NULL;
|
|
||||||
}
|
|
||||||
} else if (type == X509_FILETYPE_ASN1) {
|
|
||||||
x = d2i_X509_CRL_bio(in, NULL);
|
|
||||||
diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t
|
|
||||||
index 75aeac362c..e329d7675c 100644
|
|
||||||
--- a/test/recipes/60-test_x509_load_cert_file.t
|
|
||||||
+++ b/test/recipes/60-test_x509_load_cert_file.t
|
|
||||||
@@ -12,4 +12,5 @@ setup("test_load_cert_file");
|
|
||||||
|
|
||||||
plan tests => 1;
|
|
||||||
|
|
||||||
-ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")])));
|
|
||||||
+ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"),
|
|
||||||
+ srctop_file("test", "certs", "cyrillic_crl.pem")])));
|
|
||||||
diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c
|
|
||||||
index 4a736071ae..c07d329915 100644
|
|
||||||
--- a/test/x509_load_cert_file_test.c
|
|
||||||
+++ b/test/x509_load_cert_file_test.c
|
|
||||||
@@ -12,6 +12,7 @@
|
|
||||||
#include "testutil.h"
|
|
||||||
|
|
||||||
static const char *chain;
|
|
||||||
+static const char *crl;
|
|
||||||
|
|
||||||
static int test_load_cert_file(void)
|
|
||||||
{
|
|
||||||
@@ -27,12 +28,15 @@ static int test_load_cert_file(void)
|
|
||||||
&& TEST_int_eq(sk_X509_num(certs), 4))
|
|
||||||
ret = 1;
|
|
||||||
|
|
||||||
+ if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM)))
|
|
||||||
+ ret = 0;
|
|
||||||
+
|
|
||||||
OSSL_STACK_OF_X509_free(certs);
|
|
||||||
X509_STORE_free(store);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-OPT_TEST_DECLARE_USAGE("cert.pem...\n")
|
|
||||||
+OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n")
|
|
||||||
|
|
||||||
int setup_tests(void)
|
|
||||||
{
|
|
||||||
@@ -45,6 +49,8 @@ int setup_tests(void)
|
|
||||||
if (chain == NULL)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
+ crl = test_get_argument(1);
|
|
||||||
+
|
|
||||||
ADD_TEST(test_load_cert_file);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,170 +0,0 @@
|
|||||||
From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
||||||
Date: Fri, 8 Mar 2024 11:18:12 +0100
|
|
||||||
Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
|
||||||
|
|
||||||
Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
|
||||||
Patch-id: 119
|
|
||||||
Patch-status: |
|
|
||||||
# https://github.com/openssl/openssl/issues/22779
|
|
||||||
---
|
|
||||||
ssl/s3_lib.c | 8 ++++----
|
|
||||||
ssl/ssl_lib.c | 2 +-
|
|
||||||
ssl/ssl_local.h | 2 +-
|
|
||||||
ssl/t1_lib.c | 45 ++++++++++++++++++++++++++++++++++-----------
|
|
||||||
4 files changed, 40 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
|
||||||
index e8ec98c221..48a1aa0e61 100644
|
|
||||||
--- a/ssl/s3_lib.c
|
|
||||||
+++ b/ssl/s3_lib.c
|
|
||||||
@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
|
||||||
return tls1_set_sigalgs(sc->cert, parg, larg, 0);
|
|
||||||
|
|
||||||
case SSL_CTRL_SET_SIGALGS_LIST:
|
|
||||||
- return tls1_set_sigalgs_list(sc->cert, parg, 0);
|
|
||||||
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0);
|
|
||||||
|
|
||||||
case SSL_CTRL_SET_CLIENT_SIGALGS:
|
|
||||||
return tls1_set_sigalgs(sc->cert, parg, larg, 1);
|
|
||||||
|
|
||||||
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
|
||||||
- return tls1_set_sigalgs_list(sc->cert, parg, 1);
|
|
||||||
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1);
|
|
||||||
|
|
||||||
case SSL_CTRL_GET_CLIENT_CERT_TYPES:
