forked from rpms/openssl
Synchronize patches from c9s and Fedora
Resolves: RHEL-31762 Signed-off-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
parent
96988f0060
commit
d508cbed93
@ -11,11 +11,11 @@ Patch-status: |
|
|||||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||||
---
|
---
|
||||||
apps/CA.pl.in | 2 +-
|
apps/CA.pl.in | 2 +-
|
||||||
apps/openssl.cnf | 13 +++++++++++--
|
apps/openssl.cnf | 20 ++++++++++++++++++--
|
||||||
2 files changed, 12 insertions(+), 3 deletions(-)
|
2 files changed, 19 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
|
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
|
||||||
index f029470005..729f104a7e 100644
|
index c0afb96716..d6a5fabd16 100644
|
||||||
--- a/apps/CA.pl.in
|
--- a/apps/CA.pl.in
|
||||||
+++ b/apps/CA.pl.in
|
+++ b/apps/CA.pl.in
|
||||||
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
|
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
|
||||||
@ -27,20 +27,24 @@ index f029470005..729f104a7e 100644
|
|||||||
my $CAKEY = "cakey.pem";
|
my $CAKEY = "cakey.pem";
|
||||||
my $CAREQ = "careq.pem";
|
my $CAREQ = "careq.pem";
|
||||||
my $CACERT = "cacert.pem";
|
my $CACERT = "cacert.pem";
|
||||||
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
|
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
|
||||||
index 8141ab20cd..3956235fda 100644
|
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
|
||||||
--- a/apps/openssl.cnf
|
+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
|
||||||
+++ b/apps/openssl.cnf
|
@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7
|
||||||
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
|
|
||||||
|
|
||||||
[openssl_init]
|
[openssl_init]
|
||||||
providers = provider_sect
|
providers = provider_sect
|
||||||
+# Load default TLS policy configuration
|
+# Load default TLS policy configuration
|
||||||
+ssl_conf = ssl_module
|
+ssl_conf = ssl_module
|
||||||
|
+alg_section = evp_properties
|
||||||
|
+
|
||||||
|
+[ evp_properties ]
|
||||||
|
+#This section is intentionally added empty here
|
||||||
|
+#to be tuned on particular systems
|
||||||
|
|
||||||
# List of providers to load
|
# List of providers to load
|
||||||
[provider_sect]
|
[provider_sect]
|
||||||
@@ -71,6 +73,13 @@ default = default_sect
|
@@ -64,6 +66,13 @@ default = default_sect
|
||||||
[default_sect]
|
[default_sect]
|
||||||
# activate = 1
|
# activate = 1
|
||||||
|
|
||||||
@ -54,7 +58,7 @@ index 8141ab20cd..3956235fda 100644
|
|||||||
|
|
||||||
####################################################################
|
####################################################################
|
||||||
[ ca ]
|
[ ca ]
|
||||||
@@ -79,7 +88,7 @@ default_ca = CA_default # The default ca section
|
@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
|
||||||
####################################################################
|
####################################################################
|
||||||
[ CA_default ]
|
[ CA_default ]
|
||||||
|
|
||||||
@ -63,7 +67,7 @@ index 8141ab20cd..3956235fda 100644
|
|||||||
certs = $dir/certs # Where the issued certs are kept
|
certs = $dir/certs # Where the issued certs are kept
|
||||||
crl_dir = $dir/crl # Where the issued crl are kept
|
crl_dir = $dir/crl # Where the issued crl are kept
|
||||||
database = $dir/index.txt # database index file.
|
database = $dir/index.txt # database index file.
|
||||||
@@ -311,7 +320,7 @@ default_tsa = tsa_config1 # the default TSA section
|
@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
|
||||||
[ tsa_config1 ]
|
[ tsa_config1 ]
|
||||||
|
|
||||||
# These are used by the TSA reply generation only.
|
# These are used by the TSA reply generation only.
|
||||||
@ -72,6 +76,3 @@ index 8141ab20cd..3956235fda 100644
|
|||||||
serial = $dir/tsaserial # The current serial number (mandatory)
|
serial = $dir/tsaserial # The current serial number (mandatory)
|
||||||
crypto_device = builtin # OpenSSL engine to use for signing
|
crypto_device = builtin # OpenSSL engine to use for signing
|
||||||
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
|
@ -13,11 +13,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|||||||
doc/man5/config.pod | 8 ++++++++
|
doc/man5/config.pod | 8 ++++++++
|
||||||
2 files changed, 23 insertions(+), 22 deletions(-)
|
2 files changed, 23 insertions(+), 22 deletions(-)
|
||||||
|
|
||||||
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
|
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
|
||||||
index 3956235fda..bddb6bc029 100644
|
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
|
||||||
--- a/apps/openssl.cnf
|
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
|
||||||
+++ b/apps/openssl.cnf
|
@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
|
||||||
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
|
|
||||||
tsa_policy2 = 1.2.3.4.5.6
|
tsa_policy2 = 1.2.3.4.5.6
|
||||||
tsa_policy3 = 1.2.3.4.5.7
|
tsa_policy3 = 1.2.3.4.5.7
|
||||||
|
|
||||||
@ -32,9 +31,16 @@ index 3956235fda..bddb6bc029 100644
|
|||||||
[openssl_init]
|
[openssl_init]
|
||||||
providers = provider_sect
|
providers = provider_sect
|
||||||
# Load default TLS policy configuration
|
# Load default TLS policy configuration
|
||||||
ssl_conf = ssl_module
|
@@ -42,23 +42,27 @@ [ evp_properties ]
|
||||||
|
#This section is intentionally added empty here
|
||||||
|
#to be tuned on particular systems
|
||||||
|
|
||||||
-# List of providers to load
|
-# List of providers to load
|
||||||
|
-[provider_sect]
|
||||||
|
-default = default_sect
|
||||||
|
-# The fips section name should match the section name inside the
|
||||||
|
-# included fipsmodule.cnf.
|
||||||
|
-# fips = fips_sect
|
||||||
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
||||||
+# Loading the legacy provider enables support for the following algorithms:
|
+# Loading the legacy provider enables support for the following algorithms:
|
||||||
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
||||||
@ -43,13 +49,7 @@ index 3956235fda..bddb6bc029 100644
|
|||||||
+# In general it is not recommended to use the above mentioned algorithms for
|
+# In general it is not recommended to use the above mentioned algorithms for
|
||||||
+# security critical operations, as they are cryptographically weak or vulnerable
|
+# security critical operations, as they are cryptographically weak or vulnerable
|
||||||
+# to side-channel attacks and as such have been deprecated.
|
+# to side-channel attacks and as such have been deprecated.
|
||||||
+
|
|
||||||
[provider_sect]
|
|
||||||
default = default_sect
|
|
||||||
-# The fips section name should match the section name inside the
|
|
||||||
-# included fipsmodule.cnf.
|
|
||||||
-# fips = fips_sect
|
|
||||||
-
|
|
||||||
-# If no providers are activated explicitly, the default one is activated implicitly.
|
-# If no providers are activated explicitly, the default one is activated implicitly.
|
||||||
-# See man 7 OSSL_PROVIDER-default for more details.
|
-# See man 7 OSSL_PROVIDER-default for more details.
|
||||||
-#
|
-#
|
||||||
@ -58,21 +58,26 @@ index 3956235fda..bddb6bc029 100644
|
|||||||
-# becomes unavailable in openssl. As a consequence applications depending on
|
-# becomes unavailable in openssl. As a consequence applications depending on
|
||||||
-# OpenSSL may not work correctly which could lead to significant system
|
-# OpenSSL may not work correctly which could lead to significant system
|
||||||
-# problems including inability to remotely access the system.
|
-# problems including inability to remotely access the system.
|
||||||
|
-[default_sect]
|
||||||
|
-# activate = 1
|
||||||
|
+[provider_sect]
|
||||||
|
+default = default_sect
|
||||||
+##legacy = legacy_sect
|
+##legacy = legacy_sect
|
||||||
+##
|
+##
|
||||||
[default_sect]
|
+[default_sect]
|
||||||
-# activate = 1
|
|
||||||
+activate = 1
|
+activate = 1
|
||||||
+
|
+
|
||||||
+##[legacy_sect]
|
+##[legacy_sect]
|
||||||
+##activate = 1
|
+##activate = 1
|
||||||
|
+
|
||||||
|
+#Place the third party provider configuration files into this folder
|
||||||
|
+.include /etc/pki/tls/openssl.d
|
||||||
|
|
||||||
[ ssl_module ]
|
[ ssl_module ]
|
||||||
|
|
||||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
|
||||||
index 8d312c661f..714a10437b 100644
|
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
|
||||||
--- a/doc/man5/config.pod
|
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
|
||||||
+++ b/doc/man5/config.pod
|
|
||||||
@@ -273,6 +273,14 @@ significant.
|
@@ -273,6 +273,14 @@ significant.
|
||||||
All parameters in the section as well as sub-sections are made
|
All parameters in the section as well as sub-sections are made
|
||||||
available to the provider.
|
available to the provider.
|
||||||
@ -88,6 +93,3 @@ index 8d312c661f..714a10437b 100644
|
|||||||
=head3 Default provider and its activation
|
=head3 Default provider and its activation
|
||||||
|
|
||||||
If no providers are activated explicitly, the default one is activated implicitly.
|
If no providers are activated explicitly, the default one is activated implicitly.
