From bae47f5e5f5eb4c14a701fe47f4f5bd70cac8107 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Thu, 2 Jun 2022 15:09:32 +0200 Subject: [PATCH] Update to 3.0.3 --- .gitignore | 1 + 0001-Aarch64-and-ppc64le-use-lib64.patch | 24 +- ...eneral-default-values-in-openssl.cnf.patch | 31 +- 0003-Do-not-install-html-docs.patch | 22 +- ...ault-paths-for-the-CA-directory-tree.patch | 37 +- 0005-apps-ca-fix-md-option-help-text.patch | 24 +- ...e-verification-with-totally-unsafe-h.patch | 22 +- ...PROFILE-SYSTEM-system-default-cipher.patch | 191 ++- 0008-Add-FIPS_mode-compatibility-macro.patch | 41 +- 0011-Remove-EC-curves.patch | 1192 ++++++++--------- 0012-Disable-explicit-ec.patch | 70 +- 0024-load-legacy-prov.patch | 12 +- ...t-different-R_BITS-lengths-for-KBKDF.patch | 119 +- mingw-openssl.spec | 7 +- openssl_compute_moddir.patch | 16 +- sources | 2 +- 16 files changed, 800 insertions(+), 1011 deletions(-) diff --git a/.gitignore b/.gitignore index e771ee0..f26a0c8 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.1.1k-hobbled.tar.xz /openssl-3.0.0-hobbled.tar.xz /openssl-3.0.2-hobbled.tar.gz +/openssl-3.0.3-hobbled.tar.gz diff --git a/0001-Aarch64-and-ppc64le-use-lib64.patch b/0001-Aarch64-and-ppc64le-use-lib64.patch index e5d23ba..dc58a13 100644 --- a/0001-Aarch64-and-ppc64le-use-lib64.patch +++ b/0001-Aarch64-and-ppc64le-use-lib64.patch @@ -1,18 +1,7 @@ -From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:01:41 +0200 -Subject: Aarch64 and ppc64le use lib64 - -(Was openssl-1.1.1-build.patch) ---- - Configurations/10-main.conf | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf -index d7580bf3e1..a7dbfd7f40 100644 ---- a/Configurations/10-main.conf -+++ b/Configurations/10-main.conf -@@ -723,6 +723,7 @@ my %targets = ( +diff -rupN --no-dereference openssl-3.0.3/Configurations/10-main.conf openssl-3.0.3-new/Configurations/10-main.conf +--- openssl-3.0.3/Configurations/10-main.conf 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/Configurations/10-main.conf 2022-06-02 14:30:31.646053344 +0200 +@@ -730,6 +730,7 @@ my %targets = ( lib_cppflags => add("-DL_ENDIAN"), asm_arch => 'ppc64', perlasm_scheme => "linux64le", @@ -20,7 +9,7 @@ index d7580bf3e1..a7dbfd7f40 100644 }, "linux-armv4" => { -@@ -765,6 +766,7 @@ my %targets = ( +@@ -772,6 +773,7 @@ my %targets = ( inherit_from => [ "linux-generic64" ], asm_arch => 'aarch64', perlasm_scheme => "linux64", @@ -28,6 +17,3 @@ index d7580bf3e1..a7dbfd7f40 100644 }, "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32 inherit_from => [ "linux-generic32" ], --- -2.26.2 - diff --git a/0002-Use-more-general-default-values-in-openssl.cnf.patch b/0002-Use-more-general-default-values-in-openssl.cnf.patch index 83ed599..cf8fda6 100644 --- a/0002-Use-more-general-default-values-in-openssl.cnf.patch +++ b/0002-Use-more-general-default-values-in-openssl.cnf.patch @@ -1,21 +1,7 @@ -From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:03:40 +0200 -Subject: Use more general default values in openssl.cnf - -Also set sha256 as default hash, although that should not be -necessary anymore. - -(was openssl-1.1.1-defaults.patch) ---- - apps/openssl.cnf | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/apps/openssl.cnf b/apps/openssl.cnf -index 97567a67be..eb25a0ac48 100644 ---- a/apps/openssl.cnf -+++ b/apps/openssl.cnf -@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options +diff -rupN --no-dereference openssl-3.0.3/apps/openssl.cnf openssl-3.0.3-new/apps/openssl.cnf +--- openssl-3.0.3/apps/openssl.cnf 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/apps/openssl.cnf 2022-06-02 14:30:31.876053349 +0200 +@@ -111,7 +111,7 @@ cert_opt = ca_default # Certificate fi default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL @@ -24,7 +10,7 @@ index 97567a67be..eb25a0ac48 100644 preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look -@@ -136,6 +136,7 @@ emailAddress = optional +@@ -143,6 +143,7 @@ emailAddress = optional #################################################################### [ req ] default_bits = 2048 @@ -32,7 +18,7 @@ index 97567a67be..eb25a0ac48 100644 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes -@@ -158,17 +159,18 @@ string_mask = utf8only +@@ -165,17 +166,18 @@ string_mask = utf8only [ req_distinguished_name ] countryName = Country Name (2 letter code) @@ -54,7 +40,7 @@ index 97567a67be..eb25a0ac48 100644 # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) -@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city) +@@ -184,7 +186,7 @@ localityName = Locality Name (eg, city organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = @@ -63,6 +49,3 @@ index 97567a67be..eb25a0ac48 100644 commonName_max = 64 emailAddress = Email Address --- -2.26.2 - diff --git a/0003-Do-not-install-html-docs.patch b/0003-Do-not-install-html-docs.patch index 66d62e0..ecd546f 100644 --- a/0003-Do-not-install-html-docs.patch +++ b/0003-Do-not-install-html-docs.patch @@ -1,18 +1,7 @@ -From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:05:55 +0200 -Subject: Do not install html docs - -(was openssl-1.1.1-no-html.patch) ---- - Configurations/unix-Makefile.tmpl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index 342e46d24d..9f369edf0e 100644 ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime +diff -rupN --no-dereference openssl-3.0.3/Configurations/unix-Makefile.tmpl openssl-3.0.3-new/Configurations/unix-Makefile.tmpl +--- openssl-3.0.3/Configurations/unix-Makefile.tmpl 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/Configurations/unix-Makefile.tmpl 2022-06-02 14:30:32.079053354 +0200 +@@ -610,7 +610,7 @@ install_sw: install_dev install_engines uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev @@ -21,6 +10,3 @@ index 342e46d24d..9f369edf0e 100644 uninstall_docs: uninstall_man_docs uninstall_html_docs $(RM) -r $(DESTDIR)$(DOCDIR) --- -2.26.2 - diff --git a/0004-Override-default-paths-for-the-CA-directory-tree.patch b/0004-Override-default-paths-for-the-CA-directory-tree.patch index 7c70c60..b0d5256 100644 --- a/0004-Override-default-paths-for-the-CA-directory-tree.patch +++ b/0004-Override-default-paths-for-the-CA-directory-tree.patch @@ -1,23 +1,6 @@ -From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:17:26 +0200 -Subject: Override default paths for the CA directory tree - -Also add default section to load crypto-policies configuration -for TLS. - -It needs to be reverted before running tests. - -(was openssl-1.1.1-conf-paths.patch) ---- - apps/CA.pl.in | 2 +- - apps/openssl.cnf | 20 ++++++++++++++++++-- - 2 files changed, 19 insertions(+), 3 deletions(-) - -diff --git a/apps/CA.pl.in b/apps/CA.pl.in -index c0afb96716..d6a5fabd16 100644 ---- a/apps/CA.pl.in -+++ b/apps/CA.pl.in +diff -rupN --no-dereference openssl-3.0.3/apps/CA.pl.in openssl-3.0.3-new/apps/CA.pl.in +--- openssl-3.0.3/apps/CA.pl.in 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/apps/CA.pl.in 2022-06-02 14:30:32.267053358 +0200 @@ -29,7 +29,7 @@ my $X509 = "$openssl x509"; my $PKCS12 = "$openssl pkcs12"; @@ -27,10 +10,10 @@ index c0afb96716..d6a5fabd16 100644 my $CAKEY = "cakey.pem"; my $CAREQ = "careq.pem"; my $CACERT = "cacert.pem"; -diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf ---- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200 -+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200 -@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7 +diff -rupN --no-dereference openssl-3.0.3/apps/openssl.cnf openssl-3.0.3-new/apps/openssl.cnf +--- openssl-3.0.3/apps/openssl.cnf 2022-06-02 14:30:32.076053354 +0200 ++++ openssl-3.0.3-new/apps/openssl.cnf 2022-06-02 14:30:32.267053358 +0200 +@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7 [openssl_init] providers = provider_sect @@ -39,7 +22,7 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1 # List of providers to load [provider_sect] -@@ -64,6 +66,13 @@ default = default_sect +@@ -71,6 +73,13 @@ default = default_sect [default_sect] # activate = 1 @@ -53,7 +36,7 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1 #################################################################### [ ca ] -@@ -72,7 +81,7 @@ default_ca = CA_default # The default c +@@ -79,7 +88,7 @@ default_ca = CA_default # The default c #################################################################### [ CA_default ] @@ -62,7 +45,7 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1 certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. -@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default +@@ -311,7 +320,7 @@ default_tsa = tsa_config1 # the default [ tsa_config1 ] # These are used by the TSA reply generation only. diff --git a/0005-apps-ca-fix-md-option-help-text.patch b/0005-apps-ca-fix-md-option-help-text.patch index 1fed4c4..eb3800b 100644 --- a/0005-apps-ca-fix-md-option-help-text.patch +++ b/0005-apps-ca-fix-md-option-help-text.patch @@ -1,20 +1,7 @@ -From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:27:18 +0200 -Subject: apps/ca: fix md option help text - -upstreamable - -(was openssl-1.1.1-apps-dgst.patch) ---- - apps/ca.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/apps/ca.c b/apps/ca.c -index 0f21b4fa1c..3d4b2c1673 100755 ---- a/apps/ca.c -+++ b/apps/ca.c -@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = { +diff -rupN --no-dereference openssl-3.0.3/apps/ca.c openssl-3.0.3-new/apps/ca.c +--- openssl-3.0.3/apps/ca.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/apps/ca.c 2022-06-02 14:30:32.456053362 +0200 +@@ -210,7 +210,7 @@ const OPTIONS ca_options[] = { {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, OPT_SECTION("Signing"), @@ -23,6 +10,3 @@ index 0f21b4fa1c..3d4b2c1673 100755 {"keyfile", OPT_KEYFILE, 's', "The CA private key"}, {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"}, --- -2.26.2 - diff --git a/0006-Disable-signature-verification-with-totally-unsafe-h.patch b/0006-Disable-signature-verification-with-totally-unsafe-h.patch index f9dd2dd..266ebc9 100644 --- a/0006-Disable-signature-verification-with-totally-unsafe-h.patch +++ b/0006-Disable-signature-verification-with-totally-unsafe-h.patch @@ -1,18 +1,7 @@ -From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:51:34 +0200 -Subject: Disable signature verification with totally unsafe hash algorithms - -(was openssl-1.1.1-no-weak-verify.patch) ---- - crypto/asn1/a_verify.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c -index b7eed914b0..af62f0ef08 100644 ---- a/crypto/asn1/a_verify.c -+++ b/crypto/asn1/a_verify.c -@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, +diff -rupN --no-dereference openssl-3.0.3/crypto/asn1/a_verify.c openssl-3.0.3-new/crypto/asn1/a_verify.c +--- openssl-3.0.3/crypto/asn1/a_verify.