|
|
||||||
{
|
|
||||||
@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
|
||||||
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
|
|
||||||
|
|
||||||
case SSL_CTRL_SET_SIGALGS_LIST:
|
|
||||||
- return tls1_set_sigalgs_list(ctx->cert, parg, 0);
|
|
||||||
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0);
|
|
||||||
|
|
||||||
case SSL_CTRL_SET_CLIENT_SIGALGS:
|
|
||||||
return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
|
|
||||||
|
|
||||||
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
|
||||||
- return tls1_set_sigalgs_list(ctx->cert, parg, 1);
|
|
||||||
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1);
|
|
||||||
|
|
||||||
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
|
|
||||||
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
|
|
||||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
|
||||||
index 1329841aaf..4d95ab71cd 100644
|
|
||||||
--- a/ssl/ssl_lib.c
|
|
||||||
+++ b/ssl/ssl_lib.c
|
|
||||||
@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
|
||||||
return tls1_set_groups_list(ctx, NULL, NULL, parg);
|
|
||||||
case SSL_CTRL_SET_SIGALGS_LIST:
|
|
||||||
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
|
||||||
- return tls1_set_sigalgs_list(NULL, parg, 0);
|
|
||||||
+ return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
|
|
||||||
default:
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
|
|
||||||
index 0d3acfbe66..a73b2c4770 100644
|
|
||||||
--- a/ssl/ssl_local.h
|
|
||||||
+++ b/ssl/ssl_local.h
|
|
||||||
@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s);
|
|
||||||
|
|
||||||
void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op);
|
|
||||||
|
|
||||||
-__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
|
|
||||||
+__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client);
|
|
||||||
__owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
|
|
||||||
int client);
|
|
||||||
__owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen,
|
|
||||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
|
||||||
index fe680449c5..87f2ae7000 100644
|
|
||||||
--- a/ssl/t1_lib.c
|
|
||||||
+++ b/ssl/t1_lib.c
|
|
||||||
@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx)
|
|
||||||
|
|
||||||
/* now populate ctx->ssl_cert_info */
|
|
||||||
if (ctx->sigalg_list_len > 0) {
|
|
||||||
+ OPENSSL_free(ctx->ssl_cert_info);
|
|
||||||
ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
|
|
||||||
if (ctx->ssl_cert_info == NULL)
|
|
||||||
return 0;
|
|
||||||
@@ -2889,6 +2890,7 @@ typedef struct {
|
|
||||||
size_t sigalgcnt;
|
|
||||||
/* TLSEXT_SIGALG_XXX values */
|
|
||||||
uint16_t sigalgs[TLS_MAX_SIGALGCNT];
|
|
||||||
+ SSL_CTX *ctx;
|
|
||||||
} sig_cb_st;
|
|
||||||
|
|
||||||
static void get_sigorhash(int *psig, int *phash, const char *str)
|
|
||||||
@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str)
|
|
||||||
static int sig_cb(const char *elem, int len, void *arg)
|
|
||||||
{
|
|
||||||
sig_cb_st *sarg = arg;
|
|
||||||
- size_t i;
|
|
||||||
+ size_t i = 0;
|
|
||||||
+ int load_success = 0;
|
|
||||||
const SIGALG_LOOKUP *s;
|
|
||||||
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
|
|
||||||
int sig_alg = NID_undef, hash_alg = NID_undef;
|
|
||||||
@@ -2943,17 +2946,36 @@ static int sig_cb(const char *elem, int len, void *arg)
|
|
||||||
* in the table.