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
|
@ -33,7 +33,16 @@ index 058fb58837..5274265a70 100644
|
|||||||
|
|
||||||
if (ok == 1) {
|
if (ok == 1) {
|
||||||
if (!ossl_provider_activate(prov, 1, 0)) {
|
if (!ossl_provider_activate(prov, 1, 0)) {
|
||||||
@@ -309,6 +311,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
|
@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L
|
||||||
|
|
||||||
|
if (ok <= 0)
|
||||||
|
ossl_provider_free(prov);
|
||||||
|
+ } else {
|
||||||
|
+ ok = 1;
|
||||||
|
}
|
||||||
|
CRYPTO_THREAD_unlock(pcgbl->lock);
|
||||||
|
|
||||||
|
@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -55,6 +64,9 @@ index 058fb58837..5274265a70 100644
|
|||||||
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+ }
|
+ }
|
||||||
|
+ /* provider_conf_load can return 1 even when the test is failed so check explicitly */
|
||||||
|
+ if (OSSL_PROVIDER_available(libctx, "fips") != 1)
|
||||||
|
+ return 0;
|
||||||
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
||||||
|
@ -426,3 +426,73 @@ diff -up openssl-3.2.0/providers/fips/self_test.c.fips-self openssl-3.2.0/provid
|
|||||||
|
|
||||||
if (module_checksum == NULL) {
|
if (module_checksum == NULL) {
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
||||||
|
diff -up openssl-3.2.1/providers/fips/self_test.c.0033-patch-new openssl-3.2.1/providers/fips/self_test.c
|
||||||
|
--- openssl-3.2.1/providers/fips/self_test.c.0033-patch-new 2024-06-04 14:42:03.748284524 +0200
|
||||||
|
+++ openssl-3.2.1/providers/fips/self_test.c 2024-06-04 14:47:19.589758324 +0200
|
||||||
|
@@ -369,23 +369,12 @@ static int verify_integrity(OSSL_CORE_BI
|
||||||
|
EVP_MAC *mac = NULL;
|
||||||
|
EVP_MAC_CTX *ctx = NULL;
|
||||||
|
OSSL_PARAM params[2], *p = params;
|
||||||
|
- Dl_info info;
|
||||||
|
- void *extra_info = NULL;
|
||||||
|
- struct link_map *lm = NULL;
|
||||||
|
- unsigned long paddr;
|
||||||
|
- unsigned long off = 0;
|
||||||
|
|
||||||
|
if (!integrity_self_test(ev, libctx))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
||||||
|
|
||||||
|
- if (!dladdr1 ((const void *)fips_hmac_container,
|
||||||
|
- &info, &extra_info, RTLD_DL_LINKMAP))
|
||||||
|
- goto err;
|
||||||
|
- lm = extra_info;
|
||||||
|
- paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
||||||
|
-
|
||||||
|
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
||||||
|
if (mac == NULL)
|
||||||
|
goto err;
|
||||||
|
@@ -399,40 +388,12 @@ static int verify_integrity(OSSL_CORE_BI
|
||||||
|
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
- while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
||||||
|
- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||||
|
- if (status != 1)
|
||||||
|
- break;
|
||||||
|
- if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
- goto err;
|
||||||
|
- off += bytes_read;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (off + INTEGRITY_BUF_SIZE > paddr) {
|
||||||
|
- int delta = paddr - off;
|
||||||
|
- status = read_ex_cb(bio, buf, delta, &bytes_read);
|
||||||
|
- if (status != 1)
|
||||||
|
- goto err;
|
||||||
|
- if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
- goto err;
|
||||||
|
- off += bytes_read;
|
||||||
|
-
|
||||||
|
- status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
||||||
|
- memset(buf, 0, HMAC_LEN);
|
||||||
|
- if (status != 1)
|
||||||
|
- goto err;
|
||||||
|
- if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
- goto err;
|
||||||
|
- off += bytes_read;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- while (bytes_read > 0) {
|
||||||
|
- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||||
|
+ while (1) {
|
||||||
|
+ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
||||||
|
if (status != 1)
|
||||||
|
break;
|
||||||
|
if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
goto err;
|
||||||
|
- off += bytes_read;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||||
|
@ -385,4 +385,20 @@ index cd5de6bd51..d4261e8f7d 100644
|
|||||||
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
|
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
|
||||||
--
|
--
|
||||||
2.41.0
|
2.41.0
|
||||||
|
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
|
||||||
|
index e0d139d..35f23b2 100644
|
||||||
|
--- a/crypto/rsa/rsa_gen.c
|
||||||
|
+++ b/crypto/rsa/rsa_gen.c
|
||||||
|
@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
|
||||||
|
rsa->dmp1 = NULL;
|
||||||
|
rsa->dmq1 = NULL;
|
||||||
|
rsa->iqmp = NULL;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ abort();
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return ok;
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
|
@ -323,22 +323,6 @@ index 699ada7c52..e534ad0a5f 100644
|
|||||||
return mdnid;
|
return mdnid;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
|
|
||||||
if (ossl_securitycheck_enabled(ctx))
|
|
||||||
return ossl_digest_get_approved_nid(md) != NID_undef;
|
|
||||||
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
|
||||||
+
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
+ {
|
|
||||||
+ int mdnid = EVP_MD_nid(md);
|
|
||||||
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
|
||||||
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||||
index 246323493e..2ca7a59f39 100644
|
index 246323493e..2ca7a59f39 100644
|
||||||
--- a/providers/common/securitycheck_default.c
|
--- a/providers/common/securitycheck_default.c
|
||||||
|
53
0056-strcasecmp.patch
Normal file
53
0056-strcasecmp.patch
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
|
||||||
|
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
|
||||||
|
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
|
||||||
|
@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex
|
||||||
|
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
|
||||||
|
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
|
||||||
|
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
|
||||||
|
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||||
|
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||||
|
ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||||
|
ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||||
|
diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
|
||||||
|
--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
|
||||||
|
+++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
|
||||||
|
@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
-int OPENSSL_strcasecmp(const char *s1, const char *s2)
|
||||||
|
+int
|
||||||
|
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||||
|
+__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
|
||||||
|
+ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
|
||||||
|
+#endif
|
||||||
|
+OPENSSL_strcasecmp(const char *s1, const char *s2)
|
||||||
|
{
|
||||||
|
int t;
|
||||||
|
|
||||||
|
@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
|
||||||
|
return t;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
|
||||||
|
+int
|
||||||
|
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||||
|
+__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
|
||||||
|
+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
|
||||||
|
+#endif
|
||||||
|
+OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
|
||||||
|
{
|
||||||
|
int t;
|
||||||
|
size_t i;
|
||||||
|
diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
|
||||||
|
--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
|
||||||
|
+++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
|
||||||
|
@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
|
||||||
|
s| .*||;
|
||||||
|
# Drop OpenSSL dynamic version information if there is any
|
||||||
|
s|\@\@.+$||;
|
||||||
|
+ s|\@.+$||;
|
||||||
|
# Return the result
|
||||||
|
$_
|
||||||
|
}
|
@ -1,27 +1,26 @@
|
|||||||
From 89c00cc67b9b34bc94f9dc3a9fce9374bbaade03 Mon Sep 17 00:00:00 2001
|
From 0329eb6523363705946887d4f145dd77c741ae4a Mon Sep 17 00:00:00 2001
|
||||||
From: rpm-build <rpm-build>
|
From: rpm-build <rpm-build>
|
||||||
Date: Mon, 31 Jul 2023 09:41:29 +0200
|
Date: Wed, 6 Mar 2024 19:17:16 +0100
|
||||||
Subject: [PATCH 32/48] 0076-FIPS-140-3-DRBG.patch
|
Subject: [PATCH 30/49] 0076-FIPS-140-3-DRBG.patch
|
||||||
|
|
||||||
Patch-name: 0076-FIPS-140-3-DRBG.patch
|
Patch-name: 0076-FIPS-140-3-DRBG.patch
|
||||||
Patch-id: 76
|
Patch-id: 76
|
||||||
Patch-status: |
|
Patch-status: |
|
||||||
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
|
# # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
|
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
|
||||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||||
---
|
---
|
||||||
crypto/rand/prov_seed.c | 9 ++-
|
crypto/rand/prov_seed.c | 9 ++-
|
||||||
providers/implementations/rands/crngt.c | 6 +-
|
providers/implementations/rands/crngt.c | 6 +-
|
||||||
providers/implementations/rands/drbg.c | 11 +++-
|
providers/implementations/rands/drbg.c | 11 ++-
|
||||||
providers/implementations/rands/drbg_local.h | 2 +-
|
providers/implementations/rands/drbg_local.h | 2 +-
|
||||||
.../implementations/rands/seeding/rand_unix.c | 64 ++-----------------
|
.../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
|
||||||
5 files changed, 28 insertions(+), 64 deletions(-)
|
5 files changed, 28 insertions(+), 68 deletions(-)
|
||||||
|
|
||||||
diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
|
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
|
||||||
index 96c499c957..61c4cd8779 100644
|
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
|
||||||
--- a/crypto/rand/prov_seed.c
|
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
|
||||||
+++ b/crypto/rand/prov_seed.c
|
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
|
||||||
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused const OSSL_CORE_HANDLE *handle,
|
|
||||||
size_t entropy_available;
|
size_t entropy_available;
|
||||||
RAND_POOL *pool;
|
RAND_POOL *pool;
|
||||||
|
|
||||||
@ -37,11 +36,10 @@ index 96c499c957..61c4cd8779 100644
|
|||||||
if (pool == NULL) {
|
if (pool == NULL) {
|
||||||
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
|
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
|
||||||
return 0;
|
return 0;
|
||||||
diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c
|
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
|
||||||
index fa4a2db14a..1f13fc759e 100644
|
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
|
||||||
--- a/providers/implementations/rands/crngt.c
|
+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
|
||||||
+++ b/providers/implementations/rands/crngt.c
|
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
|
||||||
@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,
|
|
||||||
* to the nearest byte. If the entropy is of less than full quality,
|
* to the nearest byte. If the entropy is of less than full quality,
|
||||||
* the amount required should be scaled up appropriately here.
