Rebase to OpenSSL 3.2.2.

Related: RHEL-31762
This commit is contained in:
Dmitry Belyavskiy 2024-05-23 16:02:16 +02:00
parent c948b4d252
commit 3ae0078fd9
9 changed files with 421 additions and 652 deletions

1
.gitignore vendored
View File

@ -61,3 +61,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.1.1.tar.gz /openssl-3.1.1.tar.gz
/openssl-3.1.4.tar.gz /openssl-3.1.4.tar.gz
/openssl-3.2.1.tar.gz /openssl-3.2.1.tar.gz
/openssl-3.2.2.tar.gz

View File

@ -1,30 +1,32 @@
From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001 From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build> From: rpm-build <rpm-build>
Date: Thu, 19 Oct 2023 13:12:40 +0200 Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch
Patch-name: 0033-FIPS-embed-hmac.patch Patch-name: 0033-FIPS-embed-hmac.patch
Patch-id: 33 Patch-id: 33
Patch-status: | Patch-status: |
# # Embed HMAC into the fips.so # # Embed HMAC into the fips.so
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 # Modify fips self test as per
# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
--- ---
providers/fips/self_test.c | 70 ++++++++++++++++++++++++--- providers/fips/self_test.c | 204 ++++++++++++++++++++++++--
test/fipsmodule.cnf | 2 + test/fipsmodule.cnf | 2 +
test/recipes/00-prep_fipsmodule_cnf.t | 2 +- test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
test/recipes/01-test_fipsmodule_cnf.t | 2 +- test/recipes/01-test_fipsmodule_cnf.t | 2 +-
test/recipes/03-test_fipsinstall.t | 2 +- test/recipes/03-test_fipsinstall.t | 2 +-
test/recipes/30-test_defltfips.t | 2 +- test/recipes/30-test_defltfips.t | 2 +-
test/recipes/80-test_ssl_new.t | 2 +- test/recipes/80-test_ssl_new.t | 2 +-
test/recipes/90-test_sslapi.t | 2 +- test/recipes/90-test_sslapi.t | 2 +-
8 files changed, 71 insertions(+), 13 deletions(-) 8 files changed, 200 insertions(+), 18 deletions(-)
create mode 100644 test/fipsmodule.cnf create mode 100644 test/fipsmodule.cnf
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index b8dc9817b2..e3a629018a 100644 index b8dc9817b2..28f536d13c 100644
--- a/providers/fips/self_test.c --- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c +++ b/providers/fips/self_test.c
@@ -230,11 +230,27 @@ err: @@ -230,11 +230,133 @@ err:
return ok; return ok;
} }
@ -40,6 +42,7 @@ index b8dc9817b2..e3a629018a 100644
* the result matches the expected value. * the result matches the expected value.
* Return 1 if verified, or 0 if it fails. * Return 1 if verified, or 0 if it fails.
*/ */
+
+#ifndef __USE_GNU +#ifndef __USE_GNU
+#define __USE_GNU +#define __USE_GNU
+#include <dlfcn.h> +#include <dlfcn.h>
@ -49,220 +52,6 @@ index b8dc9817b2..e3a629018a 100644
+#endif +#endif
+#include <link.h> +#include <link.h>
+ +
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
EVP_MAC *mac = NULL;
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
+ Dl_info info;
+ void *extra_info = NULL;
+ struct link_map *lm = NULL;
+ unsigned long paddr;
+ unsigned long off = 0;
if (!integrity_self_test(ev, libctx))
goto err;
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+ if (!dladdr1 ((const void *)fips_hmac_container,
+ &info, &extra_info, RTLD_DL_LINKMAP))
+ goto err;
+ lm = extra_info;
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
if (mac == NULL)
goto err;
@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
goto err;
- while (1) {
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
+ int delta = paddr - off;
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ memset(buf, 0, HMAC_LEN);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
if (status != 1)
break;
if (!EVP_MAC_update(ctx, buf, bytes_read))
goto err;
+ off += bytes_read;
}
+
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
goto err;
@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
goto err;
ret = 1;
err:
+ OPENSSL_cleanse(out, sizeof(out));
OSSL_SELF_TEST_onend(ev, ret);
EVP_MAC_CTX_free(ctx);
EVP_MAC_free(mac);
@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
return 0;
}
- if (st == NULL
- || st->module_checksum_data == NULL) {
+ if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
- &checksum_len);
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
end:
EVP_RAND_free(testrand);
OSSL_SELF_TEST_free(ev);
- OPENSSL_free(module_checksum);
OPENSSL_free(indicator_checksum);
if (st != NULL) {
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
new file mode 100644
index 0000000000..f05d0dedbe
--- /dev/null
+++ b/test/fipsmodule.cnf
@@ -0,0 +1,2 @@
+[fips_sect]
+activate = 1
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
index 4e3a6d85e8..e8255ba974 100644
--- a/test/recipes/00-prep_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "FIPS module config file only supported in a fips build"
if $no_check;
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
index ce594817d5..00cebacff8 100644
--- a/test/recipes/01-test_fipsmodule_cnf.t
+++ b/test/recipes/01-test_fipsmodule_cnf.t
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "Test only supported in a fips build"
if $no_check;
plan tests => 1;
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index b8b136d110..8242f4ebc3 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
+plan skip_all => "Test only supported in a fips build" if 1;
# Compatible options for pedantic FIPS compliance
my @pedantic_okay =
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
index c8f145405b..56a2ec5dc4 100644
--- a/test/recipes/30-test_defltfips.t
+++ b/test/recipes/30-test_defltfips.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "Configuration loading is turned off"
if disabled("autoload-config");
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
plan tests =>
($no_fips ? 1 : 5);
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 0c6d6402d9..e45f9cb560 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -27,7 +27,7 @@ setup("test_ssl_new");
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index 9e9e32b51e..1a1a7159b5 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -17,7 +17,7 @@ setup("test_sslapi");
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
--
2.41.0
diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/providers/fips/self_test.c
--- openssl-3.2.0/providers/fips/self_test.c.fix-self-test 2024-02-01 17:36:27.970983419 +0100
+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-01 17:39:19.788685051 +0100
@@ -242,6 +242,7 @@ static const unsigned char __attribute__
* the result matches the expected value.
* Return 1 if verified, or 0 if it fails.
*/
+
#ifndef __USE_GNU
#define __USE_GNU
#include <dlfcn.h>
@@ -251,6 +252,111 @@ static const unsigned char __attribute__
#endif
#include <link.h>
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio, +static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb, + OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
+ unsigned char *expected, size_t expected_len, + unsigned char *expected, size_t expected_len,
@ -371,10 +160,111 @@ diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/pr
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