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/crypto/asn1/a_verify.c 2022-06-02 14:30:32.645053367 +0200 +@@ -153,6 +153,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB); if (ret <= 1) goto err; @@ -24,6 +13,3 @@ index b7eed914b0..af62f0ef08 100644 } else { const EVP_MD *type = NULL; --- -2.26.2 - diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 9917fcf..8b7d213 100644 --- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -1,25 +1,7 @@ -From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 10:16:46 +0200 -Subject: Add support for PROFILE=SYSTEM system default cipherlist - -(was openssl-1.1.1-system-cipherlist.patch) ---- - Configurations/unix-Makefile.tmpl | 5 ++ - Configure | 10 +++- - doc/man1/openssl-ciphers.pod.in | 9 ++++ - include/openssl/ssl.h.in | 5 ++ - ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++---- - ssl/ssl_lib.c | 4 +- - test/cipherlist_test.c | 2 + - util/libcrypto.num | 1 + - 8 files changed, 110 insertions(+), 14 deletions(-) - -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index 9f369edf0e..c52389f831 100644 ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -269,6 +269,10 @@ MANDIR=$(INSTALLTOP)/share/man +diff -rupN --no-dereference openssl-3.0.3/Configurations/unix-Makefile.tmpl openssl-3.0.3-new/Configurations/unix-Makefile.tmpl +--- openssl-3.0.3/Configurations/unix-Makefile.tmpl 2022-06-02 14:30:32.263053358 +0200 ++++ openssl-3.0.3-new/Configurations/unix-Makefile.tmpl 2022-06-02 14:30:32.842053371 +0200 +@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html @@ -30,7 +12,7 @@ index 9f369edf0e..c52389f831 100644 # MANSUFFIX is for the benefit of anyone who may want to have a suffix # appended after the manpage file section number. "ssl" is popular, # resulting in files such as config.5ssl rather than config.5. -@@ -292,6 +296,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} +@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} CPPFLAGS={- our $cppflags1 = join(" ", (map { "-D".$_} @{$config{CPPDEFINES}}), @@ -38,11 +20,52 @@ index 9f369edf0e..c52389f831 100644 (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} -diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in -index b4ed3e51d5..2122e6bdfd 100644 ---- a/doc/man1/openssl-ciphers.pod.in -+++ b/doc/man1/openssl-ciphers.pod.in -@@ -187,6 +187,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. +diff -rupN --no-dereference openssl-3.0.3/Configure openssl-3.0.3-new/Configure +--- openssl-3.0.3/Configure 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/Configure 2022-06-02 14:30:32.847053371 +0200 +@@ -27,7 +27,7 @@ use OpenSSL::config; + my $orig_death_handler = $SIG{__DIE__}; + $SIG{__DIE__} = \&death_handler; + +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; + + my $banner = <<"EOF"; + +@@ -61,6 +61,10 @@ EOF + # given with --prefix. + # This becomes the value of OPENSSLDIR in Makefile and in C. + # (Default: PREFIX/ssl) ++# ++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM ++# cipher is specified (default). ++# + # --banner=".." Output specified text instead of default completion banner + # + # -w Don't wait after showing a Configure warning +@@ -387,6 +391,7 @@ $config{prefix}=""; + $config{openssldir}=""; + $config{processor}=""; + $config{libdir}=""; ++$config{system_ciphers_file}=""; + my $auto_threads=1; # enable threads automatically? true by default + my $default_ranlib; + +@@ -989,6 +994,10 @@ while (@argvcopy) + die "FIPS key too long (64 bytes max)\n" + if length $1 > 64; + } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } + elsif (/^--banner=(.*)$/) + { + $banner = $1 . "\n"; +diff -rupN --no-dereference openssl-3.0.3/doc/man1/openssl-ciphers.pod.in openssl-3.0.3-new/doc/man1/openssl-ciphers.pod.in +--- openssl-3.0.3/doc/man1/openssl-ciphers.pod.in 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/doc/man1/openssl-ciphers.pod.in 2022-06-02 14:30:32.843053371 +0200 +@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B cipher s The cipher suites not enabled by B, currently B. @@ -58,11 +81,10 @@ index b4ed3e51d5..2122e6bdfd 100644 =item B "High" encryption cipher suites. This currently means those with key lengths -diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in -index f9a61609e4..c6f95fed3f 100644 ---- a/include/openssl/ssl.h.in -+++ b/include/openssl/ssl.h.in -@@ -209,6 +209,11 @@ extern "C" { +diff -rupN --no-dereference openssl-3.0.3/include/openssl/ssl.h.in openssl-3.0.3-new/include/openssl/ssl.h.in +--- openssl-3.0.3/include/openssl/ssl.h.in 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/include/openssl/ssl.h.in 2022-06-02 14:30:32.843053371 +0200 +@@ -205,6 +205,11 @@ extern "C" { * throwing out anonymous and unencrypted ciphersuites! (The latter are not * actually enabled by ALL, but "ALL:RSA" would enable some of them.) */ @@ -74,11 +96,10 @@ index f9a61609e4..c6f95fed3f 100644 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 -diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index b1d3f7919e..f7cc7fed48 100644 ---- a/ssl/ssl_ciph.c -+++ b/ssl/ssl_ciph.c -@@ -1411,6 +1411,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str) +diff -rupN --no-dereference openssl-3.0.3/ssl/ssl_ciph.c openssl-3.0.3-new/ssl/ssl_ciph.c +--- openssl-3.0.3/ssl/ssl_ciph.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/ssl/ssl_ciph.c 2022-06-02 14:30:32.844053371 +0200 +@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c return ret; } @@ -132,7 +153,7 @@ index b1d3f7919e..f7cc7fed48 100644 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1425,15 +1472,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1450,15 +1497,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; const SSL_METHOD *ssl_method = ctx->method; @@ -153,14 +174,14 @@ index b1d3f7919e..f7cc7fed48 100644 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) - return NULL; + goto err; - + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) - return NULL; + goto err; /* * To reduce the work to do we only want to process the compiled -@@ -1456,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1480,7 +1537,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); if (co_list == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); @@ -169,7 +190,7 @@ index b1d3f7919e..f7cc7fed48 100644 } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1522,8 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1546,8 +1603,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { @@ -179,7 +200,7 @@ index b1d3f7919e..f7cc7fed48 100644 } /* -@@ -1568,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1591,9 +1647,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { @@ -190,7 +211,7 @@ index b1d3f7919e..f7cc7fed48 100644 } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1596,8 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1619,8 +1674,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ @@ -200,7 +221,7 @@ index b1d3f7919e..f7cc7fed48 100644 } /* -@@ -1605,10 +1659,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1628,10 +1682,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { @@ -216,7 +237,7 @@ index b1d3f7919e..f7cc7fed48 100644 /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1683,6 +1740,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ *cipher_list = cipherstack; return cipherstack; @@ -231,11 +252,10 @@ index b1d3f7919e..f7cc7fed48 100644 } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index d14d5819ba..48d491219a 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) +diff -rupN --no-dereference openssl-3.0.3/ssl/ssl_lib.c openssl-3.0.3-new/ssl/ssl_lib.c +--- openssl-3.0.3/ssl/ssl_lib.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/ssl/ssl_lib.c 2022-06-02 14:30:32.845053371 +0200 +@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), @@ -244,7 +264,7 @@ index d14d5819ba..48d491219a 100644 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -3193,7 +3193,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, +@@ -3271,7 +3271,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, @@ -253,11 +273,10 @@ index d14d5819ba..48d491219a 100644 || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; -diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c -index 380f0727fc..6922a87c30 100644 ---- a/test/cipherlist_test.c -+++ b/test/cipherlist_test.c -@@ -244,7 +244,9 @@ end: +diff -rupN --no-dereference openssl-3.0.3/test/cipherlist_test.c openssl-3.0.3-new/test/cipherlist_test.c +--- openssl-3.0.3/test/cipherlist_test.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/cipherlist_test.c 2022-06-02 14:30:32.845053371 +0200 +@@ -246,7 +246,9 @@ end: int setup_tests(void) { @@ -267,57 +286,11 @@ index 380f0727fc..6922a87c30 100644 ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); return 1; -diff --git a/util/libcrypto.num b/util/libcrypto.num -index 404a706fab..e81fa9ec3e 100644 ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION: - ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: - EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: +diff -rupN --no-dereference openssl-3.0.3/util/libcrypto.num openssl-3.0.3-new/util/libcrypto.num +--- openssl-3.0.3/util/libcrypto.num 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/util/libcrypto.num 2022-06-02 14:30:32.846053371 +0200 +@@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: + OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: +ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: --- -2.26.2 - -diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure ---- openssl-3.0.0-beta1/Configure.sys-default 2021-06-29 11:47:58.978144386 +0200 -+++ openssl-3.0.0-beta1/Configure 2021-06-29 11:52:01.631126260 +0200 -@@ -27,7 +27,7 @@ use OpenSSL::config; - my $orig_death_handler = $SIG{__DIE__}; - $SIG{__DIE__} = \&death_handler; - --my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; - - my $banner = <<"EOF"; - -@@ -61,6 +61,10 @@ EOF - # given with --prefix. - # This becomes the value of OPENSSLDIR in Makefile and in C. - # (Default: PREFIX/ssl) -+# -+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM -+# cipher is specified (default). -+# - # --banner=".." Output specified text instead of default completion banner - # - # -w Don't wait after showing a Configure warning -@@ -385,6 +389,7 @@ $config{prefix}=""; - $config{openssldir}=""; - $config{processor}=""; - $config{libdir}=""; -+$config{system_ciphers_file}=""; - my $auto_threads=1; # enable threads automatically? true by default - my $default_ranlib; - -@@ -987,6 +992,10 @@ while (@argvcopy) - die "FIPS key too long (64 bytes max)\n" - if length $1 > 64; - } -+ elsif (/^--system-ciphers-file=(.*)$/) -+ { -+ $config{system_ciphers_file}=$1; -+ } - elsif (/^--banner=(.