|
* the amount required should be scaled up appropriately here.
|
||||||
*/
|
*/
|
||||||
@ -54,11 +52,10 @@ index fa4a2db14a..1f13fc759e 100644
|
|||||||
if (bytes_needed < min_len)
|
if (bytes_needed < min_len)
|
||||||
bytes_needed = min_len;
|
bytes_needed = min_len;
|
||||||
if (bytes_needed > max_len)
|
if (bytes_needed > max_len)
|
||||||
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
|
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
|
||||||
index ea55363bf8..1b2410b3db 100644
|
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
|
||||||
--- a/providers/implementations/rands/drbg.c
|
+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
|
||||||
+++ b/providers/implementations/rands/drbg.c
|
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
|
||||||
@@ -570,6 +570,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
|
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -68,7 +65,7 @@ index ea55363bf8..1b2410b3db 100644
|
|||||||
/* Reseed using our sources in addition */
|
/* Reseed using our sources in addition */
|
||||||
entropylen = get_entropy(drbg, &entropy, drbg->strength,
|
entropylen = get_entropy(drbg, &entropy, drbg->strength,
|
||||||
drbg->min_entropylen, drbg->max_entropylen,
|
drbg->min_entropylen, drbg->max_entropylen,
|
||||||
@@ -662,8 +665,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
|
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
|
||||||
reseed_required = 1;
|
reseed_required = 1;
|
||||||
}
|
}
|
||||||
if (drbg->parent != NULL
|
if (drbg->parent != NULL
|
||||||
@ -84,10 +81,9 @@ index ea55363bf8..1b2410b3db 100644
|
|||||||
|
|
||||||
if (reseed_required || prediction_resistance) {
|
if (reseed_required || prediction_resistance) {
|
||||||
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
|
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
|
||||||
diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
|
diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
|
||||||
index 3b5417b43b..d27c50950b 100644
|
--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
|
||||||
--- a/providers/implementations/rands/drbg_local.h
|
+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
|
||||||
+++ b/providers/implementations/rands/drbg_local.h
|
|
||||||
@@ -38,7 +38,7 @@
|
@@ -38,7 +38,7 @@
|
||||||
*
|
*
|
||||||
* The value is in bytes.
|
* The value is in bytes.
|
||||||
@ -97,10 +93,9 @@ index 3b5417b43b..d27c50950b 100644
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
||||||
diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
|
diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
|
||||||
index cd02a0236d..98c917b6d8 100644
|
--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
|
||||||
--- a/providers/implementations/rands/seeding/rand_unix.c
|
+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
|
||||||
+++ b/providers/implementations/rands/seeding/rand_unix.c
|
|
||||||
@@ -48,6 +48,8 @@
|
@@ -48,6 +48,8 @@
|
||||||
# include <fcntl.h>
|
# include <fcntl.h>
|
||||||
# include <unistd.h>
|
# include <unistd.h>
|
||||||
@ -110,10 +105,7 @@ index cd02a0236d..98c917b6d8 100644
|
|||||||
|
|
||||||
static uint64_t get_time_stamp(void);
|
static uint64_t get_time_stamp(void);
|
||||||
|
|
||||||
diff -up openssl-3.2.0/providers/implementations/rands/seeding/rand_unix.c.rand-patch openssl-3.2.0/providers/implementations/rands/seeding/rand_unix.c
|
@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
|
||||||
--- openssl-3.2.0/providers/implementations/rands/seeding/rand_unix.c.rand-patch 2024-01-02 11:52:21.837712036 +0100
|
|
||||||
+++ openssl-3.2.0/providers/implementations/rands/seeding/rand_unix.c 2024-01-02 11:54:40.576083169 +0100
|
|
||||||
@@ -339,70 +339,8 @@ static ssize_t syscall_random(void *buf,
|
|
||||||
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
|
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
|
||||||
* between size_t and ssize_t is safe even without a range check.
|
* between size_t and ssize_t is safe even without a range check.
|
||||||
*/
|
*/
|
||||||
@ -181,8 +173,64 @@ diff -up openssl-3.2.0/providers/implementations/rands/seeding/rand_unix.c.rand-
|
|||||||
- errno = ENOSYS;
|
- errno = ENOSYS;
|
||||||
- return -1;
|
- return -1;
|
||||||
-# endif
|
-# endif
|
||||||
+ /* Red Hat uses downstream patch to always seed from getrandom() */
|
+ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */
|
||||||
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
|
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
|
||||||
}
|
}
|
||||||
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
|
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
|
||||||
|
|
||||||
|
diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c
|
||||||
|
--- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200
|
||||||
|
+++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200
|
||||||
|
@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
|
||||||
|
+ /*
|
||||||
|
+ * OpenSSL still implements an internal entropy pool of
|
||||||
|
+ * some size that is hashed to get seed data.
|
||||||
|
+ * Note that this is a conditioning step for which SP800-90C requires
|
||||||
|
+ * 64 additional bits from the entropy source to claim the requested
|
||||||
|
+ * amount of entropy.
|
||||||
|
+ */
|
||||||
|
+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
|
||||||
|
if (pool == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
|
||||||
|
return 0;
|
||||||
|
@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
|
||||||
|
size_t i;
|
||||||
|
RAND_POOL *pool;
|
||||||
|
|
||||||
|
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
|
||||||
|
+ /*
|
||||||
|
+ * OpenSSL still implements an internal entropy pool of
|
||||||
|
+ * some size that is hashed to get seed data.
|
||||||
|
+ * Note that this is a conditioning step for which SP800-90C requires
|
||||||
|
+ * 64 additional bits from the entropy source to claim the requested
|
||||||
|
+ * amount of entropy.