|
|
||||||
*/
|
|
||||||
if (p == NULL) {
|
|
||||||
- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
|
|
||||||
- i++, s++) {
|
|
||||||
- if (s->name != NULL && strcmp(etmp, s->name) == 0) {
|
|
||||||
- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
+ /* Load provider sigalgs */
|
|
||||||
+ if (sarg->ctx) {
|
|
||||||
+ load_success = ssl_load_sigalgs(sarg->ctx);
|
|
||||||
}
|
|
||||||
- if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
|
||||||
- /* Ignore unknown algorithms if ignore_unknown */
|
|
||||||
- return ignore_unknown;
|
|
||||||
+ if (load_success) {
|
|
||||||
+ /* Check if a provider supports the sigalg */
|
|
||||||
+ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) {
|
|
||||||
+ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL
|
|
||||||
+ && strcmp(etmp,
|
|
||||||
+ sarg->ctx->sigalg_list[i].sigalg_name) == 0) {
|
|
||||||
+ sarg->sigalgs[sarg->sigalgcnt++] =
|
|
||||||
+ sarg->ctx->sigalg_list[i].code_point;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
+ /* Check the built-in sigalgs */
|
|
||||||
+ if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) {
|
|
||||||
+ for (i = 0, s = sigalg_lookup_tbl;
|
|
||||||
+ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
|
|
||||||
+ if (s->name != NULL && strcmp(etmp, s->name) == 0) {
|
|
||||||
+ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
|
||||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
|
||||||
+ return ignore_unknown;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
} else {
|
|
||||||
*p = 0;
|
|
||||||
p++;
|
|
||||||
@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg)
|
|
||||||
* Set supported signature algorithms based on a colon separated list of the
|
|
||||||
* form sig+hash e.g. RSA+SHA512:DSA+SHA512
|
|
||||||
*/
|
|
||||||
-int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
|
||||||
+int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
|
|
||||||
{
|
|
||||||
sig_cb_st sig;
|
|
||||||
sig.sigalgcnt = 0;
|
|
||||||
+ sig.ctx = ctx;
|
|
||||||
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
|
||||||
return 0;
|
|
||||||
if (sig.sigalgcnt == 0) {
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
16
openssl.spec
16
openssl.spec
@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
|
|||||||
|
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.2.1
|
Version: 3.2.2
|
||||||
Release: 4%{?dist}
|
Release: 1%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Source: openssl-%{version}.tar.gz
|
Source: openssl-%{version}.tar.gz
|
||||||
Source2: Makefile.certificate
|
Source2: Makefile.certificate
|
||||||
@ -116,7 +116,7 @@ Patch76: 0076-FIPS-140-3-DRBG.patch
|
|||||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102542
|
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102542
|
||||||
Patch77: 0077-FIPS-140-3-zeroization.patch
|
Patch77: 0077-FIPS-140-3-zeroization.patch
|
||||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
|
# # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
|
||||||
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
|
Patch78: 0078-KDF-Add-FIPS-indicators.patch
|
||||||
# # We believe that some changes present in CentOS are not necessary
|
# # We believe that some changes present in CentOS are not necessary
|
||||||
# # because ustream has a check for FIPS version
|
# # because ustream has a check for FIPS version
|
||||||
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
|
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
|
||||||
@ -156,11 +156,7 @@ Patch115: 0115-skip-quic-pairwise.patch
|
|||||||
Patch116: 0116-version-aliasing.patch
|
Patch116: 0116-version-aliasing.patch
|
||||||
# https://github.com/openssl/openssl/issues/23050
|
# https://github.com/openssl/openssl/issues/23050
|
||||||
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
|
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||||
# https://github.com/openssl/openssl/issues/23770
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2160797
|
||||||
Patch118: 0118-no-crl-memleak.patch
|
|
||||||
# https://github.com/openssl/openssl/issues/22779
|
|
||||||
Patch119: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
|
||||||
# From CentOS 9
|
|
||||||
Patch121: 0121-FIPS-cms-defaults.patch
|
Patch121: 0121-FIPS-cms-defaults.patch
|
||||||
|
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
@ -507,6 +503,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jun 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-1
|
||||||
|
- Rebase to OpenSSL 3.2.2.
|
||||||
|
Related: RHEL-31762
|
||||||
|
|
||||||
* Mon Jun 03 2024 Sahana Prasad <sahana@redhat.com> - 1:3.2.1-4
|
* Mon Jun 03 2024 Sahana Prasad <sahana@redhat.com> - 1:3.2.1-4
|
||||||
- Synchronize patches from c9s and Fedora
|
- Synchronize patches from c9s and Fedora
|
||||||
- Resolves: RHEL-31762
|
- Resolves: RHEL-31762
|
||||||
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (openssl-3.2.1.tar.gz) = 29ea75964f78ef5bbe5783ed60d32917408ae4cb7d4aecdbbf2280bfdbc260c7cbabbc03bd179fc994fbee85cebc7213eeb5bfcde5c22db5e83edf2cebe7113f
|
SHA512 (openssl-3.2.2.tar.gz) = ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d
|
||||||
|
Loading…
Reference in New Issue
Block a user