*)$/) - { - $banner = $1 . "\n"; diff --git a/0008-Add-FIPS_mode-compatibility-macro.patch b/0008-Add-FIPS_mode-compatibility-macro.patch index 0fac4eb..11833b2 100644 --- a/0008-Add-FIPS_mode-compatibility-macro.patch +++ b/0008-Add-FIPS_mode-compatibility-macro.patch @@ -1,22 +1,7 @@ -From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 26 Nov 2020 14:00:16 +0100 -Subject: Add FIPS_mode() compatibility macro - -The macro calls EVP_default_properties_is_fips_enabled() on the -default context. ---- - include/openssl/crypto.h.in | 1 + - include/openssl/fips.h | 25 +++++++++++++++++++++++++ - test/property_test.c | 13 +++++++++++++ - 3 files changed, 39 insertions(+) - create mode 100644 include/openssl/fips.h - -diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in -index 1036da9a2b..9d4896fcaf 100644 ---- a/include/openssl/crypto.h.in -+++ b/include/openssl/crypto.h.in -@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack_macros); +diff -rupN --no-dereference openssl-3.0.3/include/openssl/crypto.h.in openssl-3.0.3-new/include/openssl/crypto.h.in +--- openssl-3.0.3/include/openssl/crypto.h.in 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/include/openssl/crypto.h.in 2022-06-02 14:30:33.049053376 +0200 +@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack # include # include # include @@ -24,11 +9,9 @@ index 1036da9a2b..9d4896fcaf 100644 # ifdef CHARSET_EBCDIC # include -diff --git a/include/openssl/fips.h b/include/openssl/fips.h -new file mode 100644 -index 0000000000..c64f0f8e8f ---- /dev/null -+++ b/include/openssl/fips.h +diff -rupN --no-dereference openssl-3.0.3/include/openssl/fips.h openssl-3.0.3-new/include/openssl/fips.h +--- openssl-3.0.3/include/openssl/fips.h 1970-01-01 01:00:00.000000000 +0100 ++++ openssl-3.0.3-new/include/openssl/fips.h 2022-06-02 14:30:33.049053376 +0200 @@ -0,0 +1,25 @@ +/* + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. @@ -55,10 +38,10 @@ index 0000000000..c64f0f8e8f +} +# endif +#endif -diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c ---- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200 -+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200 -@@ -488,6 +488,18 @@ static int test_property_list_to_string( +diff -rupN --no-dereference openssl-3.0.3/test/property_test.c openssl-3.0.3-new/test/property_test.c +--- openssl-3.0.3/test/property_test.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/property_test.c 2022-06-02 14:30:33.050053376 +0200 +@@ -624,6 +624,18 @@ static int test_property_list_to_string( return ret; } @@ -77,7 +60,7 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1 int setup_tests(void) { ADD_TEST(test_property_string); -@@ -500,6 +512,7 @@ int setup_tests(void) +@@ -637,6 +649,7 @@ int setup_tests(void) ADD_TEST(test_property); ADD_TEST(test_query_cache_stochastic); ADD_TEST(test_fips_mode); diff --git a/0011-Remove-EC-curves.patch b/0011-Remove-EC-curves.patch index 51c9d23..6434baf 100644 --- a/0011-Remove-EC-curves.patch +++ b/0011-Remove-EC-curves.patch @@ -1,7 +1,7 @@ -diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps/speed.c ---- openssl-3.0.0-alpha13/apps/speed.c.ec-curves 2021-04-10 12:12:00.620129302 +0200 -+++ openssl-3.0.0-alpha13/apps/speed.c 2021-04-10 12:18:11.872369417 +0200 -@@ -364,68 +364,23 @@ static double ffdh_results[FFDH_NUM][1]; +diff -rupN --no-dereference openssl-3.0.3/apps/speed.c openssl-3.0.3-new/apps/speed.c +--- openssl-3.0.3/apps/speed.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/apps/speed.c 2022-06-02 14:30:33.247053380 +0200 +@@ -365,68 +365,23 @@ static double ffdh_results[FFDH_NUM][1]; #endif /* OPENSSL_NO_DH */ enum ec_curves_t { @@ -72,7 +72,7 @@ diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps {"ecdhx25519", R_EC_X25519}, {"ecdhx448", R_EC_X448} }; -@@ -1449,31 +1404,10 @@ int speed_main(int argc, char **argv) +@@ -1418,31 +1373,10 @@ int speed_main(int argc, char **argv) */ static const EC_CURVE ec_curves[EC_NUM] = { /* Prime Curves */ @@ -104,344 +104,21 @@ diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps /* Other and ECDH only ones */ {"X25519", NID_X25519, 253}, {"X448", NID_X448, 448} -diff -up openssl-3.0.0-alpha13/test/ecdsatest.h.ec-curves openssl-3.0.0-alpha13/test/ecdsatest.h ---- openssl-3.0.0-alpha13/test/ecdsatest.h.ec-curves 2021-04-10 12:07:43.158013028 +0200 -+++ openssl-3.0.0-alpha13/test/ecdsatest.h 2021-04-10 12:11:21.601828737 +0200 -@@ -32,23 +32,6 @@ typedef struct { - } ecdsa_cavs_kat_t; +@@ -1470,8 +1404,8 @@ int speed_main(int argc, char **argv) + OPENSSL_assert(ec_curves[EC_NUM - 1].nid == NID_X448); + OPENSSL_assert(strcmp(ecdh_choices[EC_NUM - 1].name, "ecdhx448") == 0); - static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { -- /* prime KATs from X9.62 */ -- {NID_X9_62_prime192v1, NID_sha1, -- "616263", /* "abc" */ -- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", -- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" -- "5ca5c0d69716dfcb3474373902", -- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", -- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", -- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, -- {NID_X9_62_prime239v1, NID_sha1, -- "616263", /* "abc" */ -- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", -- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" -- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", -- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", -- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", -- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, - /* prime KATs from NIST CAVP */ - {NID_secp224r1, NID_sha224, - "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" -diff -up openssl-3.0.0-alpha13/test/recipes/15-test_genec.t.ec-curves openssl-3.0.0-alpha13/test/recipes/15-test_genec.t ---- openssl-3.0.0-alpha13/test/recipes/15-test_genec.t.ec-curves 2021-04-10 11:59:37.453332668 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/15-test_genec.t 2021-04-10 12:03:43.363538976 +0200 -@@ -41,45 +41,11 @@ plan skip_all => "This test is unsupport - if disabled("ec"); +- OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1); +- OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0); ++ OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_secp521r1); ++ OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsap521") == 0); - my @prime_curves = qw( -- secp112r1 -- secp112r2 -- secp128r1 -- secp128r2 -- secp160k1 -- secp160r1 -- secp160r2 -- secp192k1 -- secp224k1 - secp224r1 - secp256k1 - secp384r1 - secp521r1 -- prime192v1 -- prime192v2 -- prime192v3 -- prime239v1 -- prime239v2 -- prime239v3 - prime256v1 -- wap-wsg-idm-ecid-wtls6 -- wap-wsg-idm-ecid-wtls7 -- wap-wsg-idm-ecid-wtls8 -- wap-wsg-idm-ecid-wtls9 -- wap-wsg-idm-ecid-wtls12 -- brainpoolP160r1 -- brainpoolP160t1 -- brainpoolP192r1 -- brainpoolP192t1 -- brainpoolP224r1 -- brainpoolP224t1 -- brainpoolP256r1 -- brainpoolP256t1 -- brainpoolP320r1 -- brainpoolP320t1 -- brainpoolP384r1 -- brainpoolP384t1 -- brainpoolP512r1 -- brainpoolP512t1 - ); - - my @binary_curves = qw( -@@ -136,7 +102,6 @@ push(@other_curves, 'SM2') - if !disabled("sm2"); - - my @curve_aliases = qw( -- P-192 - P-224 - P-256 - P-384 -diff -up openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t.ec-curves openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t ---- openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t.ec-curves 2021-04-10 12:40:59.871858764 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t 2021-04-10 12:41:41.140455070 +0200 -@@ -33,7 +33,7 @@ my %certs_info = - 'ee-cert-ec-named-explicit' => 'ca-cert-ec-explicit', - 'ee-cert-ec-named-named' => 'ca-cert-ec-named', - # 'server-ed448-cert' => 'root-ed448-cert' -- 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', -+ # 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', - ) - ) - ); -diff -up openssl-3.0.0-alpha13/test/recipes/15-test_ec.t.ec-curves openssl-3.0.0-alpha13/test/recipes/15-test_ec.t -diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t -diff -up openssl-3.0.0-alpha13/test/recipes/30-test_acvp.t.ec-curves openssl-3.0.0-alpha13/test/recipes/30-test_acvp.t -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves 2021-04-10 13:21:52.123040226 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf 2021-04-10 13:28:20.856023985 +0200 -@@ -776,14 +776,12 @@ server = 22-ECDSA with brainpool-server - client = 22-ECDSA with brainpool-client - - [22-ECDSA with brainpool-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --Groups = brainpoolP256r1 --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [22-ECDSA with brainpool-client] - CipherString = aECDSA --Groups = brainpoolP256r1 - MaxProtocol = TLSv1.2 - RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -@@ -791,9 +789,6 @@ VerifyMode = Peer - - [test-22] - ExpectedResult = Success --ExpectedServerCANames = empty --ExpectedServerCertType = brainpoolP256r1 --ExpectedServerSignType = EC - - - # =========================================================== -@@ -1741,9 +1736,9 @@ server = 53-TLS 1.3 ECDSA with brainpool - client = 53-TLS 1.3 ECDSA with brainpool-client - - [53-TLS 1.3 ECDSA with brainpool-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [53-TLS 1.3 ECDSA with brainpool-client] - CipherString = DEFAULT -@@ -1754,7 +1749,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro - VerifyMode = Peer - - [test-53] --ExpectedResult = ServerFail -+ExpectedResult = Success - - - # =========================================================== -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves 2021-04-10 13:22:06.275221662 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in 2021-04-10 13:35:18.774623319 +0200 -@@ -428,21 +428,21 @@ my @tests_non_fips = ( - { - name => "ECDSA with brainpool", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -- "Groups" => "brainpoolP256r1", -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), -+ #"Groups" => "brainpoolP256r1", - }, - client => { - "MaxProtocol" => "TLSv1.2", - "CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), -- "Groups" => "brainpoolP256r1", -+ #"Groups" => "brainpoolP256r1", - }, - test => { -- "ExpectedServerCertType" =>, "brainpoolP256r1", -- "ExpectedServerSignType" =>, "EC", -+ #"ExpectedServerCertType" =>, "brainpoolP256r1", -+ #"ExpectedServerSignType" =>, "EC", - # Note: certificate_authorities not sent for TLS < 1.3 -- "ExpectedServerCANames" =>, "empty", -+ #"ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, -@@ -915,8 +915,8 @@ my @tests_tls_1_3_non_fips = ( - { - name => "TLS 1.3 ECDSA with brainpool", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), - }, - client => { - "RequestCAFile" => test_pem("root-cert.pem"), -@@ -924,7 +924,7 @@ my @tests_tls_1_3_non_fips = ( - "MaxProtocol" => "TLSv1.3" - }, - test => { -- "ExpectedResult" => "ServerFail" -+ "ExpectedResult" => "Success" - }, - }, - ); -diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t ---- openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves 2021-04-10 14:00:22.482782216 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t 2021-04-10 14:08:50.769727651 +0200 -@@ -158,60 +158,6 @@ sub tsignverify { - $testtext); - } - --SKIP : { -- skip "FIPS EC tests because of no ec in this build", 1 -- if disabled("ec"); -- -- subtest EC => sub { -- my $testtext_prefix = 'EC'; -- my $a_fips_curve = 'prime256v1'; -- my $fips_key = $testtext_prefix.'.fips.priv.pem'; -- my $fips_pub_key = $testtext_prefix.'