|
||||||
|
+ */
|
||||||
|
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
|
||||||
|
if (pool == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
|
||||||
|
return 0;
|
||||||
|
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
|
||||||
|
index 14999540ab..b05b84717b 100644
|
||||||
|
--- a/crypto/rand/rand_lib.c
|
||||||
|
+++ b/crypto/rand/rand_lib.c
|
||||||
|
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifndef FIPS_MODULE
|
||||||
|
- if (dgbl->seed == NULL) {
|
||||||
|
- ERR_set_mark();
|
||||||
|
- dgbl->seed = rand_new_seed(ctx);
|
||||||
|
- ERR_pop_to_mark();
|
||||||
|
- }
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
|
||||||
|
+ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
|
||||||
|
PRIMARY_RESEED_INTERVAL,
|
||||||
|
PRIMARY_RESEED_TIME_INTERVAL, 1);
|
||||||
|
/*
|
||||||
|
@ -1,50 +1,85 @@
|
|||||||
diff -up openssl-3.2.0/test/recipes/30-test_pairwise_fail.t.skip-test openssl-3.2.0/test/recipes/30-test_pairwise_fail.t
|
From 42ed594a3a905830374fb65cced431748f8c639c Mon Sep 17 00:00:00 2001
|
||||||
--- openssl-3.2.0/test/recipes/30-test_pairwise_fail.t.skip-test 2024-02-01 16:09:31.250757364 +0100
|
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||||
+++ openssl-3.2.0/test/recipes/30-test_pairwise_fail.t 2024-02-01 16:09:43.243887179 +0100
|
Date: Thu, 4 Apr 2024 11:50:58 +0200
|
||||||
@@ -22,7 +22,7 @@ use lib bldtop_dir('.');
|
Subject: [PATCH 45/50] 0115-skip-quic-pairwise.patch
|
||||||
plan skip_all => "These tests are unsupported in a non fips build"
|
|
||||||
if disabled("fips");
|
Patch-name: 0115-skip-quic-pairwise.patch
|
||||||
|
Patch-id: 115
|
||||||
|
Patch-status: |
|
||||||
|
# Amend tests according to Fedora/RHEL code
|
||||||
|
---
|
||||||
|
test/quicapitest.c | 4 +++-
|
||||||
|
test/recipes/01-test_symbol_presence.t | 1 +
|
||||||
|
test/recipes/30-test_pairwise_fail.t | 13 +++++++++++--
|
||||||
|
3 files changed, 15 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/test/quicapitest.c b/test/quicapitest.c
|
||||||
|
index 41cf0fc7a8..0fb7492700 100644
|
||||||
|
--- a/test/quicapitest.c
|
||||||
|
+++ b/test/quicapitest.c
|
||||||
|
@@ -2139,7 +2139,9 @@ int setup_tests(void)
|
||||||
|
ADD_TEST(test_cipher_find);
|
||||||
|
ADD_TEST(test_version);
|
||||||
|
#if defined(DO_SSL_TRACE_TEST)
|
||||||
|
- ADD_TEST(test_ssl_trace);
|
||||||
|
+ if (is_fips == 0) {
|
||||||
|
+ ADD_TEST(test_ssl_trace);
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
ADD_TEST(test_quic_forbidden_apis_ctx);
|
||||||
|
ADD_TEST(test_quic_forbidden_apis);
|
||||||
|
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
|
||||||
|
index c837d48fb4..f06ef04b1a 100644
|
||||||
|
--- a/test/recipes/30-test_pairwise_fail.t
|
||||||
|
+++ b/test/recipes/30-test_pairwise_fail.t
|
||||||
|
@@ -9,7 +9,7 @@
|
||||||
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
|
||||||
-plan tests => 5;
|
-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file);
|
||||||
+plan skip_all => 5;
|
+use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with);
|
||||||
my $provconf = srctop_file("test", "fips-and-base.cnf");
|
use OpenSSL::Test::Utils;
|
||||||
|
|
||||||
run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
|
BEGIN {
|
||||||
diff -up openssl-3.2.0/test/recipes/75-test_quicapi.t.skip-test-quic openssl-3.2.0/test/recipes/75-test_quicapi.t
|
@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
|
||||||
--- openssl-3.2.0/test/recipes/75-test_quicapi.t.skip-test-quic 2024-02-01 16:13:37.974733154 +0100
|
SKIP: {
|
||||||
+++ openssl-3.2.0/test/recipes/75-test_quicapi.t 2024-02-01 16:14:13.450183541 +0100
|
skip "Skip RSA test because of no rsa in this build", 1
|
||||||
@@ -25,7 +25,7 @@ plan skip_all => "QUIC protocol is not s
|
if disabled("rsa");
|
||||||
plan skip_all => "These tests are not supported in a fuzz build"
|
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
||||||
if config('options') =~ /-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION|enable-fuzz-afl/;
|
+ sub {
|
||||||
|
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||||
|
"-pairwise", "rsa"])),
|
||||||
|
"fips provider rsa keygen pairwise failure test");
|
||||||
|
+ });
|
||||||
|
}
|
||||||
|
|
||||||
-plan tests =>
|
SKIP: {
|
||||||
+plan skip_all =>
|
skip "Skip EC test because of no ec in this build", 2
|
||||||
($no_fips ? 0 : 1) # quicapitest with fips
|
if disabled("ec");
|
||||||
+ 1; # quicapitest with default provider
|
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
||||||
|
+ sub {
|
||||||
|
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||||
|
"-pairwise", "ec"])),
|
||||||
|
"fips provider ec keygen pairwise failure test");
|
||||||
|
+ });
|
||||||
|
|
||||||
diff -up openssl-3.2.0/test/recipes/70-test_quic_record.t.disable-quic-record openssl-3.2.0/test/recipes/70-test_quic_record.t
|
skip "FIPS provider version is too old", 1
|
||||||
--- openssl-3.2.0/test/recipes/70-test_quic_record.t.disable-quic-record 2024-02-06 13:25:09.081772272 +0100
|
if !$fips_exit;
|
||||||
+++ openssl-3.2.0/test/recipes/70-test_quic_record.t 2024-02-06 13:25:47.469243950 +0100
|
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
||||||
@@ -17,6 +17,6 @@ plan skip_all => "QUIC protocol is not s
|
+ sub {
|
||||||
plan skip_all => "These tests are not supported in a fuzz build"
|
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||||
if config('options') =~ /-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION|enable-fuzz-afl/;
|
"-pairwise", "eckat"])),
|
||||||
|
"fips provider ec keygen kat failure test");
|
||||||
|
+ });
|
||||||
|
}
|
||||||
|
|
||||||
-plan tests => 1;
|
SKIP: {
|
||||||
+plan skip_all => 1;
|
skip "Skip DSA tests because of no dsa in this build", 2
|
||||||
|
- if disabled("dsa");
|
||||||
ok(run(test(["quic_record_test"])));
|
+ if 1; #if disabled("dsa");
|
||||||
diff -up openssl-3.2.0/test/recipes/01-test_symbol_presence.t.skip-fail-686 openssl-3.2.0/test/recipes/01-test_symbol_presence.t
|
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||||
--- openssl-3.2.0/test/recipes/01-test_symbol_presence.t.skip-fail-686 2024-02-06 13:55:48.981028882 +0100
|
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
|
||||||
+++ openssl-3.2.0/test/recipes/01-test_symbol_presence.t 2024-02-06 13:56:56.896819560 +0100
|
"fips provider dsa keygen pairwise failure test");
|
||||||
@@ -53,8 +53,9 @@ my $testcount
|
--
|
||||||
$testcount
|
2.44.0
|
||||||
+= (scalar keys %shlibpath) # Check for missing symbols in shared lib
|
|
||||||
unless disabled('shared');
|
|
||||||
-
|
|
||||||
-plan tests => $testcount;
|
|
||||||
+#Fix later, skipping this test as it fails in i686 due to duplicate
|
|
||||||
+#symbol OPENSSL_ia32cap_P
|
|
||||||
+plan skip_all => $testcount;
|
|
||||||
|
|
||||||
######################################################################
|
|
||||||
# Collect symbols
|
|
||||||
|
@ -1,48 +1,75 @@
|
|||||||
diff -up openssl-3.2.1/crypto/evp/digest.c.dup-patch openssl-3.2.1/crypto/evp/digest.c
|
From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001
|
||||||
--- openssl-3.2.1/crypto/evp/digest.c.dup-patch 2024-02-09 20:41:56.277567514 +0100
|
From: rpm-build <rpm-build>
|
||||||
+++ openssl-3.2.1/crypto/evp/digest.c 2024-02-09 20:42:59.317767764 +0100
|
Date: Wed, 6 Mar 2024 19:17:17 +0100
|
||||||
@@ -553,7 +554,10 @@ legacy:
|
Subject: [PATCH 46/49] 0116-version-aliasing.patch
|
||||||
|
|
||||||
|
Patch-name: 0116-version-aliasing.patch
|
||||||
|
Patch-id: 116
|
||||||
|
Patch-status: |
|
||||||
|
# Add version aliasing due to
|
||||||
|
# https://github.com/openssl/openssl/issues/23534
|
||||||
|
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||||
|
---
|
||||||
|
crypto/evp/digest.c | 7 ++++++-
|
||||||
|
crypto/evp/evp_enc.c | 7 ++++++-
|
||||||
|
test/recipes/01-test_symbol_presence.t | 1 +
|
||||||
|
util/libcrypto.num | 2 ++
|
||||||
|
4 files changed, 15 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
|
||||||
|
index 42331703da..3a280acc0e 100644
|
||||||
|
--- a/crypto/evp/digest.c
|
||||||
|
+++ b/crypto/evp/digest.c
|
||||||
|
@@ -553,7 +553,12 @@ legacy:
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
||||||
+EVP_MD_CTX
|
+EVP_MD_CTX
|
||||||
|
+#if !defined(FIPS_MODULE)
|
||||||
+__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
|
+__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
|
||||||
+ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
|
+ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
|
||||||
|
+#endif
|
||||||
+*EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
+*EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
||||||
{
|
{
|
||||||
EVP_MD_CTX *out = EVP_MD_CTX_new();
|
EVP_MD_CTX *out = EVP_MD_CTX_new();
|
||||||
|
|
||||||
diff -up openssl-3.2.1/crypto/evp/evp_enc.c.dup-patch openssl-3.2.1/crypto/evp/evp_enc.c
|
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
|
||||||
--- openssl-3.2.1/crypto/evp/evp_enc.c.dup-patch 2024-02-09 18:47:04.054258303 +0100
|
index e9faf31057..5a29b8dbb7 100644