unsigned char *expected, size_t expected_len, unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/providers/fips/self_test.c @@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
--- openssl-3.2.0/providers/fips/self_test.c.fix-self-test 2024-02-01 17:40:54.926627242 +0100 EVP_MAC *mac = NULL;
+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-01 17:45:58.939636676 +0100 EVP_MAC_CTX *ctx = NULL;
@@ -527,14 +527,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS OSSL_PARAM params[2], *p = params;
+ Dl_info info;
+ void *extra_info = NULL;
+ struct link_map *lm = NULL;
+ unsigned long paddr;
+ unsigned long off = 0;
if (!integrity_self_test(ev, libctx))
goto err;
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+ if (!dladdr1 ((const void *)fips_hmac_container,
+ &info, &extra_info, RTLD_DL_LINKMAP))
+ goto err;
+ lm = extra_info;
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
if (mac == NULL)
goto err;
@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
goto err;
- while (1) {
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
if (status != 1)
break;
if (!EVP_MAC_update(ctx, buf, bytes_read))
goto err;
+ off += bytes_read;
}
+
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
+ int delta = paddr - off;
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ memset(buf, 0, HMAC_LEN);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
goto err;
@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
goto err;
ret = 1;
err:
+ OPENSSL_cleanse(out, sizeof(out));
OSSL_SELF_TEST_onend(ev, ret);
EVP_MAC_CTX_free(ctx);
EVP_MAC_free(mac);
@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
return 0;
}
- if (st == NULL
- || st->module_checksum_data == NULL) {
+ if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
- &checksum_len);
+ if (st->module_checksum_data == NULL) {
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+ } else {
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
+ &checksum_len);
+ }
+
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
/* Always check the integrity of the fips module */ /* Always check the integrity of the fips module */
@ -407,92 +297,100 @@ diff -up openssl-3.2.0/providers/fips/self_test.c.fix-self-test openssl-3.2.0/pr
/* This will be NULL during installation - so the self test KATS will run */ /* This will be NULL during installation - so the self test KATS will run */
if (st->indicator_data != NULL) { if (st->indicator_data != NULL) {
/* /*
diff -up openssl-3.2.0/providers/fips/self_test.c.fips-self openssl-3.2.0/providers/fips/self_test.c @@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
--- openssl-3.2.0/providers/fips/self_test.c.fips-self 2024-02-06 12:20:56.963719115 +0100 end:
+++ openssl-3.2.0/providers/fips/self_test.c 2024-02-06 12:22:23.705604045 +0100 EVP_RAND_free(testrand);
@@ -517,8 +517,13 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS OSSL_SELF_TEST_free(ev);
if (ev == NULL) - OPENSSL_free(module_checksum);
goto end; OPENSSL_free(indicator_checksum);
if (st != NULL) {
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
new file mode 100644
index 0000000000..f05d0dedbe
--- /dev/null
+++ b/test/fipsmodule.cnf
@@ -0,0 +1,2 @@
+[fips_sect]
+activate = 1
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
index 4e3a6d85e8..e8255ba974 100644
--- a/test/recipes/00-prep_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "FIPS module config file only supported in a fips build"
if $no_check;
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
index ce594817d5..00cebacff8 100644
--- a/test/recipes/01-test_fipsmodule_cnf.t
+++ b/test/recipes/01-test_fipsmodule_cnf.t
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "Test only supported in a fips build"
if $no_check;
plan tests => 1;
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index b8b136d110..8242f4ebc3 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
+plan skip_all => "Test only supported in a fips build" if 1;
# Compatible options for pedantic FIPS compliance
my @pedantic_okay =
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
index c8f145405b..56a2ec5dc4 100644
--- a/test/recipes/30-test_defltfips.t
+++ b/test/recipes/30-test_defltfips.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "Configuration loading is turned off"
if disabled("autoload-config");
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
plan tests =>
($no_fips ? 1 : 5);
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 195b85ea8c..92d48dbf7d 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -27,7 +27,7 @@ setup("test_ssl_new");
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index 18d9f3d204..71780d8caa 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -17,7 +17,7 @@ setup("test_sslapi");
setup("test_sslapi");
}
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
--
2.44.0
- module_checksum = fips_hmac_container;
- checksum_len = sizeof(fips_hmac_container);
+ if (st->module_checksum_data == NULL) {
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+ } else {
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
+ &checksum_len);
+ }
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
diff -up openssl-3.2.1/providers/fips/self_test.c.0033-patch-new openssl-3.2.1/providers/fips/self_test.c
--- openssl-3.2.1/providers/fips/self_test.c.0033-patch-new 2024-06-04 14:42:03.748284524 +0200
+++ openssl-3.2.1/providers/fips/self_test.c 2024-06-04 14:47:19.589758324 +0200
@@ -369,23 +369,12 @@ static int verify_integrity(OSSL_CORE_BI
EVP_MAC *mac = NULL;
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
- Dl_info info;
- void *extra_info = NULL;
- struct link_map *lm = NULL;
- unsigned long paddr;
- unsigned long off = 0;
if (!integrity_self_test(ev, libctx))
goto err;
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
- if (!dladdr1 ((const void *)fips_hmac_container,
- &info, &extra_info, RTLD_DL_LINKMAP))
- goto err;
- lm = extra_info;
- paddr = (unsigned long)fips_hmac_container - lm->l_addr;
-
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
if (mac == NULL)
goto err;
@@ -399,40 +388,12 @@ static int verify_integrity(OSSL_CORE_BI
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
goto err;
- while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
- if (status != 1)
- break;
- if (!EVP_MAC_update(ctx, buf, bytes_read))
- goto err;
- off += bytes_read;
- }
-
- if (off + INTEGRITY_BUF_SIZE > paddr) {
- int delta = paddr - off;
- status = read_ex_cb(bio, buf, delta, &bytes_read);
- if (status != 1)
- goto err;
- if (!EVP_MAC_update(ctx, buf, bytes_read))
- goto err;
- off += bytes_read;
-
- status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
- memset(buf, 0, HMAC_LEN);
- if (status != 1)
- goto err;
- if (!EVP_MAC_update(ctx, buf, bytes_read))
- goto err;
- off += bytes_read;
- }
-
- while (bytes_read > 0) {
- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ while (1) {
+ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
if (status != 1)
break;
if (!EVP_MAC_update(ctx, buf, bytes_read))
goto err;
- off += bytes_read;
}
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))