.fips.pub.pem'; -- my $a_nonfips_curve = 'brainpoolP256r1'; -- my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; -- my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem'; -- my $testtext = ''; -- my $curvename = ''; -- -- plan tests => 5 + $tsignverify_count; -- -- $ENV{OPENSSL_CONF} = $defaultconf; -- $curvename = $a_nonfips_curve; -- $testtext = $testtext_prefix.': '. -- 'Generate a key with a non-FIPS algorithm with the default provider'; -- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', -- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, -- '-out', $nonfips_key])), -- $testtext); -- -- pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS"); -- -- $ENV{OPENSSL_CONF} = $fipsconf; -- -- $curvename = $a_fips_curve; -- $testtext = $testtext_prefix.': '. -- 'Generate a key with a FIPS algorithm'; -- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', -- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, -- '-out', $fips_key])), -- $testtext); -- -- pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS"); -- -- $curvename = $a_nonfips_curve; -- $testtext = $testtext_prefix.': '. -- 'Generate a key with a non-FIPS algorithm'. -- ' (should fail)'; -- ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC', -- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, -- '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])), -- $testtext); -- -- tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key, -- $nonfips_pub_key); -- }; --} -- - SKIP: { - skip "FIPS RSA tests because of no rsa in this build", 1 - if disabled("rsa"); -diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t ---- openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves 2021-04-10 14:23:09.805468483 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t 2021-04-10 14:23:33.002784265 +0200 -@@ -26,7 +26,7 @@ use platform; - my $no_check = disabled("fips") || disabled('fips-securitychecks'); - plan skip_all => "Test only supported in a fips build with security checks" - if $no_check; --plan tests => 11; -+plan tests => 10; - - my $fipsmodule = bldtop_file('providers', platform->dso('fips')); - my $fipsconf = srctop_file("test", "fips-and-base.cnf"); -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves 2021-04-10 17:52:46.478721611 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf 2021-04-10 17:54:11.371688446 +0200 -@@ -1710,20 +1710,18 @@ server = 52-TLS 1.3 ECDSA with brainpool - client = 52-TLS 1.3 ECDSA with brainpool but no suitable groups-client - - [52-TLS 1.3 ECDSA with brainpool but no suitable groups-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --Groups = brainpoolP256r1 --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [52-TLS 1.3 ECDSA with brainpool but no suitable groups-client] - CipherString = aECDSA --Groups = brainpoolP256r1 - RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - - [test-52] --ExpectedResult = ClientFail -+ExpectedResult = Success - - - # =========================================================== -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves 2021-04-10 17:53:03.317913390 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in 2021-04-10 17:55:22.507498606 +0200 -@@ -896,20 +896,20 @@ my @tests_tls_1_3_non_fips = ( - { - name => "TLS 1.3 ECDSA with brainpool but no suitable groups", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -- "Groups" => "brainpoolP256r1", -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), -+ #"Groups" => "brainpoolP256r1", - }, - client => { - "CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), -- "Groups" => "brainpoolP256r1", -+ #"Groups" => "brainpoolP256r1", - }, - test => { - #We only configured brainpoolP256r1 on the client side, but TLSv1.3 - #is enabled and this group is not allowed in TLSv1.3. Therefore this - #should fail -- "ExpectedResult" => "ClientFail" -+ "ExpectedResult" => "Success" - }, - }, - { -diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-alpha13/crypto/evp/ec_support.c ---- openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves 2021-04-11 11:13:14.236891844 +0200 -+++ openssl-3.0.0-alpha13/crypto/evp/ec_support.c 2021-04-11 11:12:05.128098714 +0200 -@@ -20,99 +20,13 @@ typedef struct ec_name2nid_st { + #ifndef OPENSSL_NO_SM2 + OPENSSL_assert(sm2_curves[SM2_NUM - 1].nid == NID_sm2); +diff -rupN --no-dereference openssl-3.0.3/crypto/evp/ec_support.c openssl-3.0.3-new/crypto/evp/ec_support.c +--- openssl-3.0.3/crypto/evp/ec_support.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/crypto/evp/ec_support.c 2022-06-02 14:30:33.246053380 +0200 +@@ -20,99 +20,12 @@ typedef struct ec_name2nid_st { static const EC_NAME2NID curve_list[] = { /* prime field curves */ /* secg curves */ @@ -453,7 +130,7 @@ diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-a - {"secp160r1", NID_secp160r1 }, - {"secp160r2", NID_secp160r2 }, - {"secp192k1", NID_secp192k1 }, - {"secp224k1", NID_secp224k1 }, +- {"secp224k1", NID_secp224k1 }, {"secp224r1", NID_secp224r1 }, {"secp256k1", NID_secp256k1 }, {"secp384r1", NID_secp384r1 }, @@ -541,9 +218,9 @@ diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-a }; const char *OSSL_EC_curve_nid2name(int nid) -diff -up openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves openssl-3.0.0-alpha13/test/acvp_test.inc ---- openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves 2021-04-11 13:46:57.286828933 +0200 -+++ openssl-3.0.0-alpha13/test/acvp_test.inc 2021-04-11 13:48:01.356704526 +0200 +diff -rupN --no-dereference openssl-3.0.3/test/acvp_test.inc openssl-3.0.3-new/test/acvp_test.inc +--- openssl-3.0.3/test/acvp_test.inc 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/acvp_test.inc 2022-06-02 14:30:33.246053380 +0200 @@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_ }; static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { @@ -560,75 +237,37 @@ diff -up openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves openssl-3.0.0-alpha1 "SHA2-512", "P-521", ITM(ecdsa_sigver_msg1), -diff -up openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t.ec-curves openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t ---- openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t.ec-curves 2021-04-11 21:45:04.949948725 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t 2021-04-11 21:44:09.585283604 +0200 -@@ -7,7 +7,6 @@ - # this file except in compliance with the License. You can obtain a copy - # in the file LICENSE in the source distribution or at - # https://www.openssl.org/source/license.html -- - use strict; - use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; - use OpenSSL::Test::Utils; -@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo - plan skip_all => "This test is not supported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); +diff -rupN --no-dereference openssl-3.0.3/test/ecdsatest.h openssl-3.0.3-new/test/ecdsatest.h +--- openssl-3.0.3/test/ecdsatest.h 2022-06-01 12:19:09.000000000 +0200 ++++ openssl-3.0.3-new/test/ecdsatest.h 2022-06-02 14:30:33.243053380 +0200 +@@ -32,23 +32,6 @@ typedef struct { + } ecdsa_cavs_kat_t; --plan tests => 2 + ($no_fips ? 0 : 1); #fips test -+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test - - my @basic_cmd = ("cmp_protect_test", - data_file("server.pem"), -diff -up openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t.ec-curves openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t ---- openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t.ec-curves 2021-04-11 21:45:25.414194574 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t 2021-04-11 21:44:40.786658440 +0200 -@@ -7,7 +7,6 @@ - # this file except in compliance with the License. You can obtain a copy - # in the file LICENSE in the source distribution or at - # https://www.openssl.org/source/license.html -- - use strict; - use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; - use OpenSSL::Test::Utils; -@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo - plan skip_all => "This test is not supported in a no-ec build" - if disabled("ec"); - --plan tests => 2 + ($no_fips ? 0 : 1); #fips test -+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test - - my @basic_cmd = ("cmp_vfy_test", - data_file("server.crt"), data_file("client.crt"), -diff -up openssl-3.0.0-alpha15/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-alpha15/crypto/evp/ec_support.c ---- openssl-3.0.0-alpha15/crypto/evp/ec_support.c.ec-curves 2021-04-23 18:15:12.571691284 +0200 -+++ openssl-3.0.0-alpha15/crypto/evp/ec_support.c 2021-04-23 18:16:00.803087403 +0200 -@@ -28,7 +28,6 @@ static const EC_NAME2NID curve_list[] = - static const EC_NAME2NID curve_list[] = { - /* prime field curves */ - /* secg curves */ -- {"secp224k1", NID_secp224k1 }, - {"secp224r1", NID_secp224r1 }, - {"secp256k1", NID_secp256k1 }, - {"secp384r1", NID_secp384r1 }, -diff -up openssl-3.0.0-alpha15/apps/speed.c.ec-curves openssl-3.0.0-alpha15/apps/speed.c ---- openssl-3.0.0-alpha15/apps/speed.c.ec-curves 2021-04-26 14:25:44.049991942 +0200 -+++ openssl-3.0.0-alpha15/apps/speed.c 2021-04-26 14:36:10.643570273 +0200 -@@ -1439,8 +1439,8 @@ int speed_main(int argc, char **argv) - OPENSSL_assert(ec_curves[EC_NUM - 1].nid == NID_X448); - OPENSSL_assert(strcmp(ecdh_choices[EC_NUM - 1].name, "ecdhx448") == 0); - -- OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1); -- OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0); -+ OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_secp521r1); -+ OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsap521") == 0); - - #ifndef OPENSSL_NO_SM2 - OPENSSL_assert(sm2_curves[SM2_NUM - 1].nid == NID_sm2); -diff -up openssl-3.0.0-alpha16/test/evp_extra_test.c.ec-curves openssl-3.0.0-alpha16/test/evp_extra_test.c ---- openssl-3.0.0-alpha16/test/evp_extra_test.c.ec-curves 2021-05-10 14:44:28.932751551 +0200 -+++ openssl-3.0.0-alpha16/test/evp_extra_test.c 2021-05-10 14:45:21.537238883 +0200 -@@ -2701,13 +2701,12 @@ err: + static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { +- /* prime KATs from X9.62 */ +- {NID_X9_62_prime192v1, NID_sha1, +- "616263", /* "abc" */ +- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", +- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" +- "5ca5c0d69716dfcb3474373902", +- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", +- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", +- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, +- {NID_X9_62_prime239v1, NID_sha1, +- "616263", /* "abc" */ +- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", +- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" +- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", +- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", +- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", +- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, + /* prime KATs from NIST CAVP */ + {NID_secp224r1, NID_sha224, + "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" +diff -rupN --no-dereference openssl-3.0.3/test/evp_extra_test.c openssl-3.0.3-new/test/evp_extra_test.c +--- openssl-3.0.3/test/evp_extra_test.