|
||||||
+++ openssl-3.2.1/crypto/evp/evp_enc.c 2024-02-09 20:43:00.926772711 +0100
|
--- a/crypto/evp/evp_enc.c
|
||||||
@@ -1444,7 +1445,10 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_C
|
+++ b/crypto/evp/evp_enc.c
|
||||||
|
@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
|
||||||
#endif /* FIPS_MODULE */
|
#endif /* FIPS_MODULE */
|
||||||
}
|
}
|
||||||
|
|
||||||
-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
||||||
+EVP_CIPHER_CTX
|
+EVP_CIPHER_CTX
|
||||||
|
+#if !defined(FIPS_MODULE)
|
||||||
+__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
|
+__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
|
||||||
+ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
|
+ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
|
||||||
|
+#endif
|
||||||
+*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
+*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
||||||
{
|
{
|
||||||
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
|
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
|
||||||
|
|
||||||
diff -up openssl-3.2.1/test/recipes/01-test_symbol_presence.t.dup-patch openssl-3.2.1/test/recipes/01-test_symbol_presence.t
|
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
|
||||||
--- openssl-3.2.1/test/recipes/01-test_symbol_presence.t.dup-patch 2024-02-09 20:44:10.860756724 +0100
|
index 222b1886ae..7e2f65cccb 100644
|
||||||
+++ openssl-3.2.1/test/recipes/01-test_symbol_presence.t 2024-02-09 20:45:14.981136289 +0100
|
--- a/test/recipes/01-test_symbol_presence.t
|
||||||
@@ -132,6 +132,7 @@ foreach (sort keys %stlibname) {
|
+++ b/test/recipes/01-test_symbol_presence.t
|
||||||
s| .*||;
|
@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) {
|
||||||
# Drop OpenSSL dynamic version information if there is any
|
}
|
||||||
s|\@\@.+$||;
|
}
|
||||||
+ s|\@.+$||;
|
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
|
||||||
# Return the result
|
+@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
|
||||||
$_
|
+@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates;
|
||||||
}
|
if (@duplicates) {
|
||||||
diff -up openssl-3.2.1/util/libcrypto.num.dup-patch openssl-3.2.1/util/libcrypto.num
|
note "Duplicates:";
|
||||||
--- openssl-3.2.1/util/libcrypto.num.dup-patch 2024-02-09 18:16:43.006553105 +0100
|
note join('\n', @duplicates);
|
||||||
+++ openssl-3.2.1/util/libcrypto.num 2024-02-09 18:19:17.554159687 +0100
|
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||||
@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key
|
index 8046454025..068e9904e2 100644
|
||||||
|
--- a/util/libcrypto.num
|
||||||
|
+++ b/util/libcrypto.num
|
||||||
|
@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION:
|
||||||
OSSL_STACK_OF_X509_free 5563 3_2_0 EXIST::FUNCTION:
|
OSSL_STACK_OF_X509_free 5563 3_2_0 EXIST::FUNCTION:
|
||||||
OSSL_trace_string 5564 3_2_0 EXIST::FUNCTION:
|
OSSL_trace_string 5564 3_2_0 EXIST::FUNCTION:
|
||||||
EVP_MD_CTX_dup 5565 3_2_0 EXIST::FUNCTION:
|
EVP_MD_CTX_dup 5565 3_2_0 EXIST::FUNCTION:
|
||||||
@ -52,31 +79,6 @@ diff -up openssl-3.2.1/util/libcrypto.num.dup-patch openssl-3.2.1/util/libcrypto
|
|||||||
BN_signed_bin2bn 5567 3_2_0 EXIST::FUNCTION:
|
BN_signed_bin2bn 5567 3_2_0 EXIST::FUNCTION:
|
||||||
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
|
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
|
||||||
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
|
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
|
||||||
diff -up openssl-3.2.1/crypto/evp/evp_enc.c.fips-dup openssl-3.2.1/crypto/evp/evp_enc.c
|
--
|
||||||
--- openssl-3.2.1/crypto/evp/evp_enc.c.fips-dup 2024-02-09 21:03:46.662261648 +0100
|
2.44.0
|
||||||
+++ openssl-3.2.1/crypto/evp/evp_enc.c 2024-02-09 21:04:33.427691451 +0100
|
|
||||||
@@ -1445,8 +1445,10 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_C
|
|
||||||
}
|
|
||||||
|
|
||||||
EVP_CIPHER_CTX
|
|
||||||
+#if !defined(FIPS_MODULE)
|
|
||||||
__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
|
|
||||||
symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
|
|
||||||
+#endif
|
|
||||||
*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
|
||||||
{
|
|
||||||
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
|
|
||||||
diff -up openssl-3.2.1/crypto/evp/digest.c.new-fips-dup openssl-3.2.1/crypto/evp/digest.c
|
|
||||||
--- openssl-3.2.1/crypto/evp/digest.c.new-fips-dup 2024-02-09 21:08:11.605474971 +0100
|
|
||||||
+++ openssl-3.2.1/crypto/evp/digest.c 2024-02-09 21:08:47.095723742 +0100
|
|
||||||
@@ -554,8 +554,10 @@ legacy:
|
|
||||||
}
|
|
||||||
|
|
||||||
EVP_MD_CTX
|
|
||||||
+#if !defined(FIPS_MODULE)
|
|
||||||
__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
|
|
||||||
symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
|
|
||||||
+#endif
|
|
||||||
*EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
|
||||||
{
|
|
||||||
EVP_MD_CTX *out = EVP_MD_CTX_new();
|
|
||||||
|
318
0117-ignore-unknown-sigalgorithms-groups.patch
Normal file
318
0117-ignore-unknown-sigalgorithms-groups.patch
Normal file
@ -0,0 +1,318 @@
|
|||||||
|
From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Thu, 14 Dec 2023 17:08:56 +0100
|
||||||
|
Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||||
|
|
||||||
|
Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||||
|
Patch-id: 117
|
||||||
|
Patch-status: |
|
||||||
|
# https://github.com/openssl/openssl/issues/23050
|
||||||
|
---
|
||||||
|
CHANGES.md | 13 +++++++
|
||||||
|
doc/man3/SSL_CTX_set1_curves.pod | 6 ++-
|
||||||
|
doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++-
|
||||||
|
ssl/t1_lib.c | 56 +++++++++++++++++++++-------
|
||||||
|
test/sslapitest.c | 61 +++++++++++++++++++++++++++++++
|
||||||
|
5 files changed, 132 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/CHANGES.md b/CHANGES.md
|
||||||
|
index ca29762ac2..4e21d0ddf9 100644
|
||||||
|
--- a/CHANGES.md
|
||||||
|
+++ b/CHANGES.md
|
||||||
|
@@ -27,6 +27,19 @@ OpenSSL 3.2
|
||||||
|
|
||||||
|
### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
|
||||||
|
|
||||||
|
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
|
||||||
|
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
|
||||||
|
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
|
||||||
|
+ ignored and the configuration will still be used.
|
||||||
|
+
|
||||||
|
+ Similarly unknown entries that start with `?` character in a TLS
|
||||||
|
+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
|
||||||
|
+ and the configuration will still be used.
|
||||||
|
+
|
||||||
|
+ In both cases if the resulting list is empty, an error is returned.
|
||||||
|
+
|
||||||
|
+ *Tomáš Mráz*
|
||||||
|
+
|
||||||
|
* A file in PKCS12 format can contain certificates and keys and may come from
|
||||||
|
an untrusted source. The PKCS12 specification allows certain fields to be
|
||||||
|
NULL, but OpenSSL did not correctly check for this case. A fix has been
|
||||||
|
diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
|
||||||
|
index c26ef00306..f0566e148e 100644
|
||||||
|
--- a/doc/man3/SSL_CTX_set1_curves.pod
|
||||||
|
+++ b/doc/man3/SSL_CTX_set1_curves.pod
|
||||||
|
@@ -58,7 +58,8 @@ string B<list>. The string is a colon separated list of group names, for example
|
||||||
|
are B<P-256>, B<P-384>, B<P-521>, B<X25519>, B<X448>, B<brainpoolP256r1tls13>,
|
||||||
|
B<brainpoolP384r1tls13>, B<brainpoolP512r1tls13>, B<ffdhe2048>, B<ffdhe3072>,
|
||||||
|
B<ffdhe4096>, B<ffdhe6144> and B<ffdhe8192>. Support for other groups may be
|
||||||
|
-added by external providers.
|
||||||
|
+added by external providers. If a group name is preceded with the C<?>
|
||||||
|
+character, it will be ignored if an implementation is missing.
|
||||||
|
|
||||||
|
SSL_set1_groups() and SSL_set1_groups_list() are similar except they set
|
||||||
|
supported groups for the SSL structure B<ssl>.
|
||||||
|
@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group
|
||||||
|
functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
|
||||||
|
was added in OpenSSL 3.0.0.
|
||||||
|
|
||||||
|
+Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
|
||||||
|
+SSL_set1_groups_list() was added in OpenSSL 3.3.
|
||||||
|
+
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
|
Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||||
|
index eb31006346..5b7de7d956 100644
|
||||||
|
--- a/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||||
|
+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||||
|
@@ -33,7 +33,9 @@ signature algorithms for B<ctx> or B<ssl>. The B<str> parameter
|
||||||
|
must be a null terminated string consisting of a colon separated list of
|
||||||
|
elements, where each element is either a combination of a public key
|
||||||
|
algorithm and a digest separated by B<+>, or a TLS 1.3-style named
|
||||||
|
-SignatureScheme such as rsa_pss_pss_sha256.
|
||||||
|
+SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded
|
||||||
|
+with the C<?> character, it will be ignored if an implementation is missing.