View File

@ -217,6 +217,14 @@ diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 14999540ab..b05b84717b 100644 index 14999540ab..b05b84717b 100644
--- a/crypto/rand/rand_lib.c --- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c
@@ -11,6 +11,7 @@
#define OPENSSL_SUPPRESS_DEPRECATED
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/opensslconf.h>
#include <openssl/core_names.h>
#include "internal/cryptlib.h"
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx) @@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
return ret; return ret;
} }
@ -234,3 +242,76 @@ index 14999540ab..b05b84717b 100644
PRIMARY_RESEED_INTERVAL, PRIMARY_RESEED_INTERVAL,
PRIMARY_RESEED_TIME_INTERVAL, 1); PRIMARY_RESEED_TIME_INTERVAL, 1);
/* /*
@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_
if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
return NULL;
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
SECONDARY_RESEED_TIME_INTERVAL, 0);
CRYPTO_THREAD_set_local(&dgbl->public, rand);
}
@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB
if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
return NULL;
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
SECONDARY_RESEED_TIME_INTERVAL, 0);
CRYPTO_THREAD_set_local(&dgbl->private, rand);
}
diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c
--- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200
+++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200
@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s
reseed_when = time(NULL);
/* Generate random output from the public and private DRBG */
- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0;
+ before_reseed = 0;
if (!TEST_int_eq(rand_bytes((unsigned char*)public_random,
RANDOM_SIZE), expect_success)
|| !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random,
@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s
*/
/* Test whether reseeding succeeded as expected */
- if (!TEST_int_eq(state(primary), expected_state)
- || !TEST_int_eq(state(public), expected_state)
+ if (/*!TEST_int_eq(state(primary), expected_state)
+ ||*/ !TEST_int_eq(state(public), expected_state)
|| !TEST_int_eq(state(private), expected_state))
return 0;
@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s
if (expect_public_reseed >= 0) {
/* Test whether public DRBG was reseeded as expected */
if (!TEST_int_ge(reseed_counter(public), public_reseed)
- || !TEST_uint_ge(reseed_counter(public),
- reseed_counter(primary)))
+ /*|| !TEST_uint_ge(reseed_counter(public),
+ reseed_counter(primary))*/)
return 0;
}
if (expect_private_reseed >= 0) {
/* Test whether public DRBG was reseeded as expected */
if (!TEST_int_ge(reseed_counter(private), private_reseed)
- || !TEST_uint_ge(reseed_counter(private),
- reseed_counter(primary)))
+ /*|| !TEST_uint_ge(reseed_counter(private),
+ reseed_counter(primary))*/)
return 0;
}
@@ -577,8 +577,8 @@ static int test_rand_reseed(void)
if (!TEST_ptr_ne(public, private)
|| !TEST_ptr_ne(public, primary)
|| !TEST_ptr_ne(private, primary)
- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary)))
+ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
+ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/)
return 0;
/* Disable CRNG testing for the primary DRBG */