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/evp_extra_test.c 2022-06-02 14:30:33.247053380 +0200 +@@ -3269,13 +3269,12 @@ err: #ifndef OPENSSL_NO_EC static int ecpub_nids[] = { @@ -643,47 +282,157 @@ diff -up openssl-3.0.0-alpha16/test/evp_extra_test.c.ec-curves openssl-3.0.0-alp }; static int test_ecpub(int idx) -diff -up openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt.ec-curves openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt ---- openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt.ec-curves 2021-05-17 10:45:03.968368782 +0200 -+++ openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt 2021-05-17 10:45:54.211747865 +0200 -@@ -31,12 +31,6 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUP - x/iUJAcsJxl9eLM7kg6VzbZk6ZDc8M/qDZTiqOavnQ5YBW5lMQSSW5/myQ== - -----END PUBLIC KEY----- +diff -rupN --no-dereference openssl-3.0.3/test/recipes/06-test_algorithmid.t openssl-3.0.3-new/test/recipes/06-test_algorithmid.t +--- openssl-3.0.3/test/recipes/06-test_algorithmid.t 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/recipes/06-test_algorithmid.t 2022-06-02 14:30:33.243053380 +0200 +@@ -33,7 +33,7 @@ my %certs_info = + 'ee-cert-ec-named-explicit' => 'ca-cert-ec-explicit', + 'ee-cert-ec-named-named' => 'ca-cert-ec-named', + # 'server-ed448-cert' => 'root-ed448-cert' +- 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', ++ # 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', + ) + ) + ); +diff -rupN --no-dereference openssl-3.0.3/test/recipes/15-test_genec.t openssl-3.0.3-new/test/recipes/15-test_genec.t +--- openssl-3.0.3/test/recipes/15-test_genec.t 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/recipes/15-test_genec.t 2022-06-02 14:30:33.243053380 +0200 +@@ -41,45 +41,11 @@ plan skip_all => "This test is unsupport + if disabled("ec"); --PublicKey=KAS-ECC-CDH_K-163_C0-PUBLIC -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBx+LKHfWAn2cGt5CRPLeoSaS7yPVBcFe --53YiHHK4SzR844PzgGe4nD6a -------END PUBLIC KEY----- -- - PrivateKey = RSA-2048 - -----BEGIN PRIVATE KEY----- - MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNAIHqeyrh6gbV -@@ -77,9 +71,3 @@ Result = KEYPAIR_TYPE_MISMATCH + my @prime_curves = qw( +- secp112r1 +- secp112r2 +- secp128r1 +- secp128r2 +- secp160k1 +- secp160r1 +- secp160r2 +- secp192k1 +- secp224k1 + secp224r1 + secp256k1 + secp384r1 + secp521r1 +- prime192v1 +- prime192v2 +- prime192v3 +- prime239v1 +- prime239v2 +- prime239v3 + prime256v1 +- wap-wsg-idm-ecid-wtls6 +- wap-wsg-idm-ecid-wtls7 +- wap-wsg-idm-ecid-wtls8 +- wap-wsg-idm-ecid-wtls9 +- wap-wsg-idm-ecid-wtls12 +- brainpoolP160r1 +- brainpoolP160t1 +- brainpoolP192r1 +- brainpoolP192t1 +- brainpoolP224r1 +- brainpoolP224t1 +- brainpoolP256r1 +- brainpoolP256t1 +- brainpoolP320r1 +- brainpoolP320t1 +- brainpoolP384r1 +- brainpoolP384t1 +- brainpoolP512r1 +- brainpoolP512t1 + ); - PrivPubKeyPair = RSA-2048:P-256-PUBLIC - Result = KEYPAIR_TYPE_MISMATCH -- --PrivPubKeyPair = RSA-2048:KAS-ECC-CDH_K-163_C0-PUBLIC --Result = KEYPAIR_TYPE_MISMATCH -- --PrivPubKeyPair = Alice-25519:KAS-ECC-CDH_K-163_C0-PUBLIC --Result = KEYPAIR_TYPE_MISMATCH -diff -up openssl-3.0.0-alpha16/test/recipes/30-test_evp.t.ec-curves openssl-3.0.0-alpha16/test/recipes/30-test_evp.t ---- openssl-3.0.0-alpha16/test/recipes/30-test_evp.t.ec-curves 2021-05-17 10:49:28.050844977 +0200 -+++ openssl-3.0.0-alpha16/test/recipes/30-test_evp.t 2021-05-17 10:53:53.480444576 +0200 -@@ -111,7 +111,6 @@ my @defltfiles = qw( - evppkey_kdf_tls1_prf.txt - evppkey_rsa.txt - ); --push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; - push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + my @binary_curves = qw( +@@ -136,7 +102,6 @@ push(@other_curves, 'SM2') + if !disabled("sm2"); - plan tests => -diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt ---- openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec 2021-06-29 16:24:56.863303499 +0200 -+++ openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt 2021-06-29 16:38:04.189996425 +0200 -@@ -11,1949 +11,6 @@ + my @curve_aliases = qw( +- P-192 + P-224 + P-256 + P-384 +diff -rupN --no-dereference openssl-3.0.3/test/recipes/20-test_cli_fips.t openssl-3.0.3-new/test/recipes/20-test_cli_fips.t +--- openssl-3.0.3/test/recipes/20-test_cli_fips.t 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/recipes/20-test_cli_fips.t 2022-06-02 14:30:33.244053380 +0200 +@@ -26,7 +26,7 @@ use platform; + my $no_check = disabled("fips") || disabled('fips-securitychecks'); + plan skip_all => "Test only supported in a fips build with security checks" + if $no_check; +-plan tests => 11; ++plan tests => 10; + + my $fipsmodule = bldtop_file('providers', platform->dso('fips')); + my $fipsconf = srctop_file("test", "fips-and-base.cnf"); +@@ -158,60 +158,6 @@ sub tsignverify { + $testtext); + } + +-SKIP : { +- skip "FIPS EC tests because of no ec in this build", 1 +- if disabled("ec"); +- +- subtest EC => sub { +- my $testtext_prefix = 'EC'; +- my $a_fips_curve = 'prime256v1'; +- my $fips_key = $testtext_prefix.'.fips.priv.pem'; +- my $fips_pub_key = $testtext_prefix.'.fips.pub.pem'; +- my $a_nonfips_curve = 'brainpoolP256r1'; +- my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; +- my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem'; +- my $testtext = ''; +- my $curvename = ''; +- +- plan tests => 5 + $tsignverify_count; +- +- $ENV{OPENSSL_CONF} = $defaultconf; +- $curvename = $a_nonfips_curve; +- $testtext = $testtext_prefix.': '. +- 'Generate a key with a non-FIPS algorithm with the default provider'; +- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', +- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, +- '-out', $nonfips_key])), +- $testtext); +- +- pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS"); +- +- $ENV{OPENSSL_CONF} = $fipsconf; +- +- $curvename = $a_fips_curve; +- $testtext = $testtext_prefix.': '. +- 'Generate a key with a FIPS algorithm'; +- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', +- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, +- '-out', $fips_key])), +- $testtext); +- +- pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS"); +- +- $curvename = $a_nonfips_curve; +- $testtext = $testtext_prefix.': '. +- 'Generate a key with a non-FIPS algorithm'. +- ' (should fail)'; +- ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC', +- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, +- '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])), +- $testtext); +- +- tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key, +- $nonfips_pub_key); +- }; +-} +- + SKIP: { + skip "FIPS RSA tests because of no rsa in this build", 1 + if disabled("rsa"); +diff -rupN --no-dereference openssl-3.0.3/test/recipes/30-test_evp_data/evppkey_ecc.txt openssl-3.0.3-new/test/recipes/30-test_evp_data/evppkey_ecc.txt +--- openssl-3.0.3/test/recipes/30-test_evp_data/evppkey_ecc.txt 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/recipes/30-test_evp_data/evppkey_ecc.txt 2022-06-02 14:30:33.249053380 +0200 +@@ -1,3 +1,4 @@ ++ + # + # Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + # +@@ -11,1949 +12,6 @@ # PrivPubKeyPair Sign Verify VerifyRecover # and continue until a blank line. Lines starting with a pound sign are ignored. @@ -2633,7 +2382,7 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov Title=secp256k1 curve tests PrivateKey=ALICE_cf_secp256k1 -@@ -1998,1323 +55,6 @@ Derive=BOB_cf_secp256k1 +@@ -1998,1604 +56,6 @@ Derive=BOB_cf_secp256k1 PeerKey=ALICE_cf_secp256k1_PUB SharedSecret=a4745cc4d19cabb9e5cb0abdd5c604cab2846a4638ad844ed9175f3cadda2da1 @@ -3954,13 +3703,113 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov -SharedSecret=baaffd49a8399d2ad52cbbe24d47b67afb4b3cf436f1cd65 - -PrivateKey=ALICE_zero_prime192v2 - -----BEGIN PRIVATE KEY----- - MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBj1AIQMJ7jqYIKCvxYAS+qKMmKmH0to - 41k= -@@ -3422,72 +162,6 @@ Derive=ALICE_zero_prime256v1 - PeerKey=BOB_zero_prime256v1_PUB - SharedSecret=c4f5607deb8501f1a4ba23fce4122a4343a17ada2c86a9c8e0d03d92d4a4c84c - +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBj1AIQMJ7jqYIKCvxYAS+qKMmKmH0to +-41k= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime192v2_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4Gj7Qqt +-2wx/jwFlKgvE4rnd50LspdMk +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime192v2 +-PeerKey=BOB_zero_prime192v2_PUB +-SharedSecret=b8f200a4b87064f2e8600685ca3e69b8e661a117aabc770b +- +-PrivateKey=ALICE_zero_prime192v3 +------BEGIN PRIVATE KEY----- +-MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBh/maLQMSlea9BfLqGy5NPuK0YAH/cz +-GqI= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime192v3_PUB +------BEGIN PUBLIC KEY----- +-MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZEzb63e2 +-3MKatRLR9Y1M5JEdI9jwMocI +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime192v3 +-PeerKey=BOB_zero_prime192v3_PUB +-SharedSecret=b5de857d355bc5b9e270a4c290ea9728d764d8b243ff5d8d +- +-PrivateKey=ALICE_zero_prime239v1 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5pYWzRYI+c6O7NXCt0H2kw8XRL3rhe +-4MrJT8j++CI= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime239v1_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-Ox02uwNNLFuvDRn5ip8TxvW0W22R7UzJa9Av6/nh +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime239v1 +-PeerKey=BOB_zero_prime239v1_PUB +-SharedSecret=6b6206408bd05d42daa2cd224c401a1230b44e184f17b82f385f22dac215 +- +-PrivateKey=ALICE_zero_prime239v2 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5l8bB7Cpmr7vyx9FiOT2wEF3YOFbDG +-bmRr3Vi/xr4= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime239v2_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-IOg3VJGQ89d1GWg4Igxcj5xpDmJiP8tv+e4mxt5U +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime239v2 +-PeerKey=BOB_zero_prime239v2_PUB +-SharedSecret=772c2819c960c78f28f21f6542b7409294fad1f84567c44c4b7678dc0e42 +- +-PrivateKey=ALICE_zero_prime239v3 +------BEGIN PRIVATE KEY----- +-MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5HF5FABzUOTYMZg9UdZTx/oRERm/fU +-M/+otKzpLjA= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime239v3_PUB +------BEGIN PUBLIC KEY----- +-MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AsZ4u6r3qQI78EYBpiSgWjqNpoeShjr5piecMBWj +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime239v3 +-PeerKey=BOB_zero_prime239v3_PUB +-SharedSecret=56a71f5dd1611e8032c3e2d8224d86e5e8c2fc6480d74c0e282282decd43 +- +-PrivateKey=ALICE_zero_prime256v1 +------BEGIN PRIVATE KEY----- +-MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDXhMb6aR4JR2+l2tmgYqP0r8S4jtym +-yH++awvF2nGhhg== +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_prime256v1_PUB +------BEGIN PUBLIC KEY----- +-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AABmSFx4Di+D1yQzvV2EoGu2VBwq8x2uhxcov4VqF0+T9A== +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_prime256v1 +-PeerKey=BOB_zero_prime256v1_PUB +-SharedSecret=c4f5607deb8501f1a4ba23fce4122a4343a17ada2c86a9c8e0d03d92d4a4c84c +- -PrivateKey=ALICE_zero_secp112r2 ------BEGIN PRIVATE KEY----- -MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4hh3tRkG3tnA0496ffMw== @@ -4027,13 +3876,44 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov -PeerKey=BOB_zero_secp160r2_PUB -SharedSecret=303e0a282ac86f463fe834cb51b0057be42ed5ab - - PrivateKey=ALICE_zero_secp384r1 - -----BEGIN PRIVATE KEY----- - ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD6kgzKbg28zbQyVTdC0IdHbm0UCQt2Rdbi -@@ -3526,76 +200,6 @@ Derive=ALICE_zero_secp521r1 - PeerKey=BOB_zero_secp521r1_PUB - SharedSecret=003fc3028f61db94b20c7cd177923b6e73f12f0ab067c9ce8866755e3c82abb39c9863cde74fa80b32520bd7dd0eb156c30c08911503b67b2661f1264d09bb231423 - +-PrivateKey=ALICE_zero_secp384r1 +------BEGIN PRIVATE KEY----- +-ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD6kgzKbg28zbQyVTdC0IdHbm0UCQt2Rdbi +-VVHJeYRSnNpFOiFLaOsGOmwoeZzj6jc= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_secp384r1_PUB +------BEGIN PUBLIC KEY----- +-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAAAPPme8E9RpepjC6P5+WDdWToUyb45/SvSFdO0sIqq+Gu/kn8sRuUqsG+3 +-QriFDlIe +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_secp384r1 +-PeerKey=BOB_zero_secp384r1_PUB +-SharedSecret=b1cfeaeef51dfd487d3a8b2849f1592e04d63f2d2c88b310a6290ebfe5399f5ffe954eabd0619231393e56c35b242986 +- +-PrivateKey=ALICE_zero_secp521r1 +------BEGIN PRIVATE KEY----- +-MGACAQAwEAYHKoZIzj0CAQYFK4EEACMESTBHAgEBBEIAbddDLMUWbAsY7l3vbNDmntXuAUcDYPg5 +-w/cgUwSCIvrV9MBeSG8AWqT16riHmHlsn+XI5PAJM6eij3JDahnu9Mo= +------END PRIVATE KEY----- +- +-PublicKey=BOB_zero_secp521r1_PUB +------BEGIN PUBLIC KEY----- +-MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0g7J/qa1d8ENJsobtEb0CymeZIsa +-1Qiq0GiJb+4/jmFLxjBU1Xcr8Bpl1BLgvKqOll0vXTMtfzn4RtRArgAfT4c= +------END PUBLIC KEY----- +- +-# ECDH Alice with Bob peer +-Availablein = default +-Derive=ALICE_zero_secp521r1 +-PeerKey=BOB_zero_secp521r1_PUB +-SharedSecret=003fc3028f61db94b20c7cd177923b6e73f12f0ab067c9ce8866755e3c82abb39c9863cde74fa80b32520bd7dd0eb156c30c08911503b67b2661f1264d09bb231423 +- -PrivateKey=ALICE_zero_wap-wsg-idm-ecid-wtls7 ------BEGIN PRIVATE KEY----- -MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUAoGng7WzYr4P9vtdc3BS/UiNWmc0= @@ -4107,7 +3987,7 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov Title=prime256v1 curve tests PrivateKey=ALICE_cf_prime256v1 -@@ -3759,743 +363,3 @@ SharedSecret=01dd4aa9037bb4ad298b420998d +@@ -3759,743 +219,3 @@ SharedSecret=01dd4aa9037bb4ad298b420998d Derive=BOB_cf_secp521r1 PeerKey=ALICE_cf_secp521r1_PUB SharedSecret=01dd4aa9037bb4ad298b420998dcd32b3a9af1cda8b7919e372aeb4e54ccfb4d2409a340ed896bfbc5dd462f8d96b8784bc17b29db3ca04700e6ec752f9bec777695 @@ -4851,163 +4731,231 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov -Ctrl=ecdh_cofactor_mode:1 -Result=DERIVE_ERROR -Reason=point at infinity -diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt ---- openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec 2021-06-30 10:51:23.258816802 +0200 -+++ openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt 2021-06-30 11:25:33.504721672 +0200 -@@ -1,3 +1,4 @@ -+ - # - # Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. - # -@@ -55,151 +56,6 @@ Derive=BOB_cf_secp256k1 - PeerKey=ALICE_cf_secp256k1_PUB - SharedSecret=a4745cc4d19cabb9e5cb0abdd5c604cab2846a4638ad844ed9175f3cadda2da1 +diff -rupN --no-dereference openssl-3.0.3/test/recipes/30-test_evp_data/evppkey_mismatch.txt openssl-3.0.3-new/test/recipes/30-test_evp_data/evppkey_mismatch.txt +--- openssl-3.0.3/test/recipes/30-test_evp_data/evppkey_mismatch.txt 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/recipes/30-test_evp_data/evppkey_mismatch.txt 2022-06-02 14:30:33.247053380 +0200 +@@ -31,12 +31,6 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUP + x/iUJAcsJxl9eLM7kg6VzbZk6ZDc8M/qDZTiqOavnQ5YBW5lMQSSW5/myQ== + -----END PUBLIC KEY----- -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBj1AIQMJ7jqYIKCvxYAS+qKMmKmH0to --41k= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime192v2_PUB +-PublicKey=KAS-ECC-CDH_K-163_C0-PUBLIC ------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4Gj7Qqt --2wx/jwFlKgvE4rnd50LspdMk +-MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBx+LKHfWAn2cGt5CRPLeoSaS7yPVBcFe +-53YiHHK4SzR844PzgGe4nD6a ------END PUBLIC KEY----- - --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime192v2 --PeerKey=BOB_zero_prime192v2_PUB --SharedSecret=b8f200a4b87064f2e8600685ca3e69b8e661a117aabc770b -- --PrivateKey=ALICE_zero_prime192v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBh/maLQMSlea9BfLqGy5NPuK0YAH/cz --GqI= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime192v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZEzb63e2 --3MKatRLR9Y1M5JEdI9jwMocI -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime192v3 --PeerKey=BOB_zero_prime192v3_PUB --SharedSecret=b5de857d355bc5b9e270a4c290ea9728d764d8b243ff5d8d -- --PrivateKey=ALICE_zero_prime239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5pYWzRYI+c6O7NXCt0H2kw8XRL3rhe --4MrJT8j++CI= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --Ox02uwNNLFuvDRn5ip8TxvW0W22R7UzJa9Av6/nh -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime239v1 --PeerKey=BOB_zero_prime239v1_PUB --SharedSecret=6b6206408bd05d42daa2cd224c401a1230b44e184f17b82f385f22dac215 -- --PrivateKey=ALICE_zero_prime239v2 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5l8bB7Cpmr7vyx9FiOT2wEF3YOFbDG --bmRr3Vi/xr4= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --IOg3VJGQ89d1GWg4Igxcj5xpDmJiP8tv+e4mxt5U -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime239v2 --PeerKey=BOB_zero_prime239v2_PUB --SharedSecret=772c2819c960c78f28f21f6542b7409294fad1f84567c44c4b7678dc0e42 -- --PrivateKey=ALICE_zero_prime239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5HF5FABzUOTYMZg9UdZTx/oRERm/fU --M/+otKzpLjA= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AsZ4u6r3qQI78EYBpiSgWjqNpoeShjr5piecMBWj -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime239v3 --PeerKey=BOB_zero_prime239v3_PUB --SharedSecret=56a71f5dd1611e8032c3e2d8224d86e5e8c2fc6480d74c0e282282decd43 -- --PrivateKey=ALICE_zero_prime256v1 -------BEGIN PRIVATE KEY----- --MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDXhMb6aR4JR2+l2tmgYqP0r8S4jtym --yH++awvF2nGhhg== -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime256v1_PUB -------BEGIN PUBLIC KEY----- --MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AABmSFx4Di+D1yQzvV2EoGu2VBwq8x2uhxcov4VqF0+T9A== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime256v1 --PeerKey=BOB_zero_prime256v1_PUB --SharedSecret=c4f5607deb8501f1a4ba23fce4122a4343a17ada2c86a9c8e0d03d92d4a4c84c -- --PrivateKey=ALICE_zero_secp384r1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD6kgzKbg28zbQyVTdC0IdHbm0UCQt2Rdbi --VVHJeYRSnNpFOiFLaOsGOmwoeZzj6jc= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp384r1_PUB -------BEGIN PUBLIC KEY----- --MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAPPme8E9RpepjC6P5+WDdWToUyb45/SvSFdO0sIqq+Gu/kn8sRuUqsG+3 --QriFDlIe -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp384r1 --PeerKey=BOB_zero_secp384r1_PUB --SharedSecret=b1cfeaeef51dfd487d3a8b2849f1592e04d63f2d2c88b310a6290ebfe5399f5ffe954eabd0619231393e56c35b242986 -- --PrivateKey=ALICE_zero_secp521r1 -------BEGIN PRIVATE KEY----- --MGACAQAwEAYHKoZIzj0CAQYFK4EEACMESTBHAgEBBEIAbddDLMUWbAsY7l3vbNDmntXuAUcDYPg5 --w/cgUwSCIvrV9MBeSG8AWqT16riHmHlsn+XI5PAJM6eij3JDahnu9Mo= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp521r1_PUB -------BEGIN PUBLIC KEY----- --MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0g7J/qa1d8ENJsobtEb0CymeZIsa --1Qiq0GiJb+4/jmFLxjBU1Xcr8Bpl1BLgvKqOll0vXTMtfzn4RtRArgAfT4c= -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp521r1 --PeerKey=BOB_zero_secp521r1_PUB --SharedSecret=003fc3028f61db94b20c7cd177923b6e73f12f0ab067c9ce8866755e3c82abb39c9863cde74fa80b32520bd7dd0eb156c30c08911503b67b2661f1264d09bb231423 -- - Title=prime256v1 curve tests + PrivateKey = RSA-2048 + -----BEGIN PRIVATE KEY----- + MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNAIHqeyrh6gbV +@@ -77,9 +71,3 @@ Result = KEYPAIR_TYPE_MISMATCH - PrivateKey=ALICE_cf_prime256v1 + PrivPubKeyPair = RSA-2048:P-256-PUBLIC + Result = KEYPAIR_TYPE_MISMATCH +- +-PrivPubKeyPair = RSA-2048:KAS-ECC-CDH_K-163_C0-PUBLIC +-Result = KEYPAIR_TYPE_MISMATCH +- +-PrivPubKeyPair = Alice-25519:KAS-ECC-CDH_K-163_C0-PUBLIC +-Result = KEYPAIR_TYPE_MISMATCH +diff -rupN --no-dereference openssl-3.0.3/test/recipes/30-test_evp.t openssl-3.0.3-new/test/recipes/30-test_evp.t +--- openssl-3.0.3/test/recipes/30-test_evp.t 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/recipes/30-test_evp.t 2022-06-02 14:30:33.248053380 +0200 +@@ -116,7 +116,6 @@ my @defltfiles = qw( + evppkey_kdf_tls1_prf.txt + evppkey_rsa.txt + ); +-push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + + plan tests => +diff -rupN --no-dereference openssl-3.0.3/test/recipes/65-test_cmp_protect.t openssl-3.0.3-new/test/recipes/65-test_cmp_protect.t +--- openssl-3.0.3/test/recipes/65-test_cmp_protect.t 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/recipes/65-test_cmp_protect.t 2022-06-02 14:30:33.246053380 +0200 +@@ -7,7 +7,6 @@ + # this file except in compliance with the License. You can obtain a copy + # in the file LICENSE in the source distribution or at + # https://www.openssl.org/source/license.html +- + use strict; + use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; + use OpenSSL::Test::Utils; +@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo + plan skip_all => "This test is not supported in a shared library build on Windows" + if $^O eq 'MSWin32' && !disabled("shared"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_protect_test", + data_file("server.pem"), +diff -rupN --no-dereference openssl-3.0.3/test/recipes/65-test_cmp_vfy.t openssl-3.0.3-new/test/recipes/65-test_cmp_vfy.t +--- openssl-3.0.3/test/recipes/65-test_cmp_vfy.t 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/recipes/65-test_cmp_vfy.t 2022-06-02 14:30:33.246053380 +0200 +@@ -7,7 +7,6 @@ + # this file except in compliance with the License. You can obtain a copy + # in the file LICENSE in the source distribution or at + # https://www.openssl.org/source/license.html +- + use strict; + use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; + use OpenSSL::Test::Utils; +@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo + plan skip_all => "This test is not supported in a no-ec build" + if disabled("ec"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_vfy_test", + data_file("server.crt"), data_file("client.crt"), +diff -rupN --no-dereference openssl-3.0.3/test/ssl-tests/20-cert-select.cnf openssl-3.0.3-new/test/ssl-tests/20-cert-select.cnf +--- openssl-3.0.3/test/ssl-tests/20-cert-select.cnf 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/ssl-tests/20-cert-select.cnf 2022-06-02 14:30:33.245053380 +0200 +@@ -776,14 +776,12 @@ server = 22-ECDSA with brainpool-server + client = 22-ECDSA with brainpool-client + + [22-ECDSA with brainpool-server] +-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT +-Groups = brainpoolP256r1 +-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem + + [22-ECDSA with brainpool-client] + CipherString = aECDSA +-Groups = brainpoolP256r1 + MaxProtocol = TLSv1.2 + RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +@@ -791,9 +789,6 @@ VerifyMode = Peer + + [test-22] + ExpectedResult = Success +-ExpectedServerCANames = empty +-ExpectedServerCertType = brainpoolP256r1 +-ExpectedServerSignType = EC + + + # =========================================================== +@@ -1715,20 +1710,18 @@ server = 52-TLS 1.3 ECDSA with brainpool + client = 52-TLS 1.3 ECDSA with brainpool but no suitable groups-client + + [52-TLS 1.3 ECDSA with brainpool but no suitable groups-server] +-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT +-Groups = brainpoolP256r1 +-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem + + [52-TLS 1.3 ECDSA with brainpool but no suitable groups-client] + CipherString = aECDSA +-Groups = brainpoolP256r1 + RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + + [test-52] +-ExpectedResult = ClientFail ++ExpectedResult = Success + + + # =========================================================== +@@ -1741,9 +1734,9 @@ server = 53-TLS 1.3 ECDSA with brainpool + client = 53-TLS 1.3 ECDSA with brainpool-client + + [53-TLS 1.3 ECDSA with brainpool-server] +-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem ++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT +-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem + + [53-TLS 1.3 ECDSA with brainpool-client] + CipherString = DEFAULT +@@ -1754,7 +1747,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro + VerifyMode = Peer + + [test-53] +-ExpectedResult = ServerFail ++ExpectedResult = Success + + + # =========================================================== +diff -rupN --no-dereference openssl-3.0.3/test/ssl-tests/20-cert-select.cnf.in openssl-3.0.3-new/test/ssl-tests/20-cert-select.cnf.in +--- openssl-3.0.3/test/ssl-tests/20-cert-select.cnf.in 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/ssl-tests/20-cert-select.cnf.in 2022-06-02 14:30:33.245053380 +0200 +@@ -428,21 +428,21 @@ my @tests_non_fips = ( + { + name => "ECDSA with brainpool", + server => { +- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), +- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), +- "Groups" => "brainpoolP256r1", ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), ++ #"Groups" => "brainpoolP256r1", + }, + client => { + "MaxProtocol" => "TLSv1.2", + "CipherString" => "aECDSA", + "RequestCAFile" => test_pem("root-cert.pem"), +- "Groups" => "brainpoolP256r1", ++ #"Groups" => "brainpoolP256r1", + }, + test => { +- "ExpectedServerCertType" =>, "brainpoolP256r1", +- "ExpectedServerSignType" =>, "EC", ++ #"ExpectedServerCertType" =>, "brainpoolP256r1", ++ #"ExpectedServerSignType" =>, "EC", + # Note: certificate_authorities not sent for TLS < 1.3 +- "ExpectedServerCANames" =>, "empty", ++ #"ExpectedServerCANames" =>, "empty", + "ExpectedResult" => "Success" + }, + }, +@@ -896,27 +896,27 @@ my @tests_tls_1_3_non_fips = ( + { + name => "TLS 1.3 ECDSA with brainpool but no suitable groups", + server => { +- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), +- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), +- "Groups" => "brainpoolP256r1", ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), ++ #"Groups" => "brainpoolP256r1", + }, + client => { + "CipherString" => "aECDSA", + "RequestCAFile" => test_pem("root-cert.pem"), +- "Groups" => "brainpoolP256r1", ++ #"Groups" => "brainpoolP256r1", + }, + test => { + #We only configured brainpoolP256r1 on the client side, but TLSv1.3 + #is enabled and this group is not allowed in TLSv1.3. Therefore this + #should fail +- "ExpectedResult" => "ClientFail" ++ "ExpectedResult" => "Success" + }, + }, + { + name => "TLS 1.3 ECDSA with brainpool", + server => { +- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), +- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), + }, + client => { + "RequestCAFile" => test_pem("root-cert.pem"), +@@ -924,7 +924,7 @@ my @tests_tls_1_3_non_fips = ( + "MaxProtocol" => "TLSv1.3" + }, + test => { +- "ExpectedResult" => "ServerFail" ++ "ExpectedResult" => "Success" + }, + }, + ); diff --git a/0012-Disable-explicit-ec.patch b/0012-Disable-explicit-ec.patch index a1df020..6160f53 100644 --- a/0012-Disable-explicit-ec.patch +++ b/0012-Disable-explicit-ec.patch @@ -1,6 +1,6 @@ -diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_lib.c ---- openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec 2022-02-22 09:08:48.557823665 +0100 -+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-02-22 09:09:26.634133847 +0100 +diff -rupN --no-dereference openssl-3.0.3/crypto/ec/ec_lib.c openssl-3.0.3-new/crypto/ec/ec_lib.c +--- openssl-3.0.3/crypto/ec/ec_lib.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/crypto/ec/ec_lib.c 2022-06-02 14:30:33.453053385 +0200 @@ -1458,7 +1458,7 @@ static EC_GROUP *ec_group_explicit_to_na goto err; } @@ -10,38 +10,10 @@ diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/cryp } EC_GROUP_free(dup); return ret_group; -diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c ---- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec 2022-02-22 13:04:16.850856612 +0100 -+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-02-22 14:16:19.848369641 +0100 -@@ -936,11 +936,8 @@ int ec_validate(const void *keydata, int - if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { - int flags = EC_KEY_get_flags(eck); - -- if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0) -- ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck), -- (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx); -- else -- ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); -+ ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck), -+ (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx); - } - - if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { -@@ -1217,6 +1214,10 @@ static int ec_gen_assign_group(EC_KEY *e - ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET); - return 0; - } -+ if (EC_GROUP_get_curve_name(group) == NID_undef) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE); -+ return 0; -+ } - return EC_KEY_set_group(ec, group) > 0; - } - -diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c ---- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec 2022-02-25 11:44:19.554673396 +0100 -+++ openssl-3.0.1/providers/common/securitycheck.c 2022-02-25 12:16:38.168610089 +0100 -@@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx +diff -rupN --no-dereference openssl-3.0.3/providers/common/securitycheck.c openssl-3.0.3-new/providers/common/securitycheck.c +--- openssl-3.0.3/providers/common/securitycheck.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/providers/common/securitycheck.c 2022-06-02 14:30:33.454053385 +0200 +@@ -92,22 +92,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) @@ -78,3 +50,31 @@ diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec open curve_name = EC_curve_nid2nist(nid); if (curve_name == NULL) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, +diff -rupN --no-dereference openssl-3.0.3/providers/implementations/keymgmt/ec_kmgmt.c openssl-3.0.3-new/providers/implementations/keymgmt/ec_kmgmt.c +--- openssl-3.0.3/providers/implementations/keymgmt/ec_kmgmt.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/providers/implementations/keymgmt/ec_kmgmt.c 2022-06-02 14:30:33.454053385 +0200 +@@ -932,11 +932,8 @@ int ec_validate(const void *keydata, int + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { + int flags = EC_KEY_get_flags(eck); + +- if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0) +- ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck), +- (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx); +- else +- ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); ++ ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck), ++ (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx); + } + + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { +@@ -1213,6 +1210,10 @@ static int ec_gen_assign_group(EC_KEY *e + ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET); + return 0; + } ++ if (EC_GROUP_get_curve_name(group) == NID_undef) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE); ++ return 0; ++ } + return EC_KEY_set_group(ec, group) > 0; + } + diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch index 0c182e7..6592f35 100644 --- a/0024-load-legacy-prov.patch +++ b/0024-load-legacy-prov.patch @@ -1,6 +1,6 @@ -diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf ---- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200 -+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200 +diff -rupN --no-dereference openssl-3.0.3/apps/openssl.cnf openssl-3.0.3-new/apps/openssl.cnf +--- openssl-3.0.3/apps/openssl.cnf 2022-06-02 14:30:32.453053362 +0200 ++++ openssl-3.0.3-new/apps/openssl.cnf 2022-06-02 14:30:33.645053389 +0200 @@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 @@ -55,9 +55,9 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c [ ssl_module ] -diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod ---- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200 -+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200 +diff -rupN --no-dereference openssl-3.0.3/doc/man5/config.pod openssl-3.0.3-new/doc/man5/config.pod +--- openssl-3.0.3/doc/man5/config.pod 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/doc/man5/config.pod 2022-06-02 14:30:33.646053389 +0200 @@ -273,6 +273,14 @@ significant. All parameters in the section as well as sub-sections are made available to the provider. diff --git a/0051-Support-different-R_BITS-lengths-for-KBKDF.patch b/0051-Support-different-R_BITS-lengths-for-KBKDF.patch index eb8b5e3..2579135 100644 --- a/0051-Support-different-R_BITS-lengths-for-KBKDF.patch +++ b/0051-Support-different-R_BITS-lengths-for-KBKDF.patch @@ -1,27 +1,7 @@ -From 0e9a265e42890699dfce82f1ff6905de6aafbd41 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Thu, 18 Nov 2021 10:47:14 +0100 -Subject: [PATCH] Support different R_BITS lengths for KBKDF - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/17063) ---- - doc/man7/EVP_KDF-KB.pod | 7 + - include/openssl/core_names.h | 1 + - providers/implementations/kdfs/kbkdf.c | 30 +- - test/evp_kdf_test.c | 47 +- - test/evp_test.c | 6 + - test/recipes/30-test_evp.t | 1 + - .../30-test_evp_data/evpkdf_kbkdf_counter.txt | 1843 +++++++++++++++++ - 7 files changed, 1924 insertions(+), 11 deletions(-) - create mode 100644 test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt - -diff --git a/doc/man7/EVP_KDF-KB.pod b/doc/man7/EVP_KDF-KB.pod -index d4fad66f7654..a67268afa7d5 100644 ---- a/doc/man7/EVP_KDF-KB.pod -+++ b/doc/man7/EVP_KDF-KB.pod -@@ -58,6 +58,13 @@ Set to B<0> to disable use of the optional Fixed Input data 'zero separator' +diff -rupN --no-dereference openssl-3.0.3/doc/man7/EVP_KDF-KB.pod openssl-3.0.3-new/doc/man7/EVP_KDF-KB.pod +--- openssl-3.0.3/doc/man7/EVP_KDF-KB.pod 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/doc/man7/EVP_KDF-KB.pod 2022-06-02 14:30:33.841053393 +0200 +@@ -58,6 +58,13 @@ Set to B<0> to disable use of the option (see SP800-108) that is placed between the Label and Context. The default value of B<1> will be used if unspecified. @@ -35,10 +15,9 @@ index d4fad66f7654..a67268afa7d5 100644 =back Depending on whether mac is CMAC or HMAC, either digest or cipher is required -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index b549dae9167c..78418dc6e0a2 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h +diff -rupN --no-dereference openssl-3.0.3/include/openssl/core_names.h openssl-3.0.3-new/include/openssl/core_names.h +--- openssl-3.0.3/include/openssl/core_names.h 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/include/openssl/core_names.h 2022-06-02 14:30:33.842053393 +0200 @@ -217,6 +217,7 @@ extern "C" { #define OSSL_KDF_PARAM_PKCS12_ID "id" /* int */ #define OSSL_KDF_PARAM_KBKDF_USE_L "use-l" /* int */ @@ -47,10 +26,9 @@ index b549dae9167c..78418dc6e0a2 100644 #define OSSL_KDF_PARAM_X942_ACVPINFO "acvp-info" #define OSSL_KDF_PARAM_X942_PARTYUINFO "partyu-info" #define OSSL_KDF_PARAM_X942_PARTYVINFO "partyv-info" -diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c -index 01f7f0d4fd2e..a81cc6e0c0d6 100644 ---- a/providers/implementations/kdfs/kbkdf.c -+++ b/providers/implementations/kdfs/kbkdf.c +diff -rupN --no-dereference openssl-3.0.3/providers/implementations/kdfs/kbkdf.c openssl-3.0.3-new/providers/implementations/kdfs/kbkdf.c +--- openssl-3.0.3/providers/implementations/kdfs/kbkdf.