mingw-openssl package is retired on branch c10s for BAKERY-412
parent
7259131839
commit
8ab984d8d7
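--- a/.gitignore
+++ b/.gitignore
@@ -1,19 +0,0 @@
-openssl-1.0.0a-usa.tar.bz2
-/openssl-1.0.0d-usa.tar.bz2
-/openssl-1.0.1c-usa.tar.xz
-/openssl-1.0.1e-usa.tar.xz
-/openssl-1.0.1e-hobbled.tar.xz
-/openssl-1.0.1i-hobbled.tar.xz
-/openssl-1.0.1j-hobbled.tar.xz
-/openssl-1.0.2a-hobbled.tar.xz
-/openssl-1.0.2f-hobbled.tar.xz
-/openssl-1.0.2h-hobbled.tar.xz
-/openssl-1.1.0h-hobbled.tar.xz
-/openssl-1.1.1c-hobbled.tar.xz
-/openssl-1.1.1k-hobbled.tar.xz
-/openssl-3.0.0-hobbled.tar.xz
-/openssl-3.0.2-hobbled.tar.gz
-/openssl-3.0.3-hobbled.tar.gz
-/openssl-3.0.5-hobbled.tar.xz
-/openssl-3.0.7-hobbled.tar.xz
-/openssl-3.0.9.tar.gz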
@ -1,19 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/Configurations/10-main.conf openssl-3.0.9-new/Configurations/10-main.conf
|
|
||||||
--- openssl-3.0.9/Configurations/10-main.conf 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/Configurations/10-main.conf 2023-05-31 16:36:50.335282918 +0200
|
|
||||||
@@ -730,6 +730,7 @@ my %targets = (
|
|
||||||
lib_cppflags => add("-DL_ENDIAN"),
|
|
||||||
asm_arch => 'ppc64',
|
|
||||||
perlasm_scheme => "linux64le",
|
|
||||||
+ multilib => "64",
|
|
||||||
},
|
|
||||||
|
|
||||||
"linux-armv4" => {
|
|
||||||
@@ -772,6 +773,7 @@ my %targets = (
|
|
||||||
inherit_from => [ "linux-generic64" ],
|
|
||||||
asm_arch => 'aarch64',
|
|
||||||
perlasm_scheme => "linux64",
|
|
||||||
+ multilib => "64",
|
|
||||||
},
|
|
||||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
|
||||||
inherit_from => [ "linux-generic32" ],
|
|
@ -1,51 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/apps/openssl.cnf openssl-3.0.9-new/apps/openssl.cnf
|
|
||||||
--- openssl-3.0.9/apps/openssl.cnf 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/apps/openssl.cnf 2023-05-31 16:36:50.587282180 +0200
|
|
||||||
@@ -111,7 +111,7 @@ cert_opt = ca_default # Certificate fi
|
|
||||||
|
|
||||||
default_days = 365 # how long to certify for
|
|
||||||
default_crl_days= 30 # how long before next CRL
|
|
||||||
-default_md = default # use public key default MD
|
|
||||||
+default_md = sha256 # use SHA-256 by default
|
|
||||||
preserve = no # keep passed DN ordering
|
|
||||||
|
|
||||||
# A few difference way of specifying how similar the request should look
|
|
||||||
@@ -143,6 +143,7 @@ emailAddress = optional
|
|
||||||
####################################################################
|
|
||||||
[ req ]
|
|
||||||
default_bits = 2048
|
|
||||||
+default_md = sha256
|
|
||||||
default_keyfile = privkey.pem
|
|
||||||
distinguished_name = req_distinguished_name
|
|
||||||
attributes = req_attributes
|
|
||||||
@@ -165,17 +166,18 @@ string_mask = utf8only
|
|
||||||
|
|
||||||
[ req_distinguished_name ]
|
|
||||||
countryName = Country Name (2 letter code)
|
|
||||||
-countryName_default = AU
|
|
||||||
+countryName_default = XX
|
|
||||||
countryName_min = 2
|
|
||||||
countryName_max = 2
|
|
||||||
|
|
||||||
stateOrProvinceName = State or Province Name (full name)
|
|
||||||
-stateOrProvinceName_default = Some-State
|
|
||||||
+#stateOrProvinceName_default = Default Province
|
|
||||||
|
|
||||||
localityName = Locality Name (eg, city)
|
|
||||||
+localityName_default = Default City
|
|
||||||
|
|
||||||
0.organizationName = Organization Name (eg, company)
|
|
||||||
-0.organizationName_default = Internet Widgits Pty Ltd
|
|
||||||
+0.organizationName_default = Default Company Ltd
|
|
||||||
|
|
||||||
# we can do this but it is not needed normally :-)
|
|
||||||
#1.organizationName = Second Organization Name (eg, company)
|
|
||||||
@@ -184,7 +186,7 @@ localityName = Locality Name (eg, city
|
|
||||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
|
||||||
#organizationalUnitName_default =
|
|
||||||
|
|
||||||
-commonName = Common Name (e.g. server FQDN or YOUR name)
|
|
||||||
+commonName = Common Name (eg, your name or your server\'s hostname)
|
|
||||||
commonName_max = 64
|
|
||||||
|
|
||||||
emailAddress = Email Address
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/Configurations/unix-Makefile.tmpl openssl-3.0.9-new/Configurations/unix-Makefile.tmpl
|
|
||||||
--- openssl-3.0.9/Configurations/unix-Makefile.tmpl 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/Configurations/unix-Makefile.tmpl 2023-05-31 16:36:50.836281451 +0200
|
|
||||||
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines
|
|
||||||
|
|
||||||
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
|
|
||||||
|
|
||||||
-install_docs: install_man_docs install_html_docs
|
|
||||||
+install_docs: install_man_docs
|
|
||||||
|
|
||||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
|
||||||
$(RM) -r $(DESTDIR)$(DOCDIR)
|
|
@ -1,56 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/apps/CA.pl.in openssl-3.0.9-new/apps/CA.pl.in
|
|
||||||
--- openssl-3.0.9/apps/CA.pl.in 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/apps/CA.pl.in 2023-05-31 16:36:51.078280742 +0200
|
|
||||||
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
|
|
||||||
my $PKCS12 = "$openssl pkcs12";
|
|
||||||
|
|
||||||
# Default values for various configuration settings.
|
|
||||||
-my $CATOP = "./demoCA";
|
|
||||||
+my $CATOP = "/etc/pki/CA";
|
|
||||||
my $CAKEY = "cakey.pem";
|
|
||||||
my $CAREQ = "careq.pem";
|
|
||||||
my $CACERT = "cacert.pem";
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/apps/openssl.cnf openssl-3.0.9-new/apps/openssl.cnf
|
|
||||||
--- openssl-3.0.9/apps/openssl.cnf 2023-05-31 16:36:50.830281468 +0200
|
|
||||||
+++ openssl-3.0.9-new/apps/openssl.cnf 2023-05-31 16:36:51.078280742 +0200
|
|
||||||
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
|
|
||||||
|
|
||||||
[openssl_init]
|
|
||||||
providers = provider_sect
|
|
||||||
+# Load default TLS policy configuration
|
|
||||||
+ssl_conf = ssl_module
|
|
||||||
|
|
||||||
# List of providers to load
|
|
||||||
[provider_sect]
|
|
||||||
@@ -71,6 +73,13 @@ default = default_sect
|
|
||||||
[default_sect]
|
|
||||||
# activate = 1
|
|
||||||
|
|
||||||
+[ ssl_module ]
|
|
||||||
+
|
|
||||||
+system_default = crypto_policy
|
|
||||||
+
|
|
||||||
+[ crypto_policy ]
|
|
||||||
+
|
|
||||||
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ ca ]
|
|
||||||
@@ -79,7 +88,7 @@ default_ca = CA_default # The default c
|
|
||||||
####################################################################
|
|
||||||
[ CA_default ]
|
|
||||||
|
|
||||||
-dir = ./demoCA # Where everything is kept
|
|
||||||
+dir = /etc/pki/CA # Where everything is kept
|
|
||||||
certs = $dir/certs # Where the issued certs are kept
|
|
||||||
crl_dir = $dir/crl # Where the issued crl are kept
|
|
||||||
database = $dir/index.txt # database index file.
|
|
||||||
@@ -311,7 +320,7 @@ default_tsa = tsa_config1 # the default
|
|
||||||
[ tsa_config1 ]
|
|
||||||
|
|
||||||
# These are used by the TSA reply generation only.
|
|
||||||
-dir = ./demoCA # TSA root directory
|
|
||||||
+dir = /etc/pki/CA # TSA root directory
|
|
||||||
serial = $dir/tsaserial # The current serial number (mandatory)
|
|
||||||
crypto_device = builtin # OpenSSL engine to use for signing
|
|
||||||
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/apps/ca.c openssl-3.0.9-new/apps/ca.c
|
|
||||||
--- openssl-3.0.9/apps/ca.c 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/apps/ca.c 2023-05-31 16:36:51.336279987 +0200
|
|
||||||
@@ -210,7 +210,7 @@ const OPTIONS ca_options[] = {
|
|
||||||
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
|
|
||||||
|
|
||||||
OPT_SECTION("Signing"),
|
|
||||||
- {"md", OPT_MD, 's', "Digest to use, such as sha256"},
|
|
||||||
+ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
|
|
||||||
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
|
|
||||||
{"keyform", OPT_KEYFORM, 'f',
|
|
||||||
"Private key file format (ENGINE, other values ignored)"},
|
|
@ -1,15 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/crypto/asn1/a_verify.c openssl-3.0.9-new/crypto/asn1/a_verify.c
|
|
||||||
--- openssl-3.0.9/crypto/asn1/a_verify.c 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/crypto/asn1/a_verify.c 2023-05-31 16:36:51.578279278 +0200
|
|
||||||
@@ -153,6 +153,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM
|
|
||||||
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
|
|
||||||
if (ret <= 1)
|
|
||||||
goto err;
|
|
||||||
+ } else if ((mdnid == NID_md5
|
|
||||||
+ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
|
|
||||||
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
|
|
||||||
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
|
||||||
+ goto err;
|
|
||||||
} else {
|
|
||||||
const EVP_MD *type = NULL;
|
|
||||||
|
|
@ -1,296 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/Configurations/unix-Makefile.tmpl openssl-3.0.9-new/Configurations/unix-Makefile.tmpl
|
|
||||||
--- openssl-3.0.9/Configurations/unix-Makefile.tmpl 2023-05-31 16:36:51.074280754 +0200
|
|
||||||
+++ openssl-3.0.9-new/Configurations/unix-Makefile.tmpl 2023-05-31 16:36:51.814278587 +0200
|
|
||||||
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
|
||||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
|
||||||
HTMLDIR=$(DOCDIR)/html
|
|
||||||
|
|
||||||
+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
|
|
||||||
+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
|
|
||||||
+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
|
|
||||||
+
|
|
||||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
|
||||||
# appended after the manpage file section number. "ssl" is popular,
|
|
||||||
# resulting in files such as config.5ssl rather than config.5.
|
|
||||||
@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
|
||||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
|
||||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
|
||||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
|
||||||
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
|
|
||||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
|
||||||
@{$config{CPPFLAGS}}) -}
|
|
||||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/Configure openssl-3.0.9-new/Configure
|
|
||||||
--- openssl-3.0.9/Configure 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/Configure 2023-05-31 16:36:51.815278584 +0200
|
|
||||||
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
|
||||||
my $orig_death_handler = $SIG{__DIE__};
|
|
||||||
$SIG{__DIE__} = \&death_handler;
|
|
||||||
|
|
||||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
|
||||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
|
||||||
|
|
||||||
my $banner = <<"EOF";
|
|
||||||
|
|
||||||
@@ -61,6 +61,10 @@ EOF
|
|
||||||
# given with --prefix.
|
|
||||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
|
||||||
# (Default: PREFIX/ssl)
|
|
||||||
+#
|
|
||||||
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
|
||||||
+# cipher is specified (default).
|
|
||||||
+#
|
|
||||||
# --banner=".." Output specified text instead of default completion banner
|
|
||||||
#
|
|
||||||
# -w Don't wait after showing a Configure warning
|
|
||||||
@@ -387,6 +391,7 @@ $config{prefix}="";
|
|
||||||
$config{openssldir}="";
|
|
||||||
$config{processor}="";
|
|
||||||
$config{libdir}="";
|
|
||||||
+$config{system_ciphers_file}="";
|
|
||||||
my $auto_threads=1; # enable threads automatically? true by default
|
|
||||||
my $default_ranlib;
|
|
||||||
|
|
||||||
@@ -989,6 +994,10 @@ while (@argvcopy)
|
|
||||||
die "FIPS key too long (64 bytes max)\n"
|
|
||||||
if length $1 > 64;
|
|
||||||
}
|
|
||||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
|
||||||
+ {
|
|
||||||
+ $config{system_ciphers_file}=$1;
|
|
||||||
+ }
|
|
||||||
elsif (/^--banner=(.*)$/)
|
|
||||||
{
|
|
||||||
$banner = $1 . "\n";
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/doc/man1/openssl-ciphers.pod.in openssl-3.0.9-new/doc/man1/openssl-ciphers.pod.in
|
|
||||||
--- openssl-3.0.9/doc/man1/openssl-ciphers.pod.in 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/doc/man1/openssl-ciphers.pod.in 2023-05-31 16:36:51.815278584 +0200
|
|
||||||
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
|
||||||
|
|
||||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
|
||||||
|
|
||||||
+=item B<PROFILE=SYSTEM>
|
|
||||||
+
|
|
||||||
+The list of enabled cipher suites will be loaded from the system crypto policy
|
|
||||||
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
|
|
||||||
+See also L<update-crypto-policies(8)>.
|
|
||||||
+This is the default behavior unless an application explicitly sets a cipher
|
|
||||||
+list. If used in a cipher list configuration value this string must be at the
|
|
||||||
+beginning of the cipher list, otherwise it will not be recognized.
|
|
||||||
+
|
|
||||||
=item B<HIGH>
|
|
||||||
|
|
||||||
"High" encryption cipher suites. This currently means those with key lengths
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/include/openssl/ssl.h.in openssl-3.0.9-new/include/openssl/ssl.h.in
|
|
||||||
--- openssl-3.0.9/include/openssl/ssl.h.in 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/include/openssl/ssl.h.in 2023-05-31 16:36:51.816278581 +0200
|
|
||||||
@@ -205,6 +205,11 @@ extern "C" {
|
|
||||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
|
||||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
|
||||||
*/
|
|
||||||
+# ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
|
||||||
+# else
|
|
||||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
|
|
||||||
+# endif
|
|
||||||
|
|
||||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
|
||||||
# define SSL_SENT_SHUTDOWN 1
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/ssl/ssl_ciph.c openssl-3.0.9-new/ssl/ssl_ciph.c
|
|
||||||
--- openssl-3.0.9/ssl/ssl_ciph.c 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/ssl/ssl_ciph.c 2023-05-31 16:36:51.816278581 +0200
|
|
||||||
@@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+static char *load_system_str(const char *suffix)
|
|
||||||
+{
|
|
||||||
+ FILE *fp;
|
|
||||||
+ char buf[1024];
|
|
||||||
+ char *new_rules;
|
|
||||||
+ const char *ciphers_path;
|
|
||||||
+ unsigned len, slen;
|
|
||||||
+
|
|
||||||
+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
|
||||||
+ ciphers_path = SYSTEM_CIPHERS_FILE;
|
|
||||||
+ fp = fopen(ciphers_path, "r");
|
|
||||||
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
|
||||||
+ /* cannot open or file is empty */
|
|
||||||
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (fp)
|
|
||||||
+ fclose(fp);
|
|
||||||
+
|
|
||||||
+ slen = strlen(suffix);
|
|
||||||
+ len = strlen(buf);
|
|
||||||
+
|
|
||||||
+ if (buf[len - 1] == '\n') {
|
|
||||||
+ len--;
|
|
||||||
+ buf[len] = 0;
|
|
||||||
+ }
|
|
||||||
+ if (buf[len - 1] == '\r') {
|
|
||||||
+ len--;
|
|
||||||
+ buf[len] = 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ new_rules = OPENSSL_malloc(len + slen + 1);
|
|
||||||
+ if (new_rules == 0)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ memcpy(new_rules, buf, len);
|
|
||||||
+ if (slen > 0) {
|
|
||||||
+ memcpy(&new_rules[len], suffix, slen);
|
|
||||||
+ len += slen;
|
|
||||||
+ }
|
|
||||||
+ new_rules[len] = 0;
|
|
||||||
+
|
|
||||||
+ return new_rules;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
|
||||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
|
||||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
|
||||||
@@ -1452,15 +1499,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
|
||||||
const SSL_CIPHER **ca_list = NULL;
|
|
||||||
const SSL_METHOD *ssl_method = ctx->method;
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+ char *new_rules = NULL;
|
|
||||||
+
|
|
||||||
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
|
|
||||||
+ char *p = rule_str + 14;
|
|
||||||
+
|
|
||||||
+ new_rules = load_system_str(p);
|
|
||||||
+ rule_str = new_rules;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Return with error if nothing to do.
|
|
||||||
*/
|
|
||||||
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
|
|
||||||
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* To reduce the work to do we only want to process the compiled
|
|
||||||
@@ -1482,7 +1539,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
|
||||||
if (co_list == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
|
||||||
- return NULL; /* Failure */
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
|
||||||
@@ -1548,8 +1605,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
* in force within each class
|
|
||||||
*/
|
|
||||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1593,9 +1649,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
|
||||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
|
||||||
if (ca_list == NULL) {
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
|
||||||
- return NULL; /* Failure */
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
|
||||||
disabled_mkey, disabled_auth, disabled_enc,
|
|
||||||
@@ -1621,8 +1676,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
|
||||||
|
|
||||||
if (!ok) { /* Rule processing failure */
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1630,10 +1684,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
* if we cannot get one.
|
|
||||||
*/
|
|
||||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+ OPENSSL_free(new_rules); /* Not needed anymore */
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
|
||||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
|
||||||
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
|
||||||
@@ -1685,6 +1742,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
*cipher_list = cipherstack;
|
|
||||||
|
|
||||||
return cipherstack;
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ OPENSSL_free(co_list);
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+ OPENSSL_free(new_rules);
|
|
||||||
+#endif
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
}
|
|
||||||
|
|
||||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/ssl/ssl_lib.c openssl-3.0.9-new/ssl/ssl_lib.c
|
|
||||||
--- openssl-3.0.9/ssl/ssl_lib.c 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/ssl/ssl_lib.c 2023-05-31 16:36:51.817278578 +0200
|
|
||||||
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
|
||||||
ctx->tls13_ciphersuites,
|
|
||||||
&(ctx->cipher_list),
|
|
||||||
&(ctx->cipher_list_by_id),
|
|
||||||
- OSSL_default_cipher_list(), ctx->cert);
|
|
||||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
|
||||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
|
||||||
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
|
||||||
return 0;
|
|
||||||
@@ -3285,7 +3285,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
|
|
||||||
if (!ssl_create_cipher_list(ret,
|
|
||||||
ret->tls13_ciphersuites,
|
|
||||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
|
||||||
- OSSL_default_cipher_list(), ret->cert)
|
|
||||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
|
||||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
|
||||||
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
|
||||||
goto err2;
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/test/cipherlist_test.c openssl-3.0.9-new/test/cipherlist_test.c
|
|
||||||
--- openssl-3.0.9/test/cipherlist_test.c 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/test/cipherlist_test.c 2023-05-31 16:36:51.817278578 +0200
|
|
||||||
@@ -246,7 +246,9 @@ end:
|
|
||||||
|
|
||||||
int setup_tests(void)
|
|
||||||
{
|
|
||||||
+#ifndef SYSTEM_CIPHERS_FILE
|
|
||||||
ADD_TEST(test_default_cipherlist_implicit);
|
|
||||||
+#endif
|
|
||||||
ADD_TEST(test_default_cipherlist_explicit);
|
|
||||||
ADD_TEST(test_default_cipherlist_clear);
|
|
||||||
return 1;
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/util/libcrypto.num openssl-3.0.9-new/util/libcrypto.num
|
|
||||||
--- openssl-3.0.9/util/libcrypto.num 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/util/libcrypto.num 2023-05-31 16:36:51.818278575 +0200
|
|
||||||
@@ -5429,3 +5429,4 @@ OPENSSL_strcasecmp
|
|
||||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
|
||||||
OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP
|
|
||||||
OSSL_CMP_MSG_update_recipNonce 5559 3_0_9 EXIST::FUNCTION:CMP
|
|
||||||
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
|
@ -1,70 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/include/openssl/crypto.h.in openssl-3.0.9-new/include/openssl/crypto.h.in
|
|
||||||
--- openssl-3.0.9/include/openssl/crypto.h.in 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/include/openssl/crypto.h.in 2023-05-31 16:36:52.081277805 +0200
|
|
||||||
@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack
|
|
||||||
# include <openssl/opensslconf.h>
|
|
||||||
# include <openssl/cryptoerr.h>
|
|
||||||
# include <openssl/core.h>
|
|
||||||
+# include <openssl/fips.h>
|
|
||||||
|
|
||||||
# ifdef CHARSET_EBCDIC
|
|
||||||
# include <openssl/ebcdic.h>
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/include/openssl/fips.h openssl-3.0.9-new/include/openssl/fips.h
|
|
||||||
--- openssl-3.0.9/include/openssl/fips.h 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ openssl-3.0.9-new/include/openssl/fips.h 2023-05-31 16:36:52.081277805 +0200
|
|
||||||
@@ -0,0 +1,25 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ *
|
|
||||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+ * this file except in compliance with the License. You can obtain a copy
|
|
||||||
+ * in the file LICENSE in the source distribution or at
|
|
||||||
+ * https://www.openssl.org/source/license.html
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_FIPS_H
|
|
||||||
+# define OPENSSL_FIPS_H
|
|
||||||
+# pragma once
|
|
||||||
+
|
|
||||||
+# include <openssl/macros.h>
|
|
||||||
+
|
|
||||||
+# ifdef __cplusplus
|
|
||||||
+extern "C" {
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
|
||||||
+
|
|
||||||
+# ifdef __cplusplus
|
|
||||||
+}
|
|
||||||
+# endif
|
|
||||||
+#endif
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/test/property_test.c openssl-3.0.9-new/test/property_test.c
|
|
||||||
--- openssl-3.0.9/test/property_test.c 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/test/property_test.c 2023-05-31 16:36:52.082277802 +0200
|
|
||||||
@@ -648,6 +648,18 @@ static int test_property_list_to_string(
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_downstream_FIPS_mode(void)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+
|
|
||||||
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
|
|
||||||
+ && TEST_true(FIPS_mode())
|
|
||||||
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
|
|
||||||
+ && TEST_false(FIPS_mode());
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int setup_tests(void)
|
|
||||||
{
|
|
||||||
ADD_TEST(test_property_string);
|
|
||||||
@@ -661,6 +673,7 @@ int setup_tests(void)
|
|
||||||
ADD_TEST(test_property);
|
|
||||||
ADD_TEST(test_query_cache_stochastic);
|
|
||||||
ADD_TEST(test_fips_mode);
|
|
||||||
+ ADD_TEST(test_downstream_FIPS_mode);
|
|
||||||
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
|
||||||
return 1;
|
|
||||||
}
|
|
@ -1,79 +0,0 @@
|
|||||||
diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c
|
|
||||||
--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100
|
|
||||||
+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100
|
|
||||||
@@ -12,11 +12,54 @@
|
|
||||||
#include "internal/bio.h"
|
|
||||||
#include "internal/provider.h"
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
+# include <sys/types.h>
|
|
||||||
+# include <sys/stat.h>
|
|
||||||
+# include <fcntl.h>
|
|
||||||
+# include <unistd.h>
|
|
||||||
+# include <openssl/evp.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
struct ossl_lib_ctx_onfree_list_st {
|
|
||||||
ossl_lib_ctx_onfree_fn *fn;
|
|
||||||
struct ossl_lib_ctx_onfree_list_st *next;
|
|
||||||
};
|
|
||||||
|
|
||||||
+# ifndef FIPS_MODULE
|
|
||||||
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
|
||||||
+
|
|
||||||
+static int kernel_fips_flag;
|
|
||||||
+
|
|
||||||
+static void read_kernel_fips_flag(void)
|
|
||||||
+{
|
|
||||||
+ char buf[2] = "0";
|
|
||||||
+ int fd;
|
|
||||||
+
|
|
||||||
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
|
||||||
+ buf[0] = '1';
|
|
||||||
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
|
||||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
|
||||||
+ close(fd);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (buf[0] == '1') {
|
|
||||||
+ kernel_fips_flag = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int apply_kernel_fips_flag(OSSL_LIB_CTX *ctx)
|
|
||||||
+{
|
|
||||||
+ if (kernel_fips_flag) {
|
|
||||||
+ return EVP_default_properties_enable_fips(ctx, 1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
+
|
|
||||||
struct ossl_lib_ctx_st {
|
|
||||||
CRYPTO_RWLOCK *lock;
|
|
||||||
CRYPTO_EX_DATA data;
|
|
||||||
@@ -74,6 +117,12 @@ static int context_init(OSSL_LIB_CTX *ct
|
|
||||||
if (!ossl_property_parse_init(ctx))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
+# ifndef FIPS_MODULE
|
|
||||||
+ /* Preset the fips=yes default property with kernel FIPS mode */
|
|
||||||
+ if (!apply_kernel_fips_flag(ctx))
|
|
||||||
+ goto err;
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
err:
|
|
||||||
if (exdata_done)
|
|
||||||
@@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte
|
|
||||||
|
|
||||||
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
|
||||||
{
|
|
||||||
+ read_kernel_fips_flag();
|
|
||||||
return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)
|
|
||||||
&& context_init(&default_context_int);
|
|
||||||
}
|
|
File diff suppressed because it is too large
@ -1,122 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/crypto/ec/ec_asn1.c openssl-3.0.9-new/crypto/ec/ec_asn1.c
|
|
||||||
--- openssl-3.0.9/crypto/ec/ec_asn1.c 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/crypto/ec/ec_asn1.c 2023-05-31 16:36:52.583276335 +0200
|
|
||||||
@@ -905,6 +905,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **
|
|
||||||
if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
|
|
||||||
group->decoded_from_explicit_params = 1;
|
|
||||||
|
|
||||||
+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
|
|
||||||
+ EC_GROUP_free(group);
|
|
||||||
+ ECPKPARAMETERS_free(params);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (a) {
|
|
||||||
EC_GROUP_free(*a);
|
|
||||||
*a = group;
|
|
||||||
@@ -964,6 +970,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {
|
|
||||||
+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret->version = priv_key->version;
|
|
||||||
|
|
||||||
if (priv_key->privateKey) {
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/test/endecode_test.c openssl-3.0.9-new/test/endecode_test.c
|
|
||||||
--- openssl-3.0.9/test/endecode_test.c 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/test/endecode_test.c 2023-05-31 16:36:52.583276335 +0200
|
|
||||||
@@ -58,7 +58,7 @@ static BN_CTX *bnctx = NULL;
|
|
||||||
static OSSL_PARAM_BLD *bld_prime_nc = NULL;
|
|
||||||
static OSSL_PARAM_BLD *bld_prime = NULL;
|
|
||||||
static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
|
|
||||||
-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
|
|
||||||
+/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
|
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
static OSSL_PARAM_BLD *bld_tri_nc = NULL;
|
|
||||||
@@ -1005,9 +1005,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
|
|
||||||
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
|
|
||||||
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
|
|
||||||
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
|
|
||||||
-DOMAIN_KEYS(ECExplicitPrime2G);
|
|
||||||
-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
|
|
||||||
-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
|
|
||||||
+/*DOMAIN_KEYS(ECExplicitPrime2G);*/
|
|
||||||
+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
|
|
||||||
+/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
DOMAIN_KEYS(ECExplicitTriNamedCurve);
|
|
||||||
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
|
|
||||||
@@ -1338,7 +1338,7 @@ int setup_tests(void)
|
|
||||||
|| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
|
|
||||||
|| !create_ec_explicit_prime_params(bld_prime)
|
|
||||||
|| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
|
|
||||||
- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
|
|
||||||
+/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
|| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
|
|
||||||
|| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
|
|
||||||
@@ -1366,7 +1366,7 @@ int setup_tests(void)
|
|
||||||
TEST_info("Generating EC keys...");
|
|
||||||
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
|
|
||||||
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
|
|
||||||
- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
|
|
||||||
+/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
|
|
||||||
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
|
|
||||||
@@ -1409,8 +1409,8 @@ int setup_tests(void)
|
|
||||||
ADD_TEST_SUITE_LEGACY(EC);
|
|
||||||
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
|
|
||||||
ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
|
|
||||||
- ADD_TEST_SUITE(ECExplicitPrime2G);
|
|
||||||
- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
|
|
||||||
+/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
|
|
||||||
+/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
|
|
||||||
ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
|
|
||||||
@@ -1447,7 +1447,7 @@ void cleanup_tests(void)
|
|
||||||
{
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
OSSL_PARAM_free(ec_explicit_prime_params_nc);
|
|
||||||
- OSSL_PARAM_free(ec_explicit_prime_params_explicit);
|
|
||||||
+/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
|
|
||||||
OSSL_PARAM_BLD_free(bld_prime_nc);
|
|
||||||
OSSL_PARAM_BLD_free(bld_prime);
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
@@ -1469,7 +1469,7 @@ void cleanup_tests(void)
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
FREE_DOMAIN_KEYS(EC);
|
|
||||||
FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
|
|
||||||
- FREE_DOMAIN_KEYS(ECExplicitPrime2G);
|
|
||||||
+/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
|
|
||||||
FREE_DOMAIN_KEYS(ECExplicitTri2G);
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/test/recipes/30-test_evp_data/evppkey_ecdsa.txt openssl-3.0.9-new/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
|
||||||
--- openssl-3.0.9/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2023-05-31 16:36:52.583276335 +0200
|
|
||||||
@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB
|
|
||||||
3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
-PrivateKey = EC_EXPLICIT
|
|
||||||
------BEGIN PRIVATE KEY-----
|
|
||||||
-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
|
|
||||||
-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
|
|
||||||
-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
|
|
||||||
-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
|
|
||||||
-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
|
|
||||||
-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
|
|
||||||
-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
|
|
||||||
-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
|
|
||||||
------END PRIVATE KEY-----
|
|
||||||
-
|
|
||||||
PrivateKey = B-163
|
|
||||||
-----BEGIN PRIVATE KEY-----
|
|
||||||
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
|
|
@ -1,75 +0,0 @@
|
|||||||
diff -rupN --no-dereference openssl-3.0.9/apps/openssl.cnf openssl-3.0.9-new/apps/openssl.cnf
|
|
||||||
--- openssl-3.0.9/apps/openssl.cnf 2023-05-31 16:36:51.330280004 +0200
|
|
||||||
+++ openssl-3.0.9-new/apps/openssl.cnf 2023-05-31 16:36:52.828275617 +0200
|
|
||||||
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
|
|
||||||
tsa_policy2 = 1.2.3.4.5.6
|
|
||||||
tsa_policy3 = 1.2.3.4.5.7
|
|
||||||
|
|
||||||
-# For FIPS
|
|
||||||
-# Optionally include a file that is generated by the OpenSSL fipsinstall
|
|
||||||
-# application. This file contains configuration data required by the OpenSSL
|
|
||||||
-# fips provider. It contains a named section e.g. [fips_sect] which is
|
|
||||||
-# referenced from the [provider_sect] below.
|
|
||||||
-# Refer to the OpenSSL security policy for more information.
|
|
||||||
-# .include fipsmodule.cnf
|
|
||||||
-
|
|
||||||
[openssl_init]
|
|
||||||
providers = provider_sect
|
|
||||||
# Load default TLS policy configuration
|
|
||||||
ssl_conf = ssl_module
|
|
||||||
|
|
||||||
-# List of providers to load
|
|
||||||
-[provider_sect]
|
|
||||||
-default = default_sect
|
|
||||||
-# The fips section name should match the section name inside the
|
|
||||||
-# included fipsmodule.cnf.
|
|
||||||
-# fips = fips_sect
|
|
||||||
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
|
||||||
+# Loading the legacy provider enables support for the following algorithms:
|
|
||||||
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
|
||||||
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
|
|
||||||
+# Key Derivation Function (KDF): PBKDF1
|
|
||||||
+# In general it is not recommended to use the above mentioned algorithms for
|
|
||||||
+# security critical operations, as they are cryptographically weak or vulnerable
|
|
||||||
+# to side-channel attacks and as such have been deprecated.
|
|
||||||
|
|
||||||
-# If no providers are activated explicitly, the default one is activated implicitly.
|
|
||||||
-# See man 7 OSSL_PROVIDER-default for more details.
|
|
||||||
-#
|
|
||||||
-# If you add a section explicitly activating any other provider(s), you most
|
|
||||||
-# probably need to explicitly activate the default provider, otherwise it
|
|
||||||
-# becomes unavailable in openssl. As a consequence applications depending on
|
|
||||||
-# OpenSSL may not work correctly which could lead to significant system
|
|
||||||
-# problems including inability to remotely access the system.
|
|
||||||
-[default_sect]
|
|
||||||
-# activate = 1
|
|
||||||
+[provider_sect]
|
|
||||||
+##default = default_sect
|
|
||||||
+##legacy = legacy_sect
|
|
||||||
+##
|
|
||||||
+##[default_sect]
|
|
||||||
+##activate = 1
|
|
||||||
+##
|
|
||||||
+##[legacy_sect]
|
|
||||||
+##activate = 1
|
|
||||||
|
|
||||||
[ ssl_module ]
|
|
||||||
|
|
||||||
diff -rupN --no-dereference openssl-3.0.9/doc/man5/config.pod openssl-3.0.9-new/doc/man5/config.pod
|
|
||||||
--- openssl-3.0.9/doc/man5/config.pod 2023-05-30 14:31:57.000000000 +0200
|
|
||||||
+++ openssl-3.0.9-new/doc/man5/config.pod 2023-05-31 16:36:52.828275617 +0200
|
|
||||||
@@ -273,6 +273,14 @@ significant.
|
|
||||||
All parameters in the section as well as sub-sections are made
|
|
||||||
available to the provider.
|
|
||||||
|
|
||||||
+=head3 Loading the legacy provider
|
|
||||||
+
|
|
||||||
+Uncomment the sections that start with ## in openssl.cnf
|
|
||||||
+to enable the legacy provider.
|
|
||||||
+Note: In general it is not recommended to use the above mentioned algorithms for
|
|
||||||
+security critical operations, as they are cryptographically weak or vulnerable
|
|
||||||
+to side-channel attacks and as such have been deprecated.
|
|
||||||
+
|
|
||||||
=head3 Default provider and its activation
|
|
||||||
|
|
||||||
If no providers are activated explicitly, the default one is activated implicitly.
|
|
File diff suppressed because it is too large
@ -1,82 +0,0 @@
|
|||||||
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
|
|
||||||
DAYS=365
|
|
||||||
KEYLEN=2048
|
|
||||||
TYPE=rsa:$(KEYLEN)
|
|
||||||
EXTRA_FLAGS=
|
|
||||||
ifdef SERIAL
|
|
||||||
EXTRA_FLAGS+=-set_serial $(SERIAL)
|
|
||||||
endif
|
|
||||||
|
|
||||||
.PHONY: usage
|
|
||||||
.SUFFIXES: .key .csr .crt .pem
|
|
||||||
.PRECIOUS: %.key %.csr %.crt %.pem
|
|
||||||
|
|
||||||
usage:
|
|
||||||
@echo "This makefile allows you to create:"
|
|
||||||
@echo " o public/private key pairs"
|
|
||||||
@echo " o SSL certificate signing requests (CSRs)"
|
|
||||||
@echo " o self-signed SSL test certificates"
|
|
||||||
@echo
|
|
||||||
@echo "To create a key pair, run \"make SOMETHING.key\"."
|
|
||||||
@echo "To create a CSR, run \"make SOMETHING.csr\"."
|
|
||||||
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
|
|
||||||
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
|
|
||||||
@echo
|
|
||||||
@echo "To create a key for use with Apache, run \"make genkey\"."
|
|
||||||
@echo "To create a CSR for use with Apache, run \"make certreq\"."
|
|
||||||
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
|
|
||||||
@echo
|
|
||||||
@echo "To create a test certificate with serial number other than random, add SERIAL=num"
|
|
||||||
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
|
|
||||||
@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
|
|
||||||
@echo
|
|
||||||
@echo Examples:
|
|
||||||
@echo " make server.key"
|
|
||||||
@echo " make server.csr"
|
|
||||||
@echo " make server.crt"
|
|
||||||
@echo " make stunnel.pem"
|
|
||||||
@echo " make genkey"
|
|
||||||
@echo " make certreq"
|
|
||||||
@echo " make testcert"
|
|
||||||
@echo " make server.crt SERIAL=1"
|
|
||||||
@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
|
|
||||||
@echo " make testcert DAYS=600"
|
|
||||||
|
|
||||||
%.pem:
|
|
||||||
umask 77 ; \
|
|
||||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
|
||||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
|
||||||
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
|
|
||||||
cat $$PEM1 > $@ ; \
|
|
||||||
echo "" >> $@ ; \
|
|
||||||
cat $$PEM2 >> $@ ; \
|
|
||||||
$(RM) $$PEM1 $$PEM2
|
|
||||||
|
|
||||||
%.key:
|
|
||||||
umask 77 ; \
|
|
||||||
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
|
|
||||||
|
|
||||||
%.csr: %.key
|
|
||||||
umask 77 ; \
|
|
||||||
/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
|
|
||||||
|
|
||||||
%.crt: %.key
|
|
||||||
umask 77 ; \
|
|
||||||
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
|
|
||||||
|
|
||||||
TLSROOT=/etc/pki/tls
|
|
||||||
KEY=$(TLSROOT)/private/localhost.key
|
|
||||||
CSR=$(TLSROOT)/certs/localhost.csr
|
|
||||||
CRT=$(TLSROOT)/certs/localhost.crt
|
|
||||||
|
|
||||||
genkey: $(KEY)
|
|
||||||
certreq: $(CSR)
|
|
||||||
testcert: $(CRT)
|
|
||||||
|
|
||||||
$(CSR): $(KEY)
|
|
||||||
umask 77 ; \
|
|
||||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
|
|
||||||
|
|
||||||
$(CRT): $(KEY)
|
|
||||||
umask 77 ; \
|
|
||||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
|
|
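--- a/README.FIPS
+++ b/README.FIPS
@@ -1,72 +0,0 @@
-User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
-=================================================================
-
-This package contains libraries which comprise the FIPS 140-2
-Red Hat Enterprise Linux - OPENSSL Module.
-
-The module files
-================
-/usr/lib[64]/libcrypto.so.1.1.0
-/usr/lib[64]/libssl.so.1.1.0
-/usr/lib[64]/.libcrypto.so.1.1.0.hmac
-/usr/lib[64]/.libssl.so.1.1.0.hmac
-
-Dependencies
-============
-
-The approved mode of operation requires kernel with /dev/urandom RNG running
-with properties as defined in the security policy of the module. This is
-provided by kernel packages with validated Red Hat Enterprise Linux Kernel
-Crytographic Module.
-
-Installation
-============
-
-The RPM package of the module can be installed by standard tools recommended
-for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
-rpm, RHN remote management tool).
-
-The RPM package dracut-fips must be installed for the approved mode of
-operation.
-
-Usage and API
-=============
-
-The module respects kernel command line FIPS setting. If the kernel command
-line contains option fips=1 the module will initialize in the FIPS approved
-mode of operation automatically. To allow for the automatic initialization the
-application using the module has to call one of the following API calls:
-
-- void OPENSSL_init_library(void) - this will do only a basic initialization
-of the library and does initialization of the FIPS approved mode without setting
-up EVP API with supported algorithms.
-
-- void OPENSSL_add_all_algorithms(void) - this API function calls
-OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
-in the approved mode
-
-- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
-adds algorithms which are necessary for TLS protocol support and initializes
-the SSL library.
-
-To explicitely put the library to the approved mode the application can call
-the following function:
-
-- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
-the library from the non-approved to the approved mode. If any of the selftests
-and integrity verification tests fail, the library is put into the error state
-and 0 is returned. If they succeed the return value is 1.
-
-To query the module whether it is in the approved mode or not:
-
-- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
-0 otherwise.
-
-To query whether the module is in the error state:
-
-- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
-state, 0 otherwise.
-
-To zeroize the FIPS RNG key and internal state the application calls:
-
-- void RAND_cleanup(void)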
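--- a/dead.package
+++ b/dead.package
@@ -0,0 +1 @@
+mingw-openssl package is retired on branch c10s for BAKERY-412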
628
ec_curve.c
628
ec_curve.c
@ -1,628 +0,0 @@
|
|||||||
/*
|
|
||||||
* Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
|
||||||
* in the file LICENSE in the source distribution or at
|
|
||||||
* https://www.openssl.org/source/license.html
|
|
||||||
*/
|
|
||||||
|
|
||||||
/*
|
|
||||||
* ECDSA low level APIs are deprecated for public use, but still ok for
|
|
||||||
* internal use.
|
|
||||||
*/
|
|
||||||
#include "internal/deprecated.h"
|
|
||||||
|
|
||||||
#include <string.h>
|
|
||||||
#include "ec_local.h"
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/obj_mac.h>
|
|
||||||
#include <openssl/objects.h>
|
|
||||||
#include <openssl/opensslconf.h>
|
|
||||||
#include "internal/nelem.h"
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
int field_type, /* either NID_X9_62_prime_field or
|
|
||||||
* NID_X9_62_characteristic_two_field */
|
|
||||||
seed_len, param_len;
|
|
||||||
unsigned int cofactor; /* promoted to BN_ULONG */
|
|
||||||
} EC_CURVE_DATA;
|
|
||||||
|
|
||||||
/* the nist prime curves */
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[20 + 28 * 6];
|
|
||||||
} _EC_NIST_PRIME_224 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 20, 28, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* seed */
|
|
||||||
0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F,
|
|
||||||
0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
|
|
||||||
/* p */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x01,
|
|
||||||
/* a */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFE,
|
|
||||||
/* b */
|
|
||||||
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
|
|
||||||
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
|
|
||||||
0x23, 0x55, 0xFF, 0xB4,
|
|
||||||
/* x */
|
|
||||||
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
|
|
||||||
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
|
|
||||||
0x11, 0x5C, 0x1D, 0x21,
|
|
||||||
/* y */
|
|
||||||
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
|
|
||||||
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
|
|
||||||
0x85, 0x00, 0x7e, 0x34,
|
|
||||||
/* order */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
|
|
||||||
0x5C, 0x5C, 0x2A, 0x3D
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[20 + 48 * 6];
|
|
||||||
} _EC_NIST_PRIME_384 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 20, 48, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* seed */
|
|
||||||
0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
|
|
||||||
0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
|
|
||||||
/* p */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
/* a */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
|
|
||||||
/* b */
|
|
||||||
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
|
|
||||||
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
|
|
||||||
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
|
|
||||||
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
|
|
||||||
/* x */
|
|
||||||
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
|
|
||||||
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
|
|
||||||
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
|
|
||||||
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
|
|
||||||
/* y */
|
|
||||||
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
|
|
||||||
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
|
||||||
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
|
|
||||||
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
|
|
||||||
/* order */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
|
|
||||||
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[20 + 66 * 6];
|
|
||||||
} _EC_NIST_PRIME_521 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 20, 66, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* seed */
|
|
||||||
0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
|
|
||||||
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
|
|
||||||
/* p */
|
|
||||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
/* a */
|
|
||||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
|
||||||
/* b */
|
|
||||||
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
|
|
||||||
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
|
|
||||||
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
|
|
||||||
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
|
|
||||||
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
|
|
||||||
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
|
|
||||||
/* x */
|
|
||||||
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
|
|
||||||
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
|
|
||||||
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
|
|
||||||
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
|
|
||||||
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
|
|
||||||
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
|
|
||||||
/* y */
|
|
||||||
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
|
|
||||||
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
|
||||||
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
|
|
||||||
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
|
||||||
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
|
|
||||||
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
|
|
||||||
/* order */
|
|
||||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
|
|
||||||
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
|
|
||||||
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
|
|
||||||
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[20 + 32 * 6];
|
|
||||||
} _EC_X9_62_PRIME_256V1 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 20, 32, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* seed */
|
|
||||||
0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
|
|
||||||
0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
|
|
||||||
/* p */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
/* a */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
|
||||||
/* b */
|
|
||||||
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
|
|
||||||
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
|
|
||||||
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
|
|
||||||
/* x */
|
|
||||||
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
|
|
||||||
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
|
|
||||||
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
|
|
||||||
/* y */
|
|
||||||
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
|
|
||||||
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
|
||||||
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
|
|
||||||
/* order */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
|
|
||||||
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[0 + 32 * 6];
|
|
||||||
} _EC_SECG_PRIME_256K1 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 0, 32, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* no seed */
|
|
||||||
/* p */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
|
|
||||||
/* a */
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
/* b */
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
|
|
||||||
/* x */
|
|
||||||
0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
|
|
||||||
0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
|
|
||||||
0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
|
|
||||||
/* y */
|
|
||||||
0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
|
|
||||||
0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
|
|
||||||
0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
|
|
||||||
/* order */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
|
|
||||||
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
typedef struct _ec_list_element_st {
|
|
||||||
int nid;
|
|
||||||
const EC_CURVE_DATA *data;
|
|
||||||
const EC_METHOD *(*meth) (void);
|
|
||||||
const char *comment;
|
|
||||||
} ec_list_element;
|
|
||||||
|
|
||||||
#ifdef FIPS_MODULE
|
|
||||||
static const ec_list_element curve_list[] = {
|
|
||||||
/* prime field curves */
|
|
||||||
/* secg curves */
|
|
||||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h,
|
|
||||||
# if !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp224_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 224 bit prime field"},
|
|
||||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
|
||||||
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp384_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 384 bit prime field"},
|
|
||||||
|
|
||||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp521_method,
|
|
||||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp521_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 521 bit prime field"},
|
|
||||||
|
|
||||||
/* X9.62 curves */
|
|
||||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
|
||||||
# if defined(ECP_NISTZ256_ASM)
|
|
||||||
EC_GFp_nistz256_method,
|
|
||||||
# elif defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp256_method,
|
|
||||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp256_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"X9.62/SECG curve over a 256 bit prime field"},
|
|
||||||
};
|
|
||||||
|
|
||||||
#else
|
|
||||||
|
|
||||||
static const ec_list_element curve_list[] = {
|
|
||||||
/* prime field curves */
|
|
||||||
/* secg curves */
|
|
||||||
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
|
||||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
|
||||||
"NIST/SECG curve over a 224 bit prime field"},
|
|
||||||
# else
|
|
||||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
|
||||||
"NIST/SECG curve over a 224 bit prime field"},
|
|
||||||
# endif
|
|
||||||
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
|
||||||
"SECG curve over a 256 bit prime field"},
|
|
||||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
|
||||||
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp384_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 384 bit prime field"},
|
|
||||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp521_method,
|
|
||||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp521_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 521 bit prime field"},
|
|
||||||
/* X9.62 curves */
|
|
||||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
|
||||||
# if defined(ECP_NISTZ256_ASM)
|
|
||||||
EC_GFp_nistz256_method,
|
|
||||||
# elif defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp256_method,
|
|
||||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp256_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"X9.62/SECG curve over a 256 bit prime field"},
|
|
||||||
};
|
|
||||||
#endif /* FIPS_MODULE */
|
|
||||||
|
|
||||||
#define curve_list_length OSSL_NELEM(curve_list)
|
|
||||||
|
|
||||||
static const ec_list_element *ec_curve_nid2curve(int nid)
|
|
||||||
{
|
|
||||||
size_t i;
|
|
||||||
|
|
||||||
if (nid <= 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
for (i = 0; i < curve_list_length; i++) {
|
|
||||||
if (curve_list[i].nid == nid)
|
|
||||||
return &curve_list[i];
|
|
||||||
}
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx,
|
|
||||||
const char *propq,
|
|
||||||
const ec_list_element curve)
|
|
||||||
{
|
|
||||||
EC_GROUP *group = NULL;
|
|
||||||
EC_POINT *P = NULL;
|
|
||||||
BN_CTX *ctx = NULL;
|
|
||||||
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
|
|
||||||
NULL;
|
|
||||||
int ok = 0;
|
|
||||||
int seed_len, param_len;
|
|
||||||
const EC_METHOD *meth;
|
|
||||||
const EC_CURVE_DATA *data;
|
|
||||||
const unsigned char *params;
|
|
||||||
|
|
||||||
/* If no curve data curve method must handle everything */
|
|
||||||
if (curve.data == NULL)
|
|
||||||
return ossl_ec_group_new_ex(libctx, propq,
|
|
||||||
curve.meth != NULL ? curve.meth() : NULL);
|
|
||||||
|
|
||||||
if ((ctx = BN_CTX_new_ex(libctx)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
data = curve.data;
|
|
||||||
seed_len = data->seed_len;
|
|
||||||
param_len = data->param_len;
|
|
||||||
params = (const unsigned char *)(data + 1); /* skip header */
|
|
||||||
params += seed_len; /* skip seed */
|
|
||||||
|
|
||||||
if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL
|
|
||||||
|| (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL
|
|
||||||
|| (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (curve.meth != 0) {
|
|
||||||
meth = curve.meth();
|
|
||||||
if (((group = ossl_ec_group_new_ex(libctx, propq, meth)) == NULL) ||
|
|
||||||
(!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
} else if (data->field_type == NID_X9_62_prime_field) {
|
|
||||||
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#ifndef OPENSSL_NO_EC2M
|
|
||||||
else { /* field_type ==
|
|
||||||
* NID_X9_62_characteristic_two_field */
|
|
||||||
|
|
||||||
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
EC_GROUP_set_curve_name(group, curve.nid);
|
|
||||||
|
|
||||||
if ((P = EC_POINT_new(group)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL
|
|
||||||
|| (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL
|
|
||||||
|| !BN_set_word(x, (BN_ULONG)data->cofactor)) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
if (!EC_GROUP_set_generator(group, P, order, x)) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
if (seed_len) {
|
|
||||||
if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ok = 1;
|
|
||||||
err:
|
|
||||||
if (!ok) {
|
|
||||||
EC_GROUP_free(group);
|
|
||||||
group = NULL;
|
|
||||||
}
|
|
||||||
EC_POINT_free(P);
|
|
||||||
BN_CTX_free(ctx);
|
|
||||||
BN_free(p);
|
|
||||||
BN_free(a);
|
|
||||||
BN_free(b);
|
|
||||||
BN_free(order);
|
|
||||||
BN_free(x);
|
|
||||||
BN_free(y);
|
|
||||||
return group;
|
|
||||||
}
|
|
||||||
|
|
||||||
EC_GROUP *EC_GROUP_new_by_curve_name_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
|
||||||
int nid)
|
|
||||||
{
|
|
||||||
EC_GROUP *ret = NULL;
|
|
||||||
const ec_list_element *curve;
|
|
||||||
|
|
||||||
if ((curve = ec_curve_nid2curve(nid)) == NULL
|
|
||||||
|| (ret = ec_group_new_from_data(libctx, propq, *curve)) == NULL) {
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
ERR_raise_data(ERR_LIB_EC, EC_R_UNKNOWN_GROUP,
|
|
||||||
"name=%s", OBJ_nid2sn(nid));
|
|
||||||
#else
|
|
||||||
ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
|
||||||
#endif
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
|
||||||
{
|
|
||||||
return EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
|
||||||
{
|
|
||||||
size_t i, min;
|
|
||||||
|
|
||||||
if (r == NULL || nitems == 0)
|
|
||||||
return curve_list_length;
|
|
||||||
|
|
||||||
min = nitems < curve_list_length ? nitems : curve_list_length;
|
|
||||||
|
|
||||||
for (i = 0; i < min; i++) {
|
|
||||||
r[i].nid = curve_list[i].nid;
|
|
||||||
r[i].comment = curve_list[i].comment;
|
|
||||||
}
|
|
||||||
|
|
||||||
return curve_list_length;
|
|
||||||
}
|
|
||||||
|
|
||||||
const char *EC_curve_nid2nist(int nid)
|
|
||||||
{
|
|
||||||
return ossl_ec_curve_nid2nist_int(nid);
|
|
||||||
}
|
|
||||||
|
|
||||||
int EC_curve_nist2nid(const char *name)
|
|
||||||
{
|
|
||||||
return ossl_ec_curve_nist2nid_int(name);
|
|
||||||
}
|
|
||||||
|
|
||||||
#define NUM_BN_FIELDS 6
|
|
||||||
/*
|
|
||||||
* Validates EC domain parameter data for known named curves.
|
|
||||||
* This can be used when a curve is loaded explicitly (without a curve
|
|
||||||
* name) or to validate that domain parameters have not been modified.
|
|
||||||
*
|
|
||||||
* Returns: The nid associated with the found named curve, or NID_undef
|
|
||||||
* if not found. If there was an error it returns -1.
|
|
||||||
*/
|
|
||||||
int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
|
||||||
{
|
|
||||||
int ret = -1, nid, len, field_type, param_len;
|
|
||||||
size_t i, seed_len;
|
|
||||||
const unsigned char *seed, *params_seed, *params;
|
|
||||||
unsigned char *param_bytes = NULL;
|
|
||||||
const EC_CURVE_DATA *data;
|
|
||||||
const EC_POINT *generator = NULL;
|
|
||||||
const BIGNUM *cofactor = NULL;
|
|
||||||
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
|
||||||
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
|
||||||
|
|
||||||
/* Use the optional named curve nid as a search field */
|
|
||||||
nid = EC_GROUP_get_curve_name(group);
|
|
||||||
field_type = EC_GROUP_get_field_type(group);
|
|
||||||
seed_len = EC_GROUP_get_seed_len(group);
|
|
||||||
seed = EC_GROUP_get0_seed(group);
|
|
||||||
cofactor = EC_GROUP_get0_cofactor(group);
|
|
||||||
|
|
||||||
BN_CTX_start(ctx);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
|
||||||
* all zero-padded to be the same size. The size of the padding is
|
|
||||||
* determined by either the number of bytes in the field modulus (p) or the
|
|
||||||
* EC group order, whichever is larger.
|
|
||||||
*/
|
|
||||||
param_len = BN_num_bytes(group->order);
|
|
||||||
len = BN_num_bytes(group->field);
|
|
||||||
if (len > param_len)
|
|
||||||
param_len = len;
|
|
||||||
|
|
||||||
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
|
||||||
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
|
||||||
if (param_bytes == NULL)
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
/* Create the bignums */
|
|
||||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
|
||||||
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
/*
|
|
||||||
* Fill in the bn array with the same values as the internal curves
|
|
||||||
* i.e. the values are p, a, b, x, y, order.
|
|
||||||
*/
|
|
||||||
/* Get p, a & b */
|
|
||||||
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
|
||||||
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
|
||||||
/* Get x & y */
|
|
||||||
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
|
||||||
/* Get order */
|
|
||||||
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Convert the bignum array to bytes that are joined together to form
|
|
||||||
* a single buffer that contains data for all fields.
|
|
||||||
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
|
||||||
*/
|
|
||||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
|
||||||
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < curve_list_length; i++) {
|
|
||||||
const ec_list_element curve = curve_list[i];
|
|
||||||
|
|
||||||
data = curve.data;
|
|
||||||
/* Get the raw order byte data */
|
|
||||||
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
|
||||||
params = params_seed + data->seed_len;
|
|
||||||
|
|
||||||
/* Look for unique fields in the fixed curve data */
|
|
||||||
if (data->field_type == field_type
|
|
||||||
&& param_len == data->param_len
|
|
||||||
&& (nid <= 0 || nid == curve.nid)
|
|
||||||
/* check the optional cofactor (ignore if its zero) */
|
|
||||||
&& (BN_is_zero(cofactor)
|
|
||||||
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
|
||||||
/* Check the optional seed (ignore if its not set) */
|
|
||||||
&& (data->seed_len == 0 || seed_len == 0
|
|
||||||
|| ((size_t)data->seed_len == seed_len
|
|
||||||
&& memcmp(params_seed, seed, seed_len) == 0))
|
|
||||||
/* Check that the groups params match the built-in curve params */
|
|
||||||
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
|
||||||
== 0) {
|
|
||||||
ret = curve.nid;
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
/* Gets here if the group was not found */
|
|
||||||
ret = NID_undef;
|
|
||||||
end:
|
|
||||||
OPENSSL_free(param_bytes);
|
|
||||||
BN_CTX_end(ctx);
|
|
||||||
return ret;
|
|
||||||
}
|
|
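--- a/fixpatch
+++ b/fixpatch
@@ -1,15 +0,0 @@
-#!/bin/sh
-# Fixes patch from upstream tracker view
-gawk '
-BEGIN {
-dir=""
-}
-/^Index: openssl\// {
-dir = $2
-}
-/^(---|\+\+\+)/ {
-$2 = dir
-}
-{
-print
-}'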
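--- a/genpatches
+++ b/genpatches
@@ -1,26 +0,0 @@
-#!/bin/bash
-
-if [ $# -ne 2 ] ; then
-echo "Usage:"
-echo " $0 <git-dir> <base-tag>"
-exit 1
-fi
-
-git_dir="$1"
-base_tag="$2"
-
-target_dir="$(pwd)"
-
-pushd "$git_dir" >/dev/null
-git format-patch -k -o "$target_dir" "$base_tag" >/dev/null
-popd >/dev/null
-
-echo "# Patches exported from source git"
-
-i=1
-for p in *.patch ; do
-printf "# "
-sed '/^Subject:/{s/^Subject: //;p};d' "$p"
-printf "Patch%s: %s\n" $i "$p"
-i=$(($i + 1))
-done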