|
||||||
|
+
|
||||||
|
|
||||||
|
SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(),
|
||||||
|
SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set
|
||||||
|
@@ -106,6 +108,13 @@ using a string:
|
||||||
|
L<ssl(7)>, L<SSL_get_shared_sigalgs(3)>,
|
||||||
|
L<SSL_CONF_CTX_new(3)>
|
||||||
|
|
||||||
|
+=head1 HISTORY
|
||||||
|
+
|
||||||
|
+Support for ignoring unknown signature algorithms in
|
||||||
|
+SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(),
|
||||||
|
+SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list()
|
||||||
|
+was added in OpenSSL 3.3.
|
||||||
|
+
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
|
Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||||
|
index 056aae3863..fe680449c5 100644
|
||||||
|
--- a/ssl/t1_lib.c
|
||||||
|
+++ b/ssl/t1_lib.c
|
||||||
|
@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg)
|
||||||
|
size_t i;
|
||||||
|
uint16_t gid = 0;
|
||||||
|
char etmp[GROUP_NAME_BUFFER_LENGTH];
|
||||||
|
+ int ignore_unknown = 0;
|
||||||
|
|
||||||
|
if (elem == NULL)
|
||||||
|
return 0;
|
||||||
|
+ if (elem[0] == '?') {
|
||||||
|
+ ignore_unknown = 1;
|
||||||
|
+ ++elem;
|
||||||
|
+ --len;
|
||||||
|
+ }
|
||||||
|
if (garg->gidcnt == garg->gidmax) {
|
||||||
|
uint16_t *tmp =
|
||||||
|
OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT);
|
||||||
|
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
|
||||||
|
|
||||||
|
gid = tls1_group_name2id(garg->ctx, etmp);
|
||||||
|
if (gid == 0) {
|
||||||
|
- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||||
|
- "group '%s' cannot be set", etmp);
|
||||||
|
- return 0;
|
||||||
|
+ /* Unknown group - ignore, if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
}
|
||||||
|
for (i = 0; i < garg->gidcnt; i++)
|
||||||
|
- if (garg->gid_arr[i] == gid)
|
||||||
|
- return 0;
|
||||||
|
+ if (garg->gid_arr[i] == gid) {
|
||||||
|
+ /* Duplicate group - ignore */
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
garg->gid_arr[garg->gidcnt++] = gid;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen,
|
||||||
|
gcb.ctx = ctx;
|
||||||
|
if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb))
|
||||||
|
goto end;
|
||||||
|
+ if (gcb.gidcnt == 0) {
|
||||||
|
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||||
|
+ "No valid groups in '%s'", str);
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
if (pext == NULL) {
|
||||||
|
ret = 1;
|
||||||
|
goto end;
|
||||||
|
@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
const SIGALG_LOOKUP *s;
|
||||||
|
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
|
||||||
|
int sig_alg = NID_undef, hash_alg = NID_undef;
|
||||||
|
+ int ignore_unknown = 0;
|
||||||
|
+
|
||||||
|
if (elem == NULL)
|
||||||
|
return 0;
|
||||||
|
+ if (elem[0] == '?') {
|
||||||
|
+ ignore_unknown = 1;
|
||||||
|
+ ++elem;
|
||||||
|
+ --len;
|
||||||
|
+ }
|
||||||
|
if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
|
||||||
|
return 0;
|
||||||
|
if (len > (int)(sizeof(etmp) - 1))
|
||||||
|
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
||||||
|
- return 0;
|
||||||
|
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||||
|
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
*p = 0;
|
||||||
|
p++;
|
||||||
|
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
return 0;
|
||||||
|
get_sigorhash(&sig_alg, &hash_alg, etmp);
|
||||||
|
get_sigorhash(&sig_alg, &hash_alg, p);
|
||||||
|
- if (sig_alg == NID_undef || hash_alg == NID_undef)
|
||||||
|
- return 0;
|
||||||
|
+ if (sig_alg == NID_undef || hash_alg == NID_undef) {
|
||||||
|
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
+ }
|
||||||
|
for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
|
||||||
|
i++, s++) {
|
||||||
|
if (s->hash == hash_alg && s->sig == sig_alg) {
|
||||||
|
@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
||||||
|
- return 0;
|
||||||
|
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||||
|
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Reject duplicates */
|
||||||
|
+ /* Ignore duplicates */
|
||||||
|
for (i = 0; i < sarg->sigalgcnt - 1; i++) {
|
||||||
|
if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
|
||||||
|
sarg->sigalgcnt--;
|
||||||
|
- return 0;
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 1;
|
||||||
|
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
||||||
|
sig.sigalgcnt = 0;
|
||||||
|
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
||||||
|
return 0;
|
||||||
|
+ if (sig.sigalgcnt == 0) {
|
||||||
|
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||||
|
+ "No valid signature algorithms in '%s'", str);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
if (c == NULL)
|
||||||
|
return 1;
|
||||||
|
return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
|
||||||
|
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||||
|
index 1c14f93ed1..184a0f1055 100644
|
||||||
|
--- a/test/sslapitest.c
|
||||||
|
+++ b/test/sslapitest.c
|
||||||
|
@@ -39,6 +39,7 @@
|
||||||
|
#include "testutil.h"
|
||||||
|
#include "testutil/output.h"
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
+#include "internal/tlsgroups.h"
|
||||||
|
#include "internal/ktls.h"
|
||||||
|
#include "../ssl/ssl_local.h"
|
||||||
|
#include "../ssl/record/methods/recmethod_local.h"
|
||||||
|
@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = {
|
||||||
|
{validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
|
||||||
|
# endif
|
||||||
|
{NULL, 0, "RSA+SHA256", 1, 1},
|
||||||
|
+ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
|
||||||
|
# ifndef OPENSSL_NO_EC
|
||||||
|
{NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
|
||||||
|
{NULL, 0, "ECDSA+SHA512", 1, 0},
|
||||||
|
@@ -9276,6 +9278,64 @@ static int test_servername(int tst)
|
||||||
|
return testresult;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int test_unknown_sigalgs_groups(void)
|
||||||
|
+{
|
||||||
|
+ int ret = 0;
|
||||||
|
+ SSL_CTX *ctx = NULL;
|
||||||
|
+
|
||||||
|
+ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
|
||||||
|
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
|
||||||
|
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
||||||
|
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
|
||||||
|
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
|
||||||
|
+ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
||||||
|
+ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||||
|
+ "nonexistent"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||||
|
+ "?nonexistent1:?nonexistent2:?nonexistent3"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+#ifndef OPENSSL_NO_EC
|
||||||
|
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||||
|
+ "P-256:nonexistent"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
|
||||||
|
+ "P-384:?nonexistent:?P-521"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
|
||||||
|
+ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
|
||||||
|
+ || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
|
||||||
|
+ goto end;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ ret = 1;
|
||||||
|
+ end:
|
||||||
|
+ SSL_CTX_free(ctx);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#if !defined(OPENSSL_NO_EC) \
|
||||||
|
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
||||||
|
/*
|
||||||
|
@@ -11519,6 +11579,7 @@ int setup_tests(void)
|
||||||
|
ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
|
||||||
|
#endif
|
||||||
|
ADD_ALL_TESTS(test_servername, 10);
|
||||||
|
+ ADD_TEST(test_unknown_sigalgs_groups);
|
||||||
|
#if !defined(OPENSSL_NO_EC) \
|
||||||
|
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
||||||
|
ADD_ALL_TESTS(test_sigalgs_available, 6);
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
80
0118-no-crl-memleak.patch
Normal file
80
0118-no-crl-memleak.patch
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||||
|
Date: Tue, 27 Feb 2024 15:22:58 +0100
|
||||||
|
Subject: [PATCH 48/49] 0118-no-crl-memleak.patch
|
||||||
|
|
||||||
|
Patch-name: 0118-no-crl-memleak.patch
|
||||||
|
Patch-id: 118
|
||||||
|
Patch-status: |
|
||||||
|
# https://github.com/openssl/openssl/issues/23770
|
||||||
|
---
|
||||||
|
crypto/x509/by_file.c | 2 ++
|
||||||
|
test/recipes/60-test_x509_load_cert_file.t | 3 ++-
|
||||||
|
test/x509_load_cert_file_test.c | 8 +++++++-
|
||||||
|
3 files changed, 11 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
|
||||||
|
index 5073c137a2..85923804ac 100644
|
||||||
|
--- a/crypto/x509/by_file.c
|
||||||
|
+++ b/crypto/x509/by_file.c
|
||||||
|
@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
count++;
|
||||||
|
+ X509_CRL_free(x);
|
||||||
|
+ x = NULL;
|
||||||
|
}
|
||||||
|
} else if (type == X509_FILETYPE_ASN1) {
|
||||||
|
x = d2i_X509_CRL_bio(in, NULL);
|
||||||
|
diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t
|
||||||
|
index 75aeac362c..e329d7675c 100644
|
||||||
|
--- a/test/recipes/60-test_x509_load_cert_file.t
|
||||||
|
+++ b/test/recipes/60-test_x509_load_cert_file.t
|
||||||
|
@@ -12,4 +12,5 @@ setup("test_load_cert_file");
|
||||||
|
|
||||||
|
plan tests => 1;
|
||||||
|
|
||||||
|
-ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")])));
|
||||||
|
+ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"),
|
||||||
|
+ srctop_file("test", "certs", "cyrillic_crl.pem")])));
|
||||||
|
diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c
|
||||||
|
index 4a736071ae..c07d329915 100644
|
||||||
|
--- a/test/x509_load_cert_file_test.c
|
||||||
|
+++ b/test/x509_load_cert_file_test.c
|
||||||
|