View File

@ -1,13 +1,45 @@
From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001 From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build> From: Clemens Lang <cllang@redhat.com>
Date: Mon, 31 Jul 2023 09:41:29 +0200 Date: Thu, 11 Aug 2022 09:27:12 +0200
Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch Subject: KDF: Add FIPS indicators
Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch FIPS requires a number of restrictions on the parameters of the various
Patch-id: 78 key derivation functions implemented in OpenSSL. The KDFs that use
Patch-status: | digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772 C.C). Additionally, some application-specific KDFs have further
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd restrictions defined in SP 800-135r1.
Generally, all KDFs shall use a key-derivation key length of at least
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
to generate and output length of less than 112 bits will also set the
indicator to unapproved.
Add explicit indicators to all KDFs usable in FIPS mode except for
PBKDF2 (which has its specific FIPS limits already implemented). The
indicator can be queried using EVP_KDF_CTX_get_params() after setting
the required parameters and keys for the KDF.
Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
truncated versions -224 and -384), as well as SHAKE-128 and -256.
The SHAKE functions are generally not allowed in KDFs. For the rest, the
support matrix is:
KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated
==========================================================================
KBKDF | x | x | x | x | x
HKDF | x | x | x | x | x
TLS1PRF | | SHA-{256,384,512} only | |
SSHKDF | x | x | x | |
SSKDF | x | x | x | x | x
X9.63KDF | | x | x | x | x
X9.42-ASN1 | x | x | x | x | x
TLS1.3PRF | | SHA-{256,384} only | |
Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2160733 rhbz#2164763
Related: rhbz#2114772 rhbz#2141695
--- ---
include/crypto/evp.h | 7 ++ include/crypto/evp.h | 7 ++
include/openssl/kdf.h | 4 + include/openssl/kdf.h | 4 +
@ -17,10 +49,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++- providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
util/perl/OpenSSL/paramnames.pm | 1 +
9 files changed, 487 insertions(+), 22 deletions(-) 9 files changed, 487 insertions(+), 22 deletions(-)
diff --git a/include/crypto/evp.h b/include/crypto/evp.h diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index dbbdcccbda..aa07153441 100644 index e70d8e9e84..76fb990de4 100644
--- a/include/crypto/evp.h --- a/include/crypto/evp.h
+++ b/include/crypto/evp.h +++ b/include/crypto/evp.h
@@ -219,6 +219,13 @@ struct evp_mac_st { @@ -219,6 +219,13 @@ struct evp_mac_st {
@ -53,10 +86,10 @@ index 0983230a48..86171635ea 100644
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index 5304baa6c9..f9c77f4236 100644 index dfa7786bde..f01e40ff5a 100644
--- a/providers/implementations/kdfs/hkdf.c --- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c
@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; @@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
@ -64,7 +97,7 @@ index 5304baa6c9..f9c77f4236 100644
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
@@ -86,6 +87,10 @@ typedef struct { @@ -85,6 +86,10 @@ typedef struct {
size_t data_len; size_t data_len;
unsigned char *info; unsigned char *info;
size_t info_len; size_t info_len;
@ -75,7 +108,7 @@ index 5304baa6c9..f9c77f4236 100644
} KDF_HKDF; } KDF_HKDF;
static void *kdf_hkdf_new(void *provctx) static void *kdf_hkdf_new(void *provctx)
@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, @@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
return 0; return 0;
} }
@ -87,7 +120,7 @@ index 5304baa6c9..f9c77f4236 100644
switch (ctx->mode) { switch (ctx->mode) {
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
default: default:
@@ -363,15 +373,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) @@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
{ {
KDF_HKDF *ctx = (KDF_HKDF *)vctx; KDF_HKDF *ctx = (KDF_HKDF *)vctx;
OSSL_PARAM *p; OSSL_PARAM *p;
@ -96,15 +129,20 @@ index 5304baa6c9..f9c77f4236 100644
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
size_t sz = kdf_hkdf_size(ctx); size_t sz = kdf_hkdf_size(ctx);
- if (sz == 0)
+ any_valid = 1; + any_valid = 1;
+ if (sz == 0)
+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
return 0; return 0;
- return OSSL_PARAM_set_size_t(p, sz); return OSSL_PARAM_set_size_t(p, sz);
}
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
+ any_valid = 1;
if (ctx->info == NULL || ctx->info_len == 0) {
p->return_size = 0;
return 1;
}
return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
} }
- return -2; - return -2;
+
+#ifdef FIPS_MODULE +#ifdef FIPS_MODULE
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
+ != NULL) { + != NULL) {
@ -169,17 +207,17 @@ index 5304baa6c9..f9c77f4236 100644
} }
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -379,6 +452,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, @@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = { static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
+#ifdef FIPS_MODULE +#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), + OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */ +#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END OSSL_PARAM_END
}; };
return known_gettable_ctx_params; return known_gettable_ctx_params;
@@ -709,6 +785,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, @@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
return ret; return ret;
} }
@ -197,7 +235,7 @@ index 5304baa6c9..f9c77f4236 100644
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
const OSSL_PARAM params[]) const OSSL_PARAM params[])
{ {
@@ -724,6 +811,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, @@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
return 0; return 0;
} }
@ -209,7 +247,7 @@ index 5304baa6c9..f9c77f4236 100644
switch (ctx->mode) { switch (ctx->mode) {
default: default:
return 0; return 0;
