import openssl-1.1.1g-9.el8

This commit is contained in:
CentOS Sources 2020-07-28 03:48:24 -04:00 committed by Stepan Oksanichenko
parent ed72945b4b
commit 412876a99c
34 changed files with 6164 additions and 2763 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/openssl-1.1.1c-hobbled.tar.xz
SOURCES/openssl-1.1.1g-hobbled.tar.xz


@ -1 +1 @@
a85056adf2c2402e808bbe3201f6e473cfa8c214 SOURCES/openssl-1.1.1c-hobbled.tar.xz
b55517bdc9aa61627a9896c1a3a156d5f6a4348f SOURCES/openssl-1.1.1g-hobbled.tar.xz


@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@ -9,7 +9,7 @@
*/
#include <string.h>
#include "ec_lcl.h"
#include "ec_local.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>
@ -468,3 +468,115 @@ int EC_curve_nist2nid(const char *name)
}
return NID_undef;
}
#define NUM_BN_FIELDS 6
/*
* Validates EC domain parameter data for known named curves.
* This can be used when a curve is loaded explicitly (without a curve
* name) or to validate that domain parameters have not been modified.
*
* Returns: The nid associated with the found named curve, or NID_undef
* if not found. If there was an error it returns -1.
*/
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
{
int ret = -1, nid, len, field_type, param_len;
size_t i, seed_len;
const unsigned char *seed, *params_seed, *params;
unsigned char *param_bytes = NULL;
const EC_CURVE_DATA *data;
const EC_POINT *generator = NULL;
const EC_METHOD *meth;
const BIGNUM *cofactor = NULL;
/* An array of BIGNUMs for (p, a, b, x, y, order) */
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
meth = EC_GROUP_method_of(group);
if (meth == NULL)
return -1;
/* Use the optional named curve nid as a search field */
nid = EC_GROUP_get_curve_name(group);
field_type = EC_METHOD_get_field_type(meth);
seed_len = EC_GROUP_get_seed_len(group);
seed = EC_GROUP_get0_seed(group);
cofactor = EC_GROUP_get0_cofactor(group);
BN_CTX_start(ctx);
/*
* The built-in curves contains data fields (p, a, b, x, y, order) that are
* all zero-padded to be the same size. The size of the padding is
* determined by either the number of bytes in the field modulus (p) or the
* EC group order, whichever is larger.
*/
param_len = BN_num_bytes(group->order);
len = BN_num_bytes(group->field);
if (len > param_len)
param_len = len;
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
if (param_bytes == NULL)
goto end;
/* Create the bignums */
for (i = 0; i < NUM_BN_FIELDS; ++i) {
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
goto end;
}
/*
* Fill in the bn array with the same values as the internal curves
* i.e. the values are p, a, b, x, y, order.
*/
/* Get p, a & b */
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
/* Get x & y */
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
/* Get order */
&& EC_GROUP_get_order(group, bn[5], ctx)))
goto end;
/*
* Convert the bignum array to bytes that are joined together to form
* a single buffer that contains data for all fields.
* (p, a, b, x, y, order) are all zero padded to be the same size.
*/
for (i = 0; i < NUM_BN_FIELDS; ++i) {
if (BN_bn2binpad(bn[i], &param_bytes[i*param_len], param_len) <= 0)
goto end;
}
for (i = 0; i < curve_list_length; i++) {
const ec_list_element curve = curve_list[i];
data = curve.data;
/* Get the raw order byte data */
params_seed = (const unsigned char *)(data + 1); /* skip header */
params = params_seed + data->seed_len;
/* Look for unique fields in the fixed curve data */
if (data->field_type == field_type
&& param_len == data->param_len
&& (nid <= 0 || nid == curve.nid)
/* check the optional cofactor (ignore if its zero) */
&& (BN_is_zero(cofactor)
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
/* Check the optional seed (ignore if its not set) */
&& (data->seed_len == 0 || seed_len == 0
|| ((size_t)data->seed_len == seed_len
&& memcmp(params_seed, seed, seed_len) == 0))
/* Check that the groups params match the built-in curve params */
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
== 0) {
ret = curve.nid;
goto end;
}
}
/* Gets here if the group was not found */
ret = NID_undef;
end:
OPENSSL_free(param_bytes);
BN_CTX_end(ctx);
return ret;
}
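Review bot: The header comment of ec_curve_nid_from_params says it can "validate that domain parameters have not been modified", but the optional fields are handled asymmetrically from that wording: an absent seed or a zero cofactor is simply ignored, while a seed that is present but differs (the memcmp in the seed check) or a nonzero cofactor that differs from the table entry makes the lookup return NID_undef rather than an error. That matters for a caller that uses the result to promote explicit parameters to a named curve with its specialised EC_METHOD, since a peer could defeat the match, and with it the specialised method, just by attaching a bogus seed or cofactor; presumably the caller clears those optional fields before calling (the new ectest cases expect an invalid seed and a wrong cofactor to still resolve to the named curve), but that contract is not stated here. I would extend the header comment with `* Optional fields that are present must match the built-in entry exactly (seed bytes, cofactor value); a caller that wants a lookup robust against attacker-chosen optional fields must clear them before calling.` The nid filter `nid <= 0 || nid == curve.nid` likewise means a group already carrying a different nid can never match, which deserves a line in the same comment. The function is complete within the hunk; the file header is not visible in this view, the EC_curve_nist2nid context suggests crypto/ec/ec_curve.c.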


@ -844,6 +844,271 @@ static const unsigned char p521_explicit[] = {
0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
};
/*
* Sometime we cannot compare nids for equality, as the built-in curve table
* includes aliases with different names for the same curve.
*
* This function returns TRUE (1) if the checked nids are identical, or if they
* alias to the same curve. FALSE (0) otherwise.
*/
static ossl_inline
int are_ec_nids_compatible(int n1d, int n2d)
{
int ret = 0;
switch (n1d) {
# ifndef OPENSSL_NO_EC2M
case NID_sect113r1:
case NID_wap_wsg_idm_ecid_wtls4:
ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
break;
case NID_sect163k1:
case NID_wap_wsg_idm_ecid_wtls3:
ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
break;
case NID_sect233k1:
case NID_wap_wsg_idm_ecid_wtls10:
ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
break;
case NID_sect233r1:
case NID_wap_wsg_idm_ecid_wtls11:
ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
break;
case NID_X9_62_c2pnb163v1:
case NID_wap_wsg_idm_ecid_wtls5:
ret = (n2d == NID_X9_62_c2pnb163v1
|| n2d == NID_wap_wsg_idm_ecid_wtls5);
break;
# endif /* OPENSSL_NO_EC2M */
case NID_secp112r1:
case NID_wap_wsg_idm_ecid_wtls6:
ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
break;
case NID_secp160r2:
case NID_wap_wsg_idm_ecid_wtls7:
ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
break;
# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
case NID_secp224r1:
case NID_wap_wsg_idm_ecid_wtls12:
ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
break;
# else
/*
* For SEC P-224 we want to ensure that the SECP nid is returned, as
* that is associated with a specialized method.
*/
case NID_wap_wsg_idm_ecid_wtls12:
ret = (n2d == NID_secp224r1);
break;
# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
default:
ret = (n1d == n2d);
}
return ret;
}
/*
* This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
* EC_GROUP for built-in curves.
*
* Note that it is possible to retrieve an alternative alias that does not match
* the original nid.
*
* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
*/
static int check_named_curve_from_ecparameters(int id)
{
int ret = 0, nid, tnid;
EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
const EC_POINT *group_gen = NULL;
EC_POINT *other_gen = NULL;
BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
const BIGNUM *group_order = NULL;
BIGNUM *other_order = NULL;
BN_CTX *bn_ctx = NULL;
static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
static size_t invalid_seed_len = sizeof(invalid_seed);
ECPARAMETERS *params = NULL, *other_params = NULL;
EC_GROUP *g_ary[8] = {NULL};
EC_GROUP **g_next = &g_ary[0];
ECPARAMETERS *p_ary[8] = {NULL};
ECPARAMETERS **p_next = &p_ary[0];
/* Do some setup */
nid = curves[id].nid;
TEST_note("Curve %s", OBJ_nid2sn(nid));
if (!TEST_ptr(bn_ctx = BN_CTX_new()))
return ret;
BN_CTX_start(bn_ctx);
if (/* Allocations */
!TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
|| !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
/* Generate reference group and params */
|| !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
|| !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
|| !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
|| !TEST_ptr(group_order = EC_GROUP_get0_order(group))
|| !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
/* compute `other_*` values */
|| !TEST_ptr(tmpg = EC_GROUP_dup(group))
|| !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
|| !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
|| !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
other_gen_x, other_gen_y, bn_ctx))
|| !TEST_true(BN_copy(other_order, group_order))
|| !TEST_true(BN_add_word(other_order, 1))
|| !TEST_true(BN_copy(other_cofactor, group_cofactor))
|| !TEST_true(BN_add_word(other_cofactor, 1)))
goto err;
EC_POINT_free(other_gen);
other_gen = NULL;
if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
|| !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
other_gen_x, other_gen_y,
bn_ctx)))
goto err;
/*
* ###########################
* # Actual tests start here #
* ###########################
*/
/*
* Creating a group from built-in explicit parameters returns a
* "named" EC_GROUP
*/
if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
goto err;
/*
* We cannot always guarantee the names match, as the built-in table
* contains aliases for the same curve with different names.
*/
if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
goto err;
}
/* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
goto err;
/*
* An invalid seed in the parameters should be ignored: expect a "named"
* group.
*/
if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
invalid_seed_len)
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)) {
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
goto err;
}
/*
* A null seed in the parameters should be ignored, as it is optional:
* expect a "named" group.
*/
if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)) {
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
goto err;
}
/*
* Check that changing any of the generator parameters does not yield a
* match with the built-in curves
*/
if (/* Other gen, same group order & cofactor */
!TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
group_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
/* Same gen & cofactor, different order */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
group_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
/* The order is not an optional field, so this should fail */
|| !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
group_cofactor))
/* Check that a wrong cofactor is ignored, and we still match */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
other_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)
/* Check that if the cofactor is not set then it still matches */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
NULL))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE)
/* check that restoring the generator passes */
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
group_cofactor))
|| !TEST_ptr(other_params = *p_next++ =
EC_GROUP_get_ecparameters(tmpg, NULL))
|| !TEST_ptr(tgroup = *g_next++ =
EC_GROUP_new_from_ecparameters(other_params))
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
OPENSSL_EC_EXPLICIT_CURVE))
goto err;
ret = 1;
err:
for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
EC_GROUP_free(*g_next);
for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
ECPARAMETERS_free(*p_next);
ECPARAMETERS_free(params);
EC_POINT_free(other_gen);
EC_GROUP_free(tmpg);
EC_GROUP_free(group);
BN_CTX_end(bn_ctx);
BN_CTX_free(bn_ctx);
return ret;
}
static int parameter_test(void)
{
EC_GROUP *group = NULL, *group2 = NULL;
@ -851,7 +1116,8 @@ static int parameter_test(void)
unsigned char *buf = NULL;
int r = 0, len;
if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
/* must use a curve without a special group method */
if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp256k1))
|| !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
|| !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
|| !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
@ -886,7 +1152,280 @@ err:
OPENSSL_free(buf);
return r;
}
#endif
/*-
* random 256-bit explicit parameters curve, cofactor absent
* order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
* cofactor: 0x12bc94785251297abfafddf1565100da (125 bit)
*/
static const unsigned char params_cf_pass[] = {
0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
0x14, 0xa8, 0x2f, 0x4f
};
/*-
* random 256-bit explicit parameters curve, cofactor absent
* order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
* cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
*/
static const unsigned char params_cf_fail[] = {
0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
0x34, 0xa2, 0x21, 0x01
};
/*-
* Test two random 256-bit explicit parameters curves with absent cofactor.
* The two curves are chosen to roughly straddle the bounds at which the lib
* can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
*
* - params_cf_pass: order is sufficiently close to p to compute cofactor
* - params_cf_fail: order is too far away from p to compute cofactor
*
* For standards-compliant curves, cofactor is chosen as small as possible.
* So you can see neither of these curves are fit for cryptographic use.
*
* Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
* h <= 2**(t/8) where t is the security level of the curve, for which the lib
* will always succeed in computing the cofactor. Neither of these curves
* conform to that -- this is just robustness testing.
*/
static int cofactor_range_test(void)
{
EC_GROUP *group = NULL;
BIGNUM *cf = NULL;
int ret = 0;
const unsigned char *b1 = (const unsigned char *)params_cf_fail;
const unsigned char *b2 = (const unsigned char *)params_cf_pass;
if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
|| !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
|| !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
sizeof(params_cf_pass)))
|| !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
|| !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
goto err;
ret = 1;
err:
BN_free(cf);
EC_GROUP_free(group);
return ret;
}
/*-
* For named curves, test that:
* - the lib correctly computes the cofactor if passed a NULL or zero cofactor
* - a nonsensical cofactor throws an error (negative test)
* - nonsensical orders throw errors (negative tests)
*/
static int cardinality_test(int n)
{
int ret = 0;
int nid = curves[n].nid;
BN_CTX *ctx = NULL;
EC_GROUP *g1 = NULL, *g2 = NULL;
EC_POINT *g2_gen = NULL;
BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
*g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
if (!TEST_ptr(ctx = BN_CTX_new())
|| !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
|| !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
EC_GROUP_free(g1);
EC_GROUP_free(g2);
BN_CTX_free(ctx);
return 0;
}
BN_CTX_start(ctx);
g1_p = BN_CTX_get(ctx);
g1_a = BN_CTX_get(ctx);
g1_b = BN_CTX_get(ctx);
g1_x = BN_CTX_get(ctx);
g1_y = BN_CTX_get(ctx);
g1_order = BN_CTX_get(ctx);
g1_cf = BN_CTX_get(ctx);
if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
/* pull out the explicit curve parameters */
|| !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
|| !TEST_true(EC_POINT_get_affine_coordinates(g1,
EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
|| !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
|| !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
/* construct g2 manually with g1 parameters */
|| !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
|| !TEST_ptr(g2_gen = EC_POINT_new(g2))
|| !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
/* pass NULL cofactor: lib should compute it */
|| !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
|| !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
|| !TEST_BN_eq(g1_cf, g2_cf)
/* pass zero cofactor: lib should compute it */
|| !TEST_true(BN_set_word(g2_cf, 0))
|| !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
|| !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
|| !TEST_BN_eq(g1_cf, g2_cf)
/* negative test for invalid cofactor */
|| !TEST_true(BN_set_word(g2_cf, 0))
|| !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
/* negative test for NULL order */
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
/* negative test for zero order */
|| !TEST_true(BN_set_word(g1_order, 0))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
/* negative test for negative order */
|| !TEST_true(BN_set_word(g2_cf, 0))
|| !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
/* negative test for too large order */
|| !TEST_true(BN_lshift(g1_order, g1_p, 2))
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
goto err;
ret = 1;
err:
EC_POINT_free(g2_gen);
EC_GROUP_free(g1);
EC_GROUP_free(g2);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
/*
* Helper for ec_point_hex2point_test
*
* Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
* (group,P) pair.
*
* If P is NULL use point at infinity.
*/
static ossl_inline
int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
point_conversion_form_t form,
BN_CTX *bnctx)
{
int ret = 0;
EC_POINT *Q = NULL, *Pinf = NULL;
char *hex = NULL;
if (P == NULL) {
/* If P is NULL use point at infinity. */
if (!TEST_ptr(Pinf = EC_POINT_new(group))
|| !TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
goto err;
P = Pinf;
}
if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx))
|| !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx))
|| !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
goto err;
/*
* The next check is most likely superfluous, as EC_POINT_cmp should already
* cover this.
* Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
* so we include it anyway!
*/
if (Pinf != NULL
&& !TEST_true(EC_POINT_is_at_infinity(group, Q)))
goto err;
ret = 1;
err:
EC_POINT_free(Pinf);
OPENSSL_free(hex);
EC_POINT_free(Q);
return ret;
}
/*
* This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex()
*/
static int ec_point_hex2point_test(int id)
{
int ret = 0, nid;
EC_GROUP *group = NULL;
const EC_POINT *G = NULL;
EC_POINT *P = NULL;
BN_CTX * bnctx = NULL;
/* Do some setup */
nid = curves[id].nid;
if (!TEST_ptr(bnctx = BN_CTX_new())
|| !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
|| !TEST_ptr(G = EC_GROUP_get0_generator(group))
|| !TEST_ptr(P = EC_POINT_dup(G, group)))
goto err;
if (!TEST_true(ec_point_hex2point_test_helper(group, P,
POINT_CONVERSION_COMPRESSED,
bnctx))
|| !TEST_true(ec_point_hex2point_test_helper(group, NULL,
POINT_CONVERSION_COMPRESSED,
bnctx))
|| !TEST_true(ec_point_hex2point_test_helper(group, P,
POINT_CONVERSION_UNCOMPRESSED,
bnctx))
|| !TEST_true(ec_point_hex2point_test_helper(group, NULL,
POINT_CONVERSION_UNCOMPRESSED,
bnctx))
|| !TEST_true(ec_point_hex2point_test_helper(group, P,
POINT_CONVERSION_HYBRID,
bnctx))
|| !TEST_true(ec_point_hex2point_test_helper(group, NULL,
POINT_CONVERSION_HYBRID,
bnctx)))
goto err;
ret = 1;
err:
EC_POINT_free(P);
EC_GROUP_free(group);
BN_CTX_free(bnctx);
return ret;
}
#endif /* OPENSSL_NO_EC */
int setup_tests(void)
{
@ -897,6 +1436,8 @@ int setup_tests(void)
return 0;
ADD_TEST(parameter_test);
ADD_TEST(cofactor_range_test);
ADD_ALL_TESTS(cardinality_test, crv_len);
ADD_TEST(prime_field_tests);
# ifndef OPENSSL_NO_EC2M
ADD_TEST(char2_field_tests);
@ -908,7 +1449,10 @@ int setup_tests(void)
# endif
ADD_ALL_TESTS(internal_curve_test, crv_len);
ADD_ALL_TESTS(internal_curve_test_method, crv_len);
#endif
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
#endif /* OPENSSL_NO_EC */
return 1;
}
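Review bot: The cleanup loop over p_ary at the end of check_named_curve_from_ecparameters bounds itself with `OSSL_NELEM(g_ary)` instead of `OSSL_NELEM(p_ary)`; both arrays are declared with 8 entries so nothing is freed out of bounds today, but it should read `for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(p_ary); p_next++)` so that resizing one array cannot silently turn the other loop into an over-read. In the same function the comment above it says "EC_GROUP_bew_from_ecparameters", which should be EC_GROUP_new_from_ecparameters, and `TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len), invalid_seed_len)` pushes a size_t return through an int comparison; if the harness offers TEST_size_t_eq that is the better fit. A smaller point in cofactor_range_test: `group = d2i_ECPKParameters(&group, &b2, ...)` overwrites group with NULL if the second decode fails, and if d2i_ECPKParameters leaves *a untouched on failure (as I believe it does) the first group leaks on that path; decoding into a second variable avoids it. As far as I can tell cardinality_test is the upstream regression test for the cofactor computation that the separately deleted CVE-2019-1547 backport introduced, so it is worth confirming the test suite actually runs in the package build.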


@ -1,12 +0,0 @@
diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
--- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200
+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200
@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
-install_docs: install_man_docs install_html_docs
+install_docs: install_man_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r -v $(DESTDIR)$(DOCDIR)


@ -0,0 +1,27 @@
commit 9e885a707d604e9528b5491b78fb9c00f41193fc
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Mar 26 15:59:00 2020 +0100
s_server: Properly indicate ALPN protocol mismatch
Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
an alert is sent to the client on ALPN protocol mismatch.
Fixes: #2708
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11415)
diff --git a/apps/s_server.c b/apps/s_server.c
index bcc83e562c..591c6c19c5 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
if (SSL_select_next_proto
((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
inlen) != OPENSSL_NPN_NEGOTIATED) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
}
if (!s_quiet) {
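Review bot: The new return value changes s_server's observable behaviour for clients that offer ALPN with no protocol in common: instead of continuing the handshake without ALPN (SSL_TLSEXT_ERR_NOACK) the server now aborts with a fatal alert, which as I read RFC 7301 section 3.2 is the required no_application_protocol behaviour, but it is a change that users of -alpn will notice. A one-line comment above the return would make that intent visible in the code rather than only in the commit message: `/* RFC 7301 3.2: no protocol in common -> fatal no_application_protocol alert */`. The rest of alpn_cb, including its opening, is outside the hunk.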


@ -1,28 +1,7 @@
diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build 2018-06-20 16:48:09.000000000 +0200
+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-16 17:15:38.108831031 +0200
@@ -680,7 +680,7 @@ uninstall_runtime:
install_man_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing manpages"
- $(PERL) $(SRCDIR)/util/process_docs.pl \
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
uninstall_man_docs:
@@ -692,7 +692,7 @@ uninstall_man_docs:
install_html_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing HTML manpages"
- $(PERL) $(SRCDIR)/util/process_docs.pl \
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
--destdir=$(DESTDIR)$(HTMLDIR) --type=html
uninstall_html_docs:
diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf
--- openssl-1.1.1-pre8/Configurations/10-main.conf.build 2018-06-20 16:48:09.000000000 +0200
+++ openssl-1.1.1-pre8/Configurations/10-main.conf 2018-07-16 17:17:10.312045203 +0200
@@ -693,6 +693,7 @@ my %targets = (
diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
+++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
@@ -678,6 +678,7 @@ my %targets = (
cxxflags => add("-m64"),
lib_cppflags => add("-DL_ENDIAN"),
perlasm_scheme => "linux64le",
@ -30,7 +9,7 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
},
"linux-armv4" => {
@@ -733,6 +734,7 @@ my %targets = (
@@ -718,6 +719,7 @@ my %targets = (
"linux-aarch64" => {
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
perlasm_scheme => "linux64",
@ -38,3 +17,24 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
},
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
@@ -823,7 +823,7 @@ uninstall_runtime_libs:
install_man_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing manpages"
- $(PERL) $(SRCDIR)/util/process_docs.pl \
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
uninstall_man_docs:
@@ -835,7 +835,7 @@ uninstall_man_docs:
install_html_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing HTML manpages"
- $(PERL) $(SRCDIR)/util/process_docs.pl \
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
uninstall_html_docs:


@ -1,171 +0,0 @@
From 30c22fa8b1d840036b8e203585738df62a03cec8 Mon Sep 17 00:00:00 2001
From: Billy Brumley <bbrumley@gmail.com>
Date: Thu, 5 Sep 2019 21:25:37 +0300
Subject: [PATCH] [crypto/ec] for ECC parameters with NULL or zero cofactor,
compute it
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.
This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.
This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.
It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).
The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.
CVE-2019-1547
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9781)
---
crypto/ec/ec_lib.c | 103 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 96 insertions(+), 7 deletions(-)
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 8cab5a5061..1289c8608e 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -265,6 +265,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)
static int ec_precompute_mont_data(EC_GROUP *);
+/*-
+ * Try computing cofactor from the generator order (n) and field cardinality (q).
+ * This works for all curves of cryptographic interest.
+ *
+ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)
+ * h_min = (q + 1 - 2*sqrt(q))/n
+ * h_max = (q + 1 + 2*sqrt(q))/n
+ * h_max - h_min = 4*sqrt(q)/n
+ * So if n > 4*sqrt(q) holds, there is only one possible value for h:
+ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil
+ *
+ * Otherwise, zero cofactor and return success.
+ */
+static int ec_guess_cofactor(EC_GROUP *group) {
+ int ret = 0;
+ BN_CTX *ctx = NULL;
+ BIGNUM *q = NULL;
+
+ /*-
+ * If the cofactor is too large, we cannot guess it.
+ * The RHS of below is a strict overestimate of lg(4 * sqrt(q))
+ */
+ if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {
+ /* default to 0 */
+ BN_zero(group->cofactor);
+ /* return success */
+ return 1;
+ }
+
+ if ((ctx = BN_CTX_new()) == NULL)
+ return 0;
+
+ BN_CTX_start(ctx);
+ if ((q = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /* set q = 2**m for binary fields; q = p otherwise */
+ if (group->meth->field_type == NID_X9_62_characteristic_two_field) {
+ BN_zero(q);
+ if (!BN_set_bit(q, BN_num_bits(group->field) - 1))
+ goto err;
+ } else {
+ if (!BN_copy(q, group->field))
+ goto err;
+ }
+
+ /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */
+ if (!BN_rshift1(group->cofactor, group->order) /* n/2 */
+ || !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */
+ /* q + 1 + n/2 */
+ || !BN_add(group->cofactor, group->cofactor, BN_value_one())
+ /* (q + 1 + n/2)/n */
+ || !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))
+ goto err;
+ ret = 1;
+ err:
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ return ret;
+}
+
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
const BIGNUM *order, const BIGNUM *cofactor)
{
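Review bot: ec_guess_cofactor returns 0 without pushing anything onto the error queue on any of its failure paths (the BN_CTX_new check, the BN_CTX_get check, and the BN_rshift1/BN_add/BN_div chain before `err:`), and the caller's `else if (!ec_guess_cofactor(group))` branch in the hunk at @@ -281,17 +370,17 @@ likewise returns 0 silently, whereas every other rejection this patch adds to EC_GROUP_set_generator calls ECerr; an application that receives 0 from this path therefore sees an empty error stack and cannot tell a failed cofactor computation from the explicit parameter checks. Suggested: in that caller branch, before `return 0;`, add `ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_BN_LIB);`. Separately, `static int ec_guess_cofactor(EC_GROUP *group) {` puts the opening brace on the signature line, while the surrounding file (EC_GROUP_set_generator directly below) puts it on its own line; `static int ec_guess_cofactor(EC_GROUP *group)` followed by `{` on the next line matches the file's convention.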
@@ -273,6 +334,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
return 0;
}
+ /* require group->field >= 1 */
+ if (group->field == NULL || BN_is_zero(group->field)
+ || BN_is_negative(group->field)) {
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);
+ return 0;
+ }
+
+ /*-
+ * - require order >= 1
+ * - enforce upper bound due to Hasse thm: order can be no more than one bit
+ * longer than field cardinality
+ */
+ if (order == NULL || BN_is_zero(order) || BN_is_negative(order)
+ || BN_num_bits(order) > BN_num_bits(group->field) + 1) {
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);
+ return 0;
+ }
+
+ /*-
+ * Unfortunately the cofactor is an optional field in many standards.
+ * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".
+ * So accept cofactor == NULL or cofactor >= 0.
+ */
+ if (cofactor != NULL && BN_is_negative(cofactor)) {
+ ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);
+ return 0;
+ }
+
if (group->generator == NULL) {
group->generator = EC_POINT_new(group);
if (group->generator == NULL)
@@ -281,17 +370,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
if (!EC_POINT_copy(group->generator, generator))
return 0;
- if (order != NULL) {
- if (!BN_copy(group->order, order))
- return 0;
- } else
- BN_zero(group->order);
+ if (!BN_copy(group->order, order))
+ return 0;
- if (cofactor != NULL) {
+ /* Either take the provided positive cofactor, or try to compute it */
+ if (cofactor != NULL && !BN_is_zero(cofactor)) {
if (!BN_copy(group->cofactor, cofactor))
return 0;
- } else
+ } else if (!ec_guess_cofactor(group)) {
BN_zero(group->cofactor);
+ return 0;
+ }
/*
* Some groups have an order with
--
2.20.1


@ -1,300 +0,0 @@
diff -up openssl-1.1.1c/crypto/fips/fips.c.fork-safety openssl-1.1.1c/crypto/fips/fips.c
--- openssl-1.1.1c/crypto/fips/fips.c.fork-safety 2019-11-20 11:36:22.343506961 +0100
+++ openssl-1.1.1c/crypto/fips/fips.c 2019-11-21 17:44:32.920776849 +0100
@@ -472,7 +472,7 @@ int FIPS_module_mode_set(int onoff)
fips_set_mode(onoff);
/* force RNG reseed with entropy from getrandom() on next call */
- rand_fork();
+ rand_force_reseed();
ret = 1;
goto end;
diff -up openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety openssl-1.1.1c/crypto/include/internal/rand_int.h
--- openssl-1.1.1c/crypto/include/internal/rand_int.h.fork-safety 2019-11-20 11:36:22.382506277 +0100
+++ openssl-1.1.1c/crypto/include/internal/rand_int.h 2019-11-21 17:45:42.102456672 +0100
@@ -24,9 +24,9 @@
typedef struct rand_pool_st RAND_POOL;
void rand_cleanup_int(void);
+void rand_force_reseed(void);
void rand_drbg_cleanup_int(void);
void drbg_delete_thread_state(void);
-void rand_fork(void);
/* Hardware-based seeding functions. */
size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
diff -up openssl-1.1.1c/crypto/init.c.fork-safety openssl-1.1.1c/crypto/init.c
--- openssl-1.1.1c/crypto/init.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/init.c 2019-11-21 17:34:13.478597398 +0100
@@ -847,6 +847,5 @@ void OPENSSL_fork_parent(void)
void OPENSSL_fork_child(void)
{
- rand_fork();
}
#endif
diff -up openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety openssl-1.1.1c/crypto/rand/drbg_lib.c
--- openssl-1.1.1c/crypto/rand/drbg_lib.c.fork-safety 2019-11-20 11:36:22.383506260 +0100
+++ openssl-1.1.1c/crypto/rand/drbg_lib.c 2019-11-21 17:46:37.583397431 +0100
@@ -197,7 +197,7 @@ static RAND_DRBG *rand_drbg_new(int secu
}
drbg->secure = secure && CRYPTO_secure_allocated(drbg);
- drbg->fork_count = rand_fork_count;
+ drbg->fork_id = openssl_get_fork_id();
drbg->parent = parent;
if (parent == NULL) {
@@ -583,6 +583,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
int prediction_resistance,
const unsigned char *adin, size_t adinlen)
{
+ int fork_id;
int reseed_required = 0;
if (drbg->state != DRBG_READY) {
@@ -608,8 +609,10 @@ int RAND_DRBG_generate(RAND_DRBG *drbg,
return 0;
}
- if (drbg->fork_count != rand_fork_count) {
- drbg->fork_count = rand_fork_count;
+ fork_id = openssl_get_fork_id();
+
+ if (drbg->fork_id != fork_id) {
+ drbg->fork_id = fork_id;
reseed_required = 1;
}
@@ -1011,6 +1014,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
}
+void rand_force_reseed(void)
+{
+ RAND_DRBG *drbg;
+
+ drbg = RAND_DRBG_get0_master();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_private();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_public();
+ drbg->fork_id = 0;
+}
+
/* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness)
{
diff -up openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety openssl-1.1.1c/crypto/rand/rand_lcl.h
--- openssl-1.1.1c/crypto/rand/rand_lcl.h.fork-safety 2019-11-20 11:36:22.383506260 +0100
+++ openssl-1.1.1c/crypto/rand/rand_lcl.h 2019-11-21 17:34:13.485597265 +0100
@@ -176,12 +176,12 @@ struct rand_drbg_st {
int secure; /* 1: allocated on the secure heap, 0: otherwise */
int type; /* the nid of the underlying algorithm */
/*
- * Stores the value of the rand_fork_count global as of when we last
- * reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
- * rand_fork_count. Used to provide fork-safety and reseed this DRBG in
- * the child process.
+ * Stores the return value of openssl_get_fork_id() as of when we last
+ * reseeded. The DRBG reseeds automatically whenever drbg->fork_id !=
+ * openssl_get_fork_id(). Used to provide fork-safety and reseed this
+ * DRBG in the child process.
*/
- int fork_count;
+ int fork_id;
unsigned short flags; /* various external flags */
/*
@@ -273,19 +273,6 @@ struct rand_drbg_st {
/* The global RAND method, and the global buffer and DRBG instance. */
extern RAND_METHOD rand_meth;
-/*
- * A "generation count" of forks. Incremented in the child process after a
- * fork. Since rand_fork_count is increment-only, and only ever written to in
- * the child process of the fork, which is guaranteed to be single-threaded, no
- * locking is needed for normal (read) accesses; the rest of pthread fork
- * processing is assumed to introduce the necessary memory barriers. Sibling
- * children of a given parent will produce duplicate values, but this is not
- * problematic because the reseeding process pulls input from the system CSPRNG
- * and/or other global sources, so the siblings will end up generating
- * different output streams.
- */
-extern int rand_fork_count;
-
/* DRBG helpers */
int rand_drbg_restart(RAND_DRBG *drbg,
const unsigned char *buffer, size_t len, size_t entropy);
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety openssl-1.1.1c/crypto/rand/rand_lib.c
--- openssl-1.1.1c/crypto/rand/rand_lib.c.fork-safety 2019-11-20 11:36:22.374506418 +0100
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-11-21 17:34:13.487597227 +0100
@@ -30,8 +30,6 @@ static CRYPTO_RWLOCK *rand_meth_lock;
static const RAND_METHOD *default_RAND_meth;
static CRYPTO_ONCE rand_init = CRYPTO_ONCE_STATIC_INIT;
-int rand_fork_count;
-
static CRYPTO_RWLOCK *rand_nonce_lock;
static int rand_nonce_count;
@@ -303,11 +301,6 @@ void rand_drbg_cleanup_additional_data(R
rand_pool_reattach(pool, out);
}
-void rand_fork(void)
-{
- rand_fork_count++;
-}
-
DEFINE_RUN_ONCE_STATIC(do_rand_init)
{
#ifndef OPENSSL_NO_ENGINE
diff -up openssl-1.1.1c/crypto/threads_none.c.fork-safety openssl-1.1.1c/crypto/threads_none.c
--- openssl-1.1.1c/crypto/threads_none.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/threads_none.c 2019-11-21 17:34:13.489597189 +0100
@@ -12,6 +12,11 @@
#if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG)
+# if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <unistd.h>
+# endif
+
CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
{
CRYPTO_RWLOCK *lock;
@@ -133,4 +138,12 @@ int openssl_init_fork_handlers(void)
return 0;
}
+int openssl_get_fork_id(void)
+{
+# if defined(OPENSSL_SYS_UNIX)
+ return getpid();
+# else
+ return 0;
+# endif
+}
#endif
diff -up openssl-1.1.1c/crypto/threads_pthread.c.fork-safety openssl-1.1.1c/crypto/threads_pthread.c
--- openssl-1.1.1c/crypto/threads_pthread.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/threads_pthread.c 2019-11-21 17:34:13.492597131 +0100
@@ -12,6 +12,11 @@
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
+# if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <unistd.h>
+#endif
+
# ifdef PTHREAD_RWLOCK_INITIALIZER
# define USE_RWLOCK
# endif
@@ -193,4 +198,9 @@ int openssl_init_fork_handlers(void)
# endif
return 0;
}
+
+int openssl_get_fork_id(void)
+{
+ return getpid();
+}
#endif
diff -up openssl-1.1.1c/crypto/threads_win.c.fork-safety openssl-1.1.1c/crypto/threads_win.c
--- openssl-1.1.1c/crypto/threads_win.c.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/threads_win.c 2019-11-21 17:34:13.495597074 +0100
@@ -164,4 +164,8 @@ int openssl_init_fork_handlers(void)
return 0;
}
+int openssl_get_fork_id(void)
+{
+ return 0;
+}
#endif
diff -up openssl-1.1.1c/include/internal/cryptlib.h.fork-safety openssl-1.1.1c/include/internal/cryptlib.h
--- openssl-1.1.1c/include/internal/cryptlib.h.fork-safety 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/include/internal/cryptlib.h 2019-11-21 17:34:13.497597036 +0100
@@ -80,6 +80,7 @@ extern unsigned int OPENSSL_ia32cap_P[];
void OPENSSL_showfatal(const char *fmta, ...);
void crypto_cleanup_all_ex_data_int(void);
int openssl_init_fork_handlers(void);
+int openssl_get_fork_id(void);
char *ossl_safe_getenv(const char *name);
diff -up openssl-1.1.1c/test/drbgtest.c.fork-safety openssl-1.1.1c/test/drbgtest.c
--- openssl-1.1.1c/test/drbgtest.c.fork-safety 2019-11-20 11:36:22.384506242 +0100
+++ openssl-1.1.1c/test/drbgtest.c 2019-11-21 17:34:13.499596998 +0100
@@ -22,6 +22,13 @@
# include <windows.h>
#endif
+
+#if defined(OPENSSL_SYS_UNIX)
+# include <sys/types.h>
+# include <sys/wait.h>
+# include <unistd.h>
+#endif
+
#include "testutil.h"
#include "drbgtest.h"
@@ -696,6 +703,40 @@ static int test_drbg_reseed(int expect_s
return 1;
}
+
+#if defined(OPENSSL_SYS_UNIX)
+/*
+ * Test whether master, public and private DRBG are reseeded after
+ * forking the process.
+ */
+static int test_drbg_reseed_after_fork(RAND_DRBG *master,
+ RAND_DRBG *public,
+ RAND_DRBG *private)
+{
+ pid_t pid;
+ int status=0;
+
+ pid = fork();
+ if (!TEST_int_ge(pid, 0))
+ return 0;
+
+ if (pid > 0) {
+ /* I'm the parent; wait for the child and check its exit code */
+ return TEST_int_eq(waitpid(pid, &status, 0), pid) && TEST_int_eq(status, 0);
+ }
+
+ /* I'm the child; check whether all three DRBGs reseed. */
+ if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)))
+ status = 1;
+
+ /* Remove hooks */
+ unhook_drbg(master);
+ unhook_drbg(public);
+ unhook_drbg(private);
+ exit(status);
+}
+#endif
+
/*
* Test whether the default rand_method (RAND_OpenSSL()) is
* setup correctly, in particular whether reseeding works
@@ -786,6 +827,10 @@ static int test_rand_drbg_reseed(void)
goto error;
reset_drbg_hook_ctx();
+#if defined(OPENSSL_SYS_UNIX)
+ if (!TEST_true(test_drbg_reseed_after_fork(master, public, private)))
+ goto error;
+#endif
/* fill 'randomness' buffer with some arbitrary data */
memset(rand_add_buf, 'r', sizeof(rand_add_buf));


@ -1,147 +0,0 @@
From 08229ad838c50f644d7e928e2eef147b4308ad64 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun, 1 Sep 2019 00:16:28 +0200
Subject: [PATCH] Fix a padding oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)
(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
---
crypto/cms/cms_env.c | 18 +++++++++++++++++-
crypto/cms/cms_lcl.h | 2 ++
crypto/cms/cms_smime.c | 4 ++++
crypto/pkcs7/pk7_doit.c | 12 ++++++++----
5 files changed, 45 insertions(+), 5 deletions(-)
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index bb95af75e3..25df1c40b1 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -363,6 +363,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
unsigned char *ek = NULL;
size_t eklen;
int ret = 0;
+ size_t fixlen = 0;
CMS_EncryptedContentInfo *ec;
ec = cms->d.envelopedData->encryptedContentInfo;
@@ -371,6 +372,19 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
return 0;
}
+ if (cms->d.envelopedData->encryptedContentInfo->havenocert
+ && !cms->d.envelopedData->encryptedContentInfo->debug) {
+ X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
+ const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
+
+ if (ciph == NULL) {
+ CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
+ return 0;
+ }
+
+ fixlen = EVP_CIPHER_key_length(ciph);
+ }
+
ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
if (ktri->pctx == NULL)
return 0;
@@ -401,7 +415,9 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen,
ktri->encryptedKey->data,
- ktri->encryptedKey->length) <= 0) {
+ ktri->encryptedKey->length) <= 0
+ || eklen == 0
+ || (fixlen != 0 && eklen != fixlen)) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_CMS_LIB);
goto err;
}
diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h
index b5c06b7f6c..8eddb02493 100644
--- a/crypto/cms/cms_lcl.h
+++ b/crypto/cms/cms_lcl.h
@@ -125,6 +125,8 @@ struct CMS_EncryptedContentInfo_st {
size_t keylen;
/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
int debug;
+ /* Set to 1 if we have no cert and need extra safety measures for MMA */
+ int havenocert;
};
struct CMS_RecipientInfo_st {
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 5dcf803f4b..3a26108b8c 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -743,6 +743,10 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
cms->d.envelopedData->encryptedContentInfo->debug = 1;
else
cms->d.envelopedData->encryptedContentInfo->debug = 0;
+ if (!cert)
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
+ else
+ cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
if (!pk && !cert && !dcont && !out)
return 1;
if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index ee08e602a1..15a6160cfe 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -137,7 +137,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
}
static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
- PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
+ PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
+ size_t fixlen)
{
EVP_PKEY_CTX *pctx = NULL;
unsigned char *ek = NULL;
@@ -170,7 +171,9 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
}
if (EVP_PKEY_decrypt(pctx, ek, &eklen,
- ri->enc_key->data, ri->enc_key->length) <= 0) {
+ ri->enc_key->data, ri->enc_key->length) <= 0
+ || eklen == 0
+ || (fixlen != 0 && eklen != fixlen)) {
ret = 0;
PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
goto err;
@@ -499,13 +502,14 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
+ EVP_CIPHER_key_length(evp_cipher)) < 0)
goto err;
ERR_clear_error();
}
} else {
/* Only exit on fatal errors, not decrypt failure */
- if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
+ if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
goto err;
ERR_clear_error();
}
--
2.20.1


@ -1,17 +1,40 @@
diff -up openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1c/crypto/evp/pkey_kdf.c
--- openssl-1.1.1c/crypto/evp/pkey_kdf.c.edk2-build 2019-11-14 16:25:09.437914854 +0100
+++ openssl-1.1.1c/crypto/evp/pkey_kdf.c 2019-11-15 14:52:40.216905772 +0100
diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
@@ -12,6 +12,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/kdf.h>
+#include "internal/numbers.h"
#include "internal/evp_int.h"
#include "crypto/evp.h"
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build openssl-1.1.1c/crypto/include/internal/fips_int.h
--- openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build 2019-11-14 16:25:09.430914981 +0100
+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-11-15 14:48:02.489936610 +0100
diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
+++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
@@ -13,6 +13,7 @@
#include <openssl/hmac.h>
#include <openssl/kdf.h>
#include <openssl/evp.h>
+#include "internal/numbers.h"
#include "internal/cryptlib.h"
#include "crypto/evp.h"
#include "kdf_local.h"
diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
+++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
@@ -20,7 +20,7 @@
#include "crypto/fips.h"
#include <stdio.h>
#include "internal/dso.h"
-#ifdef __linux
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
# include <sys/syscall.h>
# include <sys/random.h>
# ifdef DEVRANDOM_WAIT
diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
+++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
@@ -50,10 +50,6 @@
#include <openssl/opensslconf.h>
#include <openssl/evp.h>
@ -32,37 +55,3 @@ diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.edk2-build openssl-1.
+# define fips_in_post() 0
+
#endif
diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/hkdf.c
--- openssl-1.1.1c/crypto/kdf/hkdf.c.edk2-build 2019-11-14 16:25:09.438914836 +0100
+++ openssl-1.1.1c/crypto/kdf/hkdf.c 2019-11-15 14:48:53.360015134 +0100
@@ -13,6 +13,7 @@
#include <openssl/hmac.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
+#include "internal/numbers.h"
#include "internal/cryptlib.h"
#include "internal/evp_int.h"
#include "kdf_local.h"
diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build openssl-1.1.1c/crypto/kdf/sshkdf.c
--- openssl-1.1.1c/crypto/kdf/sshkdf.c.edk2-build 2019-11-14 16:25:09.452914583 +0100
+++ openssl-1.1.1c/crypto/kdf/sshkdf.c 2019-11-15 14:53:14.769279878 +0100
@@ -12,6 +12,7 @@
#include <string.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
+#include "internal/numbers.h"
#include "internal/cryptlib.h"
#include "internal/evp_int.h"
#include "kdf_local.h"
diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1c/crypto/rand/rand_unix.c
--- openssl-1.1.1c/crypto/rand/rand_unix.c.edk2-build 2019-11-14 16:25:09.430914981 +0100
+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-11-15 14:51:41.634966941 +0100
@@ -19,7 +19,7 @@
#include "internal/fips_int.h"
#include <stdio.h>
#include "internal/dso.h"
-#if defined(__linux)
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
# include <sys/syscall.h>
# include <sys/random.h>
#endif


@ -1,7 +1,7 @@
diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err/openssl.txt
--- openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/err/openssl.txt 2019-02-28 13:05:05.651521474 +0100
@@ -743,6 +743,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
diff -up openssl-1.1.1e/crypto/err/openssl.txt.evp-kdf openssl-1.1.1e/crypto/err/openssl.txt
--- openssl-1.1.1e/crypto/err/openssl.txt.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/err/openssl.txt 2020-03-19 16:04:11.299063517 +0100
@@ -747,6 +747,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
@ -11,7 +11,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
EVP_F_EVP_MD_SIZE:162:EVP_MD_size
EVP_F_EVP_OPENINIT:102:EVP_OpenInit
@@ -805,11 +808,30 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
@@ -809,12 +812,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
@ -19,6 +19,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
EVP_F_PKEY_SET_TYPE:158:pkey_set_type
EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
EVP_F_RC5_CTRL:125:rc5_ctrl
EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key
EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
+EVP_F_SCRYPT_ALG:228:scrypt_alg
EVP_F_UPDATE:173:update
@ -42,7 +43,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
@@ -821,6 +843,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
@@ -826,6 +848,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
@ -50,7 +51,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
@@ -2264,6 +2287,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
@@ -2277,6 +2300,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
operation not supported for this keytype
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
@ -58,7 +59,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
EVP_R_PBKDF2_ERROR:181:pbkdf2 error
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
@@ -2299,6 +2323,7 @@ KDF_R_MISSING_SEED:106:missing seed
@@ -2313,6 +2337,7 @@ KDF_R_MISSING_SEED:106:missing seed
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
KDF_R_VALUE_ERROR:108:value error
KDF_R_VALUE_MISSING:102:value missing
@ -66,9 +67,9 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
OBJ_R_OID_EXISTS:102:oid exists
OBJ_R_UNKNOWN_NID:101:unknown nid
OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/build.info
--- openssl-1.1.1b/crypto/evp/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/build.info 2019-02-28 13:05:05.651521474 +0100
diff -up openssl-1.1.1e/crypto/evp/build.info.evp-kdf openssl-1.1.1e/crypto/evp/build.info
--- openssl-1.1.1e/crypto/evp/build.info.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/evp/build.info 2020-03-19 16:04:11.300063500 +0100
@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
@ -79,44 +80,37 @@ diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/
e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
e_chacha20_poly1305.c cmeth_lib.c
diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c
--- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-02-28 13:05:05.651521474 +0100
@@ -14,8 +14,8 @@
diff -up openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c
--- openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2020-03-19 16:04:11.300063500 +0100
+++ openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c 2020-03-19 16:16:46.497967633 +0100
@@ -14,9 +14,9 @@
# include <openssl/evp.h>
# include <openssl/objects.h>
-# include "evp_locl.h"
# include "internal/evp_int.h"
+# include "evp_locl.h"
# include "internal/chacha.h"
-# include "evp_local.h"
# include "crypto/evp.h"
# include "crypto/chacha.h"
+# include "evp_local.h"
typedef struct {
diff -up openssl-1.1.1b/crypto/evp/encode.c.evp-kdf openssl-1.1.1b/crypto/evp/encode.c
--- openssl-1.1.1b/crypto/evp/encode.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/encode.c 2019-02-28 13:05:05.651521474 +0100
union {
diff -up openssl-1.1.1e/crypto/evp/encode.c.evp-kdf openssl-1.1.1e/crypto/evp/encode.c
--- openssl-1.1.1e/crypto/evp/encode.c.evp-kdf 2020-03-19 16:04:11.301063483 +0100
+++ openssl-1.1.1e/crypto/evp/encode.c 2020-03-19 16:14:13.147628683 +0100
@@ -11,8 +11,8 @@
#include <limits.h>
#include "internal/cryptlib.h"
#include <openssl/evp.h>
-#include "evp_locl.h"
#include "internal/evp_int.h"
+#include "evp_locl.h"
-#include "evp_local.h"
#include "crypto/evp.h"
+#include "evp_local.h"
static unsigned char conv_ascii2bin(unsigned char a,
const unsigned char *table);
diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_err.c
--- openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf 2019-02-28 13:05:05.617522103 +0100
+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-02-28 13:05:05.651521474 +0100
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -56,6 +56,9 @@ static const ERR_STRING_DATA EVP_str_fun
diff -up openssl-1.1.1e/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1e/crypto/evp/evp_err.c
--- openssl-1.1.1e/crypto/evp/evp_err.c.evp-kdf 2020-03-19 16:04:11.218064919 +0100
+++ openssl-1.1.1e/crypto/evp/evp_err.c 2020-03-19 16:04:11.302063465 +0100
@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
"EVP_EncryptFinal_ex"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},
@ -126,7 +120,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"},
@@ -147,10 +150,12 @@ static const ERR_STRING_DATA EVP_str_fun
@@ -151,12 +154,14 @@ static const ERR_STRING_DATA EVP_str_fun
"PKCS5_v2_PBKDF2_keyivgen"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0),
"PKCS5_v2_scrypt_keyivgen"},
@ -134,12 +128,14 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0),
"r_32_12_16_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
{0, NULL}
};
@@ -233,6 +238,8 @@ static const ERR_STRING_DATA EVP_str_rea
@@ -241,6 +246,8 @@ static const ERR_STRING_DATA EVP_str_rea
"operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
"operaton not initialized"},
@ -148,9 +144,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
"partially overlapping buffers"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/evp_locl.h
--- openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf 2019-02-28 13:05:05.253528831 +0100
+++ openssl-1.1.1b/crypto/evp/evp_locl.h 2019-02-28 13:05:05.652521456 +0100
diff -up openssl-1.1.1e/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1e/crypto/evp/evp_local.h
--- openssl-1.1.1e/crypto/evp/evp_local.h.evp-kdf 2020-03-19 16:04:10.657074629 +0100
+++ openssl-1.1.1e/crypto/evp/evp_local.h 2020-03-19 16:04:20.722900404 +0100
@@ -41,6 +41,11 @@ struct evp_cipher_ctx_st {
unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
} /* EVP_CIPHER_CTX */ ;
@ -163,20 +159,20 @@ diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/
int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
int passlen, ASN1_TYPE *param,
const EVP_CIPHER *c, const EVP_MD *md,
diff -up openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_pbe.c
--- openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/evp_pbe.c 2019-02-28 13:05:05.652521456 +0100
diff -up openssl-1.1.1e/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1e/crypto/evp/evp_pbe.c
--- openssl-1.1.1e/crypto/evp/evp_pbe.c.evp-kdf 2020-03-19 16:04:20.723900386 +0100
+++ openssl-1.1.1e/crypto/evp/evp_pbe.c 2020-03-19 16:11:56.425001210 +0100
@@ -12,6 +12,7 @@
#include <openssl/evp.h>
#include <openssl/pkcs12.h>
#include <openssl/x509.h>
+#include "internal/evp_int.h"
#include "evp_locl.h"
+#include "crypto/evp.h"
#include "evp_local.h"
/* Password based encryption (PBE) functions */
diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/kdf_lib.c
--- openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf 2019-02-28 13:05:05.652521456 +0100
+++ openssl-1.1.1b/crypto/evp/kdf_lib.c 2019-02-28 13:05:05.652521456 +0100
diff -up openssl-1.1.1e/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1e/crypto/evp/kdf_lib.c
--- openssl-1.1.1e/crypto/evp/kdf_lib.c.evp-kdf 2020-03-19 16:04:20.723900386 +0100
+++ openssl-1.1.1e/crypto/evp/kdf_lib.c 2020-03-19 16:04:20.723900386 +0100
@@ -0,0 +1,165 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -195,10 +191,10 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k
+#include <openssl/evp.h>
+#include <openssl/x509v3.h>
+#include <openssl/kdf.h>
+#include "internal/asn1_int.h"
+#include "internal/evp_int.h"
+#include "crypto/asn1.h"
+#include "crypto/evp.h"
+#include "internal/numbers.h"
+#include "evp_locl.h"
+#include "evp_local.h"
+
+typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
+
@ -343,9 +339,9 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k
+ return ctx->kmeth->derive(ctx->impl, key, keylen);
+}
+
diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/p5_crpt2.c
--- openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/p5_crpt2.c 2019-02-28 13:05:05.652521456 +0100
diff -up openssl-1.1.1e/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1e/crypto/evp/p5_crpt2.c
--- openssl-1.1.1e/crypto/evp/p5_crpt2.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/evp/p5_crpt2.c 2020-03-19 16:17:48.822886126 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
@ -360,13 +356,13 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/
-# include <openssl/x509.h>
-# include <openssl/evp.h>
-# include <openssl/hmac.h>
-# include "evp_locl.h"
-# include "evp_local.h"
+#include <openssl/x509.h>
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include <openssl/hmac.h>
+#include "internal/evp_int.h"
+#include "evp_locl.h"
+#include "crypto/evp.h"
+#include "evp_local.h"
/* set this to print out info about the keygen algorithm */
/* #define OPENSSL_DEBUG_PKCS5V2 */
@ -494,9 +490,9 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/
}
int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/evp/pbe_scrypt.c
--- openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/evp/pbe_scrypt.c 2019-02-28 13:33:18.446264056 +0100
diff -up openssl-1.1.1e/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1e/crypto/evp/pbe_scrypt.c
--- openssl-1.1.1e/crypto/evp/pbe_scrypt.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/evp/pbe_scrypt.c 2020-03-19 16:04:20.725900352 +0100
@@ -7,135 +7,12 @@
* https://www.openssl.org/source/license.html
*/
@ -682,9 +678,11 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
- */
- if (Blen > INT_MAX) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
- return 0;
- }
-
+ if (r > UINT32_MAX || p > UINT32_MAX) {
+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
return 0;
}
- /*
- * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
- * This is combined size V, X and T (section 4)
@ -692,21 +690,18 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
- i = UINT64_MAX / (32 * sizeof(uint32_t));
- if (N + 2 > i / r) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
+ if (r > UINT32_MAX || p > UINT32_MAX) {
+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
return 0;
}
- Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
- /* check total allocated size fits in uint64_t */
- if (Blen > UINT64_MAX - Vlen) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
- return 0;
+ /* Maintain existing behaviour. */
+ if (pass == NULL) {
+ pass = empty;
+ passlen = 0;
+ }
}
- Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
-
- /* check total allocated size fits in uint64_t */
- if (Blen > UINT64_MAX - Vlen) {
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
- return 0;
+ if (salt == NULL) {
+ salt = (const unsigned char *)empty;
+ saltlen = 0;
@ -768,9 +763,9 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
}
+
#endif
diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/pkey_kdf.c
--- openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf 2019-02-28 13:05:05.653521437 +0100
+++ openssl-1.1.1b/crypto/evp/pkey_kdf.c 2019-02-28 13:05:05.653521437 +0100
diff -up openssl-1.1.1e/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1e/crypto/evp/pkey_kdf.c
--- openssl-1.1.1e/crypto/evp/pkey_kdf.c.evp-kdf 2020-03-19 16:04:20.726900334 +0100
+++ openssl-1.1.1e/crypto/evp/pkey_kdf.c 2020-03-19 16:04:20.725900352 +0100
@@ -0,0 +1,255 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -786,7 +781,7 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/kdf.h>
+#include "internal/evp_int.h"
+#include "crypto/evp.h"
+
+static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
+{
@ -1027,45 +1022,17 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/
+ pkey_kdf_ctrl_str
+};
+
diff -up openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1b/crypto/include/internal/evp_int.h
--- openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf 2019-02-28 13:05:05.304527888 +0100
+++ openssl-1.1.1b/crypto/include/internal/evp_int.h 2019-02-28 13:05:05.653521437 +0100
@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
extern const EVP_PKEY_METHOD poly1305_pkey_meth;
extern const EVP_PKEY_METHOD siphash_pkey_meth;
+/* struct evp_kdf_impl_st is defined by the implementation */
+typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
+typedef struct {
+ int type;
+ EVP_KDF_IMPL *(*new) (void);
+ void (*free) (EVP_KDF_IMPL *impl);
+ void (*reset) (EVP_KDF_IMPL *impl);
+ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);
+ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
+ size_t (*size) (EVP_KDF_IMPL *impl);
+ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
+} EVP_KDF_METHOD;
+
+extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
+extern const EVP_KDF_METHOD scrypt_kdf_meth;
+extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
+extern const EVP_KDF_METHOD hkdf_kdf_meth;
+
struct evp_md_st {
int type;
int pkey_type;
diff -up openssl-1.1.1b/crypto/kdf/build.info.evp-kdf openssl-1.1.1b/crypto/kdf/build.info
--- openssl-1.1.1b/crypto/kdf/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/kdf/build.info 2019-02-28 13:05:05.653521437 +0100
diff -up openssl-1.1.1e/crypto/kdf/build.info.evp-kdf openssl-1.1.1e/crypto/kdf/build.info
--- openssl-1.1.1e/crypto/kdf/build.info.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/kdf/build.info 2020-03-19 16:04:32.347699194 +0100
@@ -1,3 +1,3 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
- tls1_prf.c kdf_err.c hkdf.c scrypt.c
+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf.c
--- openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/kdf/hkdf.c 2019-02-28 13:05:05.653521437 +0100
diff -up openssl-1.1.1e/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1e/crypto/kdf/hkdf.c
--- openssl-1.1.1e/crypto/kdf/hkdf.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/kdf/hkdf.c 2020-03-19 16:06:59.757147720 +0100
@@ -8,32 +8,33 @@
*/
@ -1073,11 +1040,10 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
+#include <stdarg.h>
#include <string.h>
#include <openssl/hmac.h>
-#include <openssl/kdf.h>
#include <openssl/kdf.h>
#include <openssl/evp.h>
+#include <openssl/kdf.h>
#include "internal/cryptlib.h"
#include "internal/evp_int.h"
#include "crypto/evp.h"
+#include "kdf_local.h"
#define HKDF_MAXBUF 1024
@ -1198,18 +1164,18 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
return 1;
- if (p1 < 0)
- return 0;
-
- if (kctx->salt != NULL)
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
-
- kctx->salt = OPENSSL_memdup(p2, p1);
- if (kctx->salt == NULL)
+ OPENSSL_free(impl->salt);
+ impl->salt = OPENSSL_memdup(p, len);
+ if (impl->salt == NULL)
return 0;
- if (kctx->salt != NULL)
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
-
- kctx->salt = OPENSSL_memdup(p2, p1);
- if (kctx->salt == NULL)
- return 0;
-
- kctx->salt_len = p1;
+ impl->salt_len = len;
return 1;
@ -1327,14 +1293,14 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
+static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl)
{
- HKDF_PKEY_CTX *kctx = ctx->data;
-
+ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
+ return SIZE_MAX;
- OPENSSL_clear_free(kctx->key, kctx->key_len);
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
- OPENSSL_cleanse(kctx->info, kctx->info_len);
- memset(kctx, 0, sizeof(*kctx));
+ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
+ return SIZE_MAX;
-
- return 1;
+ if (impl->md == NULL) {
+ KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST);
@ -1532,9 +1498,9 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
err:
OPENSSL_cleanse(prev, sizeof(prev));
diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_err.c
--- openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/kdf/kdf_err.c 2019-02-28 13:05:05.654521419 +0100
diff -up openssl-1.1.1e/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1e/crypto/kdf/kdf_err.c
--- openssl-1.1.1e/crypto/kdf/kdf_err.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/kdf/kdf_err.c 2020-03-19 16:04:32.349699159 +0100
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
@ -1590,9 +1556,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/k
{0, NULL}
};
diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_local.h
--- openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf 2019-02-28 13:05:05.654521419 +0100
+++ openssl-1.1.1b/crypto/kdf/kdf_local.h 2019-02-28 13:05:05.654521419 +0100
diff -up openssl-1.1.1e/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1e/crypto/kdf/kdf_local.h
--- openssl-1.1.1e/crypto/kdf/kdf_local.h.evp-kdf 2020-03-19 16:04:32.349699159 +0100
+++ openssl-1.1.1e/crypto/kdf/kdf_local.h 2020-03-19 16:04:32.349699159 +0100
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1616,9 +1582,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
+ int cmd, const char *md_name);
+
diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_util.c
--- openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100
+++ openssl-1.1.1b/crypto/kdf/kdf_util.c 2019-02-28 13:05:05.654521419 +0100
diff -up openssl-1.1.1e/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1e/crypto/kdf/kdf_util.c
--- openssl-1.1.1e/crypto/kdf/kdf_util.c.evp-kdf 2020-03-19 16:04:32.350699142 +0100
+++ openssl-1.1.1e/crypto/kdf/kdf_util.c 2020-03-19 16:04:32.350699142 +0100
@@ -0,0 +1,73 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1635,7 +1601,7 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/
+#include <openssl/kdf.h>
+#include <openssl/evp.h>
+#include "internal/cryptlib.h"
+#include "internal/evp_int.h"
+#include "crypto/evp.h"
+#include "internal/numbers.h"
+#include "kdf_local.h"
+
@ -1693,9 +1659,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/
+ return call_ctrl(ctrl, impl, cmd, md);
+}
+
diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pbkdf2.c
--- openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100
+++ openssl-1.1.1b/crypto/kdf/pbkdf2.c 2019-02-28 13:05:05.654521419 +0100
diff -up openssl-1.1.1e/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1e/crypto/kdf/pbkdf2.c
--- openssl-1.1.1e/crypto/kdf/pbkdf2.c.evp-kdf 2020-03-19 16:04:32.374698727 +0100
+++ openssl-1.1.1e/crypto/kdf/pbkdf2.c 2020-03-19 16:04:32.374698727 +0100
@@ -0,0 +1,264 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1713,7 +1679,7 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include "internal/cryptlib.h"
+#include "internal/evp_int.h"
+#include "crypto/evp.h"
+#include "kdf_local.h"
+
+static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl);
@ -1961,22 +1927,21 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb
+ HMAC_CTX_free(hctx_tpl);
+ return ret;
+}
diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/scrypt.c
--- openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/kdf/scrypt.c 2019-02-28 13:05:05.655521400 +0100
@@ -8,25 +8,34 @@
diff -up openssl-1.1.1e/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1e/crypto/kdf/scrypt.c
--- openssl-1.1.1e/crypto/kdf/scrypt.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/kdf/scrypt.c 2020-03-19 16:11:06.215872475 +0100
@@ -8,25 +8,35 @@
*/
#include <stdlib.h>
+#include <stdarg.h>
#include <string.h>
-#include <openssl/hmac.h>
-#include <openssl/kdf.h>
#include <openssl/hmac.h>
#include <openssl/kdf.h>
#include <openssl/evp.h>
-#include "internal/cryptlib.h"
+#include <openssl/kdf.h>
+#include <openssl/err.h>
#include "internal/evp_int.h"
#include "crypto/evp.h"
+#include "internal/numbers.h"
+#include "kdf_local.h"
@ -2005,7 +1970,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
/* Custom uint64_t parser since we do not have strtoull */
static int atou64(const char *nptr, uint64_t *result)
@@ -53,51 +62,53 @@ static int atou64(const char *nptr, uint
@@ -53,51 +63,53 @@ static int atou64(const char *nptr, uint
return 1;
}
@ -2090,7 +2055,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
if (new_buflen > 0) {
*buffer = OPENSSL_memdup(new_buffer, new_buflen);
@@ -105,7 +116,7 @@ static int pkey_scrypt_set_membuf(unsign
@@ -105,7 +117,7 @@ static int pkey_scrypt_set_membuf(unsign
*buffer = OPENSSL_malloc(1);
}
if (*buffer == NULL) {
@ -2099,7 +2064,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
return 0;
}
@@ -118,149 +129,378 @@ static int is_power_of_two(uint64_t valu
@@ -118,149 +130,378 @@ static int is_power_of_two(uint64_t valu
return (value != 0) && ((value & (value - 1)) == 0);
}
@ -2552,9 +2517,9 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
+}
#endif
diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/tls1_prf.c
--- openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/kdf/tls1_prf.c 2019-02-28 13:05:05.655521400 +0100
diff -up openssl-1.1.1e/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1e/crypto/kdf/tls1_prf.c
--- openssl-1.1.1e/crypto/kdf/tls1_prf.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/kdf/tls1_prf.c 2020-03-19 16:10:32.317460707 +0100
@@ -8,11 +8,15 @@
*/
@ -2562,10 +2527,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
+#include <stdarg.h>
+#include <string.h>
#include "internal/cryptlib.h"
-#include <openssl/kdf.h>
#include <openssl/kdf.h>
#include <openssl/evp.h>
+#include <openssl/kdf.h>
#include "internal/evp_int.h"
#include "crypto/evp.h"
+#include "kdf_local.h"
+static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl);
@ -2665,15 +2629,15 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
- kctx->seclen = p1;
+
+ impl->seclen = len;
+ return 1;
+
+ case EVP_KDF_CTRL_RESET_TLS_SEED:
+ OPENSSL_cleanse(impl->seed, impl->seedlen);
+ impl->seedlen = 0;
return 1;
- case EVP_PKEY_CTRL_TLS_SEED:
- if (p1 == 0 || p2 == NULL)
+ case EVP_KDF_CTRL_RESET_TLS_SEED:
+ OPENSSL_cleanse(impl->seed, impl->seedlen);
+ impl->seedlen = 0;
+ return 1;
+
+ case EVP_KDF_CTRL_ADD_TLS_SEED:
+ p = va_arg(args, const unsigned char *);
+ len = va_arg(args, size_t);
@ -2838,9 +2802,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
OPENSSL_clear_free(tmp, olen);
return 0;
}
diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod
--- openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
+++ openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod 2019-02-28 13:05:05.655521400 +0100
diff -up openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod
--- openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2020-03-19 16:04:32.377698675 +0100
+++ openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod 2020-03-19 16:04:32.377698675 +0100
@@ -0,0 +1,217 @@
+=pod
+
@ -3059,9 +3023,9 @@ diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod
--- openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
+++ openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod 2019-02-28 13:05:05.656521382 +0100
diff -up openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod
--- openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2020-03-19 16:04:32.377698675 +0100
+++ openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod 2020-03-19 16:04:32.377698675 +0100
@@ -0,0 +1,180 @@
+=pod
+
@ -3243,9 +3207,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod
--- openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
+++ openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod 2019-02-28 13:05:05.656521382 +0100
diff -up openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod
--- openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2020-03-19 16:04:32.378698658 +0100
+++ openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod 2020-03-19 16:04:32.378698658 +0100
@@ -0,0 +1,78 @@
+=pod
+
@ -3325,9 +3289,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/m
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod
--- openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
+++ openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod 2019-02-28 13:05:05.656521382 +0100
diff -up openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod
--- openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2020-03-19 16:04:32.378698658 +0100
+++ openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod 2020-03-19 16:04:32.378698658 +0100
@@ -0,0 +1,149 @@
+=pod
+
@ -3478,9 +3442,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/m
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod
--- openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
+++ openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod 2019-02-28 13:05:05.656521382 +0100
diff -up openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod
--- openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2020-03-19 16:04:32.378698658 +0100
+++ openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod 2020-03-19 16:04:32.378698658 +0100
@@ -0,0 +1,142 @@
+=pod
+
@ -3624,18 +3588,38 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/openssl/evperr.h
--- openssl-1.1.1b/include/openssl/evperr.h.evp-kdf 2019-02-28 13:05:05.633521807 +0100
+++ openssl-1.1.1b/include/openssl/evperr.h 2019-02-28 13:05:05.657521363 +0100
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -51,6 +51,9 @@ int ERR_load_EVP_strings(void);
diff -up openssl-1.1.1e/include/crypto/evp.h.evp-kdf openssl-1.1.1e/include/crypto/evp.h
--- openssl-1.1.1e/include/crypto/evp.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/include/crypto/evp.h 2020-03-19 16:04:32.347699194 +0100
@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
extern const EVP_PKEY_METHOD poly1305_pkey_meth;
extern const EVP_PKEY_METHOD siphash_pkey_meth;
+/* struct evp_kdf_impl_st is defined by the implementation */
+typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
+typedef struct {
+ int type;
+ EVP_KDF_IMPL *(*new) (void);
+ void (*free) (EVP_KDF_IMPL *impl);
+ void (*reset) (EVP_KDF_IMPL *impl);
+ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);
+ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
+ size_t (*size) (EVP_KDF_IMPL *impl);
+ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
+} EVP_KDF_METHOD;
+
+extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
+extern const EVP_KDF_METHOD scrypt_kdf_meth;
+extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
+extern const EVP_KDF_METHOD hkdf_kdf_meth;
+
struct evp_md_st {
int type;
int pkey_type;
diff -up openssl-1.1.1e/include/openssl/evperr.h.evp-kdf openssl-1.1.1e/include/openssl/evperr.h
--- openssl-1.1.1e/include/openssl/evperr.h.evp-kdf 2020-03-19 16:04:11.250064365 +0100
+++ openssl-1.1.1e/include/openssl/evperr.h 2020-03-19 16:04:32.379698640 +0100
@@ -58,6 +58,9 @@ int ERR_load_EVP_strings(void);
# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
# define EVP_F_EVP_ENCRYPTFINAL_EX 127
# define EVP_F_EVP_ENCRYPTUPDATE 167
@ -3645,7 +3629,7 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
# define EVP_F_EVP_MD_CTX_COPY_EX 110
# define EVP_F_EVP_MD_SIZE 162
# define EVP_F_EVP_OPENINIT 102
@@ -113,10 +116,12 @@ int ERR_load_EVP_strings(void);
@@ -120,11 +123,13 @@ int ERR_load_EVP_strings(void);
# define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118
# define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164
# define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180
@ -3653,12 +3637,13 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
# define EVP_F_PKEY_SET_TYPE 158
# define EVP_F_RC2_MAGIC_TO_METH 109
# define EVP_F_RC5_CTRL 125
# define EVP_F_R_32_12_16_INIT_KEY 242
# define EVP_F_S390X_AES_GCM_CTRL 201
+# define EVP_F_SCRYPT_ALG 228
# define EVP_F_UPDATE 173
/*
@@ -171,6 +176,7 @@ int ERR_load_EVP_strings(void);
@@ -181,6 +186,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_ONLY_ONESHOT_SUPPORTED 177
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
# define EVP_R_OPERATON_NOT_INITIALIZED 151
@ -3666,18 +3651,10 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
# define EVP_R_PARTIALLY_OVERLAPPING 162
# define EVP_R_PBKDF2_ERROR 181
# define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/openssl/kdferr.h
--- openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/include/openssl/kdferr.h 2019-02-28 13:05:05.657521363 +0100
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -19,6 +19,23 @@ int ERR_load_KDF_strings(void);
diff -up openssl-1.1.1e/include/openssl/kdferr.h.evp-kdf openssl-1.1.1e/include/openssl/kdferr.h
--- openssl-1.1.1e/include/openssl/kdferr.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/include/openssl/kdferr.h 2020-03-19 16:04:32.379698640 +0100
@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void);
/*
* KDF function codes.
*/
@ -3701,7 +3678,7 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/
# define KDF_F_PKEY_HKDF_CTRL_STR 103
# define KDF_F_PKEY_HKDF_DERIVE 102
# define KDF_F_PKEY_HKDF_INIT 108
@@ -30,6 +47,7 @@ int ERR_load_KDF_strings(void);
@@ -34,6 +51,7 @@ int ERR_load_KDF_strings(void);
# define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100
# define KDF_F_PKEY_TLS1_PRF_DERIVE 101
# define KDF_F_PKEY_TLS1_PRF_INIT 110
@ -3709,16 +3686,16 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/
# define KDF_F_TLS1_PRF_ALG 111
/*
@@ -47,5 +65,6 @@ int ERR_load_KDF_strings(void);
@@ -51,5 +69,6 @@ int ERR_load_KDF_strings(void);
# define KDF_R_UNKNOWN_PARAMETER_TYPE 103
# define KDF_R_VALUE_ERROR 108
# define KDF_R_VALUE_MISSING 102
+# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
#endif
diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/openssl/kdf.h
--- openssl-1.1.1b/include/openssl/kdf.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/include/openssl/kdf.h 2019-02-28 13:05:05.657521363 +0100
diff -up openssl-1.1.1e/include/openssl/kdf.h.evp-kdf openssl-1.1.1e/include/openssl/kdf.h
--- openssl-1.1.1e/include/openssl/kdf.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/include/openssl/kdf.h 2020-03-19 16:04:32.380698623 +0100
@@ -10,10 +10,50 @@
#ifndef HEADER_KDF_H
# define HEADER_KDF_H
@ -3797,9 +3774,9 @@ diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/ope
}
# endif
#endif
diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/include/openssl/ossl_typ.h
--- openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/include/openssl/ossl_typ.h 2019-02-28 13:05:05.657521363 +0100
diff -up openssl-1.1.1e/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1e/include/openssl/ossl_typ.h
--- openssl-1.1.1e/include/openssl/ossl_typ.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/include/openssl/ossl_typ.h 2020-03-19 16:04:32.381698606 +0100
@@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E
typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
@ -3809,10 +3786,10 @@ diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/includ
typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
typedef struct hmac_ctx_st HMAC_CTX;
diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
--- openssl-1.1.1b/test/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/build.info 2019-02-28 13:05:05.657521363 +0100
@@ -43,7 +43,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
diff -up openssl-1.1.1e/test/build.info.evp-kdf openssl-1.1.1e/test/build.info
--- openssl-1.1.1e/test/build.info.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/test/build.info 2020-03-19 16:04:32.381698606 +0100
@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
bio_callback_test bio_memleak_test \
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
@ -3822,7 +3799,7 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
asn1_encode_test asn1_decode_test asn1_string_table_test \
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
recordlentest drbgtest sslbuffertest \
@@ -335,6 +336,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
@@ -336,6 +337,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
INCLUDE[pkey_meth_kdf_test]=../include
DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a
@ -3833,9 +3810,9 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
SOURCE[x509_time_test]=x509_time_test.c
INCLUDE[x509_time_test]=../include
DEPEND[x509_time_test]=../libcrypto libtestutil.a
diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_test.c
--- openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf 2019-02-28 13:05:05.658521345 +0100
+++ openssl-1.1.1b/test/evp_kdf_test.c 2019-02-28 13:05:05.658521345 +0100
diff -up openssl-1.1.1e/test/evp_kdf_test.c.evp-kdf openssl-1.1.1e/test/evp_kdf_test.c
--- openssl-1.1.1e/test/evp_kdf_test.c.evp-kdf 2020-03-19 16:04:32.382698588 +0100
+++ openssl-1.1.1e/test/evp_kdf_test.c 2020-03-19 16:04:32.382698588 +0100
@@ -0,0 +1,237 @@
+/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
@ -4074,10 +4051,10 @@ diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_
+#endif
+ return 1;
+}
diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
--- openssl-1.1.1b/test/evp_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/evp_test.c 2019-02-28 13:05:05.658521345 +0100
@@ -1672,13 +1672,14 @@ static const EVP_TEST_METHOD encode_test
diff -up openssl-1.1.1e/test/evp_test.c.evp-kdf openssl-1.1.1e/test/evp_test.c
--- openssl-1.1.1e/test/evp_test.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/test/evp_test.c 2020-03-19 16:04:32.383698571 +0100
@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test
encode_test_run,
};
@ -4093,7 +4070,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
/* Expected output */
unsigned char *output;
size_t output_len;
@@ -1705,16 +1706,11 @@ static int kdf_test_init(EVP_TEST *t, co
@@ -1738,16 +1739,11 @@ static int kdf_test_init(EVP_TEST *t, co
if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
return 0;
@ -4111,7 +4088,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
t->data = kdata;
return 1;
}
@@ -1723,7 +1719,42 @@ static void kdf_test_cleanup(EVP_TEST *t
@@ -1756,7 +1752,42 @@ static void kdf_test_cleanup(EVP_TEST *t
{
KDF_DATA *kdata = t->data;
OPENSSL_free(kdata->output);
@ -4155,7 +4132,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
}
static int kdf_test_parse(EVP_TEST *t,
@@ -1734,7 +1765,7 @@ static int kdf_test_parse(EVP_TEST *t,
@@ -1767,7 +1798,7 @@ static int kdf_test_parse(EVP_TEST *t,
if (strcmp(keyword, "Output") == 0)
return parse_bin(value, &kdata->output, &kdata->output_len);
if (strncmp(keyword, "Ctrl", 4) == 0)
@ -4164,7 +4141,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
return 0;
}
@@ -1748,7 +1779,7 @@ static int kdf_test_run(EVP_TEST *t)
@@ -1781,7 +1812,7 @@ static int kdf_test_run(EVP_TEST *t)
t->err = "INTERNAL_ERROR";
goto err;
}
@ -4173,7 +4150,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
t->err = "KDF_DERIVE_ERROR";
goto err;
}
@@ -1774,6 +1805,106 @@ static const EVP_TEST_METHOD kdf_test_me
@@ -1807,6 +1838,106 @@ static const EVP_TEST_METHOD kdf_test_me
/**
@ -4280,7 +4257,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
*** KEYPAIR TESTS
**/
@@ -2277,6 +2408,7 @@ static const EVP_TEST_METHOD *evp_test_l
@@ -2310,6 +2441,7 @@ static const EVP_TEST_METHOD *evp_test_l
&digestverify_test_method,
&encode_test_method,
&kdf_test_method,
@ -4288,9 +4265,9 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
&keypair_test_method,
&keygen_test_method,
&mac_test_method,
diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pkey_meth_kdf_test.c
--- openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/pkey_meth_kdf_test.c 2019-02-28 13:05:05.658521345 +0100
diff -up openssl-1.1.1e/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1e/test/pkey_meth_kdf_test.c
--- openssl-1.1.1e/test/pkey_meth_kdf_test.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/test/pkey_meth_kdf_test.c 2020-03-19 16:04:32.386698519 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
@ -4494,9 +4471,9 @@ diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pk
}
#endif
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt 2019-02-28 13:05:05.659521326 +0100
diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt
--- openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt 2020-03-19 16:04:32.388698484 +0100
@@ -1,5 +1,5 @@
#
-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
@ -4895,9 +4872,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl
+Ctrl.digest = digest:sha512
+Output = 00ef42cdbfc98d29db20976608e455567fdddf14
+
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2019-02-28 13:05:05.659521326 +0100
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt 2019-02-28 13:05:05.659521326 +0100
diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt
--- openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2020-03-19 16:04:32.389698467 +0100
+++ openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt 2020-03-19 16:04:32.389698467 +0100
@@ -0,0 +1,305 @@
+#
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
@ -5204,9 +5181,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf op
+Ctrl.p = p:1
+Result = INTERNAL_ERROR
+
diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_kdf.t
--- openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf 2019-02-28 13:05:05.659521326 +0100
+++ openssl-1.1.1b/test/recipes/30-test_evp_kdf.t 2019-02-28 13:05:05.659521326 +0100
diff -up openssl-1.1.1e/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp_kdf.t
--- openssl-1.1.1e/test/recipes/30-test_evp_kdf.t.evp-kdf 2020-03-19 16:04:32.390698450 +0100
+++ openssl-1.1.1e/test/recipes/30-test_evp_kdf.t 2020-03-19 16:04:32.390698450 +0100
@@ -0,0 +1,13 @@
+#! /usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -5221,9 +5198,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/te
+use OpenSSL::Test::Simple;
+
+simple_test("test_evp_kdf", "evp_kdf_test");
diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/recipes/30-test_evp.t
--- openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf 2019-05-29 16:55:38.236960543 +0200
+++ openssl-1.1.1c/test/recipes/30-test_evp.t 2019-05-29 16:57:46.348718012 +0200
diff -up openssl-1.1.1e/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp.t
--- openssl-1.1.1e/test/recipes/30-test_evp.t.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/test/recipes/30-test_evp.t 2020-03-19 16:04:32.390698450 +0100
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
setup("test_evp");
@ -5233,11 +5210,10 @@ diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/r
"evpcase.txt", "evpccmcavs.txt" );
plan tests => scalar(@files);
diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto.num
--- openssl-1.1.1b/util/libcrypto.num.evp-kdf 2019-02-28 13:05:05.636521752 +0100
+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 13:05:05.660521308 +0100
@@ -4614,3 +4614,11 @@ FIPS_drbg_get_strength
diff -up openssl-1.1.1e/util/libcrypto.num.evp-kdf openssl-1.1.1e/util/libcrypto.num
--- openssl-1.1.1e/util/libcrypto.num.evp-kdf 2020-03-19 16:04:11.263064140 +0100
+++ openssl-1.1.1e/util/libcrypto.num 2020-03-19 16:04:32.392698415 +0100
@@ -4622,3 +4622,11 @@ FIPS_drbg_get_strength
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
@ -5249,9 +5225,9 @@ diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto
+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
diff -up openssl-1.1.1b/util/private.num.evp-kdf openssl-1.1.1b/util/private.num
--- openssl-1.1.1b/util/private.num.evp-kdf 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/util/private.num 2019-02-28 13:05:05.660521308 +0100
diff -up openssl-1.1.1e/util/private.num.evp-kdf openssl-1.1.1e/util/private.num
--- openssl-1.1.1e/util/private.num.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/util/private.num 2020-03-19 16:04:32.393698398 +0100
@@ -21,6 +21,7 @@ CRYPTO_EX_dup
CRYPTO_EX_free datatype
CRYPTO_EX_new datatype


@ -1,33 +1,17 @@
diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1b/crypto/include/internal/rand_int.h
--- openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test 2019-05-07 08:56:33.242179136 +0200
+++ openssl-1.1.1b/crypto/include/internal/rand_int.h 2019-05-07 09:54:14.920204875 +0200
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
+/* CRNG test entropy filter callbacks. */
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
+ unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance);
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
+ unsigned char *out, size_t outlen);
+
/*
* RAND_POOL functions
*/
diff -up openssl-1.1.1b/crypto/rand/build.info.crng-test openssl-1.1.1b/crypto/rand/build.info
--- openssl-1.1.1b/crypto/rand/build.info.crng-test 2019-05-07 09:54:14.921204857 +0200
+++ openssl-1.1.1b/crypto/rand/build.info 2019-05-07 09:55:22.730014705 +0200
@@ -1,4 +1,4 @@
diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200
@@ -1,6 +1,6 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
- randfile.c rand_lib.c rand_err.c rand_egd.c \
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/rand/drbg_lib.c
--- openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/rand/drbg_lib.c 2019-05-07 10:04:51.753157224 +0200
INCLUDE[drbg_ctr.o]=../modes
diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
@ -51,9 +35,9 @@ diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/r
#ifndef RAND_DRBG_GET_RANDOM_NONCE
drbg->get_nonce = rand_drbg_get_nonce;
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/crypto/rand/rand_crng_test.c
--- openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test 2019-05-07 09:54:14.925204787 +0200
+++ openssl-1.1.1b/crypto/rand/rand_crng_test.c 2019-05-07 09:54:14.932204664 +0200
diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200
@@ -0,0 +1,118 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@ -71,9 +55,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+
+#include <string.h>
+#include <openssl/evp.h>
+#include "internal/rand_int.h"
+#include "crypto/rand.h"
+#include "internal/thread_once.h"
+#include "rand_lcl.h"
+#include "rand_local.h"
+
+static RAND_POOL *crngt_pool;
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
@ -110,7 +94,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+{
+ unsigned char buf[CRNGT_BUFSIZ];
+
+ if ((crngt_pool = rand_pool_new(0, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
+ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
+ return 0;
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) {
+ OPENSSL_cleanse(buf, sizeof(buf));
@ -147,7 +131,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
+ return 0;
+
+ if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL)
+ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
+ return 0;
+
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
@ -173,9 +157,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
+{
+ OPENSSL_secure_clear_free(out, outlen);
+}
diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/rand/rand_lcl.h
--- openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test 2019-05-07 08:56:33.330177674 +0200
+++ openssl-1.1.1b/crypto/rand/rand_lcl.h 2019-05-07 09:54:14.933204647 +0200
diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200
+++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200
@@ -33,7 +33,15 @@
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
@ -193,17 +177,16 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
@@ -44,7 +52,8 @@
@@ -44,6 +52,8 @@
*/
# define DRBG_MAX_LENGTH INT32_MAX
-
+/* The default nonce */
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
/*
* Maximum allocation size for RANDOM_POOL buffers
@@ -290,4 +299,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
/* initializes the AES-CTR DRBG implementation */
int drbg_ctr_init(RAND_DRBG *drbg);
@ -226,10 +209,28 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r
+int rand_crngt_single_init(void);
+
#endif
diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
--- openssl-1.1.1b/test/drbgtest.c.crng-test 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/drbgtest.c 2019-05-07 10:06:24.706551561 +0200
@@ -143,6 +143,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
+/* CRNG test entropy filter callbacks. */
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
+ unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance);
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
+ unsigned char *out, size_t outlen);
+
/*
* RAND_POOL functions
*/
diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
return t->noncelen;
}
@ -261,7 +262,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
static int uninstantiate(RAND_DRBG *drbg)
{
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
@@ -168,7 +193,8 @@ static int single_kat(DRBG_SELFTEST_DATA
@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
return 0;
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
@ -271,7 +272,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
failures++;
goto err;
}
@@ -286,7 +312,8 @@ static int error_check(DRBG_SELFTEST_DAT
@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
unsigned int reseed_counter_tmp;
int ret = 0;
@ -281,7 +282,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
goto err;
/*
@@ -699,6 +726,10 @@ static int test_rand_drbg_reseed(void)
@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
|| !TEST_ptr_eq(private->parent, master))
return 0;
@ -292,7 +293,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
/* uninstantiate the three global DRBGs */
RAND_DRBG_uninstantiate(private);
RAND_DRBG_uninstantiate(public);
@@ -919,7 +950,8 @@ static int test_rand_seed(void)
@@ -964,7 +995,8 @@ static int test_rand_seed(void)
size_t rand_buflen;
size_t required_seed_buflen = 0;
@ -302,7 +303,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
return 0;
#ifdef OPENSSL_RAND_SEED_NONE
@@ -968,6 +1000,95 @@ static int test_rand_add(void)
@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
return 1;
}
@ -398,7 +399,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
int setup_tests(void)
{
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
@@ -980,5 +1101,6 @@ int setup_tests(void)
@@ -1025,5 +1146,6 @@ int setup_tests(void)
#if defined(OPENSSL_THREADS)
ADD_TEST(test_multi_thread);
#endif
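Review bot: The comment added together with `DRBG_DEFAULT_PERS_STRING` in the rand_local.h hunk (L2532–L2533) reads `/* The default nonce */`, but the macro is the default personalization string, not a nonce; those are two distinct DRBG instantiation inputs and the mislabel will mislead the next reader. Suggest `/* The default personalization string */`. Separately, the rebased `rand_pool_new()` calls at L2498 and L2507 gain a bare `1` as second argument — presumably the secure-heap flag, which would match the `OPENSSL_secure_clear_free()` in the cleanup callback at L2513 — and would read better as `rand_pool_new(entropy, 1 /* secure */, min_len, max_len)`. Both enclosing functions start and end outside the visible hunks.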


@ -1,6 +1,6 @@
diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1c/crypto/ec/ec_curve.c
--- openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves 2019-11-25 13:18:40.719532357 +0100
+++ openssl-1.1.1c/crypto/ec/ec_curve.c 2019-11-25 13:18:40.765531559 +0100
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
@@ -13,6 +13,7 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
@ -106,18 +106,10 @@ diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1c/crypto/e
}
/* Functions to translate between common NIST curve names and NIDs */
diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
--- openssl-1.1.1c/ssl/t1_lib.c.fips-curves 2019-11-25 13:18:40.658533416 +0100
+++ openssl-1.1.1c/ssl/t1_lib.c 2019-11-26 17:57:15.014742428 +0100
@@ -20,6 +20,7 @@
#include "internal/nelem.h"
#include "ssl_locl.h"
#include <openssl/ct.h>
+#include <openssl/crypto.h>
SSL3_ENC_METHOD const TLSv1_enc_data = {
tls1_enc,
@@ -676,6 +677,36 @@ static const uint16_t tls12_sigalgs[] =
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
#endif
};
@ -154,20 +146,16 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
#ifndef OPENSSL_NO_EC
static const uint16_t suiteb_sigalgs[] = {
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
@@ -890,8 +921,11 @@ static const SIGALG_LOOKUP *tls1_get_leg
@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
}
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
return NULL;
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
- const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
+ const SIGALG_LOOKUP *lu;
+ if (FIPS_mode()) /* We do not allow SHA1 signatures in FIPS mode */
+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
+ return NULL;
+ lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
if (!tls1_lookup_md(lu, NULL))
return NULL;
return lu;
@@ -945,6 +979,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
} else if (s->cert->conf_sigalgs) {
*psigs = s->cert->conf_sigalgs;
return s->cert->conf_sigalgslen;
@ -177,7 +165,7 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
} else {
*psigs = tls12_sigalgs;
return OSSL_NELEM(tls12_sigalgs);
@@ -964,6 +1001,9 @@ int tls_check_sigalg_curve(const SSL *s,
@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
if (s->cert->conf_sigalgs) {
sigs = s->cert->conf_sigalgs;
siglen = s->cert->conf_sigalgslen;
@ -187,7 +175,7 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
} else {
sigs = tls12_sigalgs;
siglen = OSSL_NELEM(tls12_sigalgs);
@@ -1582,6 +1622,8 @@ static int tls12_sigalg_allowed(SSL *s,
@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
if (lu->sig == NID_id_GostR3410_2012_256
|| lu->sig == NID_id_GostR3410_2012_512
|| lu->sig == NID_id_GostR3410_2001) {
@ -196,7 +184,7 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips-curves openssl-1.1.1c/ssl/t1_lib.c
/* We never allow GOST sig algs on the server with TLSv1.3 */
if (s->server && SSL_IS_TLS13(s))
return 0;
@@ -2720,6 +2762,13 @@ int tls_choose_sigalg(SSL *s, int fatale
@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
const uint16_t *sent_sigs;
size_t sent_sigslen;
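Review bot: In the rebased `tls1_get_legacy_sigalg` hunk (L2656–L2672) the `if (FIPS_mode()) return NULL;` guard now sits before the `if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA)` block, whereas the previous revision of the patch (L2660–L2666) placed it inside that block; in FIPS mode the function therefore appears to return NULL for the non-sigalgs `SSL_PKEY_RSA` path as well, which the previous patch left untouched. If that widening is intentional, the comment should say so rather than only naming SHA1, e.g. `/* No legacy default sigalgs of any kind in FIPS mode */`; if it is not, the guard needs to move back inside the block. The enclosing function starts and ends outside the hunk, so the effect on the RSA fallback is inferred from the changed placement only.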



@ -0,0 +1,587 @@
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest 2020-04-23 13:33:12.500624151 +0200
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-04-23 13:33:12.618621925 +0200
@@ -67,12 +67,18 @@
# include <openssl/fips.h>
# include "crypto/fips.h"
+# include "crypto/rand.h"
# include "fips_locl.h"
/* Run all selftests */
int FIPS_selftest(void)
{
int rv = 1;
+ if (!rand_drbg_selftest()) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE);
+ ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
+ rv = 0;
+ }
if (!FIPS_selftest_drbg())
rv = 0;
if (!FIPS_selftest_sha1())
diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:34:10.857523497 +0200
@@ -1,6 +1,6 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
+ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
INCLUDE[drbg_ctr.o]=../modes
diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c 2020-04-23 13:33:12.619621907 +0200
@@ -0,0 +1,537 @@
+/*
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <stddef.h>
+#include "internal/nelem.h"
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/rand_drbg.h>
+#include <openssl/obj_mac.h>
+#include "internal/thread_once.h"
+#include "crypto/rand.h"
+
+typedef struct test_ctx_st {
+ const unsigned char *entropy;
+ size_t entropylen;
+ int entropycnt;
+ const unsigned char *nonce;
+ size_t noncelen;
+ int noncecnt;
+} TEST_CTX;
+
+static int app_data_index = -1;
+static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
+DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
+{
+ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
+
+ return 1;
+}
+
+enum drbg_kat_type {
+ NO_RESEED,
+ PR_FALSE,
+ PR_TRUE
+};
+
+enum drbg_df {
+ USE_DF,
+ NO_DF,
+ NA
+};
+
+struct drbg_kat_no_reseed {
+ size_t count;
+ const unsigned char *entropyin;
+ const unsigned char *nonce;
+ const unsigned char *persstr;
+ const unsigned char *addin1;
+ const unsigned char *addin2;
+ const unsigned char *retbytes;
+};
+
+struct drbg_kat_pr_false {
+ size_t count;
+ const unsigned char *entropyin;
+ const unsigned char *nonce;
+ const unsigned char *persstr;
+ const unsigned char *entropyinreseed;
+ const unsigned char *addinreseed;
+ const unsigned char *addin1;
+ const unsigned char *addin2;
+ const unsigned char *retbytes;
+};
+
+struct drbg_kat_pr_true {
+ size_t count;
+ const unsigned char *entropyin;
+ const unsigned char *nonce;
+ const unsigned char *persstr;
+ const unsigned char *entropyinpr1;
+ const unsigned char *addin1;
+ const unsigned char *entropyinpr2;
+ const unsigned char *addin2;
+ const unsigned char *retbytes;
+};
+
+struct drbg_kat {
+ enum drbg_kat_type type;
+ enum drbg_df df;
+ int nid;
+
+ size_t entropyinlen;
+ size_t noncelen;
+ size_t persstrlen;
+ size_t addinlen;
+ size_t retbyteslen;
+
+ const void *t;
+};
+
+/*
+ * Excerpt from test/drbg_cavs_data.c
+ * DRBG test vectors from:
+ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
+ */
+
+static const unsigned char kat1308_entropyin[] = {
+ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
+ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
+ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
+ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
+};
+static const unsigned char kat1308_nonce[] = {0};
+static const unsigned char kat1308_persstr[] = {
+ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
+ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
+ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
+ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
+};
+static const unsigned char kat1308_addin0[] = {
+ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
+ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
+ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
+ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
+};
+static const unsigned char kat1308_addin1[] = {
+ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
+ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
+ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
+ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
+};
+static const unsigned char kat1308_retbits[] = {
+ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
+ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
+ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
+ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
+ 0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
+ 0x26, 0x32, 0xd0, 0xb8,
+};
+static const struct drbg_kat_no_reseed kat1308_t = {
+ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
+ kat1308_addin0, kat1308_addin1, kat1308_retbits
+};
+static const struct drbg_kat kat1308 = {
+ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
+};
+
+static const unsigned char kat1465_entropyin[] = {
+ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
+ 0x87, 0xbe, 0xaa, 0xc0,
+};
+static const unsigned char kat1465_nonce[] = {
+ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
+};
+static const unsigned char kat1465_persstr[] = {0};
+static const unsigned char kat1465_entropyinreseed[] = {
+ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
+ 0x1f, 0x4b, 0x7b, 0x51,
+};
+static const unsigned char kat1465_addinreseed[] = {
+ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
+ 0x61, 0x9f, 0x26, 0x5f,
+};
+static const unsigned char kat1465_addin0[] = {
+ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
+ 0x10, 0x5a, 0x73, 0x9c,
+};
+static const unsigned char kat1465_addin1[] = {
+ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
+ 0x47, 0x99, 0x1f, 0xeb,
+};
+static const unsigned char kat1465_retbits[] = {
+ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
+ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
+ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
+ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
+ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
+ 0x58, 0xdb, 0x27, 0xba,
+};
+static const struct drbg_kat_pr_false kat1465_t = {
+ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
+ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
+ kat1465_addin1, kat1465_retbits
+};
+static const struct drbg_kat kat1465 = {
+ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
+};
+
+static const unsigned char kat3146_entropyin[] = {
+ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
+ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
+};
+static const unsigned char kat3146_nonce[] = {
+ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
+ 0x50, 0x86, 0xca, 0xca,
+};
+static const unsigned char kat3146_persstr[] = {0};
+static const unsigned char kat3146_entropyinpr1[] = {
+ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
+ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
+};
+static const unsigned char kat3146_addinpr1[] = {
+ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
+ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
+ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
+};
+static const unsigned char kat3146_entropyinpr2[] = {
+ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
+ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
+};
+static const unsigned char kat3146_addinpr2[] = {
+ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
+ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
+ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
+};
+static const unsigned char kat3146_retbits[] = {
+ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
+ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
+ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
+ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
+ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
+ 0xd4, 0x30, 0x73, 0xbb,
+};
+static const struct drbg_kat_pr_true kat3146_t = {
+ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
+ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
+ kat3146_addinpr2, kat3146_retbits
+};
+static const struct drbg_kat kat3146 = {
+ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
+};
+
+static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
+
+static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
+
+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len,
+ int prediction_resistance)
+{
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+
+ t->entropycnt++;
+ *pout = (unsigned char *)t->entropy;
+ return t->entropylen;
+}
+
+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
+
+ t->noncecnt++;
+ *pout = (unsigned char *)t->nonce;
+ return t->noncelen;
+}
+
+/*
+ * Do a single NO_RESEED KAT:
+ *
+ * Instantiate
+ * Generate Random Bits (pr=false)
+ * Generate Random Bits (pr=false)
+ * Uninstantiate
+ *
+ * Return 0 on failure.
+ */
+static int single_kat_no_reseed(const struct drbg_kat *td)
+{
+ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
+ RAND_DRBG *drbg = NULL;
+ unsigned char *buff = NULL;
+ unsigned int flags = 0;
+ int failures = 0;
+ TEST_CTX t;
+
+ if (td->df != USE_DF)
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
+
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
+ return 0;
+
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+ kat_nonce, NULL)) {
+ failures++;
+ goto err;
+ }
+ memset(&t, 0, sizeof(t));
+ t.entropy = data->entropyin;
+ t.entropylen = td->entropyinlen;
+ t.nonce = data->nonce;
+ t.noncelen = td->noncelen;
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+ buff = OPENSSL_malloc(td->retbyteslen);
+ if (buff == NULL) {
+ failures++;
+ goto err;
+ }
+
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
+ data->addin1, td->addinlen)
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
+ data->addin2, td->addinlen)
+ || memcmp(data->retbytes, buff,
+ td->retbyteslen) != 0)
+ failures++;
+
+err:
+ OPENSSL_free(buff);
+ RAND_DRBG_uninstantiate(drbg);
+ RAND_DRBG_free(drbg);
+ return failures == 0;
+}
+
+/*-
+ * Do a single PR_FALSE KAT:
+ *
+ * Instantiate
+ * Reseed
+ * Generate Random Bits (pr=false)
+ * Generate Random Bits (pr=false)
+ * Uninstantiate
+ *
+ * Return 0 on failure.
+ */
+static int single_kat_pr_false(const struct drbg_kat *td)
+{
+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
+ RAND_DRBG *drbg = NULL;
+ unsigned char *buff = NULL;
+ unsigned int flags = 0;
+ int failures = 0;
+ TEST_CTX t;
+
+ if (td->df != USE_DF)
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
+
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
+ return 0;
+
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+ kat_nonce, NULL)) {
+ failures++;
+ goto err;
+ }
+ memset(&t, 0, sizeof(t));
+ t.entropy = data->entropyin;
+ t.entropylen = td->entropyinlen;
+ t.nonce = data->nonce;
+ t.noncelen = td->noncelen;
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+ buff = OPENSSL_malloc(td->retbyteslen);
+ if (buff == NULL) {
+ failures++;
+ goto err;
+ }
+
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
+ failures++;
+
+ t.entropy = data->entropyinreseed;
+ t.entropylen = td->entropyinlen;
+
+ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
+ data->addin1, td->addinlen)
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
+ data->addin2, td->addinlen)
+ || memcmp(data->retbytes, buff,
+ td->retbyteslen) != 0)
+ failures++;
+
+err:
+ OPENSSL_free(buff);
+ RAND_DRBG_uninstantiate(drbg);
+ RAND_DRBG_free(drbg);
+ return failures == 0;
+}
+
+/*-
+ * Do a single PR_TRUE KAT:
+ *
+ * Instantiate
+ * Generate Random Bits (pr=true)
+ * Generate Random Bits (pr=true)
+ * Uninstantiate
+ *
+ * Return 0 on failure.
+ */
+static int single_kat_pr_true(const struct drbg_kat *td)
+{
+ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
+ RAND_DRBG *drbg = NULL;
+ unsigned char *buff = NULL;
+ unsigned int flags = 0;
+ int failures = 0;
+ TEST_CTX t;
+
+ if (td->df != USE_DF)
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
+
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
+ return 0;
+
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+ kat_nonce, NULL)) {
+ failures++;
+ goto err;
+ }
+ memset(&t, 0, sizeof(t));
+ t.nonce = data->nonce;
+ t.noncelen = td->noncelen;
+ t.entropy = data->entropyin;
+ t.entropylen = td->entropyinlen;
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+ buff = OPENSSL_malloc(td->retbyteslen);
+ if (buff == NULL) {
+ failures++;
+ goto err;
+ }
+
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
+ failures++;
+
+ t.entropy = data->entropyinpr1;
+ t.entropylen = td->entropyinlen;
+
+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
+ data->addin1, td->addinlen))
+ failures++;
+
+ t.entropy = data->entropyinpr2;
+ t.entropylen = td->entropyinlen;
+
+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
+ data->addin2, td->addinlen)
+ || memcmp(data->retbytes, buff,
+ td->retbyteslen) != 0)
+ failures++;
+
+err:
+ OPENSSL_free(buff);
+ RAND_DRBG_uninstantiate(drbg);
+ RAND_DRBG_free(drbg);
+ return failures == 0;
+}
+
+static int test_kats(int i)
+{
+ const struct drbg_kat *td = drbg_test[i];
+ int rv = 0;
+
+ switch (td->type) {
+ case NO_RESEED:
+ if (!single_kat_no_reseed(td))
+ goto err;
+ break;
+ case PR_FALSE:
+ if (!single_kat_pr_false(td))
+ goto err;
+ break;
+ case PR_TRUE:
+ if (!single_kat_pr_true(td))
+ goto err;
+ break;
+ default: /* cant happen */
+ goto err;
+ }
+ rv = 1;
+err:
+ return rv;
+}
+
+/*-
+ * Do one expected-error test:
+ *
+ * Instantiate with no entropy supplied
+ *
+ * Return 0 on failure.
+ */
+static int test_drbg_sanity(const struct drbg_kat *td)
+{
+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
+ RAND_DRBG *drbg = NULL;
+ unsigned int flags = 0;
+ int failures = 0;
+ TEST_CTX t;
+
+ if (td->df != USE_DF)
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
+
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
+ return 0;
+
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+ kat_nonce, NULL)) {
+ failures++;
+ goto err;
+ }
+ memset(&t, 0, sizeof(t));
+ t.entropy = data->entropyin;
+ t.entropylen = 0; /* No entropy */
+ t.nonce = data->nonce;
+ t.noncelen = td->noncelen;
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
+
+ ERR_set_mark();
+ /* This must fail. */
+ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
+ failures++;
+ RAND_DRBG_uninstantiate(drbg);
+ ERR_pop_to_mark();
+
+err:
+ RAND_DRBG_free(drbg);
+ return failures == 0;
+}
+
+
+int rand_drbg_selftest(void)
+{
+ int i;
+
+ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
+ return 0;
+
+ for (i = 0; i < drbg_test_nelem; i++) {
+ if (test_kats(i) <= 0)
+ return 0;
+ }
+
+ if (test_drbg_sanity(&kat1465) <= 0)
+ return 0;
+
+ return 1;
+}
diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest 2020-04-23 13:33:12.587622510 +0200
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:33:12.619621907 +0200
@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
*/
void rand_pool_keep_random_devices_open(int keep);
+/*
+ * Perform the DRBG KAT selftests
+ */
+int rand_drbg_selftest(void);
+
#endif


@ -1,11 +1,11 @@
diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/fips/fips.c
--- openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand 2019-05-29 15:53:56.328216002 +0200
+++ openssl-1.1.1c/crypto/fips/fips.c 2019-05-29 15:53:56.359215457 +0200
diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/fips/fips.c
--- openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand 2020-03-17 18:06:16.822418854 +0100
+++ openssl-1.1.1e/crypto/fips/fips.c 2020-03-17 18:06:16.861418172 +0100
@@ -68,6 +68,7 @@
# include <openssl/fips.h>
# include "internal/thread_once.h"
+# include "internal/rand_int.h"
+# include "crypto/rand.h"
# ifndef PATH_MAX
# define PATH_MAX 1024
@ -46,41 +46,52 @@ diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/
+
fips_set_mode(onoff);
+ /* force RNG reseed with entropy from getrandom() on next call */
+ rand_fork();
+ rand_force_reseed();
+
ret = 1;
goto end;
}
diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1c/crypto/include/internal/fips_int.h
--- openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand 2019-05-29 15:53:56.337215844 +0200
+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-05-29 15:53:56.359215457 +0200
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void);
diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/crypto/rand/drbg_lib.c
--- openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/rand/drbg_lib.c 2020-03-17 18:07:35.305045521 +0100
@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
}
+int fips_in_post(void);
+void rand_force_reseed(void)
+{
+ RAND_DRBG *drbg;
+
int fips_pkey_signature_test(EVP_PKEY *pkey,
const unsigned char *tbs, int tbslen,
const unsigned char *kat,
diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/crypto/rand/rand_unix.c
--- openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-05-29 16:54:16.471391802 +0200
@@ -16,10 +16,12 @@
#include <openssl/rand.h>
#include "rand_lcl.h"
#include "internal/rand_int.h"
+#include "internal/fips_int.h"
+ drbg = RAND_DRBG_get0_master();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_private();
+ drbg->fork_id = 0;
+
+ drbg = RAND_DRBG_get0_public();
+ drbg->fork_id = 0;
+}
+
/* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness)
{
diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/crypto/rand/rand_unix.c
--- openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/rand/rand_unix.c 2020-03-17 18:09:01.503537189 +0100
@@ -17,10 +17,12 @@
#include <openssl/crypto.h>
#include "rand_local.h"
#include "crypto/rand.h"
+#include "crypto/fips.h"
#include <stdio.h>
#include "internal/dso.h"
#if defined(__linux)
-# include <asm/unistd.h>
+# include <sys/syscall.h>
#ifdef __linux
# include <sys/syscall.h>
+# include <sys/random.h>
#endif
#if defined(__FreeBSD__)
# include <sys/types.h>
@@ -279,7 +281,7 @@ static ssize_t sysctl_random(char *buf,
# ifdef DEVRANDOM_WAIT
# include <sys/shm.h>
# include <sys/utsname.h>
@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
* syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error.
*/
@ -89,7 +100,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
{
/*
* Note: 'buflen' equals the size of the buffer which is used by the
@@ -301,6 +303,7 @@ static ssize_t syscall_random(void *buf,
@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
* - Linux since 3.17 with glibc 2.25
* - FreeBSD since 12.0 (1200061)
*/
@ -97,7 +108,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
@@ -322,10 +325,10 @@ static ssize_t syscall_random(void *buf,
@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
if (p_getentropy.p != NULL)
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
# endif
@ -111,19 +122,17 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
return sysctl_random(buf, buflen);
# else
@@ -475,8 +478,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t bytes_needed;
size_t entropy_available = 0;
unsigned char *buffer;
-
@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t entropy_available;
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
+ int in_post;
+
+ for (in_post = fips_in_post(); in_post >= 0; --in_post) {
{
ssize_t bytes;
/* Maximum allowed number of consecutive unsuccessful attempts */
@@ -485,7 +490,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t bytes_needed;
unsigned char *buffer;
@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
@ -132,7 +141,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes;
@@ -540,8 +545,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
int attempts = 3;
const int fd = get_random_device(i);
@ -144,8 +153,8 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -601,7 +608,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
}
@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
return entropy_available;
}
# endif
-
@ -155,3 +164,26 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
return rand_pool_entropy_available(pool);
# endif
}
diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/include/crypto/fips.h
--- openssl-1.1.1e/include/crypto/fips.h.fips-post-rand 2020-03-17 18:06:16.831418696 +0100
+++ openssl-1.1.1e/include/crypto/fips.h 2020-03-17 18:06:16.861418172 +0100
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void);
+int fips_in_post(void);
+
int fips_pkey_signature_test(EVP_PKEY *pkey,
const unsigned char *tbs, int tbslen,
const unsigned char *kat,
diff -up openssl-1.1.1e/include/crypto/rand.h.fips-post-rand openssl-1.1.1e/include/crypto/rand.h
--- openssl-1.1.1e/include/crypto/rand.h.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/include/crypto/rand.h 2020-03-17 18:07:35.303045555 +0100
@@ -24,6 +24,7 @@
typedef struct rand_pool_st RAND_POOL;
void rand_cleanup_int(void);
+void rand_force_reseed(void);
void rand_drbg_cleanup_int(void);
void drbg_delete_thread_state(void);
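Review bot: rand_force_reseed() in the drbg_lib.c hunk writes `drbg->fork_id = 0` through the results of RAND_DRBG_get0_master(), RAND_DRBG_get0_private() and RAND_DRBG_get0_public() without checking for NULL; those accessors can return NULL when a DRBG instance could not be allocated, and this path appears to run from FIPS mode switching, so a NULL dereference there takes the process down instead of failing the mode switch. Each of the three assignments should be guarded, e.g. `if ((drbg = RAND_DRBG_get0_master()) != NULL) drbg->fork_id = 0;`, repeated for the private and public instances. The function also has no comment on why zeroing fork_id forces a reseed; presumably a zero fork id never matches the live one so the next generate call reseeds, which should be confirmed and stated in a one-line comment above the function. Separately, the hunk declares `int fips_in_post(void);` locally in drbg_lib.c although the same series adds that prototype to crypto/fips.h; including the header instead avoids a second prototype that can drift.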



@ -0,0 +1,500 @@
diff -up openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl
--- openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl 2020-03-19 17:07:02.626522694 +0100
@@ -275,6 +275,7 @@ $code.=<<___;
.align 16
${PREFIX}_encrypt:
.cfi_startproc
+ endbranch
movups ($inp),$inout0 # load input
mov 240($key),$rounds # key->rounds
___
@@ -293,6 +294,7 @@ $code.=<<___;
.align 16
${PREFIX}_decrypt:
.cfi_startproc
+ endbranch
movups ($inp),$inout0 # load input
mov 240($key),$rounds # key->rounds
___
@@ -613,6 +615,7 @@ $code.=<<___;
.align 16
aesni_ecb_encrypt:
.cfi_startproc
+ endbranch
___
$code.=<<___ if ($win64);
lea -0x58(%rsp),%rsp
@@ -985,6 +988,7 @@ $code.=<<___;
.align 16
aesni_ccm64_encrypt_blocks:
.cfi_startproc
+ endbranch
___
$code.=<<___ if ($win64);
lea -0x58(%rsp),%rsp
@@ -1077,6 +1081,7 @@ $code.=<<___;
.align 16
aesni_ccm64_decrypt_blocks:
.cfi_startproc
+ endbranch
___
$code.=<<___ if ($win64);
lea -0x58(%rsp),%rsp
@@ -1203,6 +1208,7 @@ $code.=<<___;
.align 16
aesni_ctr32_encrypt_blocks:
.cfi_startproc
+ endbranch
cmp \$1,$len
jne .Lctr32_bulk
@@ -1775,6 +1781,7 @@ $code.=<<___;
.align 16
aesni_xts_encrypt:
.cfi_startproc
+ endbranch
lea (%rsp),%r11 # frame pointer
.cfi_def_cfa_register %r11
push %rbp
@@ -2258,6 +2265,7 @@ $code.=<<___;
.align 16
aesni_xts_decrypt:
.cfi_startproc
+ endbranch
lea (%rsp),%r11 # frame pointer
.cfi_def_cfa_register %r11
push %rbp
@@ -2783,6 +2791,7 @@ $code.=<<___;
.align 32
aesni_ocb_encrypt:
.cfi_startproc
+ endbranch
lea (%rsp),%rax
push %rbx
.cfi_push %rbx
@@ -3249,6 +3258,7 @@ __ocb_encrypt1:
.align 32
aesni_ocb_decrypt:
.cfi_startproc
+ endbranch
lea (%rsp),%rax
push %rbx
.cfi_push %rbx
@@ -3737,6 +3747,7 @@ $code.=<<___;
.align 16
${PREFIX}_cbc_encrypt:
.cfi_startproc
+ endbranch
test $len,$len # check length
jz .Lcbc_ret
diff -up openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl
--- openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl 2020-03-19 17:00:15.974621757 +0100
@@ -696,6 +696,7 @@ _vpaes_schedule_mangle:
.align 16
${PREFIX}_set_encrypt_key:
.cfi_startproc
+ endbranch
___
$code.=<<___ if ($win64);
lea -0xb8(%rsp),%rsp
@@ -746,6 +747,7 @@ $code.=<<___;
.align 16
${PREFIX}_set_decrypt_key:
.cfi_startproc
+ endbranch
___
$code.=<<___ if ($win64);
lea -0xb8(%rsp),%rsp
@@ -801,6 +803,7 @@ $code.=<<___;
.align 16
${PREFIX}_encrypt:
.cfi_startproc
+ endbranch
___
$code.=<<___ if ($win64);
lea -0xb8(%rsp),%rsp
@@ -846,6 +849,7 @@ $code.=<<___;
.align 16
${PREFIX}_decrypt:
.cfi_startproc
+ endbranch
___
$code.=<<___ if ($win64);
lea -0xb8(%rsp),%rsp
@@ -897,6 +901,7 @@ $code.=<<___;
.align 16
${PREFIX}_cbc_encrypt:
.cfi_startproc
+ endbranch
xchg $key,$len
___
($len,$key)=($key,$len);
diff -up openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.c
--- openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/async/arch/async_posix.c 2020-03-19 17:00:15.974621757 +0100
@@ -34,7 +34,9 @@ void async_local_cleanup(void)
int async_fibre_makecontext(async_fibre *fibre)
{
+#ifndef USE_SWAPCONTEXT
fibre->env_init = 0;
+#endif
if (getcontext(&fibre->fibre) == 0) {
fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE);
if (fibre->fibre.uc_stack.ss_sp != NULL) {
diff -up openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.h
--- openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet 2020-03-19 17:00:15.435631166 +0100
+++ openssl-1.1.1e/crypto/async/arch/async_posix.h 2020-03-19 17:00:15.975621739 +0100
@@ -25,17 +25,33 @@
# define ASYNC_POSIX
# define ASYNC_ARCH
+# ifdef __CET__
+/*
+ * When Intel CET is enabled, makecontext will create a different
+ * shadow stack for each context. async_fibre_swapcontext cannot
+ * use _longjmp. It must call swapcontext to swap shadow stack as
+ * well as normal stack.
+ */
+# define USE_SWAPCONTEXT
+# endif
# include <ucontext.h>
-# include <setjmp.h>
+# ifndef USE_SWAPCONTEXT
+# include <setjmp.h>
+# endif
typedef struct async_fibre_st {
ucontext_t fibre;
+# ifndef USE_SWAPCONTEXT
jmp_buf env;
int env_init;
+# endif
} async_fibre;
static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r)
{
+# ifdef USE_SWAPCONTEXT
+ swapcontext(&o->fibre, &n->fibre);
+# else
o->env_init = 1;
if (!r || !_setjmp(o->env)) {
@@ -44,6 +60,7 @@ static ossl_inline int async_fibre_swapc
else
setcontext(&n->fibre);
}
+# endif
return 1;
}
diff -up openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl
--- openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl 2020-03-19 17:00:15.975621739 +0100
@@ -685,6 +685,7 @@ $code.=<<___;
.align 16
Camellia_cbc_encrypt:
.cfi_startproc
+ endbranch
cmp \$0,%rdx
je .Lcbc_abort
push %rbx
diff -up openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl
--- openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl 2020-03-19 17:00:15.975621739 +0100
@@ -239,6 +239,7 @@ $code=<<___;
.align 16
gcm_gmult_4bit:
.cfi_startproc
+ endbranch
push %rbx
.cfi_push %rbx
push %rbp # %rbp and others are pushed exclusively in
@@ -286,6 +287,7 @@ $code.=<<___;
.align 16
gcm_ghash_4bit:
.cfi_startproc
+ endbranch
push %rbx
.cfi_push %rbx
push %rbp
@@ -612,6 +614,7 @@ $code.=<<___;
.align 16
gcm_gmult_clmul:
.cfi_startproc
+ endbranch
.L_gmult_clmul:
movdqu ($Xip),$Xi
movdqa .Lbswap_mask(%rip),$T3
@@ -663,6 +666,7 @@ $code.=<<___;
.align 32
gcm_ghash_clmul:
.cfi_startproc
+ endbranch
.L_ghash_clmul:
___
$code.=<<___ if ($win64);
@@ -1166,6 +1170,7 @@ $code.=<<___;
.align 32
gcm_gmult_avx:
.cfi_startproc
+ endbranch
jmp .L_gmult_clmul
.cfi_endproc
.size gcm_gmult_avx,.-gcm_gmult_avx
@@ -1177,6 +1182,7 @@ $code.=<<___;
.align 32
gcm_ghash_avx:
.cfi_startproc
+ endbranch
___
if ($avx) {
my ($Xip,$Htbl,$inp,$len)=@_4args;
diff -up openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet openssl-1.1.1e/crypto/perlasm/cbc.pl
--- openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/perlasm/cbc.pl 2020-03-19 17:00:15.976621722 +0100
@@ -165,21 +165,28 @@ sub cbc
&jmp_ptr($count);
&set_label("ej7");
+ &endbranch()
&movb(&HB("edx"), &BP(6,$in,"",0));
&shl("edx",8);
&set_label("ej6");
+ &endbranch()
&movb(&HB("edx"), &BP(5,$in,"",0));
&set_label("ej5");
+ &endbranch()
&movb(&LB("edx"), &BP(4,$in,"",0));
&set_label("ej4");
+ &endbranch()
&mov("ecx", &DWP(0,$in,"",0));
&jmp(&label("ejend"));
&set_label("ej3");
+ &endbranch()
&movb(&HB("ecx"), &BP(2,$in,"",0));
&shl("ecx",8);
&set_label("ej2");
+ &endbranch()
&movb(&HB("ecx"), &BP(1,$in,"",0));
&set_label("ej1");
+ &endbranch()
&movb(&LB("ecx"), &BP(0,$in,"",0));
&set_label("ejend");
diff -up openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl
--- openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl 2020-03-19 17:00:15.984621582 +0100
@@ -101,6 +101,33 @@ elsif (!$gas)
$decor="\$L\$";
}
+my $cet_property;
+if ($flavour =~ /elf/) {
+ # Always generate .note.gnu.property section for ELF outputs to
+ # mark Intel CET support since all input files must be marked
+ # with Intel CET support in order for linker to mark output with
+ # Intel CET support.
+ my $p2align=3; $p2align=2 if ($flavour eq "elf32");
+ $cet_property = <<_____;
+ .section ".note.gnu.property", "a"
+ .p2align $p2align
+ .long 1f - 0f
+ .long 4f - 1f
+ .long 5
+0:
+ .asciz "GNU"
+1:
+ .p2align $p2align
+ .long 0xc0000002
+ .long 3f - 2f
+2:
+ .long 3
+3:
+ .p2align $p2align
+4:
+_____
+}
+
my $current_segment;
my $current_function;
my %globals;
@@ -1213,6 +1240,7 @@ while(defined(my $line=<>)) {
print $line,"\n";
}
+print "$cet_property" if ($cet_property);
print "\n$current_segment\tENDS\n" if ($current_segment && $masm);
print "END\n" if ($masm);
diff -up openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86gas.pl
--- openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/perlasm/x86gas.pl 2020-03-19 17:00:15.985621565 +0100
@@ -124,6 +124,7 @@ sub ::function_begin_B
push(@out,".align\t$align\n");
push(@out,"$func:\n");
push(@out,"$begin:\n") if ($global);
+ &::endbranch();
$::stack=4;
}
@@ -172,6 +173,26 @@ sub ::file_end
else { push (@out,"$tmp\n"); }
}
push(@out,$initseg) if ($initseg);
+ if ($::elf) {
+ push(@out,"
+ .section \".note.gnu.property\", \"a\"
+ .p2align 2
+ .long 1f - 0f
+ .long 4f - 1f
+ .long 5
+0:
+ .asciz \"GNU\"
+1:
+ .p2align 2
+ .long 0xc0000002
+ .long 3f - 2f
+2:
+ .long 3
+3:
+ .p2align 2
+4:
+");
+ }
}
sub ::data_byte { push(@out,".byte\t".join(',',@_)."\n"); }
diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl
--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet 2020-03-19 17:00:38.185234015 +0100
+++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl 2020-03-19 17:05:46.575850341 +0100
@@ -2806,6 +2806,7 @@ $code.=<<___;
.align 32
poly1305_blocks_vpmadd52:
.cfi_startproc
+ endbranch
shr \$4,$len
jz .Lno_data_vpmadd52 # too short
@@ -3739,6 +3740,7 @@ $code.=<<___;
.align 32
poly1305_emit_base2_44:
.cfi_startproc
+ endbranch
mov 0($ctx),%r8 # load hash value
mov 8($ctx),%r9
mov 16($ctx),%r10
diff -up openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl
--- openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet 2020-03-19 17:00:38.190233928 +0100
+++ openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl 2020-03-19 17:05:02.598618064 +0100
@@ -140,6 +140,7 @@ $code=<<___;
.align 16
RC4:
.cfi_startproc
+ endbranch
or $len,$len
jne .Lentry
ret
@@ -455,6 +456,7 @@ $code.=<<___;
.align 16
RC4_set_key:
.cfi_startproc
+ endbranch
lea 8($dat),$dat
lea ($inp,$len),$inp
neg $len
@@ -529,6 +531,7 @@ RC4_set_key:
.align 16
RC4_options:
.cfi_startproc
+ endbranch
lea .Lopts(%rip),%rax
mov OPENSSL_ia32cap_P(%rip),%edx
bt \$20,%edx
diff -up openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet openssl-1.1.1e/crypto/x86_64cpuid.pl
--- openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/x86_64cpuid.pl 2020-03-19 17:03:58.172742775 +0100
@@ -40,6 +40,7 @@ print<<___;
.align 16
OPENSSL_atomic_add:
.cfi_startproc
+ endbranch
movl ($arg1),%eax
.Lspin: leaq ($arg2,%rax),%r8
.byte 0xf0 # lock
@@ -56,6 +57,7 @@ OPENSSL_atomic_add:
.align 16
OPENSSL_rdtsc:
.cfi_startproc
+ endbranch
rdtsc
shl \$32,%rdx
or %rdx,%rax
@@ -68,6 +70,7 @@ OPENSSL_rdtsc:
.align 16
OPENSSL_ia32_cpuid:
.cfi_startproc
+ endbranch
mov %rbx,%r8 # save %rbx
.cfi_register %rbx,%r8
@@ -237,6 +240,7 @@ OPENSSL_ia32_cpuid:
.align 16
OPENSSL_cleanse:
.cfi_startproc
+ endbranch
xor %rax,%rax
cmp \$15,$arg2
jae .Lot
@@ -274,6 +278,7 @@ OPENSSL_cleanse:
.align 16
CRYPTO_memcmp:
.cfi_startproc
+ endbranch
xor %rax,%rax
xor %r10,%r10
cmp \$0,$arg3
@@ -312,6 +317,7 @@ print<<___ if (!$win64);
.align 16
OPENSSL_wipe_cpu:
.cfi_startproc
+ endbranch
pxor %xmm0,%xmm0
pxor %xmm1,%xmm1
pxor %xmm2,%xmm2
@@ -346,6 +352,8 @@ print<<___ if ($win64);
.type OPENSSL_wipe_cpu,\@abi-omnipotent
.align 16
OPENSSL_wipe_cpu:
+.cfi_startproc
+ endbranch
pxor %xmm0,%xmm0
pxor %xmm1,%xmm1
pxor %xmm2,%xmm2
@@ -376,6 +384,7 @@ print<<___;
.align 16
OPENSSL_instrument_bus:
.cfi_startproc
+ endbranch
mov $arg1,$out # tribute to Win64
mov $arg2,$cnt
mov $arg2,$max
@@ -410,6 +419,7 @@ OPENSSL_instrument_bus:
.align 16
OPENSSL_instrument_bus2:
.cfi_startproc
+ endbranch
mov $arg1,$out # tribute to Win64
mov $arg2,$cnt
mov $arg3,$max
@@ -465,6 +475,7 @@ print<<___;
.align 16
OPENSSL_ia32_${rdop}_bytes:
.cfi_startproc
+ endbranch
xor %rax, %rax # return value
cmp \$0,$arg2
je .Ldone_${rdop}_bytes
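Review bot: In the async_posix.h hunk, the new USE_SWAPCONTEXT branch of async_fibre_swapcontext calls `swapcontext(&o->fibre, &n->fibre);` and discards its return value, yet the function still falls through to `return 1;`, so a failed context switch (swapcontext returns -1) is reported to the caller as success and execution continues on the wrong fibre. Replacing the bare call with `if (swapcontext(&o->fibre, &n->fibre) != 0) return 0;` keeps the existing _setjmp/setcontext path untouched and gives ASYNC_start_job a failure it can act on. The matching async_posix.c change wraps `fibre->env_init = 0;` in `#ifndef USE_SWAPCONTEXT` without a comment; a one-liner such as `/* env/env_init only exist when not switching via swapcontext (non-CET builds) */` would tie the two hunks together for the next reader. The remaining hunks only insert `endbranch` markers and the .note.gnu.property section, which the x86_64-xlate.pl comment already explains.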


@ -0,0 +1,170 @@
diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info
--- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest 2020-06-03 16:08:36.274849058 +0200
+++ openssl-1.1.1g/crypto/fips/build.info 2020-06-03 16:11:05.609079372 +0200
@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
- fips_dh_selftest.c fips_ers.c
+ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
PROGRAMS_NO_INST=\
fips_standalone_hmac
diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-06-03 16:08:36.337849577 +0200
+++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-06-03 16:08:36.337849577 +0200
@@ -0,0 +1,117 @@
+/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include "crypto/fips.h"
+
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+
+#ifdef OPENSSL_FIPS
+int FIPS_selftest_pbkdf2(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx;
+ unsigned char out[32];
+
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
+ goto err;
+ }
+
+ {
+ const unsigned char expected[sizeof(out)] = {
+ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
+ };
+ if (memcmp(out, expected, sizeof(expected))) {
+ goto err;
+ }
+ }
+ ret = 1;
+
+err:
+ if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx);
+ return ret;
+}
+
+/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
+ * 5) appendix A. */
+int FIPS_selftest_kbkdf(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx;
+ char *label = "prf", *prf_input = "test";
+ static unsigned char input_key[] = {
+ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
+ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
+ };
+ static unsigned char output[] = {
+ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
+ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
+ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
+ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
+ };
+ unsigned char result[sizeof(output)] = { 0 };
+
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
+ goto err;
+ }
+ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
+ && memcmp(result, output, sizeof(output)) == 0;
+err:
+
+ if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx);
+ return ret;
+}
+
+int FIPS_selftest_kdf(void)
+{
+ return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf();
+}
+
+#endif
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c
--- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest 2020-06-03 16:08:36.332849536 +0200
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-03 16:08:36.338849585 +0200
@@ -111,6 +111,8 @@ int FIPS_selftest(void)
rv = 0;
if (!FIPS_selftest_ecdh())
rv = 0;
+ if (!FIPS_selftest_kdf())
+ rv = 0;
return rv;
}
diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200
+++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200
@@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff);
int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void);
+int FIPS_selftest_kbkdf(void);
+int FIPS_selftest_pbkdf2(void);
+int FIPS_selftest_kdf(void);
int fips_in_post(void);
diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-06-03 16:08:36.282849124 +0200
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-03 16:08:36.338849585 +0200
@@ -123,6 +123,8 @@ extern "C" {
# define FIPS_F_FIPS_SELFTEST_DSA 112
# define FIPS_F_FIPS_SELFTEST_ECDSA 133
# define FIPS_F_FIPS_SELFTEST_HMAC 113
+# define FIPS_F_FIPS_SELFTEST_KBKDF 151
+# define FIPS_F_FIPS_SELFTEST_PBKDF2 152
# define FIPS_F_FIPS_SELFTEST_SHA1 115
# define FIPS_F_FIPS_SELFTEST_SHA2 105
# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
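Review bot: FIPS_selftest_kdf() in the new fips_kdf_selftest.c short-circuits with `&&`, so when the PBKDF2 KAT fails the KBKDF KAT is never executed and its FIPS_F_FIPS_SELFTEST_KBKDF error is never raised, whereas FIPS_selftest() in fips_post.c runs every test and only accumulates the result. Running both unconditionally keeps the diagnostics complete: `int rv = FIPS_selftest_pbkdf2(); if (!FIPS_selftest_kbkdf()) rv = 0; return rv;`. In FIPS_selftest_kbkdf, `char *label = "prf", *prf_input = "test";` binds string literals to non-const pointers; `const char *` is what the EVP_KDF_ctrl calls need and avoids -Wwrite-strings warnings. The KBKDF vector is attributed to RFC 8009 appendix A, but the PBKDF2 `expected` array carries no comment naming its inputs or source; a one-line comment above it listing the password, salt, iteration count and digest it was generated from would make the KAT auditable.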


@ -1,7 +1,7 @@
diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/err/openssl.txt
--- openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf 2019-11-14 16:25:09.445914709 +0100
+++ openssl-1.1.1c/crypto/err/openssl.txt 2019-11-14 16:26:10.333811902 +0100
@@ -816,6 +816,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g
diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/err/openssl.txt
--- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
+++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-14 15:07:05.342094129 +0100
@@ -821,6 +821,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g
EVP_F_SCRYPT_ALG:228:scrypt_alg
EVP_F_UPDATE:173:update
KDF_F_HKDF_EXTRACT:112:HKDF_Extract
@ -13,7 +13,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive
KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new
KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size
@@ -835,6 +840,8 @@ KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new
@@ -840,6 +845,8 @@ KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new
KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str
KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive
KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new
@ -22,7 +22,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
@@ -848,6 +855,9 @@ KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tl
@@ -853,6 +860,9 @@ KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tl
KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf
@ -32,10 +32,10 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
@@ -2315,7 +2325,13 @@ EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type
@@ -2325,7 +2335,13 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor
EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys
+KDF_R_FAILED_TO_GENERATE_KEY:118:failed to generate key
+KDF_R_INVALID_CIPHER:116:invalid cipher
+KDF_R_INVALID_CONSTANT_LENGTH:119:invalid constant length
@ -46,7 +46,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count
KDF_R_MISSING_KEY:104:missing key
KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest
@@ -2330,6 +2346,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas
@@ -2340,6 +2356,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
KDF_R_VALUE_ERROR:108:value error
KDF_R_VALUE_MISSING:102:value missing
@ -54,9 +54,9 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1c/crypto/er
KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size
OBJ_R_OID_EXISTS:102:oid exists
OBJ_R_UNKNOWN_NID:101:unknown nid
diff -up openssl-1.1.1c/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1c/crypto/evp/kdf_lib.c
--- openssl-1.1.1c/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-14 16:25:09.445914709 +0100
+++ openssl-1.1.1c/crypto/evp/kdf_lib.c 2019-11-14 16:25:09.475914166 +0100
diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c
--- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
+++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-14 15:07:05.342094129 +0100
@@ -31,6 +31,9 @@ static const EVP_KDF_METHOD *standard_me
&tls1_prf_kdf_meth,
&hkdf_kdf_meth,
@ -67,9 +67,9 @@ diff -up openssl-1.1.1c/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1c/crypto/evp/
};
DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
diff -up openssl-1.1.1c/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1c/crypto/include/internal/evp_int.h
--- openssl-1.1.1c/crypto/include/internal/evp_int.h.krb5-kdf 2019-11-14 16:25:09.446914691 +0100
+++ openssl-1.1.1c/crypto/include/internal/evp_int.h 2019-11-14 16:25:09.475914166 +0100
diff -up openssl-1.1.1d/include/crypto/evp.h.krb5-kdf openssl-1.1.1d/include/crypto/evp.h
--- openssl-1.1.1d/include/crypto/evp.h.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
+++ openssl-1.1.1d/include/crypto/evp.h 2019-11-14 15:07:05.342094129 +0100
@@ -130,6 +130,9 @@ extern const EVP_KDF_METHOD scrypt_kdf_m
extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
extern const EVP_KDF_METHOD hkdf_kdf_meth;
@ -80,17 +80,17 @@ diff -up openssl-1.1.1c/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1
struct evp_md_st {
int type;
diff -up openssl-1.1.1c/crypto/kdf/build.info.krb5-kdf openssl-1.1.1c/crypto/kdf/build.info
--- openssl-1.1.1c/crypto/kdf/build.info.krb5-kdf 2019-11-14 16:25:09.446914691 +0100
+++ openssl-1.1.1c/crypto/kdf/build.info 2019-11-14 16:25:09.475914166 +0100
diff -up openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf openssl-1.1.1d/crypto/kdf/build.info
--- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
+++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-14 15:07:05.342094129 +0100
@@ -1,3 +1,3 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
- tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c
+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c krb5kdf.c sskdf.c
diff -up openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kbkdf.c
--- openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-14 16:25:09.475914166 +0100
+++ openssl-1.1.1c/crypto/kdf/kbkdf.c 2019-11-18 17:21:58.326635901 +0100
diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kbkdf.c
--- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-14 15:07:05.343094112 +0100
+++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-18 17:21:58.326635901 +0100
@@ -0,0 +1,540 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@ -129,7 +129,7 @@ diff -up openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kb
+
+#include "internal/numbers.h"
+#include "internal/cryptlib.h"
+#include "internal/evp_int.h"
+#include "crypto/evp.h"
+#include "kdf_local.h"
+
+#include "e_os.h"
@ -632,9 +632,9 @@ diff -up openssl-1.1.1c/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kb
+ kbkdf_derive,
+};
+
diff -up openssl-1.1.1c/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kdf_err.c
--- openssl-1.1.1c/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-14 16:25:09.446914691 +0100
+++ openssl-1.1.1c/crypto/kdf/kdf_err.c 2019-11-14 16:25:09.475914166 +0100
diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c
--- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100
+++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-14 15:07:05.343094112 +0100
@@ -15,6 +15,11 @@
static const ERR_STRING_DATA KDF_str_functs[] = {
@ -688,9 +688,9 @@ diff -up openssl-1.1.1c/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1c/crypto/kdf/
{ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE),
"wrong output buffer size"},
{0, NULL}
diff -up openssl-1.1.1c/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1c/crypto/kdf/kdf_local.h
--- openssl-1.1.1c/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-14 16:25:09.438914836 +0100
+++ openssl-1.1.1c/crypto/kdf/kdf_local.h 2019-11-14 16:25:09.475914166 +0100
diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h
--- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-14 15:07:05.313094646 +0100
+++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-14 15:07:05.344094093 +0100
@@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl,
int kdf_md2ctrl(EVP_KDF_IMPL *impl,
int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
@ -699,9 +699,9 @@ diff -up openssl-1.1.1c/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1c/crypto/kd
+int kdf_cipher2ctrl(EVP_KDF_IMPL *impl,
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
+ int cmd, const char *cipher_name);
diff -up openssl-1.1.1c/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1c/crypto/kdf/kdf_util.c
--- openssl-1.1.1c/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-14 16:25:09.438914836 +0100
+++ openssl-1.1.1c/crypto/kdf/kdf_util.c 2019-11-14 16:25:09.475914166 +0100
diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c
--- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-14 15:07:05.313094646 +0100
+++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-14 15:07:05.344094093 +0100
@@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl,
return call_ctrl(ctrl, impl, cmd, md);
}
@ -719,9 +719,9 @@ diff -up openssl-1.1.1c/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1c/crypto/kdf
+ }
+ return call_ctrl(ctrl, impl, cmd, cipher);
+}
diff -up openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/krb5kdf.c
--- openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf 2019-11-14 16:25:09.476914148 +0100
+++ openssl-1.1.1c/crypto/kdf/krb5kdf.c 2019-11-18 17:18:13.056604404 +0100
diff -up openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/krb5kdf.c
--- openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100
+++ openssl-1.1.1d/crypto/kdf/krb5kdf.c 2019-11-18 17:18:13.056604404 +0100
@@ -0,0 +1,423 @@
+/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
@ -741,7 +741,7 @@ diff -up openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/
+#include <openssl/kdf.h>
+
+#include "internal/cryptlib.h"
+#include "internal/evp_int.h"
+#include "crypto/evp.h"
+#include "kdf_local.h"
+
+/* KRB5 KDF defined in RFC 3961, Section 5.1 */
@ -1146,10 +1146,18 @@ diff -up openssl-1.1.1c/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/
+ krb5kdf_derive,
+};
+
diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/sshkdf.c
--- openssl-1.1.1c/crypto/kdf/sshkdf.c.krb5-kdf 2019-11-15 14:53:14.769279878 +0100
+++ openssl-1.1.1c/crypto/kdf/sshkdf.c 2019-11-18 17:18:25.343388314 +0100
@@ -69,6 +69,12 @@ static int kdf_sshkdf_parse_buffer_arg(u
diff -up openssl-1.1.1d/crypto/kdf/sshkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/sshkdf.c
--- openssl-1.1.1d/crypto/kdf/sshkdf.c.krb5-kdf 2019-11-14 15:07:05.327094396 +0100
+++ openssl-1.1.1d/crypto/kdf/sshkdf.c 2019-11-18 17:18:25.343388314 +0100
@@ -12,6 +12,7 @@
#include <string.h>
#include <openssl/evp.h>
#include <openssl/kdf.h>
+#include "internal/numbers.h"
#include "internal/cryptlib.h"
#include "crypto/evp.h"
#include "kdf_local.h"
@@ -68,6 +69,12 @@ static int kdf_sshkdf_parse_buffer_arg(u
p = va_arg(args, const unsigned char *);
len = va_arg(args, size_t);
OPENSSL_clear_free(*dst, *dst_len);
@ -1162,9 +1170,9 @@ diff -up openssl-1.1.1c/crypto/kdf/sshkdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/s
*dst = OPENSSL_memdup(p, len);
if (*dst == NULL)
return 0;
diff -up openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/sskdf.c
--- openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf 2019-11-14 16:25:09.476914148 +0100
+++ openssl-1.1.1c/crypto/kdf/sskdf.c 2019-11-18 17:21:40.349952802 +0100
diff -up openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/sskdf.c
--- openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100
+++ openssl-1.1.1d/crypto/kdf/sskdf.c 2019-11-18 17:21:40.349952802 +0100
@@ -0,0 +1,255 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@ -1210,7 +1218,7 @@ diff -up openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/ss
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include "internal/cryptlib.h"
+#include "internal/evp_int.h"
+#include "crypto/evp.h"
+#include "kdf_local.h"
+
+struct evp_kdf_impl_st {
@ -1421,9 +1429,9 @@ diff -up openssl-1.1.1c/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1c/crypto/kdf/ss
+ sskdf_size,
+ sskdf_derive
+};
diff -up openssl-1.1.1c/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1c/crypto/objects/obj_dat.h
--- openssl-1.1.1c/crypto/objects/obj_dat.h.krb5-kdf 2019-11-14 16:25:09.447914673 +0100
+++ openssl-1.1.1c/crypto/objects/obj_dat.h 2019-11-14 16:25:09.477914130 +0100
diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/objects/obj_dat.h
--- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-14 15:07:05.322094485 +0100
+++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-14 15:07:05.345094076 +0100
@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
};
@ -1493,9 +1501,9 @@ diff -up openssl-1.1.1c/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1c/crypto/
16, /* "stateOrProvinceName" */
660, /* "streetAddress" */
498, /* "subtreeMaximumQuality" */
diff -up openssl-1.1.1c/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1c/crypto/objects/objects.txt
--- openssl-1.1.1c/crypto/objects/objects.txt.krb5-kdf 2019-11-14 16:25:09.447914673 +0100
+++ openssl-1.1.1c/crypto/objects/objects.txt 2019-11-14 16:25:09.477914130 +0100
diff -up openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypto/objects/objects.txt
--- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-14 15:07:05.322094485 +0100
+++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-14 15:07:05.345094076 +0100
@@ -1603,6 +1603,15 @@ secg-scheme 14 3 : dhSinglePass-cofactor
# NID for SSHKDF
: SSHKDF : sshkdf
@ -1512,9 +1520,9 @@ diff -up openssl-1.1.1c/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1c/crypt
# RFC 4556
1 3 6 1 5 2 3 : id-pkinit
id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth
diff -up openssl-1.1.1c/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1c/crypto/objects/obj_mac.num
--- openssl-1.1.1c/crypto/objects/obj_mac.num.krb5-kdf 2019-11-14 16:25:09.447914673 +0100
+++ openssl-1.1.1c/crypto/objects/obj_mac.num 2019-11-14 16:25:09.477914130 +0100
diff -up openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1d/crypto/objects/obj_mac.num
--- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-14 15:07:05.322094485 +0100
+++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-14 15:07:05.346094058 +0100
@@ -1193,3 +1193,6 @@ magma_mac 1192
hmacWithSHA512_224 1193
hmacWithSHA512_256 1194
@ -1522,9 +1530,9 @@ diff -up openssl-1.1.1c/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1c/crypt
+kbkdf 1196
+krb5kdf 1197
+sskdf 1198
diff -up openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod
--- openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-14 16:25:09.439914818 +0100
+++ openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod 2019-11-14 16:25:09.477914130 +0100
diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod
--- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-14 15:07:05.314094628 +0100
+++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-14 15:07:05.346094058 +0100
@@ -140,7 +140,14 @@ The value string is expected to be a dec
This control expects one argument: C<EVP_MD *md>
@ -1541,9 +1549,9 @@ diff -up openssl-1.1.1c/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1c/doc/man
EVP_KDF_ctrl_str() type string: "md"
diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod
--- openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-14 16:25:09.478914112 +0100
+++ openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod 2019-11-14 16:25:09.478914112 +0100
diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod
--- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100
+++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-14 15:07:05.346094058 +0100
@@ -0,0 +1,173 @@
+=pod
+
@ -1718,9 +1726,9 @@ diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1c/doc/man7
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod
--- openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf 2019-11-14 16:25:09.478914112 +0100
+++ openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod 2019-11-14 16:25:09.478914112 +0100
diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod
--- openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100
+++ openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod 2019-11-14 15:07:05.346094058 +0100
@@ -0,0 +1,107 @@
+=pod
+
@ -1829,9 +1837,9 @@ diff -up openssl-1.1.1c/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1c/doc
+
+=cut
+
diff -up openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod
--- openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod.krb5-kdf 2019-11-14 16:25:09.478914112 +0100
+++ openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod 2019-11-14 16:25:09.478914112 +0100
diff -up openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod
--- openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100
+++ openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod 2019-11-14 15:07:05.346094058 +0100
@@ -0,0 +1,146 @@
+=pod
+
@ -1979,10 +1987,10 @@ diff -up openssl-1.1.1c/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1c/doc/man7
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include/openssl/kdferr.h
--- openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf 2019-11-14 16:25:09.448914655 +0100
+++ openssl-1.1.1c/include/openssl/kdferr.h 2019-11-14 16:25:09.478914112 +0100
@@ -20,6 +20,11 @@ int ERR_load_KDF_strings(void);
diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include/openssl/kdferr.h
--- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100
+++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-14 15:07:05.347094040 +0100
@@ -24,6 +24,11 @@ int ERR_load_KDF_strings(void);
* KDF function codes.
*/
# define KDF_F_HKDF_EXTRACT 112
@ -1994,7 +2002,7 @@ diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include
# define KDF_F_KDF_HKDF_DERIVE 113
# define KDF_F_KDF_HKDF_NEW 114
# define KDF_F_KDF_HKDF_SIZE 115
@@ -39,6 +44,8 @@ int ERR_load_KDF_strings(void);
@@ -43,6 +48,8 @@ int ERR_load_KDF_strings(void);
# define KDF_F_KDF_TLS1_PRF_CTRL_STR 125
# define KDF_F_KDF_TLS1_PRF_DERIVE 126
# define KDF_F_KDF_TLS1_PRF_NEW 127
@ -2003,7 +2011,7 @@ diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include
# define KDF_F_PBKDF2_SET_MEMBUF 128
# define KDF_F_PKEY_HKDF_CTRL_STR 103
# define KDF_F_PKEY_HKDF_DERIVE 102
@@ -52,12 +59,21 @@ int ERR_load_KDF_strings(void);
@@ -56,12 +63,21 @@ int ERR_load_KDF_strings(void);
# define KDF_F_PKEY_TLS1_PRF_DERIVE 101
# define KDF_F_PKEY_TLS1_PRF_INIT 110
# define KDF_F_SCRYPT_SET_MEMBUF 129
@ -2025,7 +2033,7 @@ diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include
# define KDF_R_MISSING_ITERATION_COUNT 109
# define KDF_R_MISSING_KEY 104
# define KDF_R_MISSING_MESSAGE_DIGEST 105
@@ -72,6 +88,7 @@ int ERR_load_KDF_strings(void);
@@ -76,6 +92,7 @@ int ERR_load_KDF_strings(void);
# define KDF_R_UNKNOWN_PARAMETER_TYPE 103
# define KDF_R_VALUE_ERROR 108
# define KDF_R_VALUE_MISSING 102
@ -2033,9 +2041,9 @@ diff -up openssl-1.1.1c/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1c/include
# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
#endif
diff -up openssl-1.1.1c/include/openssl/kdf.h.krb5-kdf openssl-1.1.1c/include/openssl/kdf.h
--- openssl-1.1.1c/include/openssl/kdf.h.krb5-kdf 2019-11-14 16:25:09.448914655 +0100
+++ openssl-1.1.1c/include/openssl/kdf.h 2019-11-14 16:25:09.478914112 +0100
diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/openssl/kdf.h
--- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100
+++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-14 15:07:05.347094040 +0100
@@ -21,6 +21,9 @@ extern "C" {
# define EVP_KDF_TLS1_PRF NID_tls1_prf
# define EVP_KDF_HKDF NID_hkdf
@ -2073,9 +2081,9 @@ diff -up openssl-1.1.1c/include/openssl/kdf.h.krb5-kdf openssl-1.1.1c/include/op
/**** The legacy PKEY-based KDF API follows. ****/
# define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL)
diff -up openssl-1.1.1c/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1c/include/openssl/obj_mac.h
--- openssl-1.1.1c/include/openssl/obj_mac.h.krb5-kdf 2019-11-14 16:25:09.449914637 +0100
+++ openssl-1.1.1c/include/openssl/obj_mac.h 2019-11-14 16:25:09.479914093 +0100
diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/include/openssl/obj_mac.h
--- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100
+++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-14 15:07:05.347094040 +0100
@@ -4974,6 +4974,18 @@
#define LN_sshkdf "sshkdf"
#define NID_sshkdf 1203
@ -2095,9 +2103,9 @@ diff -up openssl-1.1.1c/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1c/includ
#define SN_id_pkinit "id-pkinit"
#define NID_id_pkinit 1031
#define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L
diff -up openssl-1.1.1c/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1c/test/evp_kdf_test.c
--- openssl-1.1.1c/test/evp_kdf_test.c.krb5-kdf 2019-11-14 16:25:09.441914782 +0100
+++ openssl-1.1.1c/test/evp_kdf_test.c 2019-11-14 16:25:09.479914093 +0100
diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf_test.c
--- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-14 15:07:05.315094610 +0100
+++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-14 15:07:05.348094022 +0100
@@ -225,13 +225,358 @@ err:
}
#endif
@ -2457,9 +2465,9 @@ diff -up openssl-1.1.1c/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1c/test/evp_kdf
+ ADD_TEST(test_kdf_ss_hash);
return 1;
}
diff -up openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt
--- openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf 2019-11-14 16:25:09.451914601 +0100
+++ openssl-1.1.1c/test/recipes/30-test_evp_data/evpkdf.txt 2019-11-14 16:25:09.480914075 +0100
diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt
--- openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf 2019-11-14 15:07:05.327094396 +0100
+++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2019-11-14 15:07:05.349094005 +0100
@@ -5286,3 +5286,559 @@ Ctrl.hexsession_id = hexsession_id:a4ebd
Ctrl.type = type:A
Output = FF


@ -1,17 +1,16 @@
diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in
--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in 2019-05-07 11:52:35.885597934 +0200
@@ -141,22 +141,23 @@ our @tests = (
diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in
--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in 2019-09-13 15:11:07.358687169 +0200
@@ -147,22 +147,22 @@ our @tests = (
{
name => "ECDSA with brainpool",
server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1",
+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+ "Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "PrivateKey" => test_pem("server-ecdsa-key.pem"),
+# "Groups" => "brainpoolP256r1",
+ "CipherString" => "aNULL",
},
client => {
#We don't restrict this to TLSv1.2, although use of brainpool
@ -32,17 +31,16 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens
"ExpectedResult" => "Success"
},
},
@@ -787,18 +788,19 @@ my @tests_tls_1_3 = (
@@ -853,18 +853,18 @@ my @tests_tls_1_3 = (
{
name => "TLS 1.3 ECDSA with brainpool",
server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1",
+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+ "Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "PrivateKey" => test_pem("server-ecdsa-key.pem"),
+# "Groups" => "brainpoolP256r1",
+ "CipherString" => "aNULL",
},
client => {
"RequestCAFile" => test_pem("root-cert.pem"),
@ -57,20 +55,19 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens
},
},
);
diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf
--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf 2019-05-07 12:15:12.762907496 +0200
@@ -233,23 +233,18 @@ server = 5-ECDSA with brainpool-server
diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf
--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-09-10 15:13:07.000000000 +0200
+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf 2019-09-13 15:12:27.380288469 +0200
@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server
client = 5-ECDSA with brainpool-client
[5-ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-CipherString = DEFAULT
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = aNULL
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
[5-ECDSA with brainpool-client]
CipherString = aECDSA
@ -87,28 +84,27 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-
# ===========================================================
@@ -1577,14 +1572,12 @@ server = 47-TLS 1.3 ECDSA with brainpool
client = 47-TLS 1.3 ECDSA with brainpool-client
@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool
client = 52-TLS 1.3 ECDSA with brainpool-client
[47-TLS 1.3 ECDSA with brainpool-server]
[52-TLS 1.3 ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-CipherString = DEFAULT
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = aNULL
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
[47-TLS 1.3 ECDSA with brainpool-client]
[52-TLS 1.3 ECDSA with brainpool-client]
CipherString = DEFAULT
-Groups = brainpoolP256r1
MaxProtocol = TLSv1.3
MinProtocol = TLSv1.3
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
@@ -1592,7 +1585,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
VerifyMode = Peer
[test-47]
[test-52]
-ExpectedResult = ServerFail
+ExpectedResult = Success
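Review bot: The test case keeps the name "ECDSA with brainpool" (and "TLS 1.3 ECDSA with brainpool") while the new lines swap the brainpool certificate and the `Groups => "brainpoolP256r1"` setting for `server-ecdsa-cert.pem`/`server-ecdsa-key.pem` and flip the expectation from `ServerFail` to `Success`, so the case no longer exercises what its name says. Nothing in the patch records why; a reader of the regenerated 20-cert-select.conf will see a "brainpool" case passing on a build where brainpool is disabled. Suggest a comment in 20-cert-select.conf.in next to each of the two server blocks, e.g. `# brainpool curves are disabled in this build; this case now uses a non-brainpool ECDSA cert and is expected to succeed`, or a rename of the case. Because the outer +/- markers were lost in rendering, which of the inner-diff lines (for instance the `"CipherString" => "aNULL"` line) are still on the new side of the patch cannot be confirmed from here; the regenerated .conf server sections shown here carry `CipherString = DEFAULT` with no aNULL, so it is worth checking that the .conf.in and the generated .conf still agree after `make generate`.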


@ -0,0 +1,12 @@
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html 2020-04-07 16:45:21.904083989 +0200
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:45:56.218461895 +0200
@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
-install_docs: install_man_docs install_html_docs
+install_docs: install_man_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r "$(DESTDIR)$(DOCDIR)"
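Review bot: The `install_docs` target drops `install_html_docs`, but the `uninstall_docs` line kept as context still lists `uninstall_html_docs`, so install and uninstall are no longer symmetric. That is harmless for packaging here, but a one-line comment above the changed target would save the next maintainer from "fixing" it back: `# HTML docs are intentionally not installed in this package; man pages only`. If the intent is full symmetry, also change the next line to `uninstall_docs: uninstall_man_docs`.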


@ -1,16 +0,0 @@
diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/conf/conf_lib.c
--- openssl-1.1.1b/crypto/conf/conf_lib.c.regression 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/conf/conf_lib.c 2019-05-10 14:28:57.718049429 +0200
@@ -356,8 +356,10 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(
{
OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret));
- if (ret != NULL)
- memset(ret, 0, sizeof(*ret));
+ if (ret == NULL)
+ return NULL;
+
+ memset(ret, 0, sizeof(*ret));
ret->flags = DEFAULT_CONF_MFLAGS;
return ret;


@ -0,0 +1,44 @@
diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
@@ -292,6 +292,9 @@ extern "C" {
# define TLS1_FLAGS_STATELESS 0x0800
+/* Set if extended master secret extension required on renegotiation */
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
+
# define SSL3_MT_HELLO_REQUEST 0
# define SSL3_MT_CLIENT_HELLO 1
# define SSL3_MT_SERVER_HELLO 2
diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
static int init_ems(SSL *s, unsigned int context)
{
- if (!s->server)
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+ }
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
+ /*
+ * Check extended master secret extension is not dropped on
+ * renegotiation.
+ */
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+ SSL_R_INCONSISTENT_EXTMS);
+ return 0;
+ }
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with
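Review bot: The new `TLS1_FLAGS_REQUIRED_EXTMS` flag in ssl3.h gets only a one-line comment, yet its lifecycle is the whole point of the fix: `init_ems()` now converts a previously received EXTMS into "required" on both client and server (the old `!s->server` guard is gone), and `final_ems()` aborts with `SSL_AD_HANDSHAKE_FAILURE`/`SSL_R_INCONSISTENT_EXTMS` when a later handshake on the same connection omits the extension. Suggest expanding the header comment to `/* Set once the peer has negotiated extended master secret on this connection; a subsequent (renegotiation) handshake that omits the extension is rejected in final_ems() with SSL_R_INCONSISTENT_EXTMS */`, and noting in `init_ems()` that the flag is intended to survive across handshakes while `TLS1_FLAGS_RECEIVED_EXTMS` is cleared per handshake. The 0x1000 value does not collide with the flags visible in the context lines, but the neighbouring `TLS1_FLAGS_*` definitions are outside this hunk, so that is worth a quick check. No test accompanies the patch as far as this hunk shows, and `final_ems()` continues past the end of the hunk.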


@ -0,0 +1,170 @@
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
+++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200
@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
int FIPS_drbg_reseed(DRBG_CTX *dctx,
const unsigned char *adin, size_t adinlen)
{
+ int len = (int)adinlen;
+
+ if (len < 0 || (size_t)len != adinlen) {
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
+ return 0;
+ }
+ RAND_seed(adin, len);
+ return 1;
+}
+
+int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
+ const unsigned char *adin, size_t adinlen)
+{
return drbg_reseed(dctx, adin, adinlen, 1);
}
@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
int prediction_resistance,
const unsigned char *adin, size_t adinlen)
{
+ int len = (int)outlen;
+
+ if (len < 0 || (size_t)len != outlen) {
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
+ return 0;
+ }
+ return RAND_bytes(out, len);
+}
+
+int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen)
+{
int r = 0;
if (FIPS_selftest_failed()) {
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
+++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200
@@ -57,6 +57,8 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/fips.h>
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
#include <openssl/fips_rand.h>
#include "fips_rand_lcl.h"
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200
+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200
@@ -55,6 +55,8 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/fips.h>
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
#include <openssl/fips_rand.h>
#include "fips_rand_lcl.h"
#include "fips_locl.h"
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200
@@ -79,8 +79,6 @@ int FIPS_selftest(void)
ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
rv = 0;
}
- if (!FIPS_selftest_drbg())
- rv = 0;
if (!FIPS_selftest_sha1())
rv = 0;
if (!FIPS_selftest_sha2())
diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200
+++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200
@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
int FIPS_rand_seed(const void *buf, int num)
{
+#if 0
if (!fips_approved_rand_meth && FIPS_module_mode()) {
FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
return 0;
@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
if (fips_rand_meth && fips_rand_meth->seed)
fips_rand_meth->seed(buf, num);
return 1;
+#else
+ RAND_seed(buf, num);
+ return 1;
+#endif
}
int FIPS_rand_bytes(unsigned char *buf, int num)
{
+#if 0
if (!fips_approved_rand_meth && FIPS_module_mode()) {
FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
return 0;
@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
if (fips_rand_meth && fips_rand_meth->bytes)
return fips_rand_meth->bytes(buf, num);
return 0;
+#else
+ return RAND_bytes(buf, num);
+#endif
}
int FIPS_rand_status(void)
{
+#if 0
if (!fips_approved_rand_meth && FIPS_module_mode()) {
FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
return 0;
@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
if (fips_rand_meth && fips_rand_meth->status)
return fips_rand_meth->status();
return 0;
+#else
+ return RAND_status();
+#endif
}
/* Return instantiated strength of PRNG. For DRBG this is an internal
diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200
@@ -64,6 +64,11 @@ extern "C" {
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
+
+ /*
+ * This function is deprecated as it performs selftest of the old FIPS drbg
+ * implementation that is not validated.
+ */
int FIPS_selftest_drbg_all(void);
int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200
+++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200
@@ -60,6 +60,20 @@
# ifdef __cplusplus
extern "C" {
# endif
+
+/*
+ * IMPORTANT NOTE:
+ * All functions in this header file are deprecated and should not be used
+ * as they use the old FIPS_drbg implementation that is not FIPS validated
+ * anymore.
+ * To provide backwards compatibility for applications that need FIPS compliant
+ * RNG number generation and use FIPS_drbg_generate, this function was
+ * re-wired to call the FIPS validated DRBG instance instead through
+ * the RAND_bytes() call.
+ *
+ * All these functions will be removed in future.
+ */
+
typedef struct drbg_ctx_st DRBG_CTX;
/* DRBG external flags */
/* Flag for CTR mode only: use derivation function ctr_df */
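Review bot: The rewired `FIPS_drbg_generate()` in fips_drbg_lib.c silently discards its `prediction_resistance`, `adin` and `adinlen` arguments and returns `RAND_bytes(out, len)` unchanged, so callers that relied on additional input being mixed into the DRBG, or on a prediction-resistance reseed before generation, now get neither, and the deprecation note added to fips_rand.h does not say so. Also, `RAND_bytes()` in 1.1.1 can return -1 when the installed RAND method has no bytes callback, which a caller testing `!FIPS_drbg_generate(...)` would misread as success; `return RAND_bytes(out, len) == 1;` normalises that, and `FIPS_drbg_reseed()` similarly ignores `dctx`. Suggest adding to the IMPORTANT NOTE in fips_rand.h: `Additional input and the prediction_resistance flag passed to FIPS_drbg_generate()/FIPS_drbg_reseed() are ignored; only the output length and reseed data are forwarded to RAND_bytes()/RAND_seed().` The `#if 0` blocks in fips_rand_lib.c also remove the `FIPS_module_mode()` approved-method check, which is consistent with the stated intent but should be mentioned in the same note rather than left as dead code.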


@ -1,6 +1,6 @@
diff -up openssl-1.1.1c/Configurations/00-base-templates.conf.s390x-ecc openssl-1.1.1c/Configurations/00-base-templates.conf
--- openssl-1.1.1c/Configurations/00-base-templates.conf.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/Configurations/00-base-templates.conf 2019-11-20 11:36:02.190860451 +0100
diff -up openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc openssl-1.1.1g/Configurations/00-base-templates.conf
--- openssl-1.1.1g/Configurations/00-base-templates.conf.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/Configurations/00-base-templates.conf 2020-05-18 12:45:40.855234262 +0200
@@ -289,6 +289,7 @@ my %targets=(
template => 1,
cpuid_asm_src => "s390xcap.c s390xcpuid.S",
@ -9,10 +9,10 @@ diff -up openssl-1.1.1c/Configurations/00-base-templates.conf.s390x-ecc openssl-
aes_asm_src => "aes-s390x.S aes-ctr.fake aes-xts.fake",
sha1_asm_src => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",
rc4_asm_src => "rc4-s390x.s",
diff -up openssl-1.1.1c/Configure.s390x-ecc openssl-1.1.1c/Configure
--- openssl-1.1.1c/Configure.s390x-ecc 2019-11-20 11:36:02.078862415 +0100
+++ openssl-1.1.1c/Configure 2019-11-20 11:36:02.191860433 +0100
@@ -1410,6 +1410,9 @@ unless ($disabled{asm}) {
diff -up openssl-1.1.1g/Configure.s390x-ecc openssl-1.1.1g/Configure
--- openssl-1.1.1g/Configure.s390x-ecc 2020-05-18 12:45:40.781233618 +0200
+++ openssl-1.1.1g/Configure 2020-05-18 12:45:40.856234270 +0200
@@ -1398,6 +1398,9 @@ unless ($disabled{asm}) {
if ($target{ec_asm_src} =~ /ecp_nistz256/) {
push @{$config{lib_defines}}, "ECP_NISTZ256_ASM";
}
@ -22,21 +22,9 @@ diff -up openssl-1.1.1c/Configure.s390x-ecc openssl-1.1.1c/Configure
if ($target{ec_asm_src} =~ /x25519/) {
push @{$config{lib_defines}}, "X25519_ASM";
}
diff -up openssl-1.1.1c/crypto/bn/asm/s390x.S.s390x-ecc openssl-1.1.1c/crypto/bn/asm/s390x.S
--- openssl-1.1.1c/crypto/bn/asm/s390x.S.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/bn/asm/s390x.S 2019-11-20 11:36:02.191860433 +0100
@@ -511,7 +511,7 @@ bn_mul_comba4:
lghi zero,0
mul_add_c(0,0,c1,c2,c3);
- stg c1,0*8(%r3)
+ stg c1,0*8(%r2)
lghi c1,0
mul_add_c(0,1,c2,c3,c1);
diff -up openssl-1.1.1c/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/cmac/cm_pmeth.c
--- openssl-1.1.1c/crypto/cmac/cm_pmeth.c.s390x-ecc 2019-11-20 11:36:02.078862415 +0100
+++ openssl-1.1.1c/crypto/cmac/cm_pmeth.c 2019-11-20 11:36:02.191860433 +0100
diff -up openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/cmac/cm_pmeth.c
--- openssl-1.1.1g/crypto/cmac/cm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200
+++ openssl-1.1.1g/crypto/cmac/cm_pmeth.c 2020-05-18 12:45:42.661249957 +0200
@@ -159,3 +159,8 @@ const EVP_PKEY_METHOD cmac_pkey_meth = {
pkey_cmac_ctrl,
pkey_cmac_ctrl_str
@ -46,9 +34,9 @@ diff -up openssl-1.1.1c/crypto/cmac/cm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/c
+{
+ return &cmac_pkey_meth;
+}
diff -up openssl-1.1.1c/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/dh/dh_pmeth.c
--- openssl-1.1.1c/crypto/dh/dh_pmeth.c.s390x-ecc 2019-11-20 11:36:02.079862397 +0100
+++ openssl-1.1.1c/crypto/dh/dh_pmeth.c 2019-11-20 11:36:02.191860433 +0100
diff -up openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dh/dh_pmeth.c
--- openssl-1.1.1g/crypto/dh/dh_pmeth.c.s390x-ecc 2020-05-18 12:45:40.782233627 +0200
+++ openssl-1.1.1g/crypto/dh/dh_pmeth.c 2020-05-18 12:45:42.661249957 +0200
@@ -512,6 +512,11 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
pkey_dh_ctrl_str
};
@ -70,10 +58,10 @@ diff -up openssl-1.1.1c/crypto/dh/dh_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/dh/
+{
+ return &dhx_pkey_meth;
+}
diff -up openssl-1.1.1c/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/dsa/dsa_pmeth.c
--- openssl-1.1.1c/crypto/dsa/dsa_pmeth.c.s390x-ecc 2019-11-20 11:36:02.100862029 +0100
+++ openssl-1.1.1c/crypto/dsa/dsa_pmeth.c 2019-11-20 11:36:02.191860433 +0100
@@ -275,3 +275,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = {
diff -up openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/dsa/dsa_pmeth.c
--- openssl-1.1.1g/crypto/dsa/dsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.783233636 +0200
+++ openssl-1.1.1g/crypto/dsa/dsa_pmeth.c 2020-05-18 12:45:42.662249966 +0200
@@ -271,3 +271,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = {
pkey_dsa_ctrl,
pkey_dsa_ctrl_str
};
@ -82,9 +70,9 @@ diff -up openssl-1.1.1c/crypto/dsa/dsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/d
+{
+ return &dsa_pkey_meth;
+}
diff -up openssl-1.1.1c/crypto/ec/build.info.s390x-ecc openssl-1.1.1c/crypto/ec/build.info
--- openssl-1.1.1c/crypto/ec/build.info.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/build.info 2019-11-20 11:36:02.192860416 +0100
diff -up openssl-1.1.1g/crypto/ec/build.info.s390x-ecc openssl-1.1.1g/crypto/ec/build.info
--- openssl-1.1.1g/crypto/ec/build.info.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/ec/build.info 2020-05-18 12:45:42.662249966 +0200
@@ -26,6 +26,9 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_n
INCLUDE[ecp_nistz256-armv8.o]=..
GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl $(PERLASM_SCHEME)
@ -95,9 +83,9 @@ diff -up openssl-1.1.1c/crypto/ec/build.info.s390x-ecc openssl-1.1.1c/crypto/ec/
GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl $(PERLASM_SCHEME)
GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl $(PERLASM_SCHEME)
diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec_curve.c
--- openssl-1.1.1c/crypto/ec/ec_curve.c.s390x-ecc 2019-11-20 11:36:02.043863029 +0100
+++ openssl-1.1.1c/crypto/ec/ec_curve.c 2019-11-20 11:36:02.192860416 +0100
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_curve.c
--- openssl-1.1.1g/crypto/ec/ec_curve.c.s390x-ecc 2020-05-18 12:45:40.753233375 +0200
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:45:42.663249975 +0200
@@ -255,20 +255,29 @@ static const ec_list_element curve_list[
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
"SECG curve over a 256 bit prime field"},
@ -136,9 +124,9 @@ diff -up openssl-1.1.1c/crypto/ec/ec_curve.c.s390x-ecc openssl-1.1.1c/crypto/ec/
EC_GFp_nistp256_method,
#else
0,
diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecdsa_ossl.c
--- openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc 2019-11-20 11:36:02.100862029 +0100
+++ openssl-1.1.1c/crypto/ec/ecdsa_ossl.c 2019-11-20 11:36:02.192860416 +0100
diff -up openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecdsa_ossl.c
--- openssl-1.1.1g/crypto/ec/ecdsa_ossl.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200
+++ openssl-1.1.1g/crypto/ec/ecdsa_ossl.c 2020-05-18 12:45:42.664249983 +0200
@@ -18,6 +18,41 @@
# include <openssl/fips.h>
#endif
@ -181,7 +169,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
@@ -145,15 +180,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke
@@ -149,15 +184,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke
return ret;
}
@ -202,7 +190,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
{
int ok = 0, i;
BIGNUM *kinv = NULL, *s, *m = NULL;
@@ -210,25 +245,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
@@ -218,25 +253,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
if (8 * dgst_len > i)
dgst_len = (i + 7) / 8;
if (!BN_bin2bn(dgst, dgst_len, m)) {
@ -232,7 +220,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
}
@@ -242,11 +277,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
@@ -250,11 +285,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
*/
if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
|| !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
@ -246,7 +234,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
/*
@@ -255,7 +290,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
@@ -263,7 +298,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
*/
if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
|| !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
@ -255,7 +243,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
@@ -265,7 +300,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
@@ -273,7 +308,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
* generate new kinv and r values
*/
if (in_kinv != NULL && in_r != NULL) {
@ -264,7 +252,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
} else {
@@ -317,8 +352,8 @@ int ossl_ecdsa_verify(int type, const un
@@ -325,8 +360,8 @@ int ossl_ecdsa_verify(int type, const un
return ret;
}
@ -275,7 +263,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
{
int ret = -1, i;
BN_CTX *ctx;
@@ -338,18 +373,18 @@ int ossl_ecdsa_verify_sig(const unsigned
@@ -346,18 +381,18 @@ int ossl_ecdsa_verify_sig(const unsigned
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
@ -297,7 +285,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
return -1;
}
BN_CTX_start(ctx);
@@ -358,26 +393,26 @@ int ossl_ecdsa_verify_sig(const unsigned
@@ -366,26 +401,26 @@ int ossl_ecdsa_verify_sig(const unsigned
m = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
if (X == NULL) {
@ -328,7 +316,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
/* digest -> m */
@@ -388,41 +423,41 @@ int ossl_ecdsa_verify_sig(const unsigned
@@ -396,41 +431,41 @@ int ossl_ecdsa_verify_sig(const unsigned
if (8 * dgst_len > i)
dgst_len = (i + 7) / 8;
if (!BN_bin2bn(dgst, dgst_len, m)) {
@ -378,9 +366,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecdsa_ossl.c.s390x-ecc openssl-1.1.1c/crypto/e
goto err;
}
/* if the signature is correct u1 is equal to sig->r */
diff -up openssl-1.1.1c/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec_err.c
--- openssl-1.1.1c/crypto/ec/ec_err.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ec_err.c 2019-11-20 11:36:02.192860416 +0100
diff -up openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_err.c
--- openssl-1.1.1g/crypto/ec/ec_err.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/ec/ec_err.c 2020-05-18 12:45:42.664249983 +0200
@@ -31,6 +31,11 @@ static const ERR_STRING_DATA EC_str_func
{ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"},
{ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"},
@ -423,18 +411,9 @@ diff -up openssl-1.1.1c/crypto/ec/ec_err.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING),
"curve does not support signing"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE),
diff -up openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc openssl-1.1.1c/crypto/ec/ec_lcl.h
--- openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc 2019-11-20 11:36:01.676869466 +0100
+++ openssl-1.1.1c/crypto/ec/ec_lcl.h 2019-11-20 11:36:02.192860416 +0100
@@ -154,7 +154,7 @@ struct ec_method_st {
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
/*-
- * 'field_inv' computes the multipicative inverse of a in the field,
+ * 'field_inv' computes the multiplicative inverse of a in the field,
* storing the result in r.
*
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
diff -up openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc openssl-1.1.1g/crypto/ec/ec_local.h
--- openssl-1.1.1g/crypto/ec/ec_local.h.s390x-ecc 2020-05-18 12:45:40.554231646 +0200
+++ openssl-1.1.1g/crypto/ec/ec_local.h 2020-05-18 12:45:44.564266496 +0200
@@ -179,6 +179,14 @@ struct ec_method_st {
/* custom ECDH operation */
int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
@ -462,7 +441,7 @@ diff -up openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc openssl-1.1.1c/crypto/ec/ec
size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
unsigned char *buf, size_t len);
@@ -649,6 +662,13 @@ int ossl_ecdsa_verify(int type, const un
@@ -651,6 +664,13 @@ int ossl_ecdsa_verify(int type, const un
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey);
@ -476,9 +455,9 @@ diff -up openssl-1.1.1c/crypto/ec/ec_lcl.h.s390x-ecc openssl-1.1.1c/crypto/ec/ec
int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
const uint8_t public_key[32], const uint8_t private_key[32]);
diff -up openssl-1.1.1c/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/ec/ec_pmeth.c
--- openssl-1.1.1c/crypto/ec/ec_pmeth.c.s390x-ecc 2019-11-20 11:36:02.101862012 +0100
+++ openssl-1.1.1c/crypto/ec/ec_pmeth.c 2019-11-20 11:36:02.193860398 +0100
diff -up openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ec_pmeth.c
--- openssl-1.1.1g/crypto/ec/ec_pmeth.c.s390x-ecc 2020-05-18 12:45:40.784233644 +0200
+++ openssl-1.1.1g/crypto/ec/ec_pmeth.c 2020-05-18 12:45:44.565266505 +0200
@@ -474,3 +474,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = {
pkey_ec_ctrl,
pkey_ec_ctrl_str
@ -488,9 +467,9 @@ diff -up openssl-1.1.1c/crypto/ec/ec_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/ec/
+{
+ return &ec_pkey_meth;
+}
diff -up openssl-1.1.1c/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_mont.c
--- openssl-1.1.1c/crypto/ec/ecp_mont.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ecp_mont.c 2019-11-20 11:36:02.193860398 +0100
diff -up openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_mont.c
--- openssl-1.1.1g/crypto/ec/ecp_mont.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/ec/ecp_mont.c 2020-05-18 12:45:44.567266523 +0200
@@ -63,6 +63,9 @@ const EC_METHOD *EC_GFp_mont_method(void
0, /* keycopy */
0, /* keyfinish */
@ -501,9 +480,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_mont.c.s390x-ecc openssl-1.1.1c/crypto/ec/
0, /* field_inverse_mod_ord */
ec_GFp_simple_blind_coordinates,
ec_GFp_simple_ladder_pre,
diff -up openssl-1.1.1c/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nist.c
--- openssl-1.1.1c/crypto/ec/ecp_nist.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ecp_nist.c 2019-11-20 11:36:02.193860398 +0100
diff -up openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nist.c
--- openssl-1.1.1g/crypto/ec/ecp_nist.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/ec/ecp_nist.c 2020-05-18 12:45:44.567266523 +0200
@@ -65,6 +65,9 @@ const EC_METHOD *EC_GFp_nist_method(void
0, /* keycopy */
0, /* keyfinish */
@ -514,9 +493,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nist.c.s390x-ecc openssl-1.1.1c/crypto/ec/
0, /* field_inverse_mod_ord */
ec_GFp_simple_blind_coordinates,
ec_GFp_simple_ladder_pre,
diff -up openssl-1.1.1c/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistp224.c
--- openssl-1.1.1c/crypto/ec/ecp_nistp224.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ecp_nistp224.c 2019-11-20 11:36:02.193860398 +0100
diff -up openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp224.c
--- openssl-1.1.1g/crypto/ec/ecp_nistp224.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/ec/ecp_nistp224.c 2020-05-18 12:45:44.568266531 +0200
@@ -292,6 +292,9 @@ const EC_METHOD *EC_GFp_nistp224_method(
0, /* keycopy */
0, /* keyfinish */
@ -527,10 +506,10 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nistp224.c.s390x-ecc openssl-1.1.1c/crypto
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
diff -up openssl-1.1.1c/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistp256.c
--- openssl-1.1.1c/crypto/ec/ecp_nistp256.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ecp_nistp256.c 2019-11-20 11:36:02.194860380 +0100
@@ -1823,6 +1823,9 @@ const EC_METHOD *EC_GFp_nistp256_method(
diff -up openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp256.c
--- openssl-1.1.1g/crypto/ec/ecp_nistp256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/ec/ecp_nistp256.c 2020-05-18 12:45:44.568266531 +0200
@@ -1829,6 +1829,9 @@ const EC_METHOD *EC_GFp_nistp256_method(
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
@ -540,10 +519,10 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nistp256.c.s390x-ecc openssl-1.1.1c/crypto
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
diff -up openssl-1.1.1c/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistp521.c
--- openssl-1.1.1c/crypto/ec/ecp_nistp521.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ecp_nistp521.c 2019-11-20 11:36:02.194860380 +0100
@@ -1665,6 +1665,9 @@ const EC_METHOD *EC_GFp_nistp521_method(
diff -up openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistp521.c
--- openssl-1.1.1g/crypto/ec/ecp_nistp521.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/ec/ecp_nistp521.c 2020-05-18 12:45:44.569266540 +0200
@@ -1669,6 +1669,9 @@ const EC_METHOD *EC_GFp_nistp521_method(
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
@ -553,10 +532,10 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nistp521.c.s390x-ecc openssl-1.1.1c/crypto
0, /* field_inverse_mod_ord */
0, /* blind_coordinates */
0, /* ladder_pre */
diff -up openssl-1.1.1c/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_nistz256.c
--- openssl-1.1.1c/crypto/ec/ecp_nistz256.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ecp_nistz256.c 2019-11-20 11:36:02.195860363 +0100
@@ -1689,6 +1689,9 @@ const EC_METHOD *EC_GFp_nistz256_method(
diff -up openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_nistz256.c
--- openssl-1.1.1g/crypto/ec/ecp_nistz256.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/ec/ecp_nistz256.c 2020-05-18 12:45:44.570266549 +0200
@@ -1720,6 +1720,9 @@ const EC_METHOD *EC_GFp_nistz256_method(
0, /* keycopy */
0, /* keyfinish */
ecdh_simple_compute_key,
@ -566,9 +545,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_nistz256.c.s390x-ecc openssl-1.1.1c/crypto
ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */
0, /* blind_coordinates */
0, /* ladder_pre */
diff -up openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c
--- openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc 2019-11-20 11:36:02.195860363 +0100
+++ openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c 2019-11-20 11:36:02.195860363 +0100
diff -up openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c
--- openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c.s390x-ecc 2020-05-18 12:45:44.571266557 +0200
+++ openssl-1.1.1g/crypto/ec/ecp_s390x_nistp.c 2020-05-18 12:45:44.571266557 +0200
@@ -0,0 +1,394 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@ -583,7 +562,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1c/cry
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include "ec_lcl.h"
+#include "ec_local.h"
+#include "s390x_arch.h"
+
+/* Size of parameter blocks */
@ -964,9 +943,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_s390x_nistp.c.s390x-ecc openssl-1.1.1c/cry
+EC_GFP_S390X_NISTP_METHOD(256)
+EC_GFP_S390X_NISTP_METHOD(384)
+EC_GFP_S390X_NISTP_METHOD(521)
diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecp_smpl.c
--- openssl-1.1.1c/crypto/ec/ecp_smpl.c.s390x-ecc 2019-11-20 11:36:02.066862626 +0100
+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-11-20 11:36:02.195860363 +0100
diff -up openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecp_smpl.c
--- openssl-1.1.1g/crypto/ec/ecp_smpl.c.s390x-ecc 2020-05-18 12:45:40.769233514 +0200
+++ openssl-1.1.1g/crypto/ec/ecp_smpl.c 2020-05-18 12:45:44.572266566 +0200
@@ -64,6 +64,9 @@ const EC_METHOD *EC_GFp_simple_method(vo
0, /* keycopy */
0, /* keyfinish */
@ -977,9 +956,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.s390x-ecc openssl-1.1.1c/crypto/ec/
0, /* field_inverse_mod_ord */
ec_GFp_simple_blind_coordinates,
ec_GFp_simple_ladder_pre,
diff -up openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1c/crypto/ec/ecx_meth.c
--- openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/ec/ecx_meth.c 2019-11-20 11:36:02.196860345 +0100
diff -up openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1g/crypto/ec/ecx_meth.c
--- openssl-1.1.1g/crypto/ec/ecx_meth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/ec/ecx_meth.c 2020-05-18 12:45:44.573266575 +0200
@@ -20,6 +20,7 @@
#define X25519_BITS 253
#define X25519_SECURITY_BITS 128
@ -995,7 +974,7 @@ diff -up openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1c/crypto/ec/
+
+#ifdef S390X_EC_ASM
+# include "s390x_arch.h"
+# include "internal/constant_time_locl.h"
+# include "internal/constant_time.h"
+
+static void s390x_x25519_mod_p(unsigned char u[32])
+{
@ -1655,10 +1634,10 @@ diff -up openssl-1.1.1c/crypto/ec/ecx_meth.c.s390x-ecc openssl-1.1.1c/crypto/ec/
+#endif
+ return &ed448_pkey_meth;
+}
diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/err/openssl.txt
--- openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc 2019-11-20 11:36:02.158861012 +0100
+++ openssl-1.1.1c/crypto/err/openssl.txt 2019-11-20 11:36:02.196860345 +0100
@@ -495,6 +495,11 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex
diff -up openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1g/crypto/err/openssl.txt
--- openssl-1.1.1g/crypto/err/openssl.txt.s390x-ecc 2020-05-18 12:45:40.834234079 +0200
+++ openssl-1.1.1g/crypto/err/openssl.txt 2020-05-18 12:45:44.575266592 +0200
@@ -496,6 +496,11 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex
EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup
EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new
EC_F_ECDSA_VERIFY:253:ECDSA_verify
@ -1670,7 +1649,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/e
EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify
EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type
EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode
@@ -656,6 +661,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_
@@ -657,6 +662,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_
EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey
EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode
EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key
@ -1678,7 +1657,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/e
EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig
EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig
EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl
@@ -671,6 +677,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_
@@ -672,6 +678,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_
EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen
EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen
EC_F_PKEY_EC_SIGN:218:pkey_ec_sign
@ -1691,7 +1670,7 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/e
EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive
ENGINE_F_DIGEST_UPDATE:198:digest_update
ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl
@@ -2149,6 +2161,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma
@@ -2160,6 +2172,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma
EC_R_CANNOT_INVERT:165:cannot invert
EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range
EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
@ -1699,11 +1678,11 @@ diff -up openssl-1.1.1c/crypto/err/openssl.txt.s390x-ecc openssl-1.1.1c/crypto/e
EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure
EC_R_DECODE_ERROR:142:decode error
diff -up openssl-1.1.1c/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1c/crypto/evp/pmeth_lib.c
--- openssl-1.1.1c/crypto/evp/pmeth_lib.c.s390x-ecc 2019-11-20 11:36:02.105861942 +0100
+++ openssl-1.1.1c/crypto/evp/pmeth_lib.c 2019-11-20 11:36:02.197860328 +0100
diff -up openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1g/crypto/evp/pmeth_lib.c
--- openssl-1.1.1g/crypto/evp/pmeth_lib.c.s390x-ecc 2020-05-18 12:45:40.787233671 +0200
+++ openssl-1.1.1g/crypto/evp/pmeth_lib.c 2020-05-18 12:45:44.576266601 +0200
@@ -17,60 +17,67 @@
#include "internal/evp_int.h"
#include "crypto/evp.h"
#include "internal/numbers.h"
+typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void);
@ -1833,9 +1812,9 @@ diff -up openssl-1.1.1c/crypto/evp/pmeth_lib.c.s390x-ecc openssl-1.1.1c/crypto/e
if (app_pkey_methods == NULL)
return NULL;
idx -= OSSL_NELEM(standard_methods);
diff -up openssl-1.1.1c/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/hmac/hm_pmeth.c
--- openssl-1.1.1c/crypto/hmac/hm_pmeth.c.s390x-ecc 2019-11-20 11:36:02.115861766 +0100
+++ openssl-1.1.1c/crypto/hmac/hm_pmeth.c 2019-11-20 11:36:02.197860328 +0100
diff -up openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/hmac/hm_pmeth.c
--- openssl-1.1.1g/crypto/hmac/hm_pmeth.c.s390x-ecc 2020-05-18 12:45:40.796233749 +0200
+++ openssl-1.1.1g/crypto/hmac/hm_pmeth.c 2020-05-18 12:45:44.576266601 +0200
@@ -210,3 +210,8 @@ const EVP_PKEY_METHOD hmac_pkey_meth = {
pkey_hmac_ctrl,
pkey_hmac_ctrl_str
@ -1845,35 +1824,9 @@ diff -up openssl-1.1.1c/crypto/hmac/hm_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/h
+{
+ return &hmac_pkey_meth;
+}
diff -up openssl-1.1.1c/crypto/include/internal/evp_int.h.s390x-ecc openssl-1.1.1c/crypto/include/internal/evp_int.h
--- openssl-1.1.1c/crypto/include/internal/evp_int.h.s390x-ecc 2019-11-20 11:36:02.158861012 +0100
+++ openssl-1.1.1c/crypto/include/internal/evp_int.h 2019-11-20 11:36:02.197860328 +0100
@@ -459,3 +459,22 @@ void evp_encode_ctx_set_flags(EVP_ENCODE
#define EVP_ENCODE_CTX_NO_NEWLINES 1
/* Use the SRP base64 alphabet instead of the standard one */
#define EVP_ENCODE_CTX_USE_SRP_ALPHABET 2
+
+const EVP_PKEY_METHOD *cmac_pkey_method(void);
+const EVP_PKEY_METHOD *dh_pkey_method(void);
+const EVP_PKEY_METHOD *dhx_pkey_method(void);
+const EVP_PKEY_METHOD *dsa_pkey_method(void);
+const EVP_PKEY_METHOD *ec_pkey_method(void);
+const EVP_PKEY_METHOD *sm2_pkey_method(void);
+const EVP_PKEY_METHOD *ecx25519_pkey_method(void);
+const EVP_PKEY_METHOD *ecx448_pkey_method(void);
+const EVP_PKEY_METHOD *ed25519_pkey_method(void);
+const EVP_PKEY_METHOD *ed448_pkey_method(void);
+const EVP_PKEY_METHOD *hmac_pkey_method(void);
+const EVP_PKEY_METHOD *rsa_pkey_method(void);
+const EVP_PKEY_METHOD *rsa_pss_pkey_method(void);
+const EVP_PKEY_METHOD *scrypt_pkey_method(void);
+const EVP_PKEY_METHOD *tls1_prf_pkey_method(void);
+const EVP_PKEY_METHOD *hkdf_pkey_method(void);
+const EVP_PKEY_METHOD *poly1305_pkey_method(void);
+const EVP_PKEY_METHOD *siphash_pkey_method(void);
diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1c/crypto/kdf/hkdf.c
--- openssl-1.1.1c/crypto/kdf/hkdf.c.s390x-ecc 2019-11-20 11:36:02.148861187 +0100
+++ openssl-1.1.1c/crypto/kdf/hkdf.c 2019-11-20 11:36:02.198860310 +0100
diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/hkdf.c
--- openssl-1.1.1g/crypto/kdf/hkdf.c.s390x-ecc 2020-05-18 12:45:40.826234009 +0200
+++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:45:44.577266609 +0200
@@ -233,6 +233,11 @@ const EVP_KDF_METHOD hkdf_kdf_meth = {
kdf_hkdf_derive
};
@ -1886,10 +1839,10 @@ diff -up openssl-1.1.1c/crypto/kdf/hkdf.c.s390x-ecc openssl-1.1.1c/crypto/kdf/hk
static int HKDF(const EVP_MD *evp_md,
const unsigned char *salt, size_t salt_len,
const unsigned char *key, size_t key_len,
diff -up openssl-1.1.1c/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1c/crypto/kdf/scrypt.c
--- openssl-1.1.1c/crypto/kdf/scrypt.c.s390x-ecc 2019-11-20 11:36:02.149861170 +0100
+++ openssl-1.1.1c/crypto/kdf/scrypt.c 2019-11-20 11:36:02.198860310 +0100
@@ -503,4 +503,9 @@ static int scrypt_alg(const char *pass,
diff -up openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1g/crypto/kdf/scrypt.c
--- openssl-1.1.1g/crypto/kdf/scrypt.c.s390x-ecc 2020-05-18 12:45:40.827234018 +0200
+++ openssl-1.1.1g/crypto/kdf/scrypt.c 2020-05-18 12:45:44.578266618 +0200
@@ -504,4 +504,9 @@ static int scrypt_alg(const char *pass,
return rv;
}
@ -1899,9 +1852,9 @@ diff -up openssl-1.1.1c/crypto/kdf/scrypt.c.s390x-ecc openssl-1.1.1c/crypto/kdf/
+}
+
#endif
diff -up openssl-1.1.1c/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1c/crypto/kdf/tls1_prf.c
--- openssl-1.1.1c/crypto/kdf/tls1_prf.c.s390x-ecc 2019-11-20 11:36:02.149861170 +0100
+++ openssl-1.1.1c/crypto/kdf/tls1_prf.c 2019-11-20 11:36:02.198860310 +0100
diff -up openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1g/crypto/kdf/tls1_prf.c
--- openssl-1.1.1g/crypto/kdf/tls1_prf.c.s390x-ecc 2020-05-18 12:45:40.828234027 +0200
+++ openssl-1.1.1g/crypto/kdf/tls1_prf.c 2020-05-18 12:45:44.578266618 +0200
@@ -168,6 +168,11 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth =
kdf_tls1_prf_derive
};
@ -1914,9 +1867,9 @@ diff -up openssl-1.1.1c/crypto/kdf/tls1_prf.c.s390x-ecc openssl-1.1.1c/crypto/kd
static int tls1_prf_P_hash(const EVP_MD *md,
const unsigned char *sec, size_t sec_len,
const unsigned char *seed, size_t seed_len,
diff -up openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c
--- openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c 2019-11-20 11:36:02.199860293 +0100
diff -up openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c
--- openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/poly1305/poly1305_pmeth.c 2020-05-18 12:45:44.579266627 +0200
@@ -192,3 +192,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth
pkey_poly1305_ctrl,
pkey_poly1305_ctrl_str
@ -1926,9 +1879,9 @@ diff -up openssl-1.1.1c/crypto/poly1305/poly1305_pmeth.c.s390x-ecc openssl-1.1.1
+{
+ return &poly1305_pkey_meth;
+}
diff -up openssl-1.1.1c/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/rsa/rsa_pmeth.c
--- openssl-1.1.1c/crypto/rsa/rsa_pmeth.c.s390x-ecc 2019-11-20 11:36:02.117861731 +0100
+++ openssl-1.1.1c/crypto/rsa/rsa_pmeth.c 2019-11-20 11:36:02.199860293 +0100
diff -up openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/rsa/rsa_pmeth.c
--- openssl-1.1.1g/crypto/rsa/rsa_pmeth.c.s390x-ecc 2020-05-18 12:45:40.798233766 +0200
+++ openssl-1.1.1g/crypto/rsa/rsa_pmeth.c 2020-05-18 12:45:44.580266635 +0200
@@ -789,6 +789,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
pkey_rsa_ctrl_str
};
@ -1950,9 +1903,9 @@ diff -up openssl-1.1.1c/crypto/rsa/rsa_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/r
+{
+ return &rsa_pss_pkey_meth;
+}
diff -up openssl-1.1.1c/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1c/crypto/s390x_arch.h
--- openssl-1.1.1c/crypto/s390x_arch.h.s390x-ecc 2019-11-20 11:36:01.867866116 +0100
+++ openssl-1.1.1c/crypto/s390x_arch.h 2019-11-20 11:36:02.199860293 +0100
diff -up openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1g/crypto/s390x_arch.h
--- openssl-1.1.1g/crypto/s390x_arch.h.s390x-ecc 2020-05-18 12:45:40.603232072 +0200
+++ openssl-1.1.1g/crypto/s390x_arch.h 2020-05-18 12:45:44.580266635 +0200
@@ -26,6 +26,12 @@ void s390x_kmf(const unsigned char *in,
unsigned int fc, void *param);
void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in,
@ -2023,9 +1976,9 @@ diff -up openssl-1.1.1c/crypto/s390x_arch.h.s390x-ecc openssl-1.1.1c/crypto/s390
+# define S390X_KDSA_D 0x80
#endif
diff -up openssl-1.1.1c/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1c/crypto/s390xcpuid.pl
--- openssl-1.1.1c/crypto/s390xcpuid.pl.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/s390xcpuid.pl 2019-11-20 11:36:02.199860293 +0100
diff -up openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1g/crypto/s390xcpuid.pl
--- openssl-1.1.1g/crypto/s390xcpuid.pl.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/s390xcpuid.pl 2020-05-18 12:45:44.581266644 +0200
@@ -58,6 +58,10 @@ OPENSSL_s390x_facilities:
stg %r0,S390X_PRNO+8(%r4)
stg %r0,S390X_KMA(%r4)
@ -2195,9 +2148,9 @@ diff -up openssl-1.1.1c/crypto/s390xcpuid.pl.s390x-ecc openssl-1.1.1c/crypto/s39
$code.=<<___;
.section .init
brasl $ra,OPENSSL_cpuid_setup
diff -up openssl-1.1.1c/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/siphash/siphash_pmeth.c
--- openssl-1.1.1c/crypto/siphash/siphash_pmeth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/siphash/siphash_pmeth.c 2019-11-20 11:36:02.200860275 +0100
diff -up openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/siphash/siphash_pmeth.c
--- openssl-1.1.1g/crypto/siphash/siphash_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/siphash/siphash_pmeth.c 2020-05-18 12:45:44.581266644 +0200
@@ -203,3 +203,8 @@ const EVP_PKEY_METHOD siphash_pkey_meth
pkey_siphash_ctrl,
pkey_siphash_ctrl_str
@ -2207,10 +2160,10 @@ diff -up openssl-1.1.1c/crypto/siphash/siphash_pmeth.c.s390x-ecc openssl-1.1.1c/
+{
+ return &siphash_pkey_meth;
+}
diff -up openssl-1.1.1c/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/sm2/sm2_pmeth.c
--- openssl-1.1.1c/crypto/sm2/sm2_pmeth.c.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/sm2/sm2_pmeth.c 2019-11-20 11:36:02.200860275 +0100
@@ -323,3 +323,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = {
diff -up openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1g/crypto/sm2/sm2_pmeth.c
--- openssl-1.1.1g/crypto/sm2/sm2_pmeth.c.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/sm2/sm2_pmeth.c 2020-05-18 12:45:44.582266653 +0200
@@ -327,3 +327,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = {
pkey_sm2_digest_custom
};
@ -2219,10 +2172,36 @@ diff -up openssl-1.1.1c/crypto/sm2/sm2_pmeth.c.s390x-ecc openssl-1.1.1c/crypto/s
+{
+ return &sm2_pkey_meth;
+}
diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.s390x-ecc openssl-1.1.1c/include/internal/constant_time_locl.h
--- openssl-1.1.1c/include/internal/constant_time_locl.h.s390x-ecc 2019-11-20 11:36:02.176860696 +0100
+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-11-20 11:36:02.200860275 +0100
@@ -347,6 +347,34 @@ static ossl_inline void constant_time_co
diff -up openssl-1.1.1g/include/crypto/evp.h.s390x-ecc openssl-1.1.1g/include/crypto/evp.h
--- openssl-1.1.1g/include/crypto/evp.h.s390x-ecc 2020-05-18 12:45:40.834234079 +0200
+++ openssl-1.1.1g/include/crypto/evp.h 2020-05-18 12:45:44.577266609 +0200
@@ -459,3 +459,22 @@ void evp_encode_ctx_set_flags(EVP_ENCODE
#define EVP_ENCODE_CTX_NO_NEWLINES 1
/* Use the SRP base64 alphabet instead of the standard one */
#define EVP_ENCODE_CTX_USE_SRP_ALPHABET 2
+
+const EVP_PKEY_METHOD *cmac_pkey_method(void);
+const EVP_PKEY_METHOD *dh_pkey_method(void);
+const EVP_PKEY_METHOD *dhx_pkey_method(void);
+const EVP_PKEY_METHOD *dsa_pkey_method(void);
+const EVP_PKEY_METHOD *ec_pkey_method(void);
+const EVP_PKEY_METHOD *sm2_pkey_method(void);
+const EVP_PKEY_METHOD *ecx25519_pkey_method(void);
+const EVP_PKEY_METHOD *ecx448_pkey_method(void);
+const EVP_PKEY_METHOD *ed25519_pkey_method(void);
+const EVP_PKEY_METHOD *ed448_pkey_method(void);
+const EVP_PKEY_METHOD *hmac_pkey_method(void);
+const EVP_PKEY_METHOD *rsa_pkey_method(void);
+const EVP_PKEY_METHOD *rsa_pss_pkey_method(void);
+const EVP_PKEY_METHOD *scrypt_pkey_method(void);
+const EVP_PKEY_METHOD *tls1_prf_pkey_method(void);
+const EVP_PKEY_METHOD *hkdf_pkey_method(void);
+const EVP_PKEY_METHOD *poly1305_pkey_method(void);
+const EVP_PKEY_METHOD *siphash_pkey_method(void);
diff -up openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc openssl-1.1.1g/include/internal/constant_time.h
--- openssl-1.1.1g/include/internal/constant_time.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/include/internal/constant_time.h 2020-05-18 12:45:44.582266653 +0200
@@ -353,6 +353,34 @@ static ossl_inline void constant_time_co
}
/*
@ -2257,10 +2236,10 @@ diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.s390x-ecc openssl-
* table is a two dimensional array of bytes. Each row has rowsize elements.
* Copies row number idx into out. rowsize and numrows are not considered
* private.
diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include/openssl/ecerr.h
--- openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/include/openssl/ecerr.h 2019-11-20 11:36:02.200860275 +0100
@@ -38,6 +38,11 @@ int ERR_load_EC_strings(void);
diff -up openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1g/include/openssl/ecerr.h
--- openssl-1.1.1g/include/openssl/ecerr.h.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/include/openssl/ecerr.h 2020-05-18 12:45:44.583266662 +0200
@@ -42,6 +42,11 @@ int ERR_load_EC_strings(void);
# define EC_F_ECDSA_SIGN_SETUP 248
# define EC_F_ECDSA_SIG_NEW 265
# define EC_F_ECDSA_VERIFY 253
@ -2272,7 +2251,7 @@ diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include
# define EC_F_ECD_ITEM_VERIFY 270
# define EC_F_ECKEY_PARAM2TYPE 223
# define EC_F_ECKEY_PARAM_DECODE 212
@@ -181,6 +186,7 @@ int ERR_load_EC_strings(void);
@@ -185,6 +190,7 @@ int ERR_load_EC_strings(void);
# define EC_F_O2I_ECPUBLICKEY 152
# define EC_F_OLD_EC_PRIV_DECODE 222
# define EC_F_OSSL_ECDH_COMPUTE_KEY 247
@ -2280,7 +2259,7 @@ diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include
# define EC_F_OSSL_ECDSA_SIGN_SIG 249
# define EC_F_OSSL_ECDSA_VERIFY_SIG 250
# define EC_F_PKEY_ECD_CTRL 271
@@ -196,6 +202,12 @@ int ERR_load_EC_strings(void);
@@ -200,6 +206,12 @@ int ERR_load_EC_strings(void);
# define EC_F_PKEY_EC_KEYGEN 199
# define EC_F_PKEY_EC_PARAMGEN 219
# define EC_F_PKEY_EC_SIGN 218
@ -2293,7 +2272,7 @@ diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include
# define EC_F_VALIDATE_ECX_DERIVE 278
/*
@@ -208,6 +220,7 @@ int ERR_load_EC_strings(void);
@@ -212,6 +224,7 @@ int ERR_load_EC_strings(void);
# define EC_R_CANNOT_INVERT 165
# define EC_R_COORDINATES_OUT_OF_RANGE 146
# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160
@ -2301,9 +2280,9 @@ diff -up openssl-1.1.1c/include/openssl/ecerr.h.s390x-ecc openssl-1.1.1c/include
# define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159
# define EC_R_D2I_ECPKPARAMETERS_FAILURE 117
# define EC_R_DECODE_ERROR 142
diff -up openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt
--- openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/test/recipes/30-test_evp_data/evppkey.txt 2019-11-20 11:36:02.203860223 +0100
diff -up openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt
--- openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt.s390x-ecc 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/test/recipes/30-test_evp_data/evppkey.txt 2020-05-18 12:45:44.590266722 +0200
@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb
PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw


@ -1,13 +1,6 @@
diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl
--- openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl 2019-05-06 10:54:00.035367605 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
diff -up openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl
--- openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl.s390x-update 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl 2020-03-19 16:45:05.483440129 +0100
@@ -20,41 +20,53 @@
#
# 3 times faster than compiler-generated code.
@ -472,7 +465,7 @@ diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1
+ vsldb (@b[$_],@b[$_],@b[$_],$odd?12:4) for (0..5);
+ vsldb (@d[$_],@d[$_],@d[$_],$odd?4:12) for (0..5);
}
-close STDOUT;
-close STDOUT or die "error closing STDOUT: $!";
+
+PERLASM_BEGIN($output);
+
@ -1290,9 +1283,9 @@ diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1
+ALIGN (4);
+
+PERLASM_END();
diff -up openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1b/crypto/perlasm/s390x.pm
--- openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update 2019-05-06 10:54:00.037367571 +0200
+++ openssl-1.1.1b/crypto/perlasm/s390x.pm 2019-05-06 10:54:00.038367554 +0200
diff -up openssl-1.1.1e/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1e/crypto/perlasm/s390x.pm
--- openssl-1.1.1e/crypto/perlasm/s390x.pm.s390x-update 2020-03-19 16:20:22.039227394 +0100
+++ openssl-1.1.1e/crypto/perlasm/s390x.pm 2020-03-19 16:20:22.039227394 +0100
@@ -0,0 +1,3060 @@
+#!/usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -4354,9 +4347,9 @@ diff -up openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1b/cryp
+}
+
+1;
diff -up openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl
--- openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update 2019-02-26 15:15:30.000000000 +0100
+++ openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl 2019-05-06 10:54:00.036367588 +0200
diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl
--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update 2020-03-19 16:20:22.041227359 +0100
+++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl 2020-03-19 16:23:22.364098257 +0100
@@ -24,204 +24,961 @@
#
# On side note, z13 enables vector base 2^26 implementation...
@ -5494,11 +5487,11 @@ diff -up openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update opens
+STRING ("\"Poly1305 for s390x, CRYPTOGAMS by <appro\@openssl.org>\"");
-print $code;
-close STDOUT;
-close STDOUT or die "error closing STDOUT: $!";
+PERLASM_END();
diff -up openssl-1.1.1b/crypto/poly1305/build.info.s390x-update openssl-1.1.1b/crypto/poly1305/build.info
--- openssl-1.1.1b/crypto/poly1305/build.info.s390x-update 2019-05-06 10:54:00.036367588 +0200
+++ openssl-1.1.1b/crypto/poly1305/build.info 2019-05-06 10:56:14.964105164 +0200
diff -up openssl-1.1.1e/crypto/poly1305/build.info.s390x-update openssl-1.1.1e/crypto/poly1305/build.info
--- openssl-1.1.1e/crypto/poly1305/build.info.s390x-update 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/poly1305/build.info 2020-03-19 16:20:22.042227342 +0100
@@ -18,6 +18,7 @@ INCLUDE[poly1305-armv8.o]=..
GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME)
INCLUDE[poly1305-mips.o]=..


@ -1,7 +1,7 @@
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 14:34:43.083145020 +0200
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200
@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
}
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
@ -9,20 +9,23 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
/*
@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
return 0;
-
- return secbits >= minbits_table[level - 1];
+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
+ if (FIPS_mode())
+ /*
+ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
+ * disable SHA1 flag is not set.
+ */
+ if ((ctx->param->flags & 0x40000000) || FIPS_mode())
+ return secbits >= minbits_table[level - 1];
+ return secbits >= minbits_digest_table[level - 1];
}
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 14:34:43.083145020 +0200
diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
=item B<Level 2>
@ -36,23 +39,115 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-
In addition to the level 1 exclusions any cipher suite using RC4 is also
prohibited. SSL version 3 is also not allowed. Compression is disabled.
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200
@@ -27,6 +27,7 @@
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other,
void *ex);
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
static volatile int ssl_x509_store_ctx_idx = -1;
@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
/* Set suite B flags if needed */
- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
+ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
if (!X509_STORE_CTX_set_ex_data
(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
goto end;
@@ -953,12 +954,33 @@ static int ssl_security_default_callback
return 0;
break;
default:
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
+ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
+ break;
if (bits < minbits)
return 0;
}
diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
--- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 14:34:43.084145044 +0200
@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
return 1;
}
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
+{
+ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
+ const CERT *c;
+
+ if (FIPS_mode())
+ return ret;
+
+ if (ctx != NULL) {
+ c = ctx->cert;
+ } else {
+ c = s->cert;
+ }
+ if (tls1_cert_sigalgs_have_sha1(c))
+ return 0;
+ return ret;
+}
+
int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
{
return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200
+++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200
@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
__owur int tls1_process_sigalgs(SSL *s);
__owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
__owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
+int tls1_cert_sigalgs_have_sha1(const CERT *c);
__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
# ifndef OPENSSL_NO_EC
__owur int tls_check_sigalg_curve(const SSL *s, int curve);
diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200
@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
return 0;
}
+static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
+{
+ size_t i;
+
+ for (i = 0; i < sigalgslen; i++, sigalgs++) {
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
+
+ if (lu == NULL)
+ continue;
+ if (lu->hash == NID_sha1)
+ return 1;
+ }
+ return 0;
+}
+
+
+int tls1_cert_sigalgs_have_sha1(const CERT *c)
+{
+ if (c->client_sigalgs != NULL) {
+ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
+ return 1;
+ }
+ if (c->conf_sigalgs != NULL) {
+ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
+ return 1;
+ return 0;
+ }
+ return 1;
+}
+
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
int sig_nid, use_pc_sigalgs = 0;
diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200
@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
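Review bot: The SHA1-disable switch is a bare literal `0x40000000` written independently in two files — `check_sig_level` tests `ctx->param->flags & 0x40000000` and `sha1_disable` starts from `unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */` — with nothing tying the two to each other or to the X509_V_FLAG_* bit allocation, so the next upstream flag that takes that bit would silently change whether SHA1 signatures pass SECLEVEL 2 verification. Define it once in an internal header the two translation units already share and reference the name from both, e.g. `# define X509_V_FLAG_SHA1_DISABLE_INTERNAL 0x40000000 /* constructed name */`, with a comment pointing at the public X509_V_FLAG_* list so whoever allocates the next bit sees the collision. The comment above the new `if ((ctx->param->flags & 0x40000000) || FIPS_mode())` reads as describing the else branch; since that condition selects `minbits_table` and the fall-through selects `minbits_digest_table`, `/* FIPS mode or the disable-SHA1 flag forces the standard table; otherwise use the digest-specific table */` says what the guarded branch does. Both `check_sig_level` and `ssl_security_default_callback` start and end outside their hunks.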


@ -51,10 +51,10 @@ index 05f5cec3a9..811fe727f6 100644
};
DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index a109e561b3..8c313c65ac 100644
--- a/crypto/include/internal/evp_int.h
+++ b/crypto/include/internal/evp_int.h
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -129,6 +129,7 @@ extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
extern const EVP_KDF_METHOD scrypt_kdf_meth;
extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
@ -119,7 +119,7 @@ index 0000000000..24f37cbed4
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+#include "internal/cryptlib.h"
+#include "internal/evp_int.h"
+#include "crypto/evp.h"
+#include "kdf_local.h"
+
+/* See RFC 4253, Section 7.2 */


@ -1,26 +0,0 @@
diff -up openssl-1.1.1c/ssl/record/ssl3_record.c.compliance openssl-1.1.1c/ssl/record/ssl3_record.c
--- openssl-1.1.1c/ssl/record/ssl3_record.c.compliance 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/ssl/record/ssl3_record.c 2019-11-25 13:10:53.890637381 +0100
@@ -559,7 +559,7 @@ int ssl3_get_record(SSL *s)
RECORD_LAYER_reset_read_sequence(&s->rlayer);
return 1;
}
- SSLfatal(s, SSL_AD_DECRYPTION_FAILED, SSL_F_SSL3_GET_RECORD,
+ SSLfatal(s, SSL_AD_BAD_RECORD_MAC, SSL_F_SSL3_GET_RECORD,
SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
return -1;
}
diff -up openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance openssl-1.1.1c/ssl/statem/extensions_srvr.c
--- openssl-1.1.1c/ssl/statem/extensions_srvr.c.compliance 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/ssl/statem/extensions_srvr.c 2019-11-25 13:12:59.329459528 +0100
@@ -1487,6 +1487,10 @@ EXT_RETURN tls_construct_stoc_status_req
unsigned int context, X509 *x,
size_t chainidx)
{
+ /* We don't currently support this extension inside a CertificateRequest */
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
+ return EXT_RETURN_NOT_SENT;
+
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;

View File

@ -1,534 +0,0 @@
diff -up openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync openssl-1.1.1c/crypto/dsa/dsa_ameth.c
--- openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/dsa/dsa_ameth.c 2019-05-29 17:10:39.768187283 +0200
@@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha256;
- return 2;
+ return 1;
default:
return -2;
diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
--- openssl-1.1.1c/crypto/err/err.c.sync 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/crypto/err/err.c 2019-05-29 17:07:13.345793792 +0200
@@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item
}
#ifndef OPENSSL_NO_ERR
-/* A measurement on Linux 2018-11-21 showed about 3.5kib */
-# define SPACE_SYS_STR_REASONS 4 * 1024
+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
+# define SPACE_SYS_STR_REASONS 8 * 1024
# define NUM_SYS_STR_REASONS 127
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
@@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void)
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
- if (str->string == NULL) {
+ /*
+ * If we have used up all the space in strerror_pool,
+ * there's no point in calling openssl_strerror_r()
+ */
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
size_t l = strlen(cur);
str->string = cur;
cnt += l;
- if (cnt > sizeof(strerror_pool))
- cnt = sizeof(strerror_pool);
cur += l;
/*
* VMS has an unusual quirk of adding spaces at the end of
- * some (most? all?) messages. Lets trim them off.
+ * some (most? all?) messages. Lets trim them off.
*/
- while (ossl_isspace(cur[-1])) {
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
cur--;
cnt--;
}
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.sync openssl-1.1.1c/crypto/rand/rand_lib.c
--- openssl-1.1.1c/crypto/rand/rand_lib.c.sync 2019-05-29 17:20:17.175099183 +0200
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-05-30 11:51:20.784850208 +0200
@@ -239,8 +239,9 @@ size_t rand_drbg_get_nonce(RAND_DRBG *dr
struct {
void * instance;
int count;
- } data = { NULL, 0 };
+ } data;
+ memset(&data, 0, sizeof(data));
pool = rand_pool_new(0, min_len, max_len);
if (pool == NULL)
return 0;
From 6c2f347c78a530407b5310497080810094427920 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 17 Apr 2019 11:09:05 +0100
Subject: [PATCH 1/2] Defer sending a KeyUpdate until after pending writes are
complete
If we receive a KeyUpdate message (update requested) from the peer while
we are in the middle of a write, we should defer sending the responding
KeyUpdate message until after the current write is complete. We do this
by waiting to send the KeyUpdate until the next time we write and there is
no pending write data.
This does imply a subtle change in behaviour. Firstly the responding
KeyUpdate message won't be sent straight away as it is now. Secondly if
the peer sends multiple KeyUpdates without us doing any writing then we
will only send one response, as opposed to previously where we sent a
response for each KeyUpdate received.
Fixes #8677
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8773)
(cherry picked from commit feb9e31c40c49de6384dd0413685e9b5a15adc99)
---
ssl/record/rec_layer_s3.c | 7 +++++++
ssl/statem/statem_clnt.c | 6 ------
ssl/statem/statem_lib.c | 7 ++-----
ssl/statem/statem_srvr.c | 6 ------
4 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index b2f97ef905..b65137c332 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -373,6 +373,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
s->rlayer.wnum = 0;
+ /*
+ * If we are supposed to be sending a KeyUpdate then go into init unless we
+ * have writes pending - in which case we should finish doing that first.
+ */
+ if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE)
+ ossl_statem_set_in_init(s, 1);
+
/*
* When writing early data on the server side we could be "in_init" in
* between receiving the EoED and the CF - but we don't want to handle those
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 87800cd835..6410414fb6 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -473,12 +473,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_CR_KEY_UPDATE:
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
- st->hand_state = TLS_ST_CW_KEY_UPDATE;
- return WRITE_TRAN_CONTINUE;
- }
- /* Fall through */
-
case TLS_ST_CW_KEY_UPDATE:
case TLS_ST_CR_SESSION_TICKET:
case TLS_ST_CW_FINISHED:
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index c0482b0a90..2960dafa52 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -645,12 +645,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
/*
* If we get a request for us to update our sending keys too then, we need
* to additionally send a KeyUpdate message. However that message should
- * not also request an update (otherwise we get into an infinite loop). We
- * ignore a request for us to update our sending keys too if we already
- * sent close_notify.
+ * not also request an update (otherwise we get into an infinite loop).
*/
- if (updatetype == SSL_KEY_UPDATE_REQUESTED
- && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
+ if (updatetype == SSL_KEY_UPDATE_REQUESTED)
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
if (!tls13_update_key(s, 0)) {
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d454326a99..04a23320fc 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -502,12 +502,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_SR_KEY_UPDATE:
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
- st->hand_state = TLS_ST_SW_KEY_UPDATE;
- return WRITE_TRAN_CONTINUE;
- }
- /* Fall through */
-
case TLS_ST_SW_KEY_UPDATE:
st->hand_state = TLS_ST_OK;
return WRITE_TRAN_CONTINUE;
--
2.20.1
From c8feb1039ccc4cd11e6db084df1446bf863bee1e Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 17 Apr 2019 10:30:53 +0100
Subject: [PATCH 2/2] Write a test for receiving a KeyUpdate (update requested)
while writing
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8773)
(cherry picked from commit a77b4dba237d001073d2d1c5d55c674a196c949f)
---
test/sslapitest.c | 92 +++++++++++++++++++++++++++++++++++++++++++++
test/ssltestlib.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++
test/ssltestlib.h | 3 ++
3 files changed, 191 insertions(+)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 2261fe4a7a..577342644d 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -4290,6 +4290,11 @@ static int test_key_update(void)
|| !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
strlen(mess)))
goto end;
+
+ if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
+ || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
+ strlen(mess)))
+ goto end;
}
testresult = 1;
@@ -4302,6 +4307,91 @@ static int test_key_update(void)
return testresult;
}
+
+/*
+ * Test we can handle a KeyUpdate (update requested) message while write data
+ * is pending.
+ * Test 0: Client sends KeyUpdate while Server is writing
+ * Test 1: Server sends KeyUpdate while Client is writing
+ */
+static int test_key_update_in_write(int tst)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ char buf[20];
+ static char *mess = "A test message";
+ BIO *bretry = BIO_new(bio_s_always_retry());
+ BIO *tmp = NULL;
+ SSL *peerupdate = NULL, *peerwrite = NULL;
+
+ if (!TEST_ptr(bretry)
+ || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ TLS1_3_VERSION,
+ 0,
+ &sctx, &cctx, cert, privkey))
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL))
+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ peerupdate = tst == 0 ? clientssl : serverssl;
+ peerwrite = tst == 0 ? serverssl : clientssl;
+
+ if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
+ || !TEST_true(SSL_do_handshake(peerupdate)))
+ goto end;
+
+ /* Swap the writing endpoint's write BIO to force a retry */
+ tmp = SSL_get_wbio(peerwrite);
+ if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
+ tmp = NULL;
+ goto end;
+ }
+ SSL_set0_wbio(peerwrite, bretry);
+ bretry = NULL;
+
+ /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
+ goto end;
+
+ /* Reinstate the original writing endpoint's write BIO */
+ SSL_set0_wbio(peerwrite, tmp);
+ tmp = NULL;
+
+ /* Now read some data - we will read the key update */
+ if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
+ goto end;
+
+ /*
+ * Complete the write we started previously and read it from the other
+ * endpoint
+ */
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
+ goto end;
+
+ /* Write more data to ensure we send the KeyUpdate message back */
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ BIO_free(bretry);
+ BIO_free(tmp);
+
+ return testresult;
+}
#endif /* OPENSSL_NO_TLS1_3 */
static int test_ssl_clear(int idx)
@@ -5982,6 +6072,7 @@ int setup_tests(void)
#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_export_key_mat_early, 3);
ADD_TEST(test_key_update);
+ ADD_ALL_TESTS(test_key_update_in_write, 2);
#endif
ADD_ALL_TESTS(test_ssl_clear, 2);
ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
@@ -6002,4 +6093,5 @@ int setup_tests(void)
void cleanup_tests(void)
{
bio_s_mempacket_test_free();
+ bio_s_always_retry_free();
}
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
index 05139be750..e1038620ac 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -62,9 +62,11 @@ static int tls_dump_puts(BIO *bp, const char *str);
/* Choose a sufficiently large type likely to be unused for this custom BIO */
#define BIO_TYPE_TLS_DUMP_FILTER (0x80 | BIO_TYPE_FILTER)
#define BIO_TYPE_MEMPACKET_TEST 0x81
+#define BIO_TYPE_ALWAYS_RETRY 0x82
static BIO_METHOD *method_tls_dump = NULL;
static BIO_METHOD *meth_mem = NULL;
+static BIO_METHOD *meth_always_retry = NULL;
/* Note: Not thread safe! */
const BIO_METHOD *bio_f_tls_dump_filter(void)
@@ -612,6 +614,100 @@ static int mempacket_test_puts(BIO *bio, const char *str)
return mempacket_test_write(bio, str, strlen(str));
}
+static int always_retry_new(BIO *bi);
+static int always_retry_free(BIO *a);
+static int always_retry_read(BIO *b, char *out, int outl);
+static int always_retry_write(BIO *b, const char *in, int inl);
+static long always_retry_ctrl(BIO *b, int cmd, long num, void *ptr);
+static int always_retry_gets(BIO *bp, char *buf, int size);
+static int always_retry_puts(BIO *bp, const char *str);
+
+const BIO_METHOD *bio_s_always_retry(void)
+{
+ if (meth_always_retry == NULL) {
+ if (!TEST_ptr(meth_always_retry = BIO_meth_new(BIO_TYPE_ALWAYS_RETRY,
+ "Always Retry"))
+ || !TEST_true(BIO_meth_set_write(meth_always_retry,
+ always_retry_write))
+ || !TEST_true(BIO_meth_set_read(meth_always_retry,
+ always_retry_read))
+ || !TEST_true(BIO_meth_set_puts(meth_always_retry,
+ always_retry_puts))
+ || !TEST_true(BIO_meth_set_gets(meth_always_retry,
+ always_retry_gets))
+ || !TEST_true(BIO_meth_set_ctrl(meth_always_retry,
+ always_retry_ctrl))
+ || !TEST_true(BIO_meth_set_create(meth_always_retry,
+ always_retry_new))
+ || !TEST_true(BIO_meth_set_destroy(meth_always_retry,
+ always_retry_free)))
+ return NULL;
+ }
+ return meth_always_retry;
+}
+
+void bio_s_always_retry_free(void)
+{
+ BIO_meth_free(meth_always_retry);
+}
+
+static int always_retry_new(BIO *bio)
+{
+ BIO_set_init(bio, 1);
+ return 1;
+}
+
+static int always_retry_free(BIO *bio)
+{
+ BIO_set_data(bio, NULL);
+ BIO_set_init(bio, 0);
+ return 1;
+}
+
+static int always_retry_read(BIO *bio, char *out, int outl)
+{
+ BIO_set_retry_read(bio);
+ return -1;
+}
+
+static int always_retry_write(BIO *bio, const char *in, int inl)
+{
+ BIO_set_retry_write(bio);
+ return -1;
+}
+
+static long always_retry_ctrl(BIO *bio, int cmd, long num, void *ptr)
+{
+ long ret = 1;
+
+ switch (cmd) {
+ case BIO_CTRL_FLUSH:
+ BIO_set_retry_write(bio);
+ /* fall through */
+ case BIO_CTRL_EOF:
+ case BIO_CTRL_RESET:
+ case BIO_CTRL_DUP:
+ case BIO_CTRL_PUSH:
+ case BIO_CTRL_POP:
+ default:
+ ret = 0;
+ break;
+ }
+ return ret;
+}
+
+static int always_retry_gets(BIO *bio, char *buf, int size)
+{
+ BIO_set_retry_read(bio);
+ return -1;
+}
+
+static int always_retry_puts(BIO *bio, const char *str)
+{
+ BIO_set_retry_write(bio);
+ return -1;
+}
+
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
index fa19e7d80d..56e323f5bc 100644
--- a/test/ssltestlib.h
+++ b/test/ssltestlib.h
@@ -30,6 +30,9 @@ void bio_f_tls_dump_filter_free(void);
const BIO_METHOD *bio_s_mempacket_test(void);
void bio_s_mempacket_test_free(void);
+const BIO_METHOD *bio_s_always_retry(void);
+void bio_s_always_retry_free(void);
+
/* Packet types - value 0 is reserved */
#define INJECT_PACKET 1
#define INJECT_PACKET_IGNORE_REC_SEQ 2
--
2.20.1
diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h
--- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200
@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan
return constant_time_eq_8((unsigned)(a), (unsigned)(b));
}
+/* Returns the value unmodified, but avoids optimizations. */
+static ossl_inline unsigned int value_barrier(unsigned int a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ unsigned int r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile unsigned int r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for uint32_t. */
+static ossl_inline uint32_t value_barrier_32(uint32_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ uint32_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile uint32_t r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for uint64_t. */
+static ossl_inline uint64_t value_barrier_64(uint64_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ uint64_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile uint64_t r = a;
+#endif
+ return r;
+}
+
+/* Convenience method for size_t. */
+static ossl_inline size_t value_barrier_s(size_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+ size_t r;
+ __asm__("" : "=r"(r) : "0"(a));
+#else
+ volatile size_t r = a;
+#endif
+ return r;
+}
+
static ossl_inline unsigned int constant_time_select(unsigned int mask,
unsigned int a,
unsigned int b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
}
static ossl_inline size_t constant_time_select_s(size_t mask,
size_t a,
size_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
}
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel
static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
uint32_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
}
static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
uint64_t b)
{
- return (mask & a) | (~mask & b);
+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
}
/*


@ -1,12 +1,12 @@
diff -up openssl-1.1.1c/include/openssl/opensslv.h.version-override openssl-1.1.1c/include/openssl/opensslv.h
--- openssl-1.1.1c/include/openssl/opensslv.h.version-override 2019-05-29 15:52:30.014734859 +0200
+++ openssl-1.1.1c/include/openssl/opensslv.h 2019-05-29 15:53:23.093800831 +0200
diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h
--- openssl-1.1.1g/include/openssl/opensslv.h.version-override 2020-04-23 13:29:37.802673513 +0200
+++ openssl-1.1.1g/include/openssl/opensslv.h 2020-04-23 13:30:13.064008458 +0200
@@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1010103fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c 28 May 2019"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c FIPS 28 May 2019"
# define OPENSSL_VERSION_NUMBER 0x1010107fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)


@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1c
Release: 12%{?dist}
Version: 1.1.1g
Release: 9%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -40,7 +40,7 @@ Source13: ectest.c
# Build changes
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-defaults.patch
Patch3: openssl-1.1.0-no-html.patch
Patch3: openssl-1.1.1-no-html.patch
Patch4: openssl-1.1.1-man-rename.patch
# Bug fixes
Patch21: openssl-1.1.0-issuer-hash.patch
@ -62,23 +62,23 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch
Patch48: openssl-1.1.1-fips-post-rand.patch
Patch49: openssl-1.1.1-evp-kdf.patch
Patch50: openssl-1.1.1-ssh-kdf.patch
Patch51: openssl-1.1.1-intel-cet.patch
Patch60: openssl-1.1.1-krb5-kdf.patch
Patch61: openssl-1.1.1-edk2-build.patch
Patch62: openssl-1.1.1-fips-curves.patch
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
Patch66: openssl-1.1.1-fips-dh.patch
Patch67: openssl-1.1.1-kdf-selftest.patch
Patch68: openssl-1.1.1-reneg-no-extms.patch
Patch69: openssl-1.1.1-alpn-cb.patch
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
# Backported fixes including security fixes
Patch51: openssl-1.1.1-upstream-sync.patch
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
Patch54: openssl-1.1.1-regression-fixes.patch
Patch55: openssl-1.1.1-arm-update.patch
Patch56: openssl-1.1.1-s390x-ecc.patch
Patch57: openssl-1.1.1-cve-2019-1547.patch
Patch58: openssl-1.1.1-cve-2019-1563.patch
Patch59: openssl-1.1.1-cve-2019-1549.patch
Patch63: openssl-1.1.1-tls-compliance.patch
License: OpenSSL
Group: System Environment/Libraries
License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/
BuildRequires: gcc
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
@ -89,6 +89,7 @@ BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
Requires: coreutils
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@ -100,7 +101,6 @@ protocols.
%package libs
Summary: A general purpose cryptography library with TLS implementation
Group: System Environment/Libraries
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
Recommends: openssl-pkcs11%{?_isa}
@ -116,7 +116,6 @@ support cryptographic algorithms and protocols.
%package devel
Summary: Files for development of applications which will use OpenSSL
Group: Development/Libraries
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
Requires: pkgconfig
@ -128,7 +127,6 @@ support various cryptographic algorithms and protocols.
%package static
Summary: Libraries for static linking of applications which will use OpenSSL
Group: Development/Libraries
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
%description static
@ -139,7 +137,6 @@ protocols.
%package perl
Summary: Perl scripts provided with OpenSSL
Group: Applications/Internet
Requires: perl-interpreter
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
@ -182,19 +179,21 @@ cp %{SOURCE13} test/
%patch48 -p1 -b .fips-post-rand
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf
%patch51 -p1 -b .upstream-sync
%patch51 -p1 -b .intel-cet
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
%patch54 -p1 -b .regression
%patch55 -p1 -b .arm-update
%patch56 -p1 -b .s390x-ecc
%patch57 -p1 -b .compute-cofactor
%patch58 -p1 -b .cms-padding-oracle
%patch59 -p1 -b .fork-safety
%patch60 -p1 -b .krb5-kdf
%patch61 -p1 -b .edk2-build
%patch62 -p1 -b .fips-curves
%patch63 -p1 -b .compliance
%patch65 -p1 -b .drbg-selftest
%patch66 -p1 -b .fips-dh
%patch67 -p1 -b .kdf-selftest
%patch68 -p1 -b .reneg-no-extms
%patch69 -p1 -b .alpn-cb
%patch70 -p1 -b .rewire-fips-drbg
%build
# Figure out which flags we want to use.
@ -478,6 +477,34 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
* Tue Jun 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9
- Rewire FIPS_drbg API to use the RAND_DRBG
- Use the well known DH groups in TLS even for 2048 and 1024 bit parameters
* Mon Jun 8 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7
- Disallow dropping Extended Master Secret extension
on renegotiation
- Return alert from s_server if ALPN protocol does not match
- SHA1 is allowed in @SECLEVEL=2 only if allowed by
TLS SigAlgs configuration
* Wed Jun 3 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6
- Add FIPS selftest for PBKDF2 and KBKDF
* Wed May 27 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-5
- Allow only well known DH groups in the FIPS mode
* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
- update to the 1.1.1g release
- FIPS module installed state definition is modified
* Thu Mar 5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-15
- add selftest of the RAND_DRBG implementation
* Wed Feb 19 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-14
- fix incorrect error return value from FIPS_selftest_dsa
- S390x: properly restore SIGILL signal handler
* Wed Dec 4 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-12
- additional fix for the edk2 build
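Review bot: The 1.1.1g-1 changelog entry at the end of this section (`- update to the 1.1.1g release`) does not record that the rebase drops the standalone CVE backports `openssl-1.1.1-cve-2019-1547.patch`, `openssl-1.1.1-cve-2019-1563.patch` and `openssl-1.1.1-cve-2019-1549.patch` together with `openssl-1.1.1-upstream-sync.patch`, which the earlier hunks remove from both the Patch list and the %prep `%patch57`/`%patch58`/`%patch59` lines. Presumably those fixes are carried by the upstream 1.1.1g tarball, but nothing in the spec says so, so someone auditing CVE coverage across the rebase has to go to upstream release notes to confirm nothing was lost. I would add a line such as `- drop cve-2019-1547/1549/1563 and upstream-sync patches, included upstream in 1.1.1g` under the 1.1.1g-1 entry. Separately, patch number 51 is reused for `openssl-1.1.1-intel-cet.patch` after previously naming `openssl-1.1.1-upstream-sync.patch`, so the `%patch51` line changes meaning; giving the new patch a fresh number keeps old and new `%patch51` references from being confused when diffing backports.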