@@ -12,6 +12,7 @@
|
||||||
|
#include "testutil.h"
|
||||||
|
|
||||||
|
static const char *chain;
|
||||||
|
+static const char *crl;
|
||||||
|
|
||||||
|
static int test_load_cert_file(void)
|
||||||
|
{
|
||||||
|
@@ -27,12 +28,15 @@ static int test_load_cert_file(void)
|
||||||
|
&& TEST_int_eq(sk_X509_num(certs), 4))
|
||||||
|
ret = 1;
|
||||||
|
|
||||||
|
+ if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM)))
|
||||||
|
+ ret = 0;
|
||||||
|
+
|
||||||
|
OSSL_STACK_OF_X509_free(certs);
|
||||||
|
X509_STORE_free(store);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-OPT_TEST_DECLARE_USAGE("cert.pem...\n")
|
||||||
|
+OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n")
|
||||||
|
|
||||||
|
int setup_tests(void)
|
||||||
|
{
|
||||||
|
@@ -45,6 +49,8 @@ int setup_tests(void)
|
||||||
|
if (chain == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
+ crl = test_get_argument(1);
|
||||||
|
+
|
||||||
|
ADD_TEST(test_load_cert_file);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
170
0119-provider-sigalgs-in-signaturealgorithms-conf.patch
Normal file
170
0119-provider-sigalgs-in-signaturealgorithms-conf.patch
Normal file
@ -0,0 +1,170 @@
|
|||||||
|
From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||||
|
Date: Fri, 8 Mar 2024 11:18:12 +0100
|
||||||
|
Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
||||||
|
|
||||||
|
Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
||||||
|
Patch-id: 119
|
||||||
|
Patch-status: |
|
||||||
|
# https://github.com/openssl/openssl/issues/22779
|
||||||
|
---
|
||||||
|
ssl/s3_lib.c | 8 ++++----
|
||||||
|
ssl/ssl_lib.c | 2 +-
|
||||||
|
ssl/ssl_local.h | 2 +-
|
||||||
|
ssl/t1_lib.c | 45 ++++++++++++++++++++++++++++++++++-----------
|
||||||
|
4 files changed, 40 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||||
|
index e8ec98c221..48a1aa0e61 100644
|
||||||
|
--- a/ssl/s3_lib.c
|
||||||
|
+++ b/ssl/s3_lib.c
|
||||||
|
@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||||
|
return tls1_set_sigalgs(sc->cert, parg, larg, 0);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(sc->cert, parg, 0);
|
||||||
|
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS:
|
||||||
|
return tls1_set_sigalgs(sc->cert, parg, larg, 1);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(sc->cert, parg, 1);
|
||||||
|
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1);
|
||||||
|
|
||||||
|
case SSL_CTRL_GET_CLIENT_CERT_TYPES:
|
||||||
|
{
|
||||||
|
@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||||
|
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(ctx->cert, parg, 0);
|
||||||
|
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS:
|
||||||
|
return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(ctx->cert, parg, 1);
|
||||||
|
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
|
||||||
|
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
|
||||||
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||||
|
index 1329841aaf..4d95ab71cd 100644
|
||||||
|
--- a/ssl/ssl_lib.c
|
||||||
|
+++ b/ssl/ssl_lib.c
|
||||||
|
@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||||
|
return tls1_set_groups_list(ctx, NULL, NULL, parg);
|
||||||
|
case SSL_CTRL_SET_SIGALGS_LIST:
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(NULL, parg, 0);
|
||||||
|
+ return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
|
||||||
|
index 0d3acfbe66..a73b2c4770 100644
|
||||||
|
--- a/ssl/ssl_local.h
|
||||||
|
+++ b/ssl/ssl_local.h
|
||||||
|
@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s);
|
||||||
|
|
||||||
|
void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op);
|
||||||
|
|
||||||
|
-__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
|
||||||
|
+__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client);
|
||||||
|
__owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
|
||||||
|
int client);
|
||||||
|
__owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen,
|
||||||
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||||
|
index fe680449c5..87f2ae7000 100644
|
||||||
|
--- a/ssl/t1_lib.c
|
||||||
|
+++ b/ssl/t1_lib.c
|
||||||
|
@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx)
|
||||||
|
|
||||||
|
/* now populate ctx->ssl_cert_info */
|
||||||
|
if (ctx->sigalg_list_len > 0) {
|
||||||
|
+ OPENSSL_free(ctx->ssl_cert_info);
|
||||||
|
ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
|
||||||
|
if (ctx->ssl_cert_info == NULL)
|
||||||
|
return 0;
|
||||||
|
@@ -2889,6 +2890,7 @@ typedef struct {
|
||||||
|
size_t sigalgcnt;
|
||||||
|
/* TLSEXT_SIGALG_XXX values */
|
||||||
|
uint16_t sigalgs[TLS_MAX_SIGALGCNT];
|
||||||
|
+ SSL_CTX *ctx;
|
||||||
|
} sig_cb_st;
|
||||||
|
|
||||||
|
static void get_sigorhash(int *psig, int *phash, const char *str)
|
||||||
|
@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str)
|
||||||
|
static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
{
|
||||||
|
sig_cb_st *sarg = arg;
|
||||||
|
- size_t i;
|
||||||
|
+ size_t i = 0;
|
||||||
|
+ int load_success = 0;
|
||||||
|
const SIGALG_LOOKUP *s;
|
||||||
|
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
|
||||||
|
int sig_alg = NID_undef, hash_alg = NID_undef;
|
||||||
|
@@ -2943,17 +2946,36 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
* in the table.
|
||||||
|
*/
|
||||||
|
if (p == NULL) {
|
||||||
|
- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
|
||||||
|
- i++, s++) {
|
||||||
|
- if (s->name != NULL && strcmp(etmp, s->name) == 0) {
|
||||||
|
- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
+ /* Load provider sigalgs */
|
||||||
|
+ if (sarg->ctx) {
|
||||||
|
+ load_success = ssl_load_sigalgs(sarg->ctx);
|
||||||
|
}
|
||||||
|
- if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||||
|
- /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
- return ignore_unknown;
|
||||||
|
+ if (load_success) {
|
||||||
|
+ /* Check if a provider supports the sigalg */
|
||||||
|
+ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) {
|
||||||
|
+ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL
|
||||||
|
+ && strcmp(etmp,
|
||||||
|
+ sarg->ctx->sigalg_list[i].sigalg_name) == 0) {
|
||||||
|
+ sarg->sigalgs[sarg->sigalgcnt++] =
|
||||||
|
+ sarg->ctx->sigalg_list[i].code_point;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
+ /* Check the built-in sigalgs */
|
||||||
|
+ if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) {
|
||||||
|
+ for (i = 0, s = sigalg_lookup_tbl;
|
||||||
|
+ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
|
||||||
|
+ if (s->name != NULL && strcmp(etmp, s->name) == 0) {
|
||||||
|
+ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||||
|
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
*p = 0;
|
||||||
|
p++;
|
||||||
|
@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
* Set supported signature algorithms based on a colon separated list of the
|
||||||
|
* form sig+hash e.g. RSA+SHA512:DSA+SHA512
|
||||||
|
*/
|
||||||
|
-int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
||||||
|
+int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
|
||||||
|
{
|
||||||
|
sig_cb_st sig;
|
||||||
|
sig.sigalgcnt = 0;
|
||||||
|
+ sig.ctx = ctx;
|
||||||
|
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
||||||
|
return 0;
|
||||||
|
if (sig.sigalgcnt == 0) {
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
65
0121-FIPS-cms-defaults.patch
Normal file
65
0121-FIPS-cms-defaults.patch
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c
|
||||||
|
--- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200
|
||||||
|
+++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200
|
||||||
|
@@ -20,6 +20,7 @@
|
||||||
|
#include <openssl/x509_vfy.h>
|
||||||
|
#include <openssl/x509v3.h>
|
||||||
|
#include <openssl/cms.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
|
||||||
|
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
|
||||||
|
static int cms_cb(int ok, X509_STORE_CTX *ctx);
|
||||||
|
@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv)
|
||||||
|
|
||||||
|
if (operation == SMIME_ENCRYPT) {
|
||||||
|
if (!cipher) {
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ cipher = (EVP_CIPHER *)EVP_aes_128_cbc();
|
||||||
|
+ } else {
|
||||||
|
#ifndef OPENSSL_NO_DES
|
||||||
|
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||||
|
+ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||||
|
#else
|
||||||
|
- BIO_printf(bio_err, "No cipher selected\n");
|
||||||
|
- goto end;
|
||||||
|
+ BIO_printf(bio_err, "No cipher selected\n");
|
||||||
|
+ goto end;
|
||||||
|
#endif
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if (secret_key && !secret_keyid) {
|
||||||
|
diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c
|
||||||
|
--- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200
|
||||||
|
+++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200
|
||||||
|
@@ -14,6 +14,7 @@
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/cms.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#include "internal/sizes.h"
|
||||||
|
#include "crypto/asn1.h"
|
||||||
|
#include "crypto/evp.h"
|
||||||
|
@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C
|
||||||
|
return 0;
|
||||||
|
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
|
||||||
|
return 0;
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
} else if (!ossl_cms_env_asn1_ctrl(ri, 0))
|
||||||
|
return 0;
|
||||||
|
return 1;
|
||||||
|
@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp
|
||||||
|
|
||||||
|
if (EVP_PKEY_encrypt_init(pctx) <= 0)
|
||||||
|
goto err;