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/providers/implementations/kdfs/kbkdf.c 2022-06-02 14:30:33.842053393 +0200 @@ -60,6 +60,7 @@ typedef struct { EVP_MAC_CTX *ctx_init; @@ -67,7 +45,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644 ctx->use_l = 1; ctx->use_separator = 1; } -@@ -152,7 +154,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, +@@ -152,7 +154,7 @@ static int derive(EVP_MAC_CTX *ctx_init, size_t iv_len, unsigned char *label, size_t label_len, unsigned char *context, size_t context_len, unsigned char *k_i, size_t h, uint32_t l, int has_separator, @@ -76,7 +54,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644 { int ret = 0; EVP_MAC_CTX *ctx = NULL; -@@ -186,7 +188,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, +@@ -186,7 +188,7 @@ static int derive(EVP_MAC_CTX *ctx_init, if (mode == FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len)) goto done; @@ -85,7 +63,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644 || !EVP_MAC_update(ctx, label, label_len) || (has_separator && !EVP_MAC_update(ctx, &zero, 1)) || !EVP_MAC_update(ctx, context, context_len) -@@ -217,6 +219,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -217,6 +219,7 @@ static int kbkdf_derive(void *vctx, unsi unsigned char *k_i = NULL; uint32_t l = 0; size_t h = 0; @@ -93,7 +71,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644 if (!ossl_prov_is_running() || !kbkdf_set_ctx_params(ctx, params)) return 0; -@@ -248,6 +251,15 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -248,6 +251,15 @@ static int kbkdf_derive(void *vctx, unsi goto done; } @@ -109,7 +87,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644 if (ctx->use_l != 0) l = be32(keylen * 8); -@@ -257,7 +269,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, +@@ -257,7 +269,7 @@ static int kbkdf_derive(void *vctx, unsi ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label, ctx->label_len, ctx->context, ctx->context_len, k_i, h, l, @@ -118,7 +96,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644 done: if (ret != 1) OPENSSL_cleanse(key, keylen); -@@ -328,6 +340,17 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +@@ -329,6 +341,17 @@ static int kbkdf_set_ctx_params(void *vc if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_l)) return 0; @@ -136,7 +114,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644 p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR); if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_separator)) return 0; -@@ -354,6 +377,7 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, +@@ -355,6 +378,7 @@ static const OSSL_PARAM *kbkdf_settable_ OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_L, NULL), OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR, NULL), @@ -144,10 +122,9 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644 OSSL_PARAM_END, }; return known_settable_ctx_params; -diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c -index 7fde5ea4111c..173d8cb8b87b 100644 ---- a/test/evp_kdf_test.c -+++ b/test/evp_kdf_test.c +diff -rupN --no-dereference openssl-3.0.3/test/evp_kdf_test.c openssl-3.0.3-new/test/evp_kdf_test.c +--- openssl-3.0.3/test/evp_kdf_test.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/evp_kdf_test.c 2022-06-02 14:30:33.842053393 +0200 @@ -1068,9 +1068,9 @@ static int test_kdf_kbkdf_6803_256(void) #endif @@ -160,7 +137,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644 OSSL_PARAM *p = params; if (params == NULL) -@@ -1088,6 +1088,8 @@ static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char +@@ -1088,6 +1088,8 @@ static OSSL_PARAM *construct_kbkdf_param OSSL_KDF_PARAM_SALT, salt, strlen(salt)); *p++ = OSSL_PARAM_construct_octet_string( OSSL_KDF_PARAM_INFO, info, strlen(info)); @@ -169,7 +146,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644 *p = OSSL_PARAM_construct_end(); return params; -@@ -1100,8 +1102,9 @@ static int test_kdf_kbkdf_invalid_digest(void) +@@ -1100,8 +1102,9 @@ static int test_kdf_kbkdf_invalid_digest OSSL_PARAM *params; static unsigned char key[] = {0x01}; @@ -180,7 +157,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644 if (!TEST_ptr(params)) return 0; -@@ -1122,8 +1125,9 @@ static int test_kdf_kbkdf_invalid_mac(void) +@@ -1122,8 +1125,9 @@ static int test_kdf_kbkdf_invalid_mac(vo OSSL_PARAM *params; static unsigned char key[] = {0x01}; @@ -191,7 +168,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644 if (!TEST_ptr(params)) return 0; -@@ -1137,6 +1141,30 @@ static int test_kdf_kbkdf_invalid_mac(void) +@@ -1137,6 +1141,30 @@ static int test_kdf_kbkdf_invalid_mac(vo return ret; } @@ -222,7 +199,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644 static int test_kdf_kbkdf_empty_key(void) { int ret; -@@ -1145,8 +1173,9 @@ static int test_kdf_kbkdf_empty_key(void) +@@ -1145,8 +1173,9 @@ static int test_kdf_kbkdf_empty_key(void static unsigned char key[] = {0x01}; unsigned char result[32] = { 0 }; @@ -233,7 +210,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644 if (!TEST_ptr(params)) return 0; -@@ -1169,8 +1198,9 @@ static int test_kdf_kbkdf_1byte_key(void) +@@ -1169,8 +1198,9 @@ static int test_kdf_kbkdf_1byte_key(void static unsigned char key[] = {0x01}; unsigned char result[32] = { 0 }; @@ -244,7 +221,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644 if (!TEST_ptr(params)) return 0; -@@ -1191,8 +1221,9 @@ static int test_kdf_kbkdf_zero_output_size(void) +@@ -1191,8 +1221,9 @@ static int test_kdf_kbkdf_zero_output_si static unsigned char key[] = {0x01}; unsigned char result[32] = { 0 }; @@ -255,7 +232,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644 if (!TEST_ptr(params)) return 0; -@@ -1298,7 +1329,6 @@ static int test_kdf_kbkdf_8009_prf2(void) +@@ -1298,7 +1329,6 @@ static int test_kdf_kbkdf_8009_prf2(void * Test vector taken from * https://csrc.nist.gov/CSRC/media/Projects/ * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip @@ -271,11 +248,10 @@ index 7fde5ea4111c..173d8cb8b87b 100644 ADD_TEST(test_kdf_kbkdf_zero_output_size); ADD_TEST(test_kdf_kbkdf_empty_key); ADD_TEST(test_kdf_kbkdf_1byte_key); -diff --git a/test/evp_test.c b/test/evp_test.c -index 70996195f0cb..6ae862b04403 100644 ---- a/test/evp_test.c -+++ b/test/evp_test.c -@@ -2639,6 +2639,12 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx, +diff -rupN --no-dereference openssl-3.0.3/test/evp_test.c openssl-3.0.3-new/test/evp_test.c +--- openssl-3.0.3/test/evp_test.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/test/evp_test.c 2022-06-02 14:30:33.843053393 +0200 +@@ -2742,6 +2742,12 @@ static int kdf_test_ctrl(EVP_TEST *t, EV TEST_info("skipping, '%s' is disabled", p); t->skip = 1; } @@ -288,23 +264,9 @@ index 70996195f0cb..6ae862b04403 100644 OPENSSL_free(name); return 1; } -diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t -index 7ae546e1d70c..7b976c0a1b5e 100644 ---- a/test/recipes/30-test_evp.t -+++ b/test/recipes/30-test_evp.t -@@ -45,6 +45,7 @@ my @files = qw( - evpciph_aes_stitched.txt - evpciph_des3_common.txt - evpkdf_hkdf.txt -+ evpkdf_kbkdf_counter.txt - evpkdf_pbkdf1.txt - evpkdf_pbkdf2.txt - evpkdf_ss.txt -diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt -new file mode 100644 -index 000000000000..04ab8ff0fad7 ---- /dev/null -+++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt +diff -rupN --no-dereference openssl-3.0.3/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt openssl-3.0.3-new/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt +--- openssl-3.0.3/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt 1970-01-01 01:00:00.000000000 +0100 ++++ openssl-3.0.3-new/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt 2022-06-02 14:30:33.847053394 +0200 @@ -0,0 +1,1843 @@ +# +# Copyright 2021-2021 The OpenSSL Project Authors. All Rights Reserved. @@ -2149,3 +2111,14 @@ index 000000000000..04ab8ff0fad7 +Ctrl.hexinfo = hexinfo:8e9db3335779db688bcfe096668d9c3bc64e193e3529c430e68d09d56c837dd6c0f94678f121a68ee1feea4735da85a49d34a5290aa39f7b40de435f +Output = 6db880daac98b078ee389a2164252ded61322d661e2b49247ea921e544675d8f17af2bf66dd40d81 + +diff -rupN --no-dereference openssl-3.0.3/test/recipes/30-test_evp.t openssl-3.0.3-new/test/recipes/30-test_evp.t +--- openssl-3.0.3/test/recipes/30-test_evp.t 2022-06-02 14:30:33.449053385 +0200 ++++ openssl-3.0.3-new/test/recipes/30-test_evp.t 2022-06-02 14:30:33.843053393 +0200 +@@ -45,6 +45,7 @@ my @files = qw( + evpciph_aes_stitched.txt + evpciph_des3_common.txt + evpkdf_hkdf.txt ++ evpkdf_kbkdf_counter.txt + evpkdf_pbkdf1.txt + evpkdf_pbkdf2.txt + evpkdf_ss.txt diff --git a/mingw-openssl.spec b/mingw-openssl.spec index 1616bac..3f96849 100644 --- a/mingw-openssl.spec +++ b/mingw-openssl.spec @@ -14,8 +14,8 @@ %global run_tests 0 Name: mingw-openssl -Version: 3.0.2 -Release: 2%{?dist} +Version: 3.0.3 +Release: 1%{?dist} Summary: MinGW port of the OpenSSL toolkit License: OpenSSL @@ -376,6 +376,9 @@ mkdir -m700 %{buildroot}%{mingw64_sysconfdir}/pki/CA/private %changelog +* Thu Jun 02 2022 Sandro Mani - 3.0.3-1 +- Update to 3.0.3 + * Fri Mar 25 2022 Sandro Mani - 3.0.2-2 - Rebuild with mingw-gcc-12 diff --git a/openssl_compute_moddir.patch b/openssl_compute_moddir.patch index 6bef68e..c8adeb8 100644 --- a/openssl_compute_moddir.patch +++ b/openssl_compute_moddir.patch @@ -1,7 +1,7 @@ -diff -rupN openssl-3.0.0/Configurations/10-main.conf openssl-3.0.0-new/Configurations/10-main.conf ---- openssl-3.0.0/Configurations/10-main.conf 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-new/Configurations/10-main.conf 2022-02-21 20:18:52.135333228 +0100 -@@ -1469,7 +1469,7 @@ my %targets = ( +diff -rupN --no-dereference openssl-3.0.3/Configurations/10-main.conf openssl-3.0.3-new/Configurations/10-main.conf +--- openssl-3.0.3/Configurations/10-main.conf 2022-06-02 14:30:31.872053349 +0200 ++++ openssl-3.0.3-new/Configurations/10-main.conf 2022-06-02 14:30:34.045053398 +0200 +@@ -1479,7 +1479,7 @@ my %targets = ( cppflags => combine("-DUNICODE -D_UNICODE -DWIN32_LEAN_AND_MEAN", threads("-D_MT")), lib_cppflags => "-DL_ENDIAN", @@ -10,9 +10,9 @@ diff -rupN openssl-3.0.0/Configurations/10-main.conf openssl-3.0.0-new/Configura thread_scheme => "winthreads", dso_scheme => "win32", shared_target => "mingw-shared", -diff -rupN openssl-3.0.0/crypto/provider_core.c openssl-3.0.0-new/crypto/provider_core.c ---- openssl-3.0.0/crypto/provider_core.c 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-new/crypto/provider_core.c 2022-02-21 20:02:05.674653366 +0100 +diff -rupN --no-dereference openssl-3.0.3/crypto/provider_core.c openssl-3.0.3-new/crypto/provider_core.c +--- openssl-3.0.3/crypto/provider_core.c 2022-05-03 15:32:01.000000000 +0200 ++++ openssl-3.0.3-new/crypto/provider_core.c 2022-06-02 14:30:34.045053398 +0200 @@ -27,6 +27,10 @@ #ifndef FIPS_MODULE # include @@ -24,7 +24,7 @@ diff -rupN openssl-3.0.0/crypto/provider_core.c openssl-3.0.0-new/crypto/provide /* * This file defines and uses a number of different structures: -@@ -865,6 +869,27 @@ static int provider_init(OSSL_PROVIDER * +@@ -872,6 +876,27 @@ static int provider_init(OSSL_PROVIDER * if (load_dir == NULL) { load_dir = ossl_safe_getenv("OPENSSL_MODULES"); diff --git a/sources b/sources index 3437431..134d27a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.0.2-hobbled.tar.gz) = e62f95ef9a81555f8c7bb4e68bfbd14bd81040f112dd88a1e515160623e6d3a0b68d0d8b9b12905f67b06834bd152edfbabca4b528a4887b15dd153d60ad36d5 +SHA512 (openssl-3.0.3-hobbled.tar.gz) = 474a6309e0457ad33ec4b5f98606ba7ee6fa15dd0abb26a1da80fa37e3fc0ec535b858e03aceb4ce675dcce6a26796c802d8bf8ebb4adc350e6b3ea95810a61b