@@ -801,7 +893,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, @@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
} }
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
@ -219,7 +257,7 @@ index 5304baa6c9..f9c77f4236 100644
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
index aa3df15bc7..3f82710061 100644 index a542f84dfa..6b6dfb94ac 100644
--- a/providers/implementations/kdfs/kbkdf.c --- a/providers/implementations/kdfs/kbkdf.c
+++ b/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c
@@ -59,6 +59,9 @@ typedef struct { @@ -59,6 +59,9 @@ typedef struct {
@ -232,7 +270,7 @@ index aa3df15bc7..3f82710061 100644
/* Names are lowercased versions of those found in SP800-108. */ /* Names are lowercased versions of those found in SP800-108. */
int r; int r;
unsigned char *ki; unsigned char *ki;
@@ -72,6 +75,9 @@ typedef struct { @@ -73,6 +76,9 @@ typedef struct {
int use_l; int use_l;
int is_kmac; int is_kmac;
int use_separator; int use_separator;
@ -242,7 +280,7 @@ index aa3df15bc7..3f82710061 100644
} KBKDF; } KBKDF;
/* Definitions needed for typechecking. */ /* Definitions needed for typechecking. */
@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx) @@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
void *provctx = ctx->provctx; void *provctx = ctx->provctx;
EVP_MAC_CTX_free(ctx->ctx_init); EVP_MAC_CTX_free(ctx->ctx_init);
@ -250,7 +288,7 @@ index aa3df15bc7..3f82710061 100644
OPENSSL_clear_free(ctx->context, ctx->context_len); OPENSSL_clear_free(ctx->context, ctx->context_len);
OPENSSL_clear_free(ctx->label, ctx->label_len); OPENSSL_clear_free(ctx->label, ctx->label_len);
OPENSSL_clear_free(ctx->ki, ctx->ki_len); OPENSSL_clear_free(ctx->ki, ctx->ki_len);
@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, @@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
goto done; goto done;
} }
@ -262,7 +300,7 @@ index aa3df15bc7..3f82710061 100644
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
if (h == 0) if (h == 0)
goto done; goto done;
@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) @@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
} }
} }
@ -272,7 +310,7 @@ index aa3df15bc7..3f82710061 100644
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
if (p != NULL if (p != NULL
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, @@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{ {
OSSL_PARAM *p; OSSL_PARAM *p;
@ -356,10 +394,10 @@ index aa3df15bc7..3f82710061 100644
} }
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
index 1afac4e477..389b82b714 100644 index c592ba72f1..4a52b38266 100644
--- a/providers/implementations/kdfs/sshkdf.c --- a/providers/implementations/kdfs/sshkdf.c
+++ b/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c
@@ -49,6 +49,9 @@ typedef struct { @@ -48,6 +48,9 @@ typedef struct {
char type; /* X */ char type; /* X */
unsigned char *session_id; unsigned char *session_id;
size_t session_id_len; size_t session_id_len;
@ -369,7 +407,7 @@ index 1afac4e477..389b82b714 100644
} KDF_SSHKDF; } KDF_SSHKDF;
static void *kdf_sshkdf_new(void *provctx) static void *kdf_sshkdf_new(void *provctx)
@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, @@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
return 0; return 0;
} }
@ -382,7 +420,7 @@ index 1afac4e477..389b82b714 100644
return SSHKDF(md, ctx->key, ctx->key_len, return SSHKDF(md, ctx->key, ctx->key_len,
ctx->xcghash, ctx->xcghash_len, ctx->xcghash, ctx->xcghash_len,
ctx->session_id, ctx->session_id_len, ctx->session_id, ctx->session_id_len,
@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, @@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{ {
OSSL_PARAM *p; OSSL_PARAM *p;
@ -453,7 +491,7 @@ index 1afac4e477..389b82b714 100644
} }
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, @@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
{ {
static const OSSL_PARAM known_gettable_ctx_params[] = { static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -464,10 +502,10 @@ index 1afac4e477..389b82b714 100644
}; };
return known_gettable_ctx_params; return known_gettable_ctx_params;
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
index ecb98de6fd..98fcc583d8 100644 index eb54972e1c..23865cd70f 100644
--- a/providers/implementations/kdfs/sskdf.c --- a/providers/implementations/kdfs/sskdf.c
+++ b/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c
@@ -63,6 +63,10 @@ typedef struct { @@ -64,6 +64,10 @@ typedef struct {
size_t salt_len; size_t salt_len;
size_t out_len; /* optional KMAC parameter */ size_t out_len; /* optional KMAC parameter */
int is_kmac; int is_kmac;
@ -486,7 +524,7 @@ index ecb98de6fd..98fcc583d8 100644
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
static OSSL_FUNC_kdf_freectx_fn sskdf_free; static OSSL_FUNC_kdf_freectx_fn sskdf_free;
static OSSL_FUNC_kdf_reset_fn sskdf_reset; static OSSL_FUNC_kdf_reset_fn sskdf_reset;
@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx) @@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
return ctx; return ctx;
} }
@ -503,7 +541,7 @@ index ecb98de6fd..98fcc583d8 100644
static void sskdf_reset(void *vctx) static void sskdf_reset(void *vctx)
{ {
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, @@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
} }
md = ossl_prov_digest_md(&ctx->digest); md = ossl_prov_digest_md(&ctx->digest);
@ -515,7 +553,7 @@ index ecb98de6fd..98fcc583d8 100644
if (ctx->macctx != NULL) { if (ctx->macctx != NULL) {
/* H(x) = KMAC or H(x) = HMAC */ /* H(x) = KMAC or H(x) = HMAC */
int ret; int ret;
@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, @@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
return 0; return 0;
} }
@ -527,7 +565,7 @@ index ecb98de6fd..98fcc583d8 100644
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
ctx->info, ctx->info_len, 1, key, keylen); ctx->info, ctx->info_len, 1, key, keylen);
} }
@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) @@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{ {
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
OSSL_PARAM *p; OSSL_PARAM *p;