|
||||||
|
+
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
|
47
openssl.spec
47
openssl.spec
@ -91,6 +91,12 @@ Patch47: 0047-FIPS-early-KATS.patch
|
|||||||
Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch
|
Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch
|
||||||
# # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)
|
# # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)
|
||||||
Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
|
Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
|
||||||
|
# Originally from https://github.com/openssl/openssl/pull/18103
|
||||||
|
# As we rebased to 3.0.7 and used the version of the function
|
||||||
|
# not matching the upstream one, we have to use aliasing.
|
||||||
|
# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
|
||||||
|
# should also be removed
|
||||||
|
Patch56: 0056-strcasecmp.patch
|
||||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
||||||
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
|
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
|
||||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
|
# # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
|
||||||
@ -143,11 +149,19 @@ Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
|
|||||||
# # We believe that some changes present in CentOS are not necessary
|
# # We believe that some changes present in CentOS are not necessary
|
||||||
# # because ustream has a check for FIPS version
|
# # because ustream has a check for FIPS version
|
||||||
Patch114: 0114-FIPS-enforce-EMS-support.patch
|
Patch114: 0114-FIPS-enforce-EMS-support.patch
|
||||||
# skip quic and pairwise tests temporarily
|
# Amend tests according to Fedora/RHEL code
|
||||||
Patch115: 0115-skip-quic-pairwise.patch
|
Patch115: 0115-skip-quic-pairwise.patch
|
||||||
# Add version aliasing due to
|
# Add version aliasing due to
|
||||||
# https://github.com/openssl/openssl/issues/23534
|
# https://github.com/openssl/openssl/issues/23534
|
||||||
Patch116: 0116-version-aliasing.patch
|
Patch116: 0116-version-aliasing.patch
|
||||||
|
# https://github.com/openssl/openssl/issues/23050
|
||||||
|
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||||
|
# https://github.com/openssl/openssl/issues/23770
|
||||||
|
Patch118: 0118-no-crl-memleak.patch
|
||||||
|
# https://github.com/openssl/openssl/issues/22779
|
||||||
|
Patch119: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
||||||
|
# From CentOS 9
|
||||||
|
Patch121: 0121-FIPS-cms-defaults.patch
|
||||||
|
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
@ -176,10 +190,8 @@ protocols.
|
|||||||
Summary: A general purpose cryptography library with TLS implementation
|
Summary: A general purpose cryptography library with TLS implementation
|
||||||
Requires: ca-certificates >= 2008-5
|
Requires: ca-certificates >= 2008-5
|
||||||
Requires: crypto-policies >= 20180730
|
Requires: crypto-policies >= 20180730
|
||||||
%if 0%{?fedora} >= 40 || 0%{?rhel} >= 10
|
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||||
Recommends: pkcs11-provider%{?_isa}
|
Requires: openssl-fips-provider
|
||||||
%else
|
|
||||||
Recommends: openssl-pkcs11%{?_isa}
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%description libs
|
%description libs
|
||||||
@ -292,7 +304,7 @@ export HASHBANGPERL=/usr/bin/perl
|
|||||||
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
|
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
|
||||||
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
||||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||||
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE \
|
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
|
||||||
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
|
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
|
||||||
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
|
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
|
||||||
-Wl,--allow-multiple-definition
|
-Wl,--allow-multiple-definition
|
||||||
@ -324,14 +336,12 @@ patch -p1 < %{SOURCE14}
|
|||||||
|
|
||||||
OPENSSL_ENABLE_MD5_VERIFY=
|
OPENSSL_ENABLE_MD5_VERIFY=
|
||||||
export OPENSSL_ENABLE_MD5_VERIFY
|
export OPENSSL_ENABLE_MD5_VERIFY
|
||||||
%if 0%{?rhel}
|
|
||||||
OPENSSL_ENABLE_SHA1_SIGNATURES=
|
OPENSSL_ENABLE_SHA1_SIGNATURES=
|
||||||
export OPENSSL_ENABLE_SHA1_SIGNATURES
|
export OPENSSL_ENABLE_SHA1_SIGNATURES
|
||||||
%endif
|
|
||||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
||||||
#embed HMAC into fips provider for test run
|
#embed HMAC into fips provider for test run
|
||||||
OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
|
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
|
||||||
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
|
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
|
||||||
mv providers/fips.so.mac providers/fips.so
|
mv providers/fips.so.mac providers/fips.so
|
||||||
#run tests itself
|
#run tests itself
|
||||||
@ -340,15 +350,24 @@ make test HARNESS_JOBS=8
|
|||||||
# Add generation of HMAC checksum of the final stripped library
|
# Add generation of HMAC checksum of the final stripped library
|
||||||
# We manually copy standard definition of __spec_install_post
|
# We manually copy standard definition of __spec_install_post
|
||||||
# and add hmac calculation/embedding to fips.so
|
# and add hmac calculation/embedding to fips.so
|
||||||
|
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||||
|
%define __spec_install_post \
|
||||||
|
rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \
|
||||||
|
%{?__debug_package:%{__debug_install_post}} \
|
||||||
|
%{__arch_install_post} \
|
||||||
|
%{__os_install_post} \
|
||||||
|
%{nil}
|
||||||
|
%else
|
||||||
%define __spec_install_post \
|
%define __spec_install_post \
|
||||||
%{?__debug_package:%{__debug_install_post}} \
|
%{?__debug_package:%{__debug_install_post}} \
|
||||||
%{__arch_install_post} \
|
%{__arch_install_post} \
|
||||||
%{__os_install_post} \
|
%{__os_install_post} \
|
||||||
OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
||||||
objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
|
objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
|
||||||
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
|
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
|
||||||
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
||||||
%{nil}
|
%{nil}
|
||||||
|
%endif
|
||||||
|
|
||||||
%define __provides_exclude_from %{_libdir}/openssl
|
%define __provides_exclude_from %{_libdir}/openssl
|
||||||
|
|
||||||
@ -372,6 +391,7 @@ done
|
|||||||
# Install a makefile for generating keys and self-signed certs, and a script
|
# Install a makefile for generating keys and self-signed certs, and a script
|
||||||
# for generating them on the fly.
|
# for generating them on the fly.
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
|
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
|
||||||
|
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.d
|
||||||
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
|
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
|
||||||
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
|
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
|
||||||
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
|
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
|
||||||
@ -431,6 +451,7 @@ cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \
|
|||||||
install -m644 %{SOURCE9} \
|
install -m644 %{SOURCE9} \
|
||||||
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
|
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
|
||||||
%endif
|
%endif
|
||||||
|
ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_local.cnf
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%{!?_licensedir:%global license %%doc}
|
%{!?_licensedir:%global license %%doc}
|
||||||
@ -453,8 +474,10 @@ install -m644 %{SOURCE9} \
|
|||||||
%dir %{_sysconfdir}/pki/tls/certs
|
%dir %{_sysconfdir}/pki/tls/certs
|
||||||
%dir %{_sysconfdir}/pki/tls/misc
|
%dir %{_sysconfdir}/pki/tls/misc
|
||||||
%dir %{_sysconfdir}/pki/tls/private
|
%dir %{_sysconfdir}/pki/tls/private
|
||||||
|
%dir %{_sysconfdir}/pki/tls/openssl.d
|
||||||
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
|
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
|
||||||
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
|
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
|
||||||
|
%config %{_sysconfdir}/pki/tls/fips_local.cnf
|
||||||
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
|
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
|
||||||
%{_libdir}/libcrypto.so.%{soversion}
|
%{_libdir}/libcrypto.so.%{soversion}
|
||||||
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
||||||
@ -484,6 +507,10 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 03 2024 Sahana Prasad <sahana@redhat.com> - 1:3.2.1-4
|
||||||
|
- Synchronize patches from c9s and Fedora
|
||||||
|
- Resolves: RHEL-31762
|
||||||
|
|
||||||
* Tue Feb 13 2024 Sahana Prasad <sahana@redhat.com> - 1:3.2.1-3
|
* Tue Feb 13 2024 Sahana Prasad <sahana@redhat.com> - 1:3.2.1-3
|
||||||
- Temporarily disable ktls to unblock c10s builds
|
- Temporarily disable ktls to unblock c10s builds
|
||||||
- Resolves: RHEL-25259
|
- Resolves: RHEL-25259
|
||||||
|
Loading…
Reference in New Issue
Block a user