@ -605,7 +643,7 @@ index ecb98de6fd..98fcc583d8 100644
} }
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, @@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
{ {
static const OSSL_PARAM known_gettable_ctx_params[] = { static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -615,7 +653,7 @@ index ecb98de6fd..98fcc583d8 100644
OSSL_PARAM_END OSSL_PARAM_END
}; };
return known_gettable_ctx_params; return known_gettable_ctx_params;
@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { @@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
}; };
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
@ -625,10 +663,10 @@ index ecb98de6fd..98fcc583d8 100644
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index 54124ad4cb..25a6c79a2e 100644 index a4d64b9352..f6782a6ca2 100644
--- a/providers/implementations/kdfs/tls1_prf.c --- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c
@@ -104,6 +104,13 @@ typedef struct { @@ -93,6 +93,13 @@ typedef struct {
/* Buffer of concatenated seed data */ /* Buffer of concatenated seed data */
unsigned char seed[TLS1_PRF_MAXBUF]; unsigned char seed[TLS1_PRF_MAXBUF];
size_t seedlen; size_t seedlen;
@ -642,7 +680,7 @@ index 54124ad4cb..25a6c79a2e 100644
} TLS1_PRF; } TLS1_PRF;
static void *kdf_tls1_prf_new(void *provctx) static void *kdf_tls1_prf_new(void *provctx)
@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vctx) @@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
EVP_MAC_CTX_free(ctx->P_sha1); EVP_MAC_CTX_free(ctx->P_sha1);
OPENSSL_clear_free(ctx->sec, ctx->seclen); OPENSSL_clear_free(ctx->sec, ctx->seclen);
OPENSSL_cleanse(ctx->seed, ctx->seedlen); OPENSSL_cleanse(ctx->seed, ctx->seedlen);
@ -650,7 +688,7 @@ index 54124ad4cb..25a6c79a2e 100644
memset(ctx, 0, sizeof(*ctx)); memset(ctx, 0, sizeof(*ctx));
ctx->provctx = provctx; ctx->provctx = provctx;
} }
@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, @@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0; return 0;
} }
@ -661,7 +699,7 @@ index 54124ad4cb..25a6c79a2e 100644
/* /*
* The seed buffer is prepended with a label. * The seed buffer is prepended with a label.
@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) @@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
} }
} }
@ -671,7 +709,7 @@ index 54124ad4cb..25a6c79a2e 100644
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
OPENSSL_clear_free(ctx->sec, ctx->seclen); OPENSSL_clear_free(ctx->sec, ctx->seclen);
ctx->sec = NULL; ctx->sec = NULL;
@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( @@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{ {
OSSL_PARAM *p; OSSL_PARAM *p;
@ -735,7 +773,7 @@ index 54124ad4cb..25a6c79a2e 100644
} }
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( @@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
{ {
static const OSSL_PARAM known_gettable_ctx_params[] = { static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -746,7 +784,7 @@ index 54124ad4cb..25a6c79a2e 100644
}; };
return known_gettable_ctx_params; return known_gettable_ctx_params;
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
index 4c274fe27a..5ce23c8eb9 100644 index b1bc6f7e1b..8173fc2cc7 100644
--- a/providers/implementations/kdfs/x942kdf.c --- a/providers/implementations/kdfs/x942kdf.c
+++ b/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c
@@ -13,11 +13,13 @@ @@ -13,11 +13,13 @@
@ -763,7 +801,7 @@ index 4c274fe27a..5ce23c8eb9 100644
#include "prov/provider_ctx.h" #include "prov/provider_ctx.h"
#include "prov/providercommon.h" #include "prov/providercommon.h"
#include "prov/implementations.h" #include "prov/implementations.h"
@@ -49,6 +51,9 @@ typedef struct { @@ -47,6 +50,9 @@ typedef struct {
const unsigned char *cek_oid; const unsigned char *cek_oid;
size_t cek_oid_len; size_t cek_oid_len;
int use_keybits; int use_keybits;
@ -773,7 +811,7 @@ index 4c274fe27a..5ce23c8eb9 100644
} KDF_X942; } KDF_X942;
/* /*
@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, @@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
return 0; return 0;
} }
@ -784,7 +822,7 @@ index 4c274fe27a..5ce23c8eb9 100644
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
der, der_len, ctr, key, keylen); der, der_len, ctr, key, keylen);
OPENSSL_free(der); OPENSSL_free(der);
@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) @@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{ {
KDF_X942 *ctx = (KDF_X942 *)vctx; KDF_X942 *ctx = (KDF_X942 *)vctx;
OSSL_PARAM *p; OSSL_PARAM *p;
@ -846,7 +884,7 @@ index 4c274fe27a..5ce23c8eb9 100644
} }
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, @@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
{ {
static const OSSL_PARAM known_gettable_ctx_params[] = { static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -856,12 +894,10 @@ index 4c274fe27a..5ce23c8eb9 100644
OSSL_PARAM_END OSSL_PARAM_END
}; };
return known_gettable_ctx_params; return known_gettable_ctx_params;
-- diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
2.41.0 index 70f7c50fe4..6618122417 100644
--- a/util/perl/OpenSSL/paramnames.pm
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.fips-indicators-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm +++ b/util/perl/OpenSSL/paramnames.pm
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.fips-indicators-patch 2024-01-02 12:11:36.633033731 +0100
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:12:54.022901822 +0100
@@ -183,6 +183,7 @@ my %params = ( @@ -183,6 +183,7 @@ my %params = (
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo", 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo", 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
@ -870,3 +906,6 @@ diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.fips-indicators-patch ope
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy", 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
'KDF_PARAM_HMACDRBG_NONCE' => "nonce", 'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
'KDF_PARAM_THREADS' => "threads", # uint32_t 'KDF_PARAM_THREADS' => "threads", # uint32_t
--
2.39.2

View File

@ -111,7 +111,7 @@ index 056aae3863..fe680449c5 100644
+ } + }
if (garg->gidcnt == garg->gidmax) { if (garg->gidcnt == garg->gidmax) {
uint16_t *tmp = uint16_t *tmp =
OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT); OPENSSL_realloc(garg->gid_arr,
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg) @@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
gid = tls1_group_name2id(garg->ctx, etmp); gid = tls1_group_name2id(garg->ctx, etmp);
@ -161,18 +161,18 @@ index 056aae3863..fe680449c5 100644
return 0; return 0;
if (len > (int)(sizeof(etmp) - 1)) if (len > (int)(sizeof(etmp) - 1))
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg) @@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
break; break;
}
} }
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
- return 0;
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
+ /* Ignore unknown algorithms if ignore_unknown */
+ return ignore_unknown;
+ }
} }
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
- return 0;
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
+ /* Ignore unknown algorithms if ignore_unknown */
+ return ignore_unknown;
+ }
} else { } else {
*p = 0; *p = 0;
p++;
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg) @@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
return 0; return 0;
get_sigorhash(&sig_alg, &hash_alg, etmp); get_sigorhash(&sig_alg, &hash_alg, etmp);
@ -209,7 +209,7 @@ index 056aae3863..fe680449c5 100644
} }
return 1; return 1;
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) @@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
sig.sigalgcnt = 0; }
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
return 0; return 0;
+ if (sig.sigalgcnt == 0) { + if (sig.sigalgcnt == 0) {

View File

@ -1,80 +0,0 @@
From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Tue, 27 Feb 2024 15:22:58 +0100
Subject: [PATCH 48/49] 0118-no-crl-memleak.patch
Patch-name: 0118-no-crl-memleak.patch
Patch-id: 118
Patch-status: |
# https://github.com/openssl/openssl/issues/23770
---
crypto/x509/by_file.c | 2 ++
test/recipes/60-test_x509_load_cert_file.t | 3 ++-
test/x509_load_cert_file_test.c | 8 +++++++-
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index 5073c137a2..85923804ac 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
goto err;
}
count++;
+ X509_CRL_free(x);
+ x = NULL;
}
} else if (type == X509_FILETYPE_ASN1) {
x = d2i_X509_CRL_bio(in, NULL);
diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t
index 75aeac362c..e329d7675c 100644
--- a/test/recipes/60-test_x509_load_cert_file.t
+++ b/test/recipes/60-test_x509_load_cert_file.t
@@ -12,4 +12,5 @@ setup("test_load_cert_file");
plan tests => 1;
-ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")])));
+ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"),
+ srctop_file("test", "certs", "cyrillic_crl.pem")])));
diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c
index 4a736071ae..c07d329915 100644
--- a/test/x509_load_cert_file_test.c
+++ b/test/x509_load_cert_file_test.c
@@ -12,6 +12,7 @@
#include "testutil.h"
static const char *chain;
+static const char *crl;
static int test_load_cert_file(void)
{
@@ -27,12 +28,15 @@ static int test_load_cert_file(void)
&& TEST_int_eq(sk_X509_num(certs), 4))
ret = 1;
+ if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM)))
+ ret = 0;
+
OSSL_STACK_OF_X509_free(certs);
X509_STORE_free(store);
return ret;
}
-OPT_TEST_DECLARE_USAGE("cert.pem...\n")
+OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n")
int setup_tests(void)
{
@@ -45,6 +49,8 @@ int setup_tests(void)
if (chain == NULL)
return 0;
+ crl = test_get_argument(1);
+
ADD_TEST(test_load_cert_file);
return 1;
}
--
2.44.0

View File

@ -1,170 +0,0 @@
From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Fri, 8 Mar 2024 11:18:12 +0100
Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
Patch-id: 119
Patch-status: |
# https://github.com/openssl/openssl/issues/22779
---
ssl/s3_lib.c | 8 ++++----
ssl/ssl_lib.c | 2 +-
ssl/ssl_local.h | 2 +-
ssl/t1_lib.c | 45 ++++++++++++++++++++++++++++++++++-----------
4 files changed, 40 insertions(+), 17 deletions(-)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index e8ec98c221..48a1aa0e61 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
return tls1_set_sigalgs(sc->cert, parg, larg, 0);
case SSL_CTRL_SET_SIGALGS_LIST:
- return tls1_set_sigalgs_list(sc->cert, parg, 0);
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0);
case SSL_CTRL_SET_CLIENT_SIGALGS:
return tls1_set_sigalgs(sc->cert, parg, larg, 1);
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
- return tls1_set_sigalgs_list(sc->cert, parg, 1);
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1);
case SSL_CTRL_GET_CLIENT_CERT_TYPES:
{
@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
case SSL_CTRL_SET_SIGALGS_LIST:
- return tls1_set_sigalgs_list(ctx->cert, parg, 0);
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0);
case SSL_CTRL_SET_CLIENT_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
- return tls1_set_sigalgs_list(ctx->cert, parg, 1);
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1);
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 1329841aaf..4d95ab71cd 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return tls1_set_groups_list(ctx, NULL, NULL, parg);
case SSL_CTRL_SET_SIGALGS_LIST:
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
- return tls1_set_sigalgs_list(NULL, parg, 0);
+ return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
default:
return 0;
}
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 0d3acfbe66..a73b2c4770 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s);
void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op);
-__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
+__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client);
__owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
int client);
__owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen,
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index fe680449c5..87f2ae7000 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx)
/* now populate ctx->ssl_cert_info */
if (ctx->sigalg_list_len > 0) {
+ OPENSSL_free(ctx->ssl_cert_info);
ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
if (ctx->ssl_cert_info == NULL)
return 0;
@@ -2889,6 +2890,7 @@ typedef struct {
size_t sigalgcnt;
/* TLSEXT_SIGALG_XXX values */
uint16_t sigalgs[TLS_MAX_SIGALGCNT];
+ SSL_CTX *ctx;
} sig_cb_st;
static void get_sigorhash(int *psig, int *phash, const char *str)
@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str)
static int sig_cb(const char *elem, int len, void *arg)
{
sig_cb_st *sarg = arg;
- size_t i;
+ size_t i = 0;
+ int load_success = 0;
const SIGALG_LOOKUP *s;
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
int sig_alg = NID_undef, hash_alg = NID_undef;
@@ -2943,17 +2946,36 @@ static int sig_cb(const char *elem, int len, void *arg)
* in the table.
*/
if (p == NULL) {
- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
- i++, s++) {
- if (s->name != NULL && strcmp(etmp, s->name) == 0) {
- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
- break;
- }
+ /* Load provider sigalgs */
+ if (sarg->ctx) {
+ load_success = ssl_load_sigalgs(sarg->ctx);
}
- if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
- /* Ignore unknown algorithms if ignore_unknown */
- return ignore_unknown;
+ if (load_success) {
+ /* Check if a provider supports the sigalg */
+ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) {
+ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL
+ && strcmp(etmp,
+ sarg->ctx->sigalg_list[i].sigalg_name) == 0) {
+ sarg->sigalgs[sarg->sigalgcnt++] =
+ sarg->ctx->sigalg_list[i].code_point;
+ break;
+ }
+ }
}
+ /* Check the built-in sigalgs */
+ if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) {
+ for (i = 0, s = sigalg_lookup_tbl;
+ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
+ if (s->name != NULL && strcmp(etmp, s->name) == 0) {
+ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
+ break;
+ }
+ }
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
+ /* Ignore unknown algorithms if ignore_unknown */
+ return ignore_unknown;
+ }
+ }
} else {
*p = 0;
p++;
@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg)
* Set supported signature algorithms based on a colon separated list of the
* form sig+hash e.g. RSA+SHA512:DSA+SHA512
*/
-int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
+int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
{
sig_cb_st sig;
sig.sigalgcnt = 0;
+ sig.ctx = ctx;
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
return 0;
if (sig.sigalgcnt == 0) {
--
2.44.0

View File

@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.2.1 Version: 3.2.2
Release: 4%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
Source: openssl-%{version}.tar.gz Source: openssl-%{version}.tar.gz
Source2: Makefile.certificate Source2: Makefile.certificate
@ -116,7 +116,7 @@ Patch76: 0076-FIPS-140-3-DRBG.patch
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102542 # # https://bugzilla.redhat.com/show_bug.cgi?id=2102542
Patch77: 0077-FIPS-140-3-zeroization.patch Patch77: 0077-FIPS-140-3-zeroization.patch
# # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 # # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch Patch78: 0078-KDF-Add-FIPS-indicators.patch
# # We believe that some changes present in CentOS are not necessary # # We believe that some changes present in CentOS are not necessary
# # because ustream has a check for FIPS version # # because ustream has a check for FIPS version
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
@ -156,11 +156,7 @@ Patch115: 0115-skip-quic-pairwise.patch
Patch116: 0116-version-aliasing.patch Patch116: 0116-version-aliasing.patch
# https://github.com/openssl/openssl/issues/23050 # https://github.com/openssl/openssl/issues/23050
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
# https://github.com/openssl/openssl/issues/23770 # https://bugzilla.redhat.com/show_bug.cgi?id=2160797
Patch118: 0118-no-crl-memleak.patch
# https://github.com/openssl/openssl/issues/22779
Patch119: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
# From CentOS 9
Patch121: 0121-FIPS-cms-defaults.patch Patch121: 0121-FIPS-cms-defaults.patch
License: Apache-2.0 License: Apache-2.0
@ -507,6 +503,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Jun 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-1
- Rebase to OpenSSL 3.2.2.
Related: RHEL-31762
* Mon Jun 03 2024 Sahana Prasad <sahana@redhat.com> - 1:3.2.1-4 * Mon Jun 03 2024 Sahana Prasad <sahana@redhat.com> - 1:3.2.1-4
- Synchronize patches from c9s and Fedora - Synchronize patches from c9s and Fedora
- Resolves: RHEL-31762 - Resolves: RHEL-31762

View File

@ -1 +1 @@
SHA512 (openssl-3.2.1.tar.gz) = 29ea75964f78ef5bbe5783ed60d32917408ae4cb7d4aecdbbf2280bfdbc260c7cbabbc03bd179fc994fbee85cebc7213eeb5bfcde5c22db5e83edf2cebe7113f SHA512 (openssl-3.2.2.tar.gz) = ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d