import UBI openssl-3.2.2-6.el9_5
parent
4dcec3609d
commit
606ecb94d8
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/openssl-3.0.7.tar.gz
|
||||
SOURCES/openssl-3.2.2.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
f20736d6aae36bcbfa9aba0d358c71601833bf27 SOURCES/openssl-3.0.7.tar.gz
|
||||
b12311372a0277ca0eb218a68a7fd9f5ce66d162 SOURCES/openssl-3.2.2.tar.gz
|
||||
|
@ -12,15 +12,15 @@ diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tm
|
||||
index 342e46d24d..9f369edf0e 100644
|
||||
--- a/Configurations/unix-Makefile.tmpl
|
||||
+++ b/Configurations/unix-Makefile.tmpl
|
||||
@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime
|
||||
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
|
||||
|
||||
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
|
||||
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
|
||||
|
||||
-install_docs: install_man_docs install_html_docs
|
||||
+install_docs: install_man_docs
|
||||
-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation
|
||||
+install_docs: install_man_docs ## Install manpages
|
||||
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
||||
$(RM) -r $(DESTDIR)$(DOCDIR)
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
|
||||
$(RM) -r "$(DESTDIR)$(DOCDIR)"
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -6,20 +6,19 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
||||
(was openssl-1.1.1-system-cipherlist.patch)
|
||||
---
|
||||
Configurations/unix-Makefile.tmpl | 5 ++
|
||||
Configure | 10 +++-
|
||||
Configure | 11 +++-
|
||||
doc/man1/openssl-ciphers.pod.in | 9 ++++
|
||||
include/openssl/ssl.h.in | 5 ++
|
||||
ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++----
|
||||
ssl/ssl_ciph.c | 86 +++++++++++++++++++++++++++----
|
||||
ssl/ssl_lib.c | 4 +-
|
||||
test/cipherlist_test.c | 2 +
|
||||
util/libcrypto.num | 1 +
|
||||
8 files changed, 110 insertions(+), 14 deletions(-)
|
||||
7 files changed, 109 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
||||
index 9f369edf0e..c52389f831 100644
|
||||
--- a/Configurations/unix-Makefile.tmpl
|
||||
+++ b/Configurations/unix-Makefile.tmpl
|
||||
@@ -269,6 +269,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||
HTMLDIR=$(DOCDIR)/html
|
||||
|
||||
@ -30,7 +29,7 @@ index 9f369edf0e..c52389f831 100644
|
||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||
# appended after the manpage file section number. "ssl" is popular,
|
||||
# resulting in files such as config.5ssl rather than config.5.
|
||||
@@ -292,6 +296,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||
@ -38,11 +37,54 @@ index 9f369edf0e..c52389f831 100644
|
||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||
@{$config{CPPFLAGS}}) -}
|
||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||
diff --git a/Configure b/Configure
|
||||
index cca1ac8d16..2ae1cd0bc2 100755
|
||||
--- a/Configure
|
||||
+++ b/Configure
|
||||
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||
my $orig_death_handler = $SIG{__DIE__};
|
||||
$SIG{__DIE__} = \&death_handler;
|
||||
|
||||
-my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
+my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
|
||||
my $banner = <<"EOF";
|
||||
|
||||
@@ -61,6 +61,10 @@ EOF
|
||||
# given with --prefix.
|
||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||
# (Default: PREFIX/ssl)
|
||||
+#
|
||||
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
||||
+# cipher is specified (default).
|
||||
+#
|
||||
# --banner=".." Output specified text instead of default completion banner
|
||||
#
|
||||
# -w Don't wait after showing a Configure warning
|
||||
@@ -394,6 +398,7 @@ $config{prefix}="";
|
||||
$config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
+$config{system_ciphers_file}="";
|
||||
my $auto_threads=1; # enable threads automatically? true by default
|
||||
my $default_ranlib;
|
||||
|
||||
@@ -1047,6 +1052,10 @@ while (@argvcopy)
|
||||
die "FIPS key too long (64 bytes max)\n"
|
||||
if length $1 > 64;
|
||||
}
|
||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||
+ {
|
||||
+ $config{system_ciphers_file}=$1;
|
||||
+ }
|
||||
elsif (/^--banner=(.*)$/)
|
||||
{
|
||||
$banner = $1 . "\n";
|
||||
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
|
||||
index b4ed3e51d5..2122e6bdfd 100644
|
||||
--- a/doc/man1/openssl-ciphers.pod.in
|
||||
+++ b/doc/man1/openssl-ciphers.pod.in
|
||||
@@ -187,6 +187,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
|
||||
@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
|
||||
|
||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||
|
||||
@ -78,7 +120,7 @@ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index b1d3f7919e..f7cc7fed48 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -1411,6 +1411,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -91,7 +133,7 @@ index b1d3f7919e..f7cc7fed48 100644
|
||||
+ const char *ciphers_path;
|
||||
+ unsigned len, slen;
|
||||
+
|
||||
+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
||||
+ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
||||
+ ciphers_path = SYSTEM_CIPHERS_FILE;
|
||||
+ fp = fopen(ciphers_path, "r");
|
||||
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
||||
@ -160,10 +202,10 @@ index b1d3f7919e..f7cc7fed48 100644
|
||||
|
||||
/*
|
||||
* To reduce the work to do we only want to process the compiled
|
||||
@@ -1456,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
if (num_of_ciphers > 0) {
|
||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||
if (co_list == NULL) {
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||
if (co_list == NULL)
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
@ -179,12 +221,10 @@ index b1d3f7919e..f7cc7fed48 100644
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1568,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
@@ -1611,7 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||
OPENSSL_free(co_list);
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
@ -252,7 +292,7 @@ index d14d5819ba..48d491219a 100644
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
goto err;
|
||||
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
|
||||
index 380f0727fc..6922a87c30 100644
|
||||
--- a/test/cipherlist_test.c
|
||||
@ -266,58 +306,7 @@ index 380f0727fc..6922a87c30 100644
|
||||
+#endif
|
||||
ADD_TEST(test_default_cipherlist_explicit);
|
||||
ADD_TEST(test_default_cipherlist_clear);
|
||||
return 1;
|
||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||
index 404a706fab..e81fa9ec3e 100644
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION:
|
||||
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||
ADD_TEST(test_stdname_cipherlist);
|
||||
--
|
||||
2.26.2
|
||||
|
||||
diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure
|
||||
--- openssl-3.0.0-beta1/Configure.sys-default 2021-06-29 11:47:58.978144386 +0200
|
||||
+++ openssl-3.0.0-beta1/Configure 2021-06-29 11:52:01.631126260 +0200
|
||||
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||
my $orig_death_handler = $SIG{__DIE__};
|
||||
$SIG{__DIE__} = \&death_handler;
|
||||
|
||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
|
||||
my $banner = <<"EOF";
|
||||
|
||||
@@ -61,6 +61,10 @@ EOF
|
||||
# given with --prefix.
|
||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||
# (Default: PREFIX/ssl)
|
||||
+#
|
||||
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
||||
+# cipher is specified (default).
|
||||
+#
|
||||
# --banner=".." Output specified text instead of default completion banner
|
||||
#
|
||||
# -w Don't wait after showing a Configure warning
|
||||
@@ -385,6 +389,7 @@ $config{prefix}="";
|
||||
$config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
+$config{system_ciphers_file}="";
|
||||
my $auto_threads=1; # enable threads automatically? true by default
|
||||
my $default_ranlib;
|
||||
|
||||
@@ -987,6 +992,10 @@ while (@argvcopy)
|
||||
die "FIPS key too long (64 bytes max)\n"
|
||||
if length $1 > 64;
|
||||
}
|
||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||
+ {
|
||||
+ $config{system_ciphers_file}=$1;
|
||||
+ }
|
||||
elsif (/^--banner=(.*)$/)
|
||||
{
|
||||
$banner = $1 . "\n";
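Review bot: The switch from `ossl_safe_getenv()` to `secure_getenv()` in the ssl_ciph.c hunk (the `OPENSSL_SYSTEM_CIPHERS_OVERRIDE` lookup that picks the file `fopen(ciphers_path, "r")` reads) keeps the property that matters here, since both return NULL in AT_SECURE (setuid/setgid) processes and an unprivileged caller still cannot point a privileged program at an attacker-controlled cipher file, but `secure_getenv()` is a glibc extension that needs `_GNU_SOURCE` defined before `<stdlib.h>`, which the hunk does not show, and it drops the portable fallback the OpenSSL wrapper provided. Presumably the change is forced by this same commit dropping the `ossl_safe_getenv` line from util/libcrypto.num, which leaves libssl without access to the now-internal helper; that reasoning belongs in the patch description rather than being left for the next rebaser to rediscover. I would add a comment above the lookup: `/* secure_getenv() returns NULL under AT_SECURE, so a setuid program cannot be redirected to an untrusted cipher file. */`. The enclosing function starts and ends outside the hunk.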
|
||||
|
@ -1,9 +1,25 @@
|
||||
diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c
|
||||
--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100
|
||||
+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100
|
||||
@@ -12,11 +12,46 @@
|
||||
#include "internal/provider.h"
|
||||
#include "crypto/ctype.h"
|
||||
From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
||||
Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
|
||||
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
Patch-id: 9
|
||||
Patch-status: |
|
||||
# Add check to see if fips flag is enabled in kernel
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++
|
||||
include/internal/provider.h | 3 +++
|
||||
2 files changed, 39 insertions(+)
|
||||
|
||||
diff --git a/crypto/context.c b/crypto/context.c
|
||||
index e294ea1512..51002ba79a 100644
|
||||
--- a/crypto/context.c
|
||||
+++ b/crypto/context.c
|
||||
@@ -16,6 +16,41 @@
|
||||
#include "crypto/decoder.h"
|
||||
#include "crypto/context.h"
|
||||
|
||||
+# include <sys/types.h>
|
||||
+# include <sys/stat.h>
|
||||
@ -11,11 +27,6 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1
|
||||
+# include <unistd.h>
|
||||
+# include <openssl/evp.h>
|
||||
+
|
||||
struct ossl_lib_ctx_onfree_list_st {
|
||||
ossl_lib_ctx_onfree_fn *fn;
|
||||
struct ossl_lib_ctx_onfree_list_st *next;
|
||||
};
|
||||
|
||||
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
||||
+
|
||||
+static int kernel_fips_flag;
|
||||
@ -25,7 +36,7 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1
|
||||
+ char buf[2] = "0";
|
||||
+ int fd;
|
||||
+
|
||||
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
+ buf[0] = '1';
|
||||
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||
@ -46,20 +57,21 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1
|
||||
+
|
||||
+
|
||||
struct ossl_lib_ctx_st {
|
||||
CRYPTO_RWLOCK *lock;
|
||||
CRYPTO_EX_DATA data;
|
||||
@@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte
|
||||
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
|
||||
OSSL_EX_DATA_GLOBAL global;
|
||||
@@ -336,6 +371,7 @@ static int default_context_inited = 0;
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
||||
{
|
||||
+ read_kernel_fips_flag();
|
||||
return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)
|
||||
&& context_init(&default_context_int);
|
||||
}
|
||||
diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h
|
||||
--- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100
|
||||
+++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100
|
||||
@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB
|
||||
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
|
||||
goto err;
|
||||
|
||||
diff --git a/include/internal/provider.h b/include/internal/provider.h
|
||||
index 18937f84c7..1446bf7afb 100644
|
||||
--- a/include/internal/provider.h
|
||||
+++ b/include/internal/provider.h
|
||||
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
|
||||
const OSSL_DISPATCH *in);
|
||||
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
||||
|
||||
@ -69,3 +81,6 @@ diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/incl
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
# endif
|
||||
--
|
||||
2.41.0
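Review bot: Replacing `ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE")` with `secure_getenv()` in the crypto/context.c hunk (the kernel-FIPS flag reader invoked as `read_kernel_fips_flag()` later in the patch) preserves the AT_SECURE behaviour, where the variable is ignored for setuid/setgid processes, which is what you want for a switch that forces FIPS mode, but unlike libssl this file is inside libcrypto where the portable `ossl_safe_getenv()` wrapper is still available, so the motivation is unclear and `secure_getenv()` additionally requires `_GNU_SOURCE` (glibc 2.17+), which the hunk does not define. If the change is deliberate for consistency with the ssl_ciph.c patch, say so in the Patch-status text; otherwise keep the wrapper. Either way a one-line comment, `/* ignored under AT_SECURE: a setuid process cannot be forced into FIPS mode via the environment */`, would save the next rebaser the same question. The function body continues outside the hunk.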
|
||||
|
||||
|
@ -1,10 +1,29 @@
|
||||
diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
--- ./crypto/ec/ec_curve.c.remove-ec 2023-03-13 16:50:09.278933578 +0100
|
||||
+++ ./crypto/ec/ec_curve.c 2023-03-21 12:38:57.696531941 +0100
|
||||
@@ -32,38 +32,6 @@ typedef struct {
|
||||
From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
||||
Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch
|
||||
|
||||
Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch
|
||||
Patch-id: 10
|
||||
Patch-status: |
|
||||
# Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
|
||||
# that new modifications made to these files by upstream are not lost.
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
crypto/ec/ec_curve.c | 844 -------------------------------------------
|
||||
test/ectest.c | 174 +--------
|
||||
2 files changed, 8 insertions(+), 1010 deletions(-)
|
||||
|
||||
diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
|
||||
index b5b2f3342d..d32a768fe6 100644
|
||||
--- a/crypto/ec/ec_curve.c
|
||||
+++ b/crypto/ec/ec_curve.c
|
||||
@@ -30,38 +30,6 @@ typedef struct {
|
||||
} EC_CURVE_DATA;
|
||||
|
||||
/* the nist prime curves */
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
-static const struct {
|
||||
- EC_CURVE_DATA h;
|
||||
- unsigned char data[20 + 24 * 6];
|
||||
-} _EC_NIST_PRIME_192 = {
|
||||
- {
|
||||
@ -35,11 +54,9 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
- }
|
||||
-};
|
||||
-
|
||||
-static const struct {
|
||||
- EC_CURVE_DATA h;
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 28 * 6];
|
||||
} _EC_NIST_PRIME_224 = {
|
||||
{
|
||||
@@ -200,187 +168,6 @@ static const struct {
|
||||
}
|
||||
};
|
||||
@ -228,10 +245,12 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 32 * 6];
|
||||
@@ -423,294 +210,6 @@ static const struct {
|
||||
@@ -421,294 +208,6 @@ static const struct {
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
/* the secg prime curves (minus the nist and x9.62 prime curves) */
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
-static const struct {
|
||||
- EC_CURVE_DATA h;
|
||||
- unsigned char data[20 + 14 * 6];
|
||||
-} _EC_SECG_PRIME_112R1 = {
|
||||
- {
|
||||
@ -518,11 +537,9 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
- }
|
||||
-};
|
||||
-
|
||||
-static const struct {
|
||||
- EC_CURVE_DATA h;
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[0 + 32 * 6];
|
||||
} _EC_SECG_PRIME_256K1 = {
|
||||
{
|
||||
@@ -745,102 +244,6 @@ static const struct {
|
||||
}
|
||||
};
|
||||
@ -626,10 +643,12 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
#endif /* FIPS_MODULE */
|
||||
|
||||
#ifndef OPENSSL_NO_EC2M
|
||||
@@ -2238,198 +1641,6 @@ static const struct {
|
||||
@@ -2236,198 +1639,6 @@ static const struct {
|
||||
*/
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
-static const struct {
|
||||
- EC_CURVE_DATA h;
|
||||
- unsigned char data[0 + 20 * 6];
|
||||
-} _EC_brainpoolP160r1 = {
|
||||
- {
|
||||
@ -820,12 +839,10 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
- }
|
||||
-};
|
||||
-
|
||||
-static const struct {
|
||||
- EC_CURVE_DATA h;
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[0 + 32 * 6];
|
||||
} _EC_brainpoolP256r1 = {
|
||||
{
|
||||
@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[
|
||||
@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[] = {
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
|
||||
/* X9.62 curves */
|
||||
@ -834,7 +851,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
# if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[
|
||||
@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[] = {
|
||||
static const ec_list_element curve_list[] = {
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
@ -860,7 +877,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[
|
||||
@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[] = {
|
||||
# endif
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
/* X9.62 curves */
|
||||
@ -879,7 +896,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
# if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[
|
||||
@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[] = {
|
||||
{NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0,
|
||||
"X9.62 curve over a 163 bit binary field"},
|
||||
# endif
|
||||
@ -902,7 +919,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
/* IPSec curves */
|
||||
{NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0,
|
||||
@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[
|
||||
@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[] = {
|
||||
"\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
|
||||
# endif
|
||||
/* brainpool curves */
|
||||
@ -921,9 +938,10 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
|
||||
{NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0,
|
||||
"RFC 5639 curve over a 256 bit prime field"},
|
||||
{NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0,
|
||||
diff -up ./test/ectest.c.remove-ec ./test/ectest.c
|
||||
--- ./test/ectest.c.remove-ec 2023-03-13 18:39:30.544642912 +0100
|
||||
+++ ./test/ectest.c 2023-03-20 07:27:26.403212965 +0100
|
||||
diff --git a/test/ectest.c b/test/ectest.c
|
||||
index afef85b0e6..4890b0555e 100644
|
||||
--- a/test/ectest.c
|
||||
+++ b/test/ectest.c
|
||||
@@ -175,184 +175,26 @@ static int prime_field_tests(void)
|
||||
|| !TEST_ptr(p = BN_new())
|
||||
|| !TEST_ptr(a = BN_new())
|
||||
@ -1117,11 +1135,14 @@ diff -up ./test/ectest.c.remove-ec ./test/ectest.c
|
||||
|| !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|
||||
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
|
||||
@@ -3015,7 +2857,7 @@ int setup_tests(void)
|
||||
return 0;
|
||||
|
||||
ADD_TEST(parameter_test);
|
||||
ADD_TEST(ossl_parameter_test);
|
||||
- ADD_TEST(cofactor_range_test);
|
||||
+ /* ADD_TEST(cofactor_range_test); */
|
||||
ADD_ALL_TESTS(cardinality_test, crv_len);
|
||||
ADD_TEST(prime_field_tests);
|
||||
#ifndef OPENSSL_NO_EC2M
|
||||
--
|
||||
2.41.0
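Review bot: The rebased test/ectest.c hunk keeps `cofactor_range_test` disabled by commenting out its `ADD_TEST` line with no explanation, so the patch silently drops whatever coverage that test provides (by its name, cofactor range validation of EC parameters) instead of adapting it to the reduced curve set. Presumably the test depends on one of the curves this patch removes; that should be stated at the site, e.g. `/* ADD_TEST(cofactor_range_test); -- relies on a curve removed downstream */`, or better, the test should be pointed at a retained curve so the check stays exercised. From the outer hunk counts this line looks like pre-existing patch content rather than something new in this commit, but the rebase is the moment to document it. setup_tests() starts outside the hunk.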
|
||||
|
||||
|
@ -1,7 +1,25 @@
|
||||
diff -up ./apps/speed.c.ec-curves ./apps/speed.c
|
||||
--- ./apps/speed.c.ec-curves 2023-03-14 04:44:12.545437892 +0100
|
||||
+++ ./apps/speed.c 2023-03-14 04:48:28.606729067 +0100
|
||||
@@ -366,7 +366,7 @@ static double ffdh_results[FFDH_NUM][1];
|
||||
From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 11:46:40 +0200
|
||||
Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
|
||||
|
||||
Patch-name: 0011-Remove-EC-curves.patch
|
||||
Patch-id: 11
|
||||
Patch-status: |
|
||||
# remove unsupported EC curves
|
||||
---
|
||||
apps/speed.c | 8 +---
|
||||
crypto/evp/ec_support.c | 87 ------------------------------------
|
||||
test/acvp_test.inc | 9 ----
|
||||
test/ecdsatest.h | 17 -------
|
||||
test/recipes/15-test_genec.t | 27 -----------
|
||||
5 files changed, 1 insertion(+), 147 deletions(-)
|
||||
|
||||
diff --git a/apps/speed.c b/apps/speed.c
|
||||
index cace25eda1..d527f12f18 100644
|
||||
--- a/apps/speed.c
|
||||
+++ b/apps/speed.c
|
||||
@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
enum ec_curves_t {
|
||||
@ -10,7 +28,7 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c
|
||||
#ifndef OPENSSL_NO_EC2M
|
||||
R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
|
||||
R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
|
||||
@@ -376,8 +376,6 @@ enum ec_curves_t {
|
||||
@@ -395,8 +395,6 @@ enum ec_curves_t {
|
||||
};
|
||||
/* list of ecdsa curves */
|
||||
static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
|
||||
@ -19,8 +37,8 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c
|
||||
{"ecdsap224", R_EC_P224},
|
||||
{"ecdsap256", R_EC_P256},
|
||||
{"ecdsap384", R_EC_P384},
|
||||
@@ -404,8 +402,6 @@ static const OPT_PAIR ecdsa_choices[ECDS
|
||||
enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM };
|
||||
@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
|
||||
};
|
||||
/* list of ecdh curves, extension of |ecdsa_choices| list above */
|
||||
static const OPT_PAIR ecdh_choices[EC_NUM] = {
|
||||
- {"ecdhp160", R_EC_P160},
|
||||
@ -28,7 +46,7 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c
|
||||
{"ecdhp224", R_EC_P224},
|
||||
{"ecdhp256", R_EC_P256},
|
||||
{"ecdhp384", R_EC_P384},
|
||||
@@ -1422,8 +1418,6 @@ int speed_main(int argc, char **argv)
|
||||
@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv)
|
||||
*/
|
||||
static const EC_CURVE ec_curves[EC_NUM] = {
|
||||
/* Prime Curves */
|
||||
@ -37,9 +55,10 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c
|
||||
{"nistp224", NID_secp224r1, 224},
|
||||
{"nistp256", NID_X9_62_prime256v1, 256},
|
||||
{"nistp384", NID_secp384r1, 384},
|
||||
diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c
|
||||
--- ./crypto/evp/ec_support.c.ec-curves 2023-03-14 06:22:41.542310442 +0100
|
||||
+++ ./crypto/evp/ec_support.c 2023-03-21 11:24:18.378451683 +0100
|
||||
diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
|
||||
index 1ec10143d2..82b95294b4 100644
|
||||
--- a/crypto/evp/ec_support.c
|
||||
+++ b/crypto/evp/ec_support.c
|
||||
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
|
||||
static const EC_NAME2NID curve_list[] = {
|
||||
/* prime field curves */
|
||||
@ -130,7 +149,7 @@ diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c
|
||||
{"brainpoolP256r1", NID_brainpoolP256r1 },
|
||||
{"brainpoolP256t1", NID_brainpoolP256t1 },
|
||||
{"brainpoolP320r1", NID_brainpoolP320r1 },
|
||||
@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] =
|
||||
@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = {
|
||||
{"brainpoolP384t1", NID_brainpoolP384t1 },
|
||||
{"brainpoolP512r1", NID_brainpoolP512r1 },
|
||||
{"brainpoolP512t1", NID_brainpoolP512t1 },
|
||||
@ -139,13 +158,33 @@ diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c
|
||||
};
|
||||
|
||||
const char *OSSL_EC_curve_nid2name(int nid)
|
||||
diff -up ./test/acvp_test.inc.ec-curves ./test/acvp_test.inc
|
||||
--- ./test/acvp_test.inc.ec-curves 2023-03-14 06:38:20.563712586 +0100
|
||||
+++ ./test/acvp_test.inc 2023-03-14 06:39:01.631080059 +0100
|
||||
@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_
|
||||
@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
|
||||
/* Functions to translate between common NIST curve names and NIDs */
|
||||
|
||||
static const EC_NAME2NID nist_curves[] = {
|
||||
- {"B-163", NID_sect163r2},
|
||||
- {"B-233", NID_sect233r1},
|
||||
- {"B-283", NID_sect283r1},
|
||||
- {"B-409", NID_sect409r1},
|
||||
- {"B-571", NID_sect571r1},
|
||||
- {"K-163", NID_sect163k1},
|
||||
- {"K-233", NID_sect233k1},
|
||||
- {"K-283", NID_sect283k1},
|
||||
- {"K-409", NID_sect409k1},
|
||||
- {"K-571", NID_sect571k1},
|
||||
- {"P-192", NID_X9_62_prime192v1},
|
||||
{"P-224", NID_secp224r1},
|
||||
{"P-256", NID_X9_62_prime256v1},
|
||||
{"P-384", NID_secp384r1},
|
||||
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
||||
index ad11d3ae1e..894a0bff9d 100644
|
||||
--- a/test/acvp_test.inc
|
||||
+++ b/test/acvp_test.inc
|
||||
@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
|
||||
0xB1, 0xAC,
|
||||
};
|
||||
static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
|
||||
{
|
||||
- {
|
||||
- "SHA-1",
|
||||
- "P-192",
|
||||
- ITM(ecdsa_sigver_msg0),
|
||||
@ -154,13 +193,13 @@ diff -up ./test/acvp_test.inc.ec-curves ./test/acvp_test.inc
|
||||
- ITM(ecdsa_sigver_s0),
|
||||
- PASS,
|
||||
- },
|
||||
- {
|
||||
{
|
||||
"SHA2-512",
|
||||
"P-521",
|
||||
ITM(ecdsa_sigver_msg1),
|
||||
diff -up ./test/ecdsatest.h.ec-curves ./test/ecdsatest.h
|
||||
--- ./test/ecdsatest.h.ec-curves 2023-03-14 04:49:16.148154472 +0100
|
||||
+++ ./test/ecdsatest.h 2023-03-14 04:51:01.376096037 +0100
|
||||
diff --git a/test/ecdsatest.h b/test/ecdsatest.h
|
||||
index 63fe319025..06b5c0aac5 100644
|
||||
--- a/test/ecdsatest.h
|
||||
+++ b/test/ecdsatest.h
|
||||
@@ -32,23 +32,6 @@ typedef struct {
|
||||
} ecdsa_cavs_kat_t;
|
||||
|
||||
@ -185,10 +224,11 @@ diff -up ./test/ecdsatest.h.ec-curves ./test/ecdsatest.h
|
||||
/* prime KATs from NIST CAVP */
|
||||
{NID_secp224r1, NID_sha224,
|
||||
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
|
||||
diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t
|
||||
--- ./test/recipes/15-test_genec.t.ec-curves 2023-03-14 04:51:45.215488277 +0100
|
||||
+++ ./test/recipes/15-test_genec.t 2023-03-21 11:26:58.613885435 +0100
|
||||
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport
|
||||
diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
|
||||
index 2dfed387ca..c733b68f83 100644
|
||||
--- a/test/recipes/15-test_genec.t
|
||||
+++ b/test/recipes/15-test_genec.t
|
||||
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
|
||||
if disabled("ec");
|
||||
|
||||
my @prime_curves = qw(
|
||||
@ -234,24 +274,6 @@ diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t
|
||||
P-224
|
||||
P-256
|
||||
P-384
|
||||
diff -up openssl-3.0.7/crypto/evp/ec_support.c.ec-remove openssl-3.0.7/crypto/evp/ec_support.c
|
||||
--- openssl-3.0.7/crypto/evp/ec_support.c.ec-remove 2023-07-06 10:30:10.152621369 +0200
|
||||
+++ openssl-3.0.7/crypto/evp/ec_support.c 2023-07-06 10:34:00.557091758 +0200
|
||||
@@ -74,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *n
|
||||
/* Functions to translate between common NIST curve names and NIDs */
|
||||
--
|
||||
2.41.0
|
||||
|
||||
static const EC_NAME2NID nist_curves[] = {
|
||||
- {"B-163", NID_sect163r2},
|
||||
- {"B-233", NID_sect233r1},
|
||||
- {"B-283", NID_sect283r1},
|
||||
- {"B-409", NID_sect409r1},
|
||||
- {"B-571", NID_sect571r1},
|
||||
- {"K-163", NID_sect163k1},
|
||||
- {"K-233", NID_sect233k1},
|
||||
- {"K-283", NID_sect283k1},
|
||||
- {"K-409", NID_sect409k1},
|
||||
- {"K-571", NID_sect571k1},
|
||||
- {"P-192", NID_X9_62_prime192v1},
|
||||
{"P-224", NID_secp224r1},
|
||||
{"P-256", NID_X9_62_prime256v1},
|
||||
{"P-384", NID_secp384r1},
|
||||
|
@ -21,11 +21,12 @@ diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_
|
||||
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
|
||||
|
||||
my @basic_cmd = ("cmp_protect_test",
|
||||
data_file("server.pem"),
|
||||
diff -up ./test/recipes/65-test_cmp_vfy.t.skip-tests ./test/recipes/65-test_cmp_vfy.t
|
||||
--- ./test/recipes/65-test_cmp_vfy.t.skip-tests 2023-03-14 10:13:38.106296042 +0100
|
||||
+++ ./test/recipes/65-test_cmp_vfy.t 2023-03-14 10:16:56.496071178 +0100
|
||||
@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo
|
||||
data_file("prot_RSA.pem"),
|
||||
diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
|
||||
index f722800e27..26a01786bb 100644
|
||||
--- a/test/recipes/65-test_cmp_vfy.t
|
||||
+++ b/test/recipes/65-test_cmp_vfy.t
|
||||
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
|
||||
plan skip_all => "This test is not supported in a no-ec build"
|
||||
if disabled("ec");
|
||||
|
||||
|
@ -1,40 +0,0 @@
|
||||
diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/recipes/90-test_sslapi.t
|
||||
--- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit 2021-09-22 11:56:49.452507975 +0200
|
||||
+++ openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-09-22 11:57:19.371764742 +0200
|
||||
@@ -40,7 +40,7 @@ unless ($no_fips) {
|
||||
"recipes",
|
||||
"90-test_sslapi_data",
|
||||
"dhparams.pem")])),
|
||||
- "running sslapitest");
|
||||
+ "running sslapitest - FIPS");
|
||||
}
|
||||
|
||||
unlink $tmpfilename;
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index e95d2657f46c..7af0eab3fce0 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
|
||||
goto end;
|
||||
}
|
||||
|
||||
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
||||
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
/* Create a session based on SHA-256 */
|
||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
TLS_client_method(),
|
||||
@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
|
||||
goto end;
|
||||
}
|
||||
|
||||
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
||||
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
/* Create a session based on SHA-256 */
|
||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
TLS_client_method(),
|
@ -1,13 +1,21 @@
|
||||
#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
|
||||
#(partial) of the function provider_conf_load() under the 'if (activate) section.
|
||||
#If there is any change to this section, after deleting it in provider_conf_load()
|
||||
#ensure that you also add those changes to the provider_conf_activate() function.
|
||||
#additionally please add this check for cnf explicitly as shown below.
|
||||
#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
|
||||
diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c
|
||||
--- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200
|
||||
+++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200
|
||||
@@ -36,6 +36,8 @@ static int prov_already_activated(const
|
||||
From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 11:59:02 +0200
|
||||
Subject: [PATCH 16/48] 0032-Force-fips.patch
|
||||
|
||||
Patch-name: 0032-Force-fips.patch
|
||||
Patch-id: 32
|
||||
Patch-status: |
|
||||
# We load FIPS provider and set FIPS properties implicitly
|
||||
---
|
||||
crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
|
||||
1 file changed, 27 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
|
||||
index 058fb58837..5274265a70 100644
|
||||
--- a/crypto/provider_conf.c
|
||||
+++ b/crypto/provider_conf.c
|
||||
@@ -10,6 +10,8 @@
|
||||
#include <string.h>
|
||||
#include <openssl/trace.h>
|
||||
#include <openssl/err.h>
|
||||
@ -16,143 +24,25 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/safestack.h>
|
||||
#include <openssl/provider.h>
|
||||
@@ -136,58 +136,18 @@ static int prov_already_activated(const
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
||||
- const char *value, const CONF *cnf)
|
||||
+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
|
||||
+ const char *value, const char *path,
|
||||
+ int soft, const CONF *cnf)
|
||||
{
|
||||
- int i;
|
||||
- STACK_OF(CONF_VALUE) *ecmds;
|
||||
- int soft = 0;
|
||||
- OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
||||
- const char *path = NULL;
|
||||
- long activate = 0;
|
||||
int ok = 0;
|
||||
-
|
||||
- name = skip_dot(name);
|
||||
- OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
||||
- /* Value is a section containing PROVIDER commands */
|
||||
- ecmds = NCONF_get_section(cnf, value);
|
||||
-
|
||||
- if (!ecmds) {
|
||||
- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
||||
- "section=%s not found", value);
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
- /* Find the needed data first */
|
||||
- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
||||
- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
||||
- const char *confname = skip_dot(ecmd->name);
|
||||
- const char *confvalue = ecmd->value;
|
||||
-
|
||||
- OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
||||
- confname, confvalue);
|
||||
-
|
||||
- /* First handle some special pseudo confs */
|
||||
-
|
||||
- /* Override provider name to use */
|
||||
- if (strcmp(confname, "identity") == 0)
|
||||
- name = confvalue;
|
||||
- else if (strcmp(confname, "soft_load") == 0)
|
||||
- soft = 1;
|
||||
- /* Load a dynamic PROVIDER */
|
||||
- else if (strcmp(confname, "module") == 0)
|
||||
- path = confvalue;
|
||||
- else if (strcmp(confname, "activate") == 0)
|
||||
- activate = 1;
|
||||
- }
|
||||
-
|
||||
- if (activate) {
|
||||
- PROVIDER_CONF_GLOBAL *pcgbl
|
||||
- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||
- &provider_conf_ossl_ctx_method);
|
||||
+ OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
||||
+ PROVIDER_CONF_GLOBAL *pcgbl
|
||||
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||
+ &provider_conf_ossl_ctx_method);
|
||||
|
||||
if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
|
||||
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
||||
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
if (!prov_already_activated(name, pcgbl->activated_providers)) {
|
||||
@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
|
||||
@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
|
||||
if (path != NULL)
|
||||
ossl_provider_set_module_path(prov, path);
|
||||
|
||||
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
|
||||
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
|
||||
|
||||
if (ok) {
|
||||
if (ok == 1) {
|
||||
if (!ossl_provider_activate(prov, 1, 0)) {
|
||||
@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C
|
||||
}
|
||||
if (!ok)
|
||||
@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L
|
||||
|
||||
if (ok <= 0)
|
||||
ossl_provider_free(prov);
|
||||
+ } else { /* No reason to activate the provider twice, returning OK */
|
||||
+ } else {
|
||||
+ ok = 1;
|
||||
}
|
||||
CRYPTO_THREAD_unlock(pcgbl->lock);
|
||||
+ return ok;
|
||||
+}
|
||||
+
|
||||
+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
||||
+ const char *value, const CONF *cnf)
|
||||
+{
|
||||
+ int i;
|
||||
+ STACK_OF(CONF_VALUE) *ecmds;
|
||||
+ int soft = 0;
|
||||
+ const char *path = NULL;
|
||||
+ long activate = 0;
|
||||
+ int ok = 0;
|
||||
+
|
||||
+ name = skip_dot(name);
|
||||
+ OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
||||
+ /* Value is a section containing PROVIDER commands */
|
||||
+ ecmds = NCONF_get_section(cnf, value);
|
||||
+
|
||||
+ if (!ecmds) {
|
||||
+ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
||||
+ "section=%s not found", value);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* Find the needed data first */
|
||||
+ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
||||
+ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
||||
+ const char *confname = skip_dot(ecmd->name);
|
||||
+ const char *confvalue = ecmd->value;
|
||||
+
|
||||
+ OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
||||
+ confname, confvalue);
|
||||
+
|
||||
+ /* First handle some special pseudo confs */
|
||||
+
|
||||
+ /* Override provider name to use */
|
||||
+ if (strcmp(confname, "identity") == 0)
|
||||
+ name = confvalue;
|
||||
+ else if (strcmp(confname, "soft_load") == 0)
|
||||
+ soft = 1;
|
||||
+ /* Load a dynamic PROVIDER */
|
||||
+ else if (strcmp(confname, "module") == 0)
|
||||
+ path = confvalue;
|
||||
+ else if (strcmp(confname, "activate") == 0)
|
||||
+ activate = 1;
|
||||
+ }
|
||||
+
|
||||
+ if (activate) {
|
||||
+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
|
||||
} else {
|
||||
OSSL_PROVIDER_INFO entry;
|
||||
|
||||
@@ -306,6 +317,33 @@ static int provider_conf_init(CONF_IMODU
|
||||
@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -174,7 +64,7 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi
|
||||
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* provider_conf_load can return 1 even wwhen the test is failed so check explicitly */
|
||||
+ /* provider_conf_load can return 1 even when the test is failed so check explicitly */
|
||||
+ if (OSSL_PROVIDER_available(libctx, "fips") != 1)
|
||||
+ return 0;
|
||||
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
||||
@ -186,3 +76,6 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi
|
||||
return 1;
|
||||
}
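Review bot: The comment on the explicit availability check names the wrong function: the call it guards is `provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL)`, not `provider_conf_load`, so it should read `/* provider_conf_activate() can return 1 even when the provider did not load, so check availability explicitly */`. No equivalent `OSSL_PROVIDER_available(libctx, "base")` check is visible after the `base` activation a few lines below; the lines between the two calls are elided in this view, so if `base` can fail the same way it deserves the same post-check. Because this path is what forces FIPS mode, a partial activation that still returns 1 would be security-relevant rather than cosmetic. The body of provider_conf_init begins outside this hunk.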
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
@ -1,9 +1,34 @@
|
||||
diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/providers/fips/self_test.c
|
||||
--- openssl-3.0.7/providers/fips/self_test.c.embed-hmac 2023-01-05 10:03:44.864869710 +0100
|
||||
+++ openssl-3.0.7/providers/fips/self_test.c 2023-01-05 10:15:17.041606472 +0100
|
||||
@@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void)
|
||||
From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
||||
Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch
|
||||
|
||||
Patch-name: 0033-FIPS-embed-hmac.patch
|
||||
Patch-id: 33
|
||||
Patch-status: |
|
||||
# # Embed HMAC into the fips.so
|
||||
# Modify fips self test as per
|
||||
# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
|
||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||
---
|
||||
providers/fips/self_test.c | 204 ++++++++++++++++++++++++--
|
||||
test/fipsmodule.cnf | 2 +
|
||||
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
|
||||
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
|
||||
test/recipes/03-test_fipsinstall.t | 2 +-
|
||||
test/recipes/30-test_defltfips.t | 2 +-
|
||||
test/recipes/80-test_ssl_new.t | 2 +-
|
||||
test/recipes/90-test_sslapi.t | 2 +-
|
||||
8 files changed, 200 insertions(+), 18 deletions(-)
|
||||
create mode 100644 test/fipsmodule.cnf
|
||||
|
||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
||||
index b8dc9817b2..28f536d13c 100644
|
||||
--- a/providers/fips/self_test.c
|
||||
+++ b/providers/fips/self_test.c
|
||||
@@ -230,11 +230,133 @@ err:
|
||||
return ok;
|
||||
}
|
||||
#endif
|
||||
|
||||
+#define HMAC_LEN 32
|
||||
+/*
|
||||
@ -17,6 +42,7 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi
|
||||
* the result matches the expected value.
|
||||
* Return 1 if verified, or 0 if it fails.
|
||||
*/
|
||||
+
|
||||
+#ifndef __USE_GNU
|
||||
+#define __USE_GNU
|
||||
+#include <dlfcn.h>
|
||||
@ -25,11 +51,116 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi
|
||||
+#include <dlfcn.h>
|
||||
+#endif
|
||||
+#include <link.h>
|
||||
+
|
||||
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
|
||||
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
||||
+ unsigned char *expected, size_t expected_len,
|
||||
+ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
||||
+ const char *event_type)
|
||||
+{
|
||||
+ int ret = 0, status;
|
||||
+ unsigned char out[MAX_MD_SIZE];
|
||||
+ unsigned char buf[INTEGRITY_BUF_SIZE];
|
||||
+ size_t bytes_read = 0, out_len = 0;
|
||||
+ EVP_MAC *mac = NULL;
|
||||
+ EVP_MAC_CTX *ctx = NULL;
|
||||
+ OSSL_PARAM params[2], *p = params;
|
||||
+ Dl_info info;
|
||||
+ void *extra_info = NULL;
|
||||
+ struct link_map *lm = NULL;
|
||||
+ unsigned long paddr;
|
||||
+ unsigned long off = 0;
|
||||
+
|
||||
+ if (expected_len != HMAC_LEN)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (!integrity_self_test(ev, libctx))
|
||||
+ goto err;
|
||||
+
|
||||
+ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
||||
+
|
||||
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
||||
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
||||
+ goto err;
|
||||
+ lm = extra_info;
|
||||
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
||||
+
|
||||
+ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
||||
+ if (mac == NULL)
|
||||
+ goto err;
|
||||
+ ctx = EVP_MAC_CTX_new(mac);
|
||||
+ if (ctx == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
|
||||
+ *p = OSSL_PARAM_construct_end();
|
||||
+
|
||||
+ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
||||
+ goto err;
|
||||
+
|
||||
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ break;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ if (off < paddr) {
|
||||
+ int delta = paddr - off;
|
||||
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ /* read away the buffer */
|
||||
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+
|
||||
+ /* check that it is the expect bytes, no point in continuing otherwise */
|
||||
+ if (memcmp(expected, buf, HMAC_LEN) != 0)
|
||||
+ goto err;
|
||||
+
|
||||
+ /* replace in-file HMAC buffer with the original zeros */
|
||||
+ memset(buf, 0, HMAC_LEN);
|
||||
+ if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
|
||||
+ goto err;
|
||||
+ off += HMAC_LEN;
|
||||
+
|
||||
+ while (bytes_read > 0) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ break;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||
+ goto err;
|
||||
+
|
||||
+ OSSL_SELF_TEST_oncorrupt_byte(ev, out);
|
||||
+ if (expected_len != out_len
|
||||
+ || memcmp(expected, out, out_len) != 0)
|
||||
+ goto err;
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ OPENSSL_cleanse(out, MAX_MD_SIZE);
|
||||
+ OSSL_SELF_TEST_onend(ev, ret);
|
||||
+ EVP_MAC_CTX_free(ctx);
|
||||
+ EVP_MAC_free(mac);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
||||
unsigned char *expected, size_t expected_len,
|
||||
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
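Review bot: `verify_integrity_rodata` jumps to `err` on `expected_len != HMAC_LEN` before `OSSL_SELF_TEST_onbegin` has run, so the `err:` path emits `OSSL_SELF_TEST_onend(ev, 0)` for an event that was never begun; nothing is allocated at that point, so make it `if (expected_len != HMAC_LEN) return 0;`. Separately, `paddr` is `fips_hmac_container - lm->l_addr`, a virtual-address delta, yet it is consumed as a file offset for `read_ex_cb`; that only coincides when the PT_LOAD segment holding the HMAC has p_vaddr == p_offset, which nothing here verifies. The `memcmp(expected, buf, HMAC_LEN)` at that offset does make a wrong offset fail closed, but a comment such as `/* assumes the HMAC's PT_LOAD segment has p_vaddr == p_offset so the vaddr delta is also the file offset; a mismatch fails the memcmp below rather than silently MACing the wrong bytes */` would spare the next reader from rediscovering it. The middle of this hunk is elided by the outer diff, so the function is not fully visible here.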
|
||||
@@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BI
|
||||
@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
EVP_MAC *mac = NULL;
|
||||
EVP_MAC_CTX *ctx = NULL;
|
||||
OSSL_PARAM params[2], *p = params;
|
||||
@ -39,6 +170,9 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi
|
||||
+ unsigned long paddr;
|
||||
+ unsigned long off = 0;
|
||||
|
||||
if (!integrity_self_test(ev, libctx))
|
||||
goto err;
|
||||
|
||||
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
||||
|
||||
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
||||
@ -50,7 +184,7 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi
|
||||
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
||||
if (mac == NULL)
|
||||
goto err;
|
||||
@@ -205,13 +233,42 @@ static int verify_integrity(OSSL_CORE_BI
|
||||
@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
||||
goto err;
|
||||
|
||||
@ -95,8 +229,16 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi
|
||||
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||
goto err;
|
||||
|
||||
@@ -285,8 +342,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
CRYPTO_THREAD_unlock(fips_state_lock);
|
||||
@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
+ OPENSSL_cleanse(out, sizeof(out));
|
||||
OSSL_SELF_TEST_onend(ev, ret);
|
||||
EVP_MAC_CTX_free(ctx);
|
||||
EVP_MAC_free(mac);
|
||||
@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if (st == NULL
|
||||
@ -105,30 +247,77 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
||||
goto end;
|
||||
}
|
||||
@@ -305,8 +361,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
if (ev == NULL)
|
||||
goto end;
|
||||
|
||||
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
||||
- &checksum_len);
|
||||
+ if (st->module_checksum_data == NULL) {
|
||||
+ module_checksum = fips_hmac_container;
|
||||
+ checksum_len = sizeof(fips_hmac_container);
|
||||
+ } else {
|
||||
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
||||
+ &checksum_len);
|
||||
+ }
|
||||
+
|
||||
if (module_checksum == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
||||
goto end;
|
||||
@@ -356,7 +413,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
ok = 1;
|
||||
@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
|
||||
|
||||
/* Always check the integrity of the fips module */
|
||||
- if (bio_module == NULL
|
||||
- || !verify_integrity(bio_module, st->bio_read_ex_cb,
|
||||
- module_checksum, checksum_len, st->libctx,
|
||||
- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
||||
+ if (bio_module == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
||||
goto end;
|
||||
}
|
||||
-
|
||||
+ if (st->module_checksum_data == NULL) {
|
||||
+ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb,
|
||||
+ module_checksum, checksum_len,
|
||||
+ st->libctx, ev,
|
||||
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!verify_integrity(bio_module, st->bio_read_ex_cb,
|
||||
+ module_checksum, checksum_len,
|
||||
+ st->libctx, ev,
|
||||
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
/* This will be NULL during installation - so the self test KATS will run */
|
||||
if (st->indicator_data != NULL) {
|
||||
/*
|
||||
@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
end:
|
||||
EVP_RAND_free(testrand);
|
||||
OSSL_SELF_TEST_free(ev);
|
||||
- OPENSSL_free(module_checksum);
|
||||
OPENSSL_free(indicator_checksum);
|
||||
|
||||
if (st != NULL) {
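Review bot: Dropping `OPENSSL_free(module_checksum)` here leaks the buffer in the branch that still allocates it: when `st->module_checksum_data` is non-NULL the earlier hunk assigns `module_checksum = OPENSSL_hexstr2buf(...)`, and only the NULL case aliases the static `fips_hmac_container`. Since `st` itself can be NULL at `end:` (the `st == NULL` guard above jumps here), free it as `if (st != NULL && st->module_checksum_data != NULL) OPENSSL_free(module_checksum);`, or move the free inside the existing `if (st != NULL)` block. SELF_TEST_post begins outside this hunk.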
|
||||
diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
--- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t 2021-11-18 09:39:53.386817874 +0100
|
||||
@@ -20,7 +20,7 @@
|
||||
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
|
||||
new file mode 100644
|
||||
index 0000000000..f05d0dedbe
|
||||
--- /dev/null
|
||||
+++ b/test/fipsmodule.cnf
|
||||
@@ -0,0 +1,2 @@
|
||||
+[fips_sect]
|
||||
+activate = 1
|
||||
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
index 4e3a6d85e8..e8255ba974 100644
|
||||
--- a/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
@ -137,10 +326,11 @@ diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/
|
||||
plan skip_all => "FIPS module config file only supported in a fips build"
|
||||
if $no_check;
|
||||
|
||||
diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t
|
||||
--- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t 2021-11-18 09:59:02.315619486 +0100
|
||||
@@ -23,7 +23,7 @@
|
||||
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
|
||||
index ce594817d5..00cebacff8 100644
|
||||
--- a/test/recipes/01-test_fipsmodule_cnf.t
|
||||
+++ b/test/recipes/01-test_fipsmodule_cnf.t
|
||||
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
@ -149,34 +339,37 @@ diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/
|
||||
plan skip_all => "Test only supported in a fips build"
|
||||
if $no_check;
|
||||
plan tests => 1;
|
||||
diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t
|
||||
--- openssl-3.0.0/test/recipes/03-test_fipsinstall.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t 2021-11-18 09:59:55.365072074 +0100
|
||||
@@ -22,7 +22,7 @@
|
||||
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
|
||||
index b8b136d110..8242f4ebc3 100644
|
||||
--- a/test/recipes/03-test_fipsinstall.t
|
||||
+++ b/test/recipes/03-test_fipsinstall.t
|
||||
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
||||
+plan skip_all => "Test only supported in a fips build" if 1;
|
||||
|
||||
plan tests => 29;
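Review bot: `plan skip_all => "Test only supported in a fips build" if 1;` skips unconditionally but keeps a reason that no longer describes why, which misleads anyone reading the test log on a FIPS-enabled build. State what this patch series actually does: `plan skip_all => "openssl fipsinstall is disabled in this downstream build";`. If the skip is meant to be temporary, a `# TODO` naming what would re-enable it is better than a bare `if 1`.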
|
||||
|
||||
diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t
|
||||
--- openssl-3.0.0/test/recipes/30-test_defltfips.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t 2021-11-18 10:22:54.179659682 +0100
|
||||
@@ -21,7 +21,7 @@
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
# Compatible options for pedantic FIPS compliance
|
||||
my @pedantic_okay =
|
||||
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
|
||||
index c8f145405b..56a2ec5dc4 100644
|
||||
--- a/test/recipes/30-test_defltfips.t
|
||||
+++ b/test/recipes/30-test_defltfips.t
|
||||
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
||||
plan skip_all => "Configuration loading is turned off"
|
||||
if disabled("autoload-config");
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
|
||||
plan tests =>
|
||||
($no_fips ? 1 : 5);
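Review bot: `my $no_fips = 1;` hard-disables the FIPS half of this recipe, so the in-tree test suite no longer exercises the embedded-HMAC module integrity path added in this same patch. If the motivation is that the build-tree fips.so lacks a valid embedded HMAC until post-processing, gate the skip on the environment instead, `my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 1);`, so a packager can run the FIPS cases against a finished module by exporting `NO_FIPS=0`. The commented-out original expression left inline adds nothing; drop it in favour of the gated form.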
|
||||
diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t
|
||||
--- openssl-3.0.0/test/recipes/80-test_ssl_new.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t 2021-11-18 10:18:53.391721164 +0100
|
||||
@@ -23,7 +23,7 @@
|
||||
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
|
||||
index 195b85ea8c..92d48dbf7d 100644
|
||||
--- a/test/recipes/80-test_ssl_new.t
|
||||
+++ b/test/recipes/80-test_ssl_new.t
|
||||
@@ -27,7 +27,7 @@ setup("test_ssl_new");
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
|
||||
@ -185,20 +378,19 @@ diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/re
|
||||
|
||||
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
||||
|
||||
diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t
|
||||
--- openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-11-18 10:32:17.734196705 +0100
|
||||
+++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t 2021-11-18 10:18:30.695538445 +0100
|
||||
@@ -18,7 +18,7 @@
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
|
||||
index 18d9f3d204..71780d8caa 100644
|
||||
--- a/test/recipes/90-test_sslapi.t
|
||||
+++ b/test/recipes/90-test_sslapi.t
|
||||
@@ -17,7 +17,7 @@ setup("test_sslapi");
|
||||
setup("test_sslapi");
|
||||
}
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
my $fipsmodcfg_filename = "fipsmodule.cnf";
|
||||
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
||||
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
|
||||
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
|
||||
--- /dev/null 2021-11-16 15:27:32.915000000 +0100
|
||||
+++ openssl-3.0.0/test/fipsmodule.cnf 2021-11-18 11:15:34.538060408 +0100
|
||||
@@ -0,0 +1,2 @@
|
||||
+[fips_sect]
|
||||
+activate = 1
|
||||
|
@ -1,7 +1,27 @@
|
||||
diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
|
||||
--- openssl-3.0.0/apps/fipsinstall.c.xxx 2021-11-22 13:09:28.232560235 +0100
|
||||
+++ openssl-3.0.0/apps/fipsinstall.c 2021-11-22 13:12:22.272058910 +0100
|
||||
@@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar
|
||||
From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch
|
||||
|
||||
Patch-name: 0034.fipsinstall_disable.patch
|
||||
Patch-id: 34
|
||||
Patch-status: |
|
||||
# Comment out fipsinstall command-line utility
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
apps/fipsinstall.c | 3 +
|
||||
doc/man1/openssl-fipsinstall.pod.in | 272 +---------------------------
|
||||
doc/man1/openssl.pod | 4 -
|
||||
doc/man5/config.pod | 1 -
|
||||
doc/man5/fips_config.pod | 104 +----------
|
||||
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
|
||||
6 files changed, 10 insertions(+), 375 deletions(-)
|
||||
|
||||
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
|
||||
index e1ef645b60..db92cb5fb2 100644
|
||||
--- a/apps/fipsinstall.c
|
||||
+++ b/apps/fipsinstall.c
|
||||
@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv)
|
||||
EVP_MAC *mac = NULL;
|
||||
CONF *conf = NULL;
|
||||
|
||||
@ -11,160 +31,11 @@ diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
|
||||
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||
goto end;
|
||||
|
||||
diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
|
||||
--- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100
|
||||
+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100
|
||||
@@ -158,10 +158,6 @@ Engine (loadable module) information and
|
||||
|
||||
Error Number to Error String Conversion.
|
||||
|
||||
-=item B<fipsinstall>
|
||||
-
|
||||
-FIPS configuration installation.
|
||||
-
|
||||
=item B<gendsa>
|
||||
|
||||
Generation of DSA Private Key from Parameters. Superseded by
|
||||
diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
|
||||
--- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100
|
||||
+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100
|
||||
@@ -573,7 +573,6 @@ configuration files using that syntax wi
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<ASN1_generate_nconf(3)>,
|
||||
L<EVP_set_default_properties(3)>,
|
||||
L<CONF_modules_load(3)>,
|
||||
diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
|
||||
--- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100
|
||||
+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100
|
||||
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
|
||||
-is used to hold information about the FIPS module. This includes a digest
|
||||
-of the shared library file, and status about the self-testing.
|
||||
-This data is used automatically by the module itself for two
|
||||
-purposes:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item - Run the startup FIPS self-test known answer tests (KATS).
|
||||
-
|
||||
-This is normally done once, at installation time, but may also be set up to
|
||||
-run each time the module is used.
|
||||
-
|
||||
-=item - Verify the module's checksum.
|
||||
-
|
||||
-This is done each time the module is used.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-This file is generated by the L<openssl-fipsinstall(1)> program, and
|
||||
-used internally by the FIPS module during its initialization.
|
||||
-
|
||||
-The following options are supported. They should all appear in a section
|
||||
-whose name is identified by the B<fips> option in the B<providers>
|
||||
-section, as described in L<config(5)/Provider Configuration Module>.
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<activate>
|
||||
-
|
||||
-If present, the module is activated. The value assigned to this name is not
|
||||
-significant.
|
||||
-
|
||||
-=item B<install-version>
|
||||
-
|
||||
-A version number for the fips install process. Should be 1.
|
||||
-
|
||||
-=item B<conditional-errors>
|
||||
-
|
||||
-The FIPS module normally enters an internal error mode if any self test fails.
|
||||
-Once this error mode is active, no services or cryptographic algorithms are
|
||||
-accessible from this point on.
|
||||
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
|
||||
-generation, or the CRNG output test).
|
||||
-Setting this value to C<0> allows the error mode to not be triggered if any
|
||||
-continuous test fails. The default value of C<1> will trigger the error mode.
|
||||
-Regardless of the value, the operation (e.g., key generation) that called the
|
||||
-continuous test will return an error code if its continuous test fails. The
|
||||
-operation may then be retried if the error mode has not been triggered.
|
||||
-
|
||||
-=item B<security-checks>
|
||||
-
|
||||
-This indicates if run-time checks related to enforcement of security parameters
|
||||
-such as minimum security strength of keys and approved curve names are used.
|
||||
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
|
||||
-are not performed and FIPS compliance must be done by procedures documented in
|
||||
-the relevant Security Policy.
|
||||
-
|
||||
-=item B<module-mac>
|
||||
-
|
||||
-The calculated MAC of the FIPS provider file.
|
||||
-
|
||||
-=item B<install-status>
|
||||
-
|
||||
-An indicator that the self-tests were successfully run.
|
||||
-This should only be written after the module has
|
||||
-successfully passed its self tests during installation.
|
||||
-If this field is not present, then the self tests will run when the module
|
||||
-loads.
|
||||
-
|
||||
-=item B<install-mac>
|
||||
-
|
||||
-A MAC of the value of the B<install-status> option, to prevent accidental
|
||||
-changes to that value.
|
||||
-It is written-to at the same time as B<install-status> is updated.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-For example:
|
||||
-
|
||||
- [fips_sect]
|
||||
- activate = 1
|
||||
- install-version = 1
|
||||
- conditional-errors = 1
|
||||
- security-checks = 1
|
||||
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
|
||||
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
|
||||
- install-status = INSTALL_SELF_TEST_KATS_RUN
|
||||
-
|
||||
-=head1 NOTES
|
||||
-
|
||||
-When using the FIPS provider, it is recommended that the
|
||||
-B<config_diagnostics> option is enabled to prevent accidental use of
|
||||
-non-FIPS validated algorithms via broken or mistaken configuration.
|
||||
-See L<config(5)>.
|
||||
-
|
||||
-=head1 SEE ALSO
|
||||
-
|
||||
-L<config(5)>
|
||||
-L<openssl-fipsinstall(1)>
|
||||
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
|
||||
+automatically loaded when the system is booted in FIPS mode, or when the
|
||||
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
||||
+for more information.
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
|
||||
+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100
|
||||
@@ -388,7 +388,6 @@ A simple self test callback is shown bel
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<fips_config(5)>,
|
||||
L<OSSL_SELF_TEST_set_callback(3)>,
|
||||
L<OSSL_SELF_TEST_new(3)>,
|
||||
diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in
|
||||
--- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100
|
||||
+++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100
|
||||
@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi
|
||||
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
|
||||
index b1768b7f91..b6b00e27d8 100644
|
||||
--- a/doc/man1/openssl-fipsinstall.pod.in
|
||||
+++ b/doc/man1/openssl-fipsinstall.pod.in
|
||||
@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<openssl fipsinstall>
|
||||
@ -179,14 +50,18 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.
|
||||
-[B<-macopt> I<nm>:I<v>]
|
||||
-[B<-noout>]
|
||||
-[B<-quiet>]
|
||||
-[B<-pedantic>]
|
||||
-[B<-no_conditional_errors>]
|
||||
-[B<-no_security_checks>]
|
||||
-[B<-ems_check>]
|
||||
-[B<-no_drbg_truncated_digests>]
|
||||
-[B<-self_test_onload>]
|
||||
-[B<-self_test_oninstall>]
|
||||
-[B<-corrupt_desc> I<selftest_description>]
|
||||
-[B<-corrupt_type> I<selftest_type>]
|
||||
-[B<-config> I<parent_config>]
|
||||
|
||||
=head1 DESCRIPTION
|
||||
-
|
||||
-=head1 DESCRIPTION
|
||||
-
|
||||
-This command is used to generate a FIPS module configuration file.
|
||||
-This configuration file can be used each time a FIPS module is loaded
|
||||
@ -315,6 +190,14 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.
|
||||
-
|
||||
-Disable logging of the self tests.
|
||||
-
|
||||
-=item B<-pedantic>
|
||||
-
|
||||
-Configure the module so that it is strictly FIPS compliant rather
|
||||
-than being backwards compatible. This enables conditional errors,
|
||||
-security checks etc. Note that any previous configuration options will
|
||||
-be overwritten and any subsequent configuration options that violate
|
||||
-FIPS compliance will result in an error.
|
||||
-
|
||||
-=item B<-no_conditional_errors>
|
||||
-
|
||||
-Configure the module to not enter an error state if a conditional self test
|
||||
@ -324,6 +207,20 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.
|
||||
-
|
||||
-Configure the module to not perform run-time security checks as described above.
|
||||
-
|
||||
-Enabling the configuration option "no-fips-securitychecks" provides another way to
|
||||
-turn off the check at compile time.
|
||||
-
|
||||
-=item B<-ems_check>
|
||||
-
|
||||
-Configure the module to enable a run-time Extended Master Secret (EMS) check
|
||||
-when using the TLS1_PRF KDF algorithm. This check is disabled by default.
|
||||
-See RFC 7627 for information related to EMS.
|
||||
-
|
||||
-=item B<-no_drbg_truncated_digests>
|
||||
-
|
||||
-Configure the module to not allow truncated digests to be used with Hash and
|
||||
-HMAC DRBGs. See FIPS 140-3 IG D.R for details.
|
||||
-
|
||||
-=item B<-self_test_onload>
|
||||
-
|
||||
-Do not write the two fields related to the "test status indicator" and
|
||||
@ -334,6 +231,14 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.
|
||||
-could possibly then add the 2 fields into the configuration using some other
|
||||
-mechanism.
|
||||
-
|
||||
-This is the default.
|
||||
-
|
||||
-=item B<-self_test_oninstall>
|
||||
-
|
||||
-The converse of B<-self_test_oninstall>. The two fields related to the
|
||||
-"test status indicator" and "MAC status indicator" are written to the
|
||||
-output configuration file.
|
||||
-
|
||||
-=item B<-quiet>
|
||||
-
|
||||
-Do not output pass/fail messages. Implies B<-noout>.
|
||||
@ -369,6 +274,11 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.
|
||||
-For normal usage the base configuration file should use the default provider
|
||||
-when generating the fips configuration file.
|
||||
-
|
||||
-The B<-self_test_oninstall> option was added and the
|
||||
-B<-self_test_onload> option was made the default in OpenSSL 3.1.
|
||||
-
|
||||
-The command and all remaining options were added in OpenSSL 3.0.
|
||||
-
|
||||
-=head1 EXAMPLES
|
||||
-
|
||||
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
|
||||
@ -404,3 +314,160 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
|
||||
index d9c22a580f..d5ec3b9a6a 100644
|
||||
--- a/doc/man1/openssl.pod
|
||||
+++ b/doc/man1/openssl.pod
|
||||
@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation.
|
||||
|
||||
Error Number to Error String Conversion.
|
||||
|
||||
-=item B<fipsinstall>
|
||||
-
|
||||
-FIPS configuration installation.
|
||||
-
|
||||
=item B<gendsa>
|
||||
|
||||
Generation of DSA Private Key from Parameters. Superseded by
|
||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||
index 714a10437b..bd05736220 100644
|
||||
--- a/doc/man5/config.pod
|
||||
+++ b/doc/man5/config.pod
|
||||
@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified.
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<ASN1_generate_nconf(3)>,
|
||||
L<EVP_set_default_properties(3)>,
|
||||
L<CONF_modules_load(3)>,
|
||||
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
|
||||
index 2255464304..1c15e32a5c 100644
|
||||
--- a/doc/man5/fips_config.pod
|
||||
+++ b/doc/man5/fips_config.pod
|
||||
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
|
||||
-is used to hold information about the FIPS module. This includes a digest
|
||||
-of the shared library file, and status about the self-testing.
|
||||
-This data is used automatically by the module itself for two
|
||||
-purposes:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item - Run the startup FIPS self-test known answer tests (KATS).
|
||||
-
|
||||
-This is normally done once, at installation time, but may also be set up to
|
||||
-run each time the module is used.
|
||||
-
|
||||
-=item - Verify the module's checksum.
|
||||
-
|
||||
-This is done each time the module is used.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-This file is generated by the L<openssl-fipsinstall(1)> program, and
|
||||
-used internally by the FIPS module during its initialization.
|
||||
-
|
||||
-The following options are supported. They should all appear in a section
|
||||
-whose name is identified by the B<fips> option in the B<providers>
|
||||
-section, as described in L<config(5)/Provider Configuration Module>.
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<activate>
|
||||
-
|
||||
-If present, the module is activated. The value assigned to this name is not
|
||||
-significant.
|
||||
-
|
||||
-=item B<install-version>
|
||||
-
|
||||
-A version number for the fips install process. Should be 1.
|
||||
-
|
||||
-=item B<conditional-errors>
|
||||
-
|
||||
-The FIPS module normally enters an internal error mode if any self test fails.
|
||||
-Once this error mode is active, no services or cryptographic algorithms are
|
||||
-accessible from this point on.
|
||||
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
|
||||
-generation, or the CRNG output test).
|
||||
-Setting this value to C<0> allows the error mode to not be triggered if any
|
||||
-continuous test fails. The default value of C<1> will trigger the error mode.
|
||||
-Regardless of the value, the operation (e.g., key generation) that called the
|
||||
-continuous test will return an error code if its continuous test fails. The
|
||||
-operation may then be retried if the error mode has not been triggered.
|
||||
-
|
||||
-=item B<security-checks>
|
||||
-
|
||||
-This indicates if run-time checks related to enforcement of security parameters
|
||||
-such as minimum security strength of keys and approved curve names are used.
|
||||
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
|
||||
-are not performed and FIPS compliance must be done by procedures documented in
|
||||
-the relevant Security Policy.
|
||||
-
|
||||
-=item B<module-mac>
|
||||
-
|
||||
-The calculated MAC of the FIPS provider file.
|
||||
-
|
||||
-=item B<install-status>
|
||||
-
|
||||
-An indicator that the self-tests were successfully run.
|
||||
-This should only be written after the module has
|
||||
-successfully passed its self tests during installation.
|
||||
-If this field is not present, then the self tests will run when the module
|
||||
-loads.
|
||||
-
|
||||
-=item B<install-mac>
|
||||
-
|
||||
-A MAC of the value of the B<install-status> option, to prevent accidental
|
||||
-changes to that value.
|
||||
-It is written-to at the same time as B<install-status> is updated.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-For example:
|
||||
-
|
||||
- [fips_sect]
|
||||
- activate = 1
|
||||
- install-version = 1
|
||||
- conditional-errors = 1
|
||||
- security-checks = 1
|
||||
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
|
||||
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
|
||||
- install-status = INSTALL_SELF_TEST_KATS_RUN
|
||||
-
|
||||
-=head1 NOTES
|
||||
-
|
||||
-When using the FIPS provider, it is recommended that the
|
||||
-B<config_diagnostics> option is enabled to prevent accidental use of
|
||||
-non-FIPS validated algorithms via broken or mistaken configuration.
|
||||
-See L<config(5)>.
|
||||
-
|
||||
-=head1 SEE ALSO
|
||||
-
|
||||
-L<config(5)>
|
||||
-L<openssl-fipsinstall(1)>
|
||||
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
|
||||
+automatically loaded when the system is booted in FIPS mode, or when the
|
||||
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
||||
+for more information.
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
index 4f908888ba..ef00247770 100644
|
||||
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are:
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<fips_config(5)>,
|
||||
L<OSSL_SELF_TEST_set_callback(3)>,
|
||||
L<OSSL_SELF_TEST_new(3)>,
|
||||
--
|
||||
2.41.0
@ -1,7 +1,26 @@
|
||||
diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
|
||||
--- openssl-3.0.1/crypto/dh/dh_key.c.fips3 2022-07-18 16:01:41.159543735 +0200
|
||||
+++ openssl-3.0.1/crypto/dh/dh_key.c 2022-07-18 16:24:30.251388248 +0200
|
||||
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *k
|
||||
From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 12:05:23 +0200
|
||||
Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch
|
||||
|
||||
Patch-name: 0044-FIPS-140-3-keychecks.patch
|
||||
Patch-id: 44
|
||||
Patch-status: |
|
||||
# Extra public/private key checks required by FIPS-140-3
|
||||
---
|
||||
crypto/dh/dh_key.c | 26 ++++++++++
|
||||
.../implementations/exchange/ecdh_exch.c | 19 ++++++++
|
||||
providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++-
|
||||
providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
|
||||
.../implementations/signature/ecdsa_sig.c | 37 +++++++++++++--
|
||||
providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
|
||||
6 files changed, 162 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||
index 4e9705beef..83773cceea 100644
|
||||
--- a/crypto/dh/dh_key.c
|
||||
+++ b/crypto/dh/dh_key.c
|
||||
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
BN_MONT_CTX *mont = NULL;
|
||||
BIGNUM *z = NULL, *pminus1;
|
||||
int ret = -1;
|
||||
@ -11,7 +30,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
|
||||
|
||||
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *k
|
||||
@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -57,25 +76,11 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
|
||||
dh->dirty_cnt++;
|
||||
ok = 1;
|
||||
err:
|
||||
diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c
|
||||
--- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100
|
||||
+++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100
|
||||
@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey
|
||||
eckey->dirty_cnt++;
|
||||
|
||||
#ifdef FIPS_MODULE
|
||||
+ if (ossl_ec_key_public_check(eckey, ctx) <= 0) {
|
||||
+ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
pairwise_test = 1;
|
||||
#endif /* FIPS_MODULE */
|
||||
|
||||
diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c
|
||||
--- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200
|
||||
@@ -488,6 +488,25 @@ int ecdh_plain_derive(void *vpecdhctx, u
|
||||
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
|
||||
index 43caedb6df..73873f9758 100644
|
||||
--- a/providers/implementations/exchange/ecdh_exch.c
|
||||
+++ b/providers/implementations/exchange/ecdh_exch.c
|
||||
@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
|
||||
}
|
||||
|
||||
ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
|
||||
@ -101,13 +106,14 @@ diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 open
|
||||
|
||||
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
|
||||
|
||||
diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
--- openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise 2023-02-20 11:44:18.451884117 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c 2023-02-20 12:39:46.037063842 +0100
|
||||
@@ -982,8 +982,17 @@ struct ec_gen_ctx {
|
||||
int selection;
|
||||
int ecdh_mode;
|
||||
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
index a37cbbdba8..bca3f3c674 100644
|
||||
--- a/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
@@ -989,8 +989,17 @@ struct ec_gen_ctx {
|
||||
EC_GROUP *gen_group;
|
||||
unsigned char *dhkem_ikm;
|
||||
size_t dhkem_ikmlen;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ void *ecdsa_sig_ctx;
|
||||
+#endif
|
||||
@ -122,10 +128,10 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope
|
||||
static void *ec_gen_init(void *provctx, int selection,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
@@ -1002,6 +1011,10 @@ static void *ec_gen_init(void *provctx,
|
||||
OPENSSL_free(gctx);
|
||||
@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection,
|
||||
gctx = NULL;
|
||||
}
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (gctx != NULL)
|
||||
+ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
|
||||
@ -133,7 +139,7 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope
|
||||
return gctx;
|
||||
}
|
||||
|
||||
@@ -1272,6 +1285,12 @@ static void *ec_gen(void *genctx, OSSL_C
|
||||
@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
||||
|
||||
if (gctx->ecdh_mode != -1)
|
||||
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
|
||||
@ -145,8 +151,8 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope
|
||||
+#endif
|
||||
|
||||
if (gctx->group_check != NULL)
|
||||
ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
|
||||
@@ -1341,7 +1359,10 @@ static void ec_gen_cleanup(void *genctx)
|
||||
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
|
||||
@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx)
|
||||
|
||||
if (gctx == NULL)
|
||||
return;
|
||||
@ -155,12 +161,70 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope
|
||||
+ ecdsa_freectx(gctx->ecdsa_sig_ctx);
|
||||
+ gctx->ecdsa_sig_ctx = NULL;
|
||||
+#endif
|
||||
OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen);
|
||||
EC_GROUP_free(gctx->gen_group);
|
||||
BN_free(gctx->p);
|
||||
BN_free(gctx->a);
|
||||
diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c
|
||||
--- openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise 2023-02-20 11:50:23.035194347 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c 2023-02-20 12:19:10.809768979 +0100
|
||||
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
|
||||
index 3ba12c4889..ff49f8fcd8 100644
|
||||
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
|
||||
@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
|
||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
||||
/* ACVP test parameters */
|
||||
OSSL_PARAM *acvp_test_params;
|
||||
+ void *prov_rsa_ctx;
|
||||
#endif
|
||||
};
|
||||
|
||||
@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
|
||||
return gctx->cb(params, gctx->cbarg);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+void *rsa_newctx(void *provctx, const char *propq);
|
||||
+void rsa_freectx(void *vctx);
|
||||
+int do_rsa_pct(void *, const char *, void *);
|
||||
+#endif
|
||||
+
|
||||
static void *gen_init(void *provctx, int selection, int rsa_type,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
|
||||
|
||||
if (!rsa_gen_set_params(gctx, params))
|
||||
goto err;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (gctx != NULL)
|
||||
+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
|
||||
+#endif
|
||||
return gctx;
|
||||
|
||||
err:
|
||||
@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
||||
|
||||
rsa = rsa_tmp;
|
||||
rsa_tmp = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Pairwise consistency test */
|
||||
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
|
||||
+ abort();
|
||||
+#endif
|
||||
err:
|
||||
BN_GENCB_free(gencb);
|
||||
RSA_free(rsa_tmp);
|
||||
@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx)
|
||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
||||
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
|
||||
gctx->acvp_test_params = NULL;
|
||||
+ rsa_freectx(gctx->prov_rsa_ctx);
|
||||
+ gctx->prov_rsa_ctx = NULL;
|
||||
#endif
|
||||
BN_clear_free(gctx->pub_exp);
|
||||
OPENSSL_free(gctx);
|
||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||
index 865d49d100..ebeb30e002 100644
|
||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||
@@ -32,7 +32,7 @@
|
||||
#include "crypto/ec.h"
|
||||
#include "prov/der_ec.h"
|
||||
@ -170,7 +234,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise
|
||||
static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
|
||||
static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
|
||||
static OSSL_FUNC_signature_sign_fn ecdsa_sign;
|
||||
@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_f
|
||||
@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
|
||||
static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
|
||||
static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
|
||||
static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
|
||||
@ -180,7 +244,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise
|
||||
static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
|
||||
static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
|
||||
@@ -104,7 +104,7 @@ typedef struct {
|
||||
#endif
|
||||
unsigned int nonce_type;
|
||||
} PROV_ECDSA_CTX;
|
||||
|
||||
-static void *ecdsa_newctx(void *provctx, const char *propq)
|
||||
@ -188,7 +252,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise
|
||||
{
|
||||
PROV_ECDSA_CTX *ctx;
|
||||
|
||||
@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx
|
||||
@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
|
||||
return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
|
||||
}
|
||||
|
||||
@ -197,7 +261,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise
|
||||
{
|
||||
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
|
||||
|
||||
@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_
|
||||
@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
|
||||
return EVP_MD_settable_ctx_params(ctx->md);
|
||||
}
|
||||
|
||||
@ -233,66 +297,11 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise
|
||||
const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
|
||||
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
|
||||
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
|
||||
diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c
|
||||
--- openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise 2023-02-20 16:04:27.103364713 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c 2023-02-20 16:14:13.848119419 +0100
|
||||
@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
|
||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
||||
/* ACVP test parameters */
|
||||
OSSL_PARAM *acvp_test_params;
|
||||
+ void *prov_rsa_ctx;
|
||||
#endif
|
||||
};
|
||||
|
||||
@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GE
|
||||
return gctx->cb(params, gctx->cbarg);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+void *rsa_newctx(void *provctx, const char *propq);
|
||||
+void rsa_freectx(void *vctx);
|
||||
+int do_rsa_pct(void *, const char *, void *);
|
||||
+#endif
|
||||
+
|
||||
static void *gen_init(void *provctx, int selection, int rsa_type,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int
|
||||
|
||||
if (!rsa_gen_set_params(gctx, params))
|
||||
goto err;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (gctx != NULL)
|
||||
+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
|
||||
+#endif
|
||||
return gctx;
|
||||
|
||||
err:
|
||||
@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_
|
||||
|
||||
rsa = rsa_tmp;
|
||||
rsa_tmp = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Pairwise consistency test */
|
||||
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
|
||||
+ abort();
|
||||
+#endif
|
||||
err:
|
||||
BN_GENCB_free(gencb);
|
||||
RSA_free(rsa_tmp);
|
||||
@@ -645,6 +662,8 @@ static void rsa_gen_cleanup(void *genctx
|
||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
||||
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
|
||||
gctx->acvp_test_params = NULL;
|
||||
+ rsa_freectx(gctx->prov_rsa_ctx);
|
||||
+ gctx->prov_rsa_ctx = NULL;
|
||||
#endif
|
||||
BN_clear_free(gctx->pub_exp);
|
||||
OPENSSL_free(gctx);
|
||||
diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/rsa_sig.c
|
||||
--- openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise 2023-02-20 16:04:22.548327811 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/signature/rsa_sig.c 2023-02-20 16:17:50.064871695 +0100
|
||||
@@ -36,7 +36,7 @@
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index cd5de6bd51..d4261e8f7d 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -34,7 +34,7 @@
|
||||
|
||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
||||
|
||||
@ -301,7 +310,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op
|
||||
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
||||
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
|
||||
static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
|
||||
@@ -49,7 +49,7 @@ static OSSL_FUNC_signature_digest_sign_f
|
||||
@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
|
||||
static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
|
||||
static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
|
||||
static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
|
||||
@ -310,7 +319,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op
|
||||
static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
|
||||
static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
|
||||
static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
|
||||
@@ -172,7 +172,7 @@ static int rsa_check_parameters(PROV_RSA
|
||||
@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -319,7 +328,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = NULL;
|
||||
char *propq_copy = NULL;
|
||||
@@ -990,7 +990,7 @@ int rsa_digest_verify_final(void *vprsac
|
||||
@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
|
||||
return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
|
||||
}
|
||||
|
||||
@ -328,7 +337,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
|
||||
@@ -1504,6 +1504,45 @@ static const OSSL_PARAM *rsa_settable_ct
|
||||
@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
|
||||
return EVP_MD_settable_ctx_params(prsactx->md);
|
||||
}
|
||||
|
||||
@ -388,3 +397,6 @@ index e0d139d..35f23b2 100644
|
||||
}
|
||||
}
|
||||
return ok;
|
||||
--
|
||||
2.41.0
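Review bot: In the rsa_kmgmt.c hunks the new `prov_rsa_ctx` member is declared and freed under `#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)`, while gen_init and rsa_gen access it under a bare `#ifdef FIPS_MODULE`, so a FIPS build configured with no-acvp-tests would not compile; both guards should agree, e.g. `#ifdef FIPS_MODULE` around the declaration and around the `rsa_freectx()` call in rsa_gen_cleanup. The `rsa_newctx(provctx, NULL)` result in gen_init is never checked, so an allocation failure is only noticed when `do_rsa_pct()` fails and rsa_gen calls `abort()`; `if ((gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL)) == NULL) goto err;` would report it at the source, and the same applies to `ecdsa_newctx()` in ec_gen_init. The ec_key.c hunk adding `ossl_ec_key_public_check()` after generation is present only in the old `diff -up` form of the patch and is absent from the rebased diffstat; if it was dropped rather than absorbed upstream, generated EC keys are no longer validated there — worth confirming. The bodies of gen_init and rsa_gen extend outside their hunks.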
@ -1,7 +1,22 @@
|
||||
diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c
|
||||
--- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100
|
||||
+++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100
|
||||
@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Thu, 19 Oct 2023 13:12:40 +0200
|
||||
Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch
|
||||
|
||||
Patch-name: 0047-FIPS-early-KATS.patch
|
||||
Patch-id: 47
|
||||
Patch-status: |
|
||||
# # Execute KATS before HMAC verification
|
||||
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
|
||||
---
|
||||
providers/fips/self_test.c | 22 ++++++++++------------
|
||||
1 file changed, 10 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
||||
index e3a629018a..3c09bd8638 100644
|
||||
--- a/providers/fips/self_test.c
|
||||
+++ b/providers/fips/self_test.c
|
||||
@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
if (ev == NULL)
|
||||
goto end;
|
||||
|
||||
@ -15,14 +30,13 @@ diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/provid
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (st->module_checksum_data == NULL) {
|
||||
module_checksum = fips_hmac_container;
|
||||
checksum_len = sizeof(fips_hmac_container);
|
||||
@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
kats_already_passed = 1;
|
||||
}
|
||||
}
|
||||
-
|
||||
- /*
|
||||
- * Only runs the KAT's during installation OR on_demand().
|
||||
- * NOTE: If the installation option 'self_test_onload' is chosen then this
|
||||
@ -34,6 +48,10 @@ diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/provid
|
||||
- goto end;
|
||||
- }
|
||||
- }
|
||||
ok = 1;
|
||||
end:
|
||||
OSSL_SELF_TEST_free(ev);
|
||||
-
|
||||
/* Verify that the RNG has been restored properly */
|
||||
rng = ossl_rand_get0_private_noncreating(st->libctx);
|
||||
if (rng != NULL)
|
||||
--
|
||||
2.41.0
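Review bot: The removed block at the end of SELF_TEST_post carried the only comment explaining when the KATs run, and the relocated early block in the first hunk (only its closing braces and the following `module_checksum_data` check are visible) gets no replacement comment. A one-line comment above the relocated block, e.g. `/* Run the KATs before the module integrity check so the HMAC implementation is itself verified before it is relied on */`, would preserve the rationale for the reordering; that reason is inferred from the patch subject, so confirm it against the module's security policy before wording it. SELF_TEST_post's body extends outside both hunks.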
@ -1,45 +1,20 @@
|
||||
From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 21 Feb 2022 17:24:44 +0100
|
||||
Subject: Selectively disallow SHA1 signatures
|
||||
From 4f9167db05cade673f98f1a00efd57136e97b460 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
||||
Subject: [PATCH 22/49] 0049-Allow-disabling-of-SHA1-signatures.patch
|
||||
|
||||
For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
|
||||
disabling SHA1 signatures. Introduce a new configuration option in the
|
||||
alg_section named 'rh-allow-sha1-signatures'. This option defaults to
|
||||
false. If set to false (or unset), any signature creation or
|
||||
verification operations that involve SHA1 as digest will fail.
|
||||
|
||||
This also affects TLS, where the signature_algorithms extension of any
|
||||
ClientHello message sent by OpenSSL will no longer include signatures
|
||||
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
|
||||
that request a client certificate, the same also applies for
|
||||
CertificateRequest messages sent by them.
|
||||
|
||||
For signatures created using the EVP_PKEY API, this is a best-effort
|
||||
check that will deny signatures in cases where the digest algorithm is
|
||||
known. This means, for example, that that following steps will still
|
||||
work:
|
||||
|
||||
$> openssl dgst -sha1 -binary -out sha1 infile
|
||||
$> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig
|
||||
$> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1
|
||||
|
||||
whereas these will not:
|
||||
|
||||
$> openssl dgst -sha1 -binary -out sha1 infile
|
||||
$> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1
|
||||
$> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1
|
||||
|
||||
This happens because in the first case, OpenSSL's signature
|
||||
implementation does not know that it is signing a SHA1 hash (it could be
|
||||
signing arbitrary data).
|
||||
|
||||
Resolves: rhbz#2031742
|
||||
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
|
||||
Patch-id: 49
|
||||
Patch-status: |
|
||||
# # Selectively disallow SHA1 signatures rhbz#2070977
|
||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||
---
|
||||
crypto/evp/evp_cnf.c | 13 ++++
|
||||
crypto/evp/m_sigver.c | 77 +++++++++++++++++++
|
||||
crypto/context.c | 14 ++++
|
||||
crypto/evp/evp_cnf.c | 13 +++
|
||||
crypto/evp/m_sigver.c | 79 +++++++++++++++++++
|
||||
crypto/evp/pmeth_lib.c | 15 ++++
|
||||
doc/man5/config.pod | 11 +++
|
||||
doc/man5/config.pod | 13 +++
|
||||
include/crypto/context.h | 3 +
|
||||
include/internal/cryptlib.h | 3 +-
|
||||
include/internal/sslconf.h | 4 +
|
||||
providers/common/securitycheck.c | 20 +++++
|
||||
@ -49,8 +24,54 @@ Resolves: rhbz#2031742
|
||||
providers/implementations/signature/rsa_sig.c | 20 ++++-
|
||||
ssl/t1_lib.c | 8 ++
|
||||
util/libcrypto.num | 2 +
|
||||
13 files changed, 188 insertions(+), 9 deletions(-)
|
||||
15 files changed, 209 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/crypto/context.c b/crypto/context.c
|
||||
index fb4816d89b..c04920fe14 100644
|
||||
--- a/crypto/context.c
|
||||
+++ b/crypto/context.c
|
||||
@@ -83,6 +83,8 @@ struct ossl_lib_ctx_st {
|
||||
void *fips_prov;
|
||||
#endif
|
||||
|
||||
+ void *legacy_digest_signatures;
|
||||
+
|
||||
unsigned int ischild:1;
|
||||
};
|
||||
|
||||
@@ -223,6 +225,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
|
||||
goto err;
|
||||
#endif
|
||||
|
||||
+ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);
|
||||
+ if (ctx->legacy_digest_signatures == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
/* Low priority. */
|
||||
#ifndef FIPS_MODULE
|
||||
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
|
||||
@@ -366,6 +372,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
|
||||
}
|
||||
#endif
|
||||
|
||||
+ if (ctx->legacy_digest_signatures != NULL) {
|
||||
+ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);
|
||||
+ ctx->legacy_digest_signatures = NULL;
|
||||
+ }
|
||||
+
|
||||
/* Low priority. */
|
||||
#ifndef FIPS_MODULE
|
||||
if (ctx->child_provider != NULL) {
|
||||
@@ -663,6 +674,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
|
||||
return ctx->fips_prov;
|
||||
#endif
|
||||
|
||||
+ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
|
||||
+ return ctx->legacy_digest_signatures;
|
||||
+
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
|
||||
index 0e7fe64cf9..b9d3b6d226 100644
|
||||
--- a/crypto/evp/evp_cnf.c
|
||||
@ -83,18 +104,20 @@ index 0e7fe64cf9..b9d3b6d226 100644
|
||||
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
|
||||
"name=%s, value=%s", oval->name, oval->value);
|
||||
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
||||
index 9188edbc21..db1a1d7bc3 100644
|
||||
index 3a979f4bd4..fd3a4b79df 100644
|
||||
--- a/crypto/evp/m_sigver.c
|
||||
+++ b/crypto/evp/m_sigver.c
|
||||
@@ -16,6 +16,71 @@
|
||||
@@ -15,6 +15,73 @@
|
||||
#include "internal/provider.h"
|
||||
#include "internal/numbers.h" /* includes SIZE_MAX */
|
||||
#include "evp_local.h"
|
||||
|
||||
+#include "crypto/context.h"
|
||||
+
|
||||
+typedef struct ossl_legacy_digest_signatures_st {
|
||||
+ int allowed;
|
||||
+} OSSL_LEGACY_DIGEST_SIGNATURES;
|
||||
+
|
||||
+static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
|
||||
+void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
|
||||
+{
|
||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
|
||||
+
|
||||
@ -103,27 +126,25 @@ index 9188edbc21..db1a1d7bc3 100644
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
|
||||
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
|
||||
+{
|
||||
+ return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
|
||||
+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
|
||||
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
|
||||
+ * because the default on Fedora is to allow SHA-1 and support disabling
|
||||
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
|
||||
+ ldsigs->allowed = 0;
|
||||
+ return ldsigs;
|
||||
+}
|
||||
+
|
||||
+static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = {
|
||||
+ OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,
|
||||
+ ossl_ctx_legacy_digest_signatures_new,
|
||||
+ ossl_ctx_legacy_digest_signatures_free,
|
||||
+};
|
||||
+
|
||||
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
|
||||
+ OSSL_LIB_CTX *libctx, int loadconfig)
|
||||
+{
|
||||
+#ifndef FIPS_MODULE
|
||||
+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
|
||||
+ return 0;
|
||||
+ return NULL;
|
||||
+#endif
|
||||
+
|
||||
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES,
|
||||
+ &ossl_ctx_legacy_digest_signatures_method);
|
||||
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);
|
||||
+}
|
||||
+
|
||||
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
|
||||
@ -137,6 +158,9 @@ index 9188edbc21..db1a1d7bc3 100644
|
||||
+ return 1;
|
||||
+ #endif
|
||||
+
|
||||
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
|
||||
+ * because the default on Fedora is to allow SHA-1 and support disabling
|
||||
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
|
||||
+ return ldsigs != NULL ? ldsigs->allowed : 0;
|
||||
+}
|
||||
+
|
||||
@ -154,11 +178,10 @@ index 9188edbc21..db1a1d7bc3 100644
|
||||
+ ldsigs->allowed = allow;
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
|
||||
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
||||
@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -253,6 +320,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
}
|
||||
}
|
||||
|
||||
@ -178,7 +201,7 @@ index 9188edbc21..db1a1d7bc3 100644
|
||||
if (signature->digest_verify_init == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
||||
index 2b9c6c2351..3c5a1e6f5d 100644
|
||||
index 268b1617e3..248f655d0f 100644
|
||||
--- a/crypto/evp/pmeth_lib.c
|
||||
+++ b/crypto/evp/pmeth_lib.c
|
||||
@@ -33,6 +33,7 @@
|
||||
@ -189,7 +212,7 @@ index 2b9c6c2351..3c5a1e6f5d 100644
|
||||
#include "evp_local.h"
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
|
||||
@@ -951,6 +952,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
|
||||
return -2;
|
||||
}
|
||||
|
||||
@ -211,7 +234,7 @@ index 2b9c6c2351..3c5a1e6f5d 100644
|
||||
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
|
||||
|
||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||
index 77a8055e81..aa1be5ca7f 100644
|
||||
index bd05736220..ed34ff4b9c 100644
|
||||
--- a/doc/man5/config.pod
|
||||
+++ b/doc/man5/config.pod
|
||||
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
|
||||
@ -232,20 +255,31 @@ index 77a8055e81..aa1be5ca7f 100644
|
||||
=item B<fips_mode> (deprecated)
|
||||
|
||||
The value is a boolean that can be B<yes> or B<no>. If the value is
|
||||
diff --git a/include/crypto/context.h b/include/crypto/context.h
|
||||
index 7369a730fb..55b74238c8 100644
|
||||
--- a/include/crypto/context.h
|
||||
+++ b/include/crypto/context.h
|
||||
@@ -46,3 +46,6 @@ void ossl_release_default_drbg_ctx(void);
|
||||
#if defined(OPENSSL_THREADS)
|
||||
void ossl_threads_ctx_free(void *);
|
||||
#endif
|
||||
+
|
||||
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *);
|
||||
+void ossl_ctx_legacy_digest_signatures_free(void *);
|
||||
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
||||
index 1291299b6e..e234341e6a 100644
|
||||
index 64851fd8ed..8e01a77ddc 100644
|
||||
--- a/include/internal/cryptlib.h
|
||||
+++ b/include/internal/cryptlib.h
|
||||
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
|
||||
# define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
|
||||
# define OSSL_LIB_CTX_BIO_CORE_INDEX 17
|
||||
@@ -117,7 +117,8 @@ typedef struct ossl_ex_data_global_st {
|
||||
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
|
||||
-# define OSSL_LIB_CTX_MAX_INDEXES 19
|
||||
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19
|
||||
+# define OSSL_LIB_CTX_MAX_INDEXES 20
|
||||
# define OSSL_LIB_CTX_THREAD_INDEX 19
|
||||
# define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
|
||||
-# define OSSL_LIB_CTX_MAX_INDEXES 20
|
||||
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21
|
||||
+# define OSSL_LIB_CTX_MAX_INDEXES 21
|
||||
|
||||
# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1
|
||||
# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0
|
||||
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
|
||||
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
|
||||
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
|
||||
index fd7f7e3331..05464b0655 100644
|
||||
--- a/include/internal/sslconf.h
|
||||
@ -260,7 +294,7 @@ index fd7f7e3331..05464b0655 100644
|
||||
+ int loadconfig);
|
||||
#endif
|
||||
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
||||
index 699ada7c52..e534ad0a5f 100644
|
||||
index 0d3acdbe56..fe694c4e96 100644
|
||||
--- a/providers/common/securitycheck.c
|
||||
+++ b/providers/common/securitycheck.c
|
||||
@@ -19,6 +19,7 @@
|
||||
@ -271,7 +305,7 @@ index 699ada7c52..e534ad0a5f 100644
|
||||
|
||||
/*
|
||||
* FIPS requires a minimum security strength of 112 bits (for encryption or
|
||||
@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
@@ -243,6 +244,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
mdnid = -1; /* disallowed by security checks */
|
||||
}
|
||||
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
@ -288,7 +322,7 @@ index 699ada7c52..e534ad0a5f 100644
|
||||
}
|
||||
|
||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||
index de7f0d3a0a..ce54a94fbc 100644
|
||||
index 246323493e..2ca7a59f39 100644
|
||||
--- a/providers/common/securitycheck_default.c
|
||||
+++ b/providers/common/securitycheck_default.c
|
||||
@@ -15,6 +15,7 @@
|
||||
@ -299,7 +333,7 @@ index de7f0d3a0a..ce54a94fbc 100644
|
||||
|
||||
/* Disable the security checks in the default provider */
|
||||
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
@@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
|
||||
}
|
||||
|
||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
@ -311,7 +345,7 @@ index de7f0d3a0a..ce54a94fbc 100644
|
||||
|
||||
static const OSSL_ITEM name_to_nid[] = {
|
||||
{ NID_md5, OSSL_DIGEST_NAME_MD5 },
|
||||
@@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
|
||||
};
|
||||
|
||||
@ -325,10 +359,10 @@ index de7f0d3a0a..ce54a94fbc 100644
|
||||
return mdnid;
|
||||
}
|
||||
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
||||
index 28fd7c498e..fa3822f39f 100644
|
||||
index b89a0f6836..e0c26a13e4 100644
|
||||
--- a/providers/implementations/signature/dsa_sig.c
|
||||
+++ b/providers/implementations/signature/dsa_sig.c
|
||||
@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
||||
@@ -125,12 +125,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
||||
mdprops = ctx->propq;
|
||||
|
||||
if (mdname != NULL) {
|
||||
@ -350,10 +384,10 @@ index 28fd7c498e..fa3822f39f 100644
|
||||
if (md == NULL || md_nid < 0) {
|
||||
if (md == NULL)
|
||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||
index 865d49d100..99b228e82c 100644
|
||||
index f158105e71..62355b89fe 100644
|
||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
||||
@@ -247,7 +247,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
||||
"%s could not be fetched", mdname);
|
||||
return 0;
|
||||
}
|
||||
@ -366,10 +400,10 @@ index 865d49d100..99b228e82c 100644
|
||||
sha1_allowed);
|
||||
if (md_nid < 0) {
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index 325e855333..bea397f0c1 100644
|
||||
index c1405f47ea..aeda1a7758 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -26,6 +26,7 @@
|
||||
@@ -25,6 +25,7 @@
|
||||
#include "internal/cryptlib.h"
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/sizes.h"
|
||||
@ -377,7 +411,7 @@ index 325e855333..bea397f0c1 100644
|
||||
#include "crypto/rsa.h"
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/implementations.h"
|
||||
@@ -34,6 +35,7 @@
|
||||
@@ -33,6 +34,7 @@
|
||||
#include "prov/securitycheck.h"
|
||||
|
||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
||||
@ -385,7 +419,7 @@ index 325e855333..bea397f0c1 100644
|
||||
|
||||
OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
||||
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
||||
@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
||||
@@ -301,10 +303,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
||||
|
||||
if (mdname != NULL) {
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
@ -403,7 +437,7 @@ index 325e855333..bea397f0c1 100644
|
||||
|
||||
if (md == NULL
|
||||
|| md_nid <= 0
|
||||
@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
@@ -1392,8 +1399,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
prsactx->pad_mode = pad_mode;
|
||||
|
||||
if (prsactx->md == NULL && pmdname == NULL
|
||||
@ -421,7 +455,7 @@ index 325e855333..bea397f0c1 100644
|
||||
if (pmgf1mdname != NULL
|
||||
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index fc32bb3556..4b74ee1a34 100644
|
||||
index 631e1fdef9..05dd7c5595 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -20,6 +20,7 @@
|
||||
@ -432,21 +466,23 @@ index fc32bb3556..4b74ee1a34 100644
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/sizes.h"
|
||||
#include "internal/tlsgroups.h"
|
||||
@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
||||
= OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
|
||||
@@ -1506,6 +1507,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
|
||||
uint16_t *tls12_sigalgs_list = NULL;
|
||||
EVP_PKEY *tmpkey = EVP_PKEY_new();
|
||||
int ret = 0;
|
||||
+ int ldsigs_allowed;
|
||||
|
||||
if (cache == NULL || tmpkey == NULL)
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -1521,6 +1523,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
|
||||
goto err;
|
||||
|
||||
ERR_set_mark();
|
||||
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
|
||||
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
|
||||
for (i = 0, lu = sigalg_lookup_tbl;
|
||||
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
|
||||
EVP_PKEY_CTX *pctx;
|
||||
@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
||||
@@ -1542,6 +1545,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
|
||||
cache[i].enabled = 0;
|
||||
continue;
|
||||
}
|
||||
@ -459,15 +495,15 @@ index fc32bb3556..4b74ee1a34 100644
|
||||
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
|
||||
cache[i].enabled = 0;
|
||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||
index 10b4e57d79..2d3c363bb0 100644
|
||||
index ef97803327..8046454025 100644
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
|
||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||
@@ -5536,3 +5536,5 @@ X509_STORE_CTX_set_get_crl 5663 3_2_0 EXIST::FUNCTION:
|
||||
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
|
||||
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
|
||||
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
|
||||
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||
--
|
||||
2.35.1
|
||||
2.44.0
|
||||
|
||||
|
@ -95,7 +95,7 @@ index 4b74ee1a34..5f089de107 100644
|
||||
- */
|
||||
- sigalgstr[0] = (sig >> 8) & 0xff;
|
||||
- sigalgstr[1] = sig & 0xff;
|
||||
- secbits = sigalg_security_bits(s->ctx, lu);
|
||||
- secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
|
||||
- if (secbits == 0 ||
|
||||
- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
|
||||
- md != NULL ? EVP_MD_get_type(md) : NID_undef,
|
||||
@ -104,8 +104,8 @@ index 4b74ee1a34..5f089de107 100644
|
||||
- return 0;
|
||||
+
|
||||
+ if (lu->hash == NID_sha1
|
||||
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
|
||||
+ && SSL_get_security_level(s) < 3) {
|
||||
+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
|
||||
+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
|
||||
+ /* when rh-allow-sha1-signatures = yes and security level <= 2,
|
||||
+ * explicitly allow SHA1 for backwards compatibility */
|
||||
+ } else {
|
||||
@ -115,7 +115,7 @@ index 4b74ee1a34..5f089de107 100644
|
||||
+ */
|
||||
+ sigalgstr[0] = (sig >> 8) & 0xff;
|
||||
+ sigalgstr[1] = sig & 0xff;
|
||||
+ secbits = sigalg_security_bits(s->ctx, lu);
|
||||
+ secbits = sigalg_security_bits(s->session_ctx, lu);
|
||||
+ if (secbits == 0 ||
|
||||
+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
|
||||
+ md != NULL ? EVP_MD_get_type(md) : NID_undef,
|
||||
@ -131,15 +131,15 @@ index 4b74ee1a34..5f089de107 100644
|
||||
}
|
||||
|
||||
+ if (lu->hash == NID_sha1
|
||||
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
|
||||
+ && SSL_get_security_level(s) < 3) {
|
||||
+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
|
||||
+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
|
||||
+ /* when rh-allow-sha1-signatures = yes and security level <= 2,
|
||||
+ * explicitly allow SHA1 for backwards compatibility */
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
/* Finally see if security callback allows it */
|
||||
secbits = sigalg_security_bits(s->ctx, lu);
|
||||
secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
|
||||
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
|
||||
@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||
{
|
||||
@ -147,9 +147,9 @@ index 4b74ee1a34..5f089de107 100644
|
||||
int secbits, nid, pknid;
|
||||
+ OSSL_LIB_CTX *libctx = NULL;
|
||||
+
|
||||
|
||||
/* Don't check signature if self signed */
|
||||
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
|
||||
return 1;
|
||||
@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||
/* If digest NID not defined use signature NID */
|
||||
if (nid == NID_undef)
|
||||
@ -159,21 +159,21 @@ index 4b74ee1a34..5f089de107 100644
|
||||
+ libctx = x->libctx;
|
||||
+ else if (ctx && ctx->libctx)
|
||||
+ libctx = ctx->libctx;
|
||||
+ else if (s && s->ctx && s->ctx->libctx)
|
||||
+ libctx = s->ctx->libctx;
|
||||
+ else if (s && s->session_ctx && s->session_ctx->libctx)
|
||||
+ libctx = s->session_ctx->libctx;
|
||||
+ else
|
||||
+ libctx = OSSL_LIB_CTX_get0_global_default();
|
||||
+
|
||||
+ if (nid == NID_sha1
|
||||
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
|
||||
+ && ((s != NULL && SSL_get_security_level(s) < 3)
|
||||
+ && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3)
|
||||
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
|
||||
+ ))
|
||||
+ /* When rh-allow-sha1-signatures = yes and security level <= 2,
|
||||
+ * explicitly allow SHA1 for backwards compatibility. */
|
||||
+ return 1;
|
||||
+
|
||||
if (s)
|
||||
if (s != NULL)
|
||||
return ssl_security(s, op, secbits, nid, x);
|
||||
else
|
||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
||||
@ -184,8 +184,8 @@ index 700bbd849c..2de1d76b5e 100644
|
||||
run(app([@args]));
|
||||
}
|
||||
|
||||
-plan tests => 163;
|
||||
+plan tests => 162;
|
||||
-plan tests => 193;
|
||||
+plan tests => 192;
|
||||
|
||||
# Canonical success
|
||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
||||
@ -203,4 +203,3 @@ index 700bbd849c..2de1d76b5e 100644
|
||||
"PSS signature using SHA256 and auth level 2");
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
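Review bot: The early `return 1;` placed just before `/* Finally see if security callback allows it */` in the t1_lib.c hunk, and the matching early return in `ssl_security_cert_sig`, exit before `ssl_security()` is consulted, so an application-installed security callback is never asked about a SHA-1 sigalg or certificate signature while rh-allow-sha1-signatures is enabled and the security level is below 3; the rebase carries this over unchanged without documenting it. The inline comment should say so, e.g. `/* when rh-allow-sha1-signatures = yes and security level <= 2, allow SHA1 unconditionally; note this also bypasses any SSL security callback */`. The rebase switches the library-context lookup from `s->ctx->libctx` to `s->session_ctx->libctx` in the sigalg check and adds the same `s->session_ctx` fallback in `ssl_security_cert_sig`; it looks consistent, but it is worth confirming that `session_ctx` is the context whose configuration the user expects to govern here. The enclosing functions start and end outside the visible hunks.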
@ -1,13 +1,12 @@
|
||||
diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
|
||||
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
|
||||
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
|
||||
@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex
|
||||
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||
@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex
|
||||
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
|
||||
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
|
||||
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
|
||||
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||
ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||
ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||
diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
|
||||
|
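Review bot: The rewritten hunk header `@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex` keeps the 3.0-era line offset and function hint although its context lines (`X509_STORE_CTX_set_current_reasons 5664`, `BIO_ADDR_copy 5666`) now come from the 3.2.2 symbol table, where the sibling patch in this commit places the same region at `@@ -5536,3 +5536,5 @@ X509_STORE_CTX_set_get_crl`. `patch` and `git apply` will locate the context by offset, but a stale header makes the patch harder to audit and more likely to land in the wrong place should the context ever match twice, so regenerating the header against the 3.2.2 file is safer. Because the outer +/- markers are lost in this rendering I cannot tell whether the change from 6/8 to 5/7 lines reflects a dropped context line or a miscount; the counts should be verified when the header is regenerated.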
@ -1,6 +1,25 @@
|
||||
diff -up openssl-3.0.1/providers/common/securitycheck.c.rsaenc openssl-3.0.1/providers/common/securitycheck.c
|
||||
--- openssl-3.0.1/providers/common/securitycheck.c.rsaenc 2022-06-24 17:14:33.634692729 +0200
|
||||
+++ openssl-3.0.1/providers/common/securitycheck.c 2022-06-24 17:16:08.966540605 +0200
|
||||
From 012e319b3d5b936a9208b1c75c13d9c4a2d0cc04 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
||||
Subject: [PATCH 24/49] 0058-FIPS-limit-rsa-encrypt.patch
|
||||
|
||||
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
|
||||
Patch-id: 58
|
||||
Patch-status: |
|
||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||
---
|
||||
providers/common/securitycheck.c | 1 +
|
||||
.../implementations/asymciphers/rsa_enc.c | 35 +++++
|
||||
.../30-test_evp_data/evppkey_rsa_common.txt | 140 +++++++++++++-----
|
||||
test/recipes/80-test_cms.t | 5 +-
|
||||
test/recipes/80-test_ssl_old.t | 27 +++-
|
||||
5 files changed, 168 insertions(+), 40 deletions(-)
|
||||
|
||||
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
||||
index fe694c4e96..f635b5aec8 100644
|
||||
--- a/providers/common/securitycheck.c
|
||||
+++ b/providers/common/securitycheck.c
|
||||
@@ -27,6 +27,7 @@
|
||||
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
|
||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
|
||||
@ -9,10 +28,11 @@ diff -up openssl-3.0.1/providers/common/securitycheck.c.rsaenc openssl-3.0.1/pro
|
||||
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
|
||||
{
|
||||
int protect = 0;
|
||||
diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c
|
||||
--- openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad 2022-05-02 16:04:47.000091901 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c 2022-05-02 16:14:50.922443581 +0200
|
||||
@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsac
|
||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||||
index 71bfa344d4..d548560f1f 100644
|
||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||
@@ -135,6 +135,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa,
|
||||
return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
|
||||
}
|
||||
|
||||
@ -30,7 +50,7 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa
|
||||
static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
size_t outsize, const unsigned char *in, size_t inlen)
|
||||
{
|
||||
@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, u
|
||||
@@ -144,6 +155,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
|
||||
@ -49,7 +69,7 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa
|
||||
if (out == NULL) {
|
||||
size_t len = RSA_size(prsactx->rsa);
|
||||
|
||||
@@ -202,6 +220,18 @@ static int rsa_decrypt(void *vprsactx, u
|
||||
@@ -206,6 +229,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
|
||||
@ -68,75 +88,11 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa
|
||||
if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
|
||||
if (out == NULL) {
|
||||
*outlen = SSL_MAX_MASTER_KEY_LENGTH;
|
||||
diff -up openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_cms.t
|
||||
--- openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad 2022-05-02 17:04:07.610782138 +0200
|
||||
+++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-02 17:06:03.595814620 +0200
|
||||
@@ -232,7 +232,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
|
||||
+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
||||
"-aes256", "-stream", "-out", "{output}.cms",
|
||||
$smrsa1,
|
||||
@@ -865,5 +865,8 @@ sub check_availability {
|
||||
return "$tnam: skipped, DSA disabled\n"
|
||||
if ($no_dsa && $tnam =~ / DSA/);
|
||||
|
||||
+ return "$tnam: skipped, Red Hat FIPS\n"
|
||||
+ if ($tnam =~ /no Red Hat FIPS/);
|
||||
+
|
||||
return "";
|
||||
}
|
||||
diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_ssl_old.t
|
||||
--- openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad 2022-05-02 17:26:37.962838053 +0200
|
||||
+++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-02 17:34:20.297950449 +0200
|
||||
@@ -483,6 +483,18 @@ sub testssl {
|
||||
# the default choice if TLSv1.3 enabled
|
||||
my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
|
||||
my $ciphersuites = "";
|
||||
+ my %redhat_skip_cipher = map {$_ => 1} qw(
|
||||
+AES256-GCM-SHA384:@SECLEVEL=0
|
||||
+AES256-CCM8:@SECLEVEL=0
|
||||
+AES256-CCM:@SECLEVEL=0
|
||||
+AES128-GCM-SHA256:@SECLEVEL=0
|
||||
+AES128-CCM8:@SECLEVEL=0
|
||||
+AES128-CCM:@SECLEVEL=0
|
||||
+AES256-SHA256:@SECLEVEL=0
|
||||
+AES128-SHA256:@SECLEVEL=0
|
||||
+AES256-SHA:@SECLEVEL=0
|
||||
+AES128-SHA:@SECLEVEL=0
|
||||
+ );
|
||||
foreach my $cipher (@{$ciphersuites{$protocol}}) {
|
||||
if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
|
||||
note "*****SKIPPING $protocol $cipher";
|
||||
@@ -494,11 +506,16 @@ sub testssl {
|
||||
} else {
|
||||
$cipher = $cipher.':@SECLEVEL=0';
|
||||
}
|
||||
- ok(run(test([@ssltest, @exkeys, "-cipher",
|
||||
- $cipher,
|
||||
- "-ciphersuites", $ciphersuites,
|
||||
- $flag || ()])),
|
||||
- "Testing $cipher");
|
||||
+ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
|
||||
+ note "*****SKIPPING $cipher in Red Hat FIPS mode";
|
||||
+ ok(1);
|
||||
+ } else {
|
||||
+ ok(run(test([@ssltest, @exkeys, "-cipher",
|
||||
+ $cipher,
|
||||
+ "-ciphersuites", $ciphersuites,
|
||||
+ $flag || ()])),
|
||||
+ "Testing $cipher");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
next if $protocol eq "-tls1_3";
|
||||
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen 2022-06-16 14:26:19.383530498 +0200
|
||||
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2022-06-16 14:39:53.637777701 +0200
|
||||
@@ -263,12 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
|
||||
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
index 76ddc1ec60..62d55308b0 100644
|
||||
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377
|
||||
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
||||
|
||||
# RSA decrypt
|
||||
@ -146,12 +102,394 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Input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
|
||||
Output = "Hello World"
|
||||
|
||||
# Corrupted ciphertext
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# Note: disable the Bleichenbacher workaround to see if it passes
|
||||
Decrypt = RSA-2048
|
||||
Input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
|
||||
Ctrl = rsa_pkcs1_implicit_rejection:0
|
||||
@@ -262,7 +262,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70
|
||||
Output = "Hello World"
|
||||
@@ -665,36 +666,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# Corrupted ciphertext
|
||||
# Note: output is generated synthethically by the Bleichenbacher workaround
|
||||
Decrypt = RSA-2048
|
||||
@@ -270,7 +270,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70
|
||||
Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# Corrupted ciphertext
|
||||
# Note: disable the Bleichenbacher workaround to see if it fails
|
||||
Decrypt = RSA-2048
|
||||
@@ -345,82 +345,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC
|
||||
# RSA decrypt
|
||||
|
||||
# a random positive test case
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = "lorem ipsum dolor sit amet"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test case decrypting to empty
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output =
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# invalid decrypting to max length message
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
# invalid decrypting to message with length specified by second to last value from PRF
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354
|
||||
Output = 0f9b
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# invalid decrypting to message with length specified by third to last value from PRF
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = 4f02
|
||||
|
||||
# positive test with 11 byte long value
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test with 11 byte long value and zero padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test with 11 byte long value and zero truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test with 11 byte long value and double zero padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test with 11 byte long value and double zero truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive that generates a 0 byte long synthetic message internally
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive that generates a 245 byte long synthetic message internally
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test that generates an 11 byte long message
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 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
|
||||
Output = af9ac70191c92413cb9f2d
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise correct plaintext, but with wrong first byte
|
||||
# (0x01 instead of 0x00), generates a random 11 byte long plaintext
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -428,7 +436,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc
|
||||
Output = a1f8c9255c35cfba403ccc
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise correct plaintext, but with wrong second byte
|
||||
# (0x01 instead of 0x02), generates a random 11 byte long plaintext
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -436,7 +444,7 @@ Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d
|
||||
Output = e6d700309ca0ed62452254
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an invalid ciphertext, with a zero byte in first byte of
|
||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
||||
# plaintext
|
||||
@@ -445,7 +453,7 @@ Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2a
|
||||
Output = ba27b1842e7c21c0e7ef6a
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an invalid ciphertext, with a zero byte removed from first byte of
|
||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
||||
# plaintext
|
||||
@@ -454,7 +462,7 @@ Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3
|
||||
Output = ba27b1842e7c21c0e7ef6a
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an invalid ciphertext, with two zero bytes in first bytes of
|
||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
||||
# plaintext
|
||||
@@ -463,7 +471,7 @@ Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f
|
||||
Output = d5cf555b1d6151029a429a
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an invalid ciphertext, with two zero bytes removed from first bytes of
|
||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
||||
# plaintext
|
||||
@@ -472,7 +480,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c
|
||||
Output = d5cf555b1d6151029a429a
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# and invalid ciphertext, otherwise valid but starting with 000002, decrypts
|
||||
# to random 11 byte long synthetic plaintext
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -480,7 +488,7 @@ Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802
|
||||
Output = 3d4a054d9358209e9cbbb9
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# negative test with otherwise valid padding but a zero byte in first byte
|
||||
# of padding
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -488,7 +496,7 @@ Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a94
|
||||
Output = 1f037dd717b07d3e7f7359
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# negative test with otherwise valid padding but a zero byte at the eighth
|
||||
# byte of padding
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -496,7 +504,7 @@ Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a9646
|
||||
Output = 63cb0bf65fc8255dd29e17
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# negative test with an otherwise valid plaintext but with missing separator
|
||||
# byte
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -551,53 +559,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
|
||||
# RSA decrypt
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# malformed that generates length specified by 3rd last value from PRF
|
||||
Decrypt = RSA-2049
|
||||
Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894
|
||||
Output = 42
|
||||
|
||||
# simple positive test case
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test case with null padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test case with null truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test case with double null padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test case with double null truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = 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
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test case that generates an 11 byte long message
|
||||
Decrypt = RSA-2049
|
||||
Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca
|
||||
Output = 1189b6f5498fd6df532b00
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
|
||||
Decrypt = RSA-2049
|
||||
Input = 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
|
||||
Output = f6d0f5b78082fe61c04674
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
|
||||
Decrypt = RSA-2049
|
||||
Input = 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
|
||||
@@ -661,14 +674,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE=
|
||||
PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random invalid ciphertext that generates an empty synthetic one
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
Output =
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random invalid that has PRF output with a length one byte too long
|
||||
# in the last value
|
||||
Decrypt = RSA-3072
|
||||
@@ -676,46 +689,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa
|
||||
Output = 56a3bea054e01338be9b7d7957539c
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random invalid that generates a synthetic of maximum size
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
Output = 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
|
||||
|
||||
# a positive test case that decrypts to 9 byte long value
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
Output = "forty two"
|
||||
|
||||
# a positive test case with null padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
Output = "forty two"
|
||||
|
||||
# a positive test case with null truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
|
||||
Output = "forty two"
|
||||
|
||||
# a positive test case with double null padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
Output = "forty two"
|
||||
|
||||
# a positive test case with double null truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
Output = "forty two"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test case that generates a 9 byte long message
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
Output = 257906ca6de8307728
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test case that generates a 9 byte long message based on
|
||||
# second to last value from PRF
|
||||
Decrypt = RSA-3072
|
||||
@@ -723,7 +741,7 @@ Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a0
|
||||
Output = 043383c929060374ed
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test that generates message based on 3rd last value from
|
||||
# PRF
|
||||
Decrypt = RSA-3072
|
||||
@@ -731,35 +749,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf48
|
||||
Output = 70263fa6050534b9e0
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
|
||||
Decrypt = RSA-3072
|
||||
Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62
|
||||
Output = 6d8d3a094ff3afff4c
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
|
||||
Decrypt = RSA-3072
|
||||
Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936
|
||||
Output = c6ae80ffa80bc184b0
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with zero byte in first byte of padding
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
Output = a8a9301daa01bb25c7
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with zero byte in eight byte of padding
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
Output = 6c716fe01d44398018
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with null separator missing
|
||||
Decrypt = RSA-3072
|
||||
Input = 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
|
||||
@@ -1106,36 +1124,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2
|
||||
h90qjKHS9PvY4Q==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
@ -194,7 +532,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -719,36 +726,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64
|
||||
@@ -1160,36 +1184,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8
|
||||
eG2e4XlBcKjI6A==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
@ -237,7 +575,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -773,36 +786,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W
|
||||
@@ -1214,36 +1244,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z
|
||||
Ya4qnqZe1onjY5o=
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
@ -280,7 +618,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -827,36 +846,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/
|
||||
@@ -1268,36 +1304,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq
|
||||
aD0x7TDrmEvkEro=
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
@ -323,7 +661,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -881,36 +906,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/
|
||||
@@ -1322,36 +1364,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B
|
||||
MSwGUGLx60i3nRyDyw==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
@ -366,7 +704,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -935,36 +966,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq
|
||||
@@ -1376,36 +1424,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC
|
||||
Yejn5Ly8mU2q+jBcRQ==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
@ -409,7 +747,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -989,36 +1026,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4
|
||||
@@ -1430,36 +1484,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS
|
||||
FMlxv0gq65dqc3DC
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
@ -452,7 +790,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -1043,36 +1086,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E
|
||||
@@ -1484,36 +1544,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM
|
||||
2MiPa249Z+lh3Luj0A==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
@ -495,7 +833,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -1103,36 +1152,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc
|
||||
@@ -1544,36 +1610,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo
|
||||
tKo5Eb69iFQvBb4=
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
@ -538,3 +876,74 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index 4e368c730b..879d5d76eb 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -235,7 +235,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
|
||||
+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
||||
"-aes256", "-stream", "-out", "{output}.cms",
|
||||
$smrsa1,
|
||||
@@ -1118,6 +1118,9 @@ sub check_availability {
|
||||
return "$tnam: skipped, DSA disabled\n"
|
||||
if ($no_dsa && $tnam =~ / DSA/);
|
||||
|
||||
+ return "$tnam: skipped, Red Hat FIPS\n"
|
||||
+ if ($tnam =~ /no Red Hat FIPS/);
|
||||
+
|
||||
return "";
|
||||
}
|
||||
|
||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
||||
index e2dcb68fb5..0775112b40 100644
|
||||
--- a/test/recipes/80-test_ssl_old.t
|
||||
+++ b/test/recipes/80-test_ssl_old.t
|
||||
@@ -493,6 +493,18 @@ sub testssl {
|
||||
# the default choice if TLSv1.3 enabled
|
||||
my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
|
||||
my $ciphersuites = "";
|
||||
+ my %redhat_skip_cipher = map {$_ => 1} qw(
|
||||
+AES256-GCM-SHA384:@SECLEVEL=0
|
||||
+AES256-CCM8:@SECLEVEL=0
|
||||
+AES256-CCM:@SECLEVEL=0
|
||||
+AES128-GCM-SHA256:@SECLEVEL=0
|
||||
+AES128-CCM8:@SECLEVEL=0
|
||||
+AES128-CCM:@SECLEVEL=0
|
||||
+AES256-SHA256:@SECLEVEL=0
|
||||
+AES128-SHA256:@SECLEVEL=0
|
||||
+AES256-SHA:@SECLEVEL=0
|
||||
+AES128-SHA:@SECLEVEL=0
|
||||
+ );
|
||||
foreach my $cipher (@{$ciphersuites{$protocol}}) {
|
||||
if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
|
||||
note "*****SKIPPING $protocol $cipher";
|
||||
@@ -504,11 +516,16 @@ sub testssl {
|
||||
} else {
|
||||
$cipher = $cipher.':@SECLEVEL=0';
|
||||
}
|
||||
- ok(run(test([@ssltest, @exkeys, "-cipher",
|
||||
- $cipher,
|
||||
- "-ciphersuites", $ciphersuites,
|
||||
- $flag || ()])),
|
||||
- "Testing $cipher");
|
||||
+ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
|
||||
+ note "*****SKIPPING $cipher in Red Hat FIPS mode";
|
||||
+ ok(1);
|
||||
+ } else {
|
||||
+ ok(run(test([@ssltest, @exkeys, "-cipher",
|
||||
+ $cipher,
|
||||
+ "-ciphersuites", $ciphersuites,
|
||||
+ $flag || ()])),
|
||||
+ "Testing $cipher");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
next if $protocol eq "-tls1_3";
|
||||
--
|
||||
2.44.0
|
||||
|
||||
|
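Review bot: In the 80-test_cms.t hunk `@@ -1118,6 +1118,9 @@ sub check_availability`, the new early return `return "$tnam: skipped, Red Hat FIPS\n" if ($tnam =~ /no Red Hat FIPS/);` is not gated on the FIPS provider actually being in use, so the renamed "enveloped content ... 3 recipients, no Red Hat FIPS" case is skipped in every provider configuration and that S/MIME enveloped-data path loses coverage in the default build as well. The condition should be ANDed with whatever flag the recipe already uses to detect the FIPS provider, following the `$no_dsa && ...` pattern on the line above it and the way the 80-test_ssl_old.t hunk keys its skip on `$provider eq "fips"`; `check_availability` begins before the hunk, so the available flags are not visible here. In 80-test_ssl_old.t, `ok(1);` records each skipped cipher as an anonymous pass, which hides the skip in TAP output; prefer `ok(1, "Skipped $cipher in Red Hat FIPS mode");` or a `SKIP:` block with `skip`. A one-line comment above `my %redhat_skip_cipher` recording why these ten RSA-key-exchange suites are excluded under the FIPS provider would also spare the next rebase a guess, and since the hash is declared inside what appears to be the per-protocol loop, it could be hoisted to file scope.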
@ -1,420 +0,0 @@
|
||||
diff -up openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_backend.c
|
||||
--- openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature 2022-04-04 15:49:24.786455707 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ec_backend.c 2022-04-04 16:06:13.250271963 +0200
|
||||
@@ -393,6 +393,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con
|
||||
const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *priv_key = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ const OSSL_PARAM *param_sign_kat_k = NULL;
|
||||
+ BIGNUM *sign_kat_k = NULL;
|
||||
+#endif
|
||||
unsigned char *pub_key = NULL;
|
||||
size_t pub_key_len;
|
||||
const EC_GROUP *ecg = NULL;
|
||||
@@ -408,7 +412,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con
|
||||
if (include_private)
|
||||
param_priv_key =
|
||||
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
|
||||
-
|
||||
+#ifdef FIPS_MODULE
|
||||
+ param_sign_kat_k =
|
||||
+ OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K);
|
||||
+#endif
|
||||
ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -481,6 +489,17 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con
|
||||
&& !EC_KEY_set_public_key(ec, pub_point))
|
||||
goto err;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (param_sign_kat_k) {
|
||||
+ if ((sign_kat_k = BN_secure_new()) == NULL)
|
||||
+ goto err;
|
||||
+ BN_set_flags(sign_kat_k, BN_FLG_CONSTTIME);
|
||||
+
|
||||
+ if (!OSSL_PARAM_get_BN(param_sign_kat_k, &sign_kat_k))
|
||||
+ goto err;
|
||||
+ ec->sign_kat_k = sign_kat_k;
|
||||
+ }
|
||||
+#endif
|
||||
ok = 1;
|
||||
|
||||
err:
|
||||
diff -up openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature openssl-3.0.1/crypto/ec/ecdsa_ossl.c
|
||||
--- openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature 2022-04-04 17:01:35.725323127 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ecdsa_ossl.c 2022-04-04 17:03:42.000427050 +0200
|
||||
@@ -20,6 +20,10 @@
|
||||
#include "crypto/bn.h"
|
||||
#include "ec_local.h"
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+extern int REDHAT_FIPS_signature_st;
|
||||
+#endif
|
||||
+
|
||||
int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
|
||||
BIGNUM **rp)
|
||||
{
|
||||
@@ -126,6 +130,11 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
||||
goto err;
|
||||
|
||||
do {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) {
|
||||
+ BN_copy(k, eckey->sign_kat_k);
|
||||
+ } else {
|
||||
+#endif
|
||||
/* get random k */
|
||||
do {
|
||||
if (dgst != NULL) {
|
||||
@@ -141,7 +150,9 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
||||
}
|
||||
}
|
||||
} while (BN_is_zero(k));
|
||||
-
|
||||
+#ifdef FIPS_MODULE
|
||||
+ }
|
||||
+#endif
|
||||
/* compute r the x-coordinate of generator * k */
|
||||
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_key.c
|
||||
--- openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature 2022-04-04 13:48:52.231172299 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ec_key.c 2022-04-04 14:00:35.077368605 +0200
|
||||
@@ -97,6 +97,9 @@ void EC_KEY_free(EC_KEY *r)
|
||||
EC_GROUP_free(r->group);
|
||||
EC_POINT_free(r->pub_key);
|
||||
BN_clear_free(r->priv_key);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ BN_clear_free(r->sign_kat_k);
|
||||
+#endif
|
||||
OPENSSL_free(r->propq);
|
||||
|
||||
OPENSSL_clear_free((void *)r, sizeof(EC_KEY));
|
||||
diff -up openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature openssl-3.0.1/crypto/ec/ec_local.h
|
||||
--- openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature 2022-04-04 13:46:57.576161867 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ec_local.h 2022-04-04 13:48:07.827780835 +0200
|
||||
@@ -298,6 +298,9 @@ struct ec_key_st {
|
||||
#ifndef FIPS_MODULE
|
||||
CRYPTO_EX_DATA ex_data;
|
||||
#endif
|
||||
+#ifdef FIPS_MODULE
|
||||
+ BIGNUM *sign_kat_k;
|
||||
+#endif
|
||||
CRYPTO_RWLOCK *lock;
|
||||
OSSL_LIB_CTX *libctx;
|
||||
char *propq;
|
||||
diff -up openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature openssl-3.0.1/include/openssl/core_names.h
|
||||
--- openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature 2022-04-04 14:06:15.717370014 +0200
|
||||
+++ openssl-3.0.1/include/openssl/core_names.h 2022-04-04 14:07:35.376071229 +0200
|
||||
@@ -293,6 +293,7 @@ extern "C" {
|
||||
#define OSSL_PKEY_PARAM_DIST_ID "distid"
|
||||
#define OSSL_PKEY_PARAM_PUB_KEY "pub"
|
||||
#define OSSL_PKEY_PARAM_PRIV_KEY "priv"
|
||||
+#define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k"
|
||||
|
||||
/* Diffie-Hellman/DSA Parameters */
|
||||
#define OSSL_PKEY_PARAM_FFC_P "p"
|
||||
diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature 2022-04-04 14:21:03.043180906 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-04-04 14:38:33.949406645 +0200
|
||||
@@ -530,7 +530,8 @@ end:
|
||||
# define EC_IMEXPORTABLE_PUBLIC_KEY \
|
||||
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
|
||||
# define EC_IMEXPORTABLE_PRIVATE_KEY \
|
||||
- OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), \
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, NULL, 0)
|
||||
# define EC_IMEXPORTABLE_OTHER_PARAMETERS \
|
||||
OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL), \
|
||||
OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, NULL)
|
||||
diff -up openssl-3.0.1/providers/fips/self_test_kats.c.kat openssl-3.0.1/providers/fips/self_test_kats.c
|
||||
--- openssl-3.0.1/providers/fips/self_test_kats.c.kat 2022-05-10 15:10:32.502185265 +0200
|
||||
+++ openssl-3.0.1/providers/fips/self_test_kats.c 2022-05-10 15:13:21.465653720 +0200
|
||||
@@ -17,6 +17,8 @@
|
||||
#include "self_test.h"
|
||||
#include "self_test_data.inc"
|
||||
|
||||
+int REDHAT_FIPS_signature_st = 0;
|
||||
+
|
||||
static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
|
||||
OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
@@ -446,6 +448,7 @@ static int self_test_sign(const ST_KAT_S
|
||||
EVP_PKEY *pkey = NULL;
|
||||
unsigned char sig[256];
|
||||
BN_CTX *bnctx = NULL;
|
||||
+ BIGNUM *K = NULL;
|
||||
size_t siglen = sizeof(sig);
|
||||
static const unsigned char dgst[] = {
|
||||
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
||||
@@ -462,6 +465,9 @@ static int self_test_sign(const ST_KAT_S
|
||||
bnctx = BN_CTX_new_ex(libctx);
|
||||
if (bnctx == NULL)
|
||||
goto err;
|
||||
+ K = BN_CTX_get(bnctx);
|
||||
+ if (K == NULL || BN_bin2bn(dgst, sizeof(dgst), K) == NULL)
|
||||
+ goto err;
|
||||
|
||||
bld = OSSL_PARAM_BLD_new();
|
||||
if (bld == NULL)
|
||||
@@ -469,6 +475,9 @@ static int self_test_sign(const ST_KAT_S
|
||||
|
||||
if (!add_params(bld, t->key, bnctx))
|
||||
goto err;
|
||||
+ /* set K for ECDSA KAT tests */
|
||||
+ if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, K))
|
||||
+ goto err;
|
||||
params = OSSL_PARAM_BLD_to_param(bld);
|
||||
|
||||
/* Create a EVP_PKEY_CTX to load the DSA key into */
|
||||
@@ -689,11 +698,13 @@ static int self_test_kas(OSSL_SELF_TEST
|
||||
static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
int i, ret = 1;
|
||||
+ REDHAT_FIPS_signature_st = 1;
|
||||
|
||||
for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
|
||||
if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))
|
||||
ret = 0;
|
||||
}
|
||||
+ REDHAT_FIPS_signature_st = 0;
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff -up openssl-3.0.1/providers/fips/self_test_data.inc.kat openssl-3.0.1/providers/fips/self_test_data.inc
|
||||
--- openssl-3.0.1/providers/fips/self_test_data.inc.kat 2022-05-16 17:37:34.962807400 +0200
|
||||
+++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-16 17:48:10.709376779 +0200
|
||||
@@ -1399,7 +1399,151 @@ static const ST_KAT_PARAM ecdsa_prime_ke
|
||||
ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv),
|
||||
ST_KAT_PARAM_END()
|
||||
};
|
||||
+static const unsigned char ec224r1_kat_sig[] = {
|
||||
+0x30, 0x3c, 0x02, 0x1c, 0x2f, 0x24, 0x30, 0x96, 0x3b, 0x39, 0xe0, 0xab, 0xe2, 0x5a, 0x6f, 0xe0,
|
||||
+0x40, 0x7e, 0x19, 0x30, 0x6e, 0x6a, 0xfd, 0x7a, 0x2b, 0x5d, 0xaa, 0xc2, 0x34, 0x6c, 0xc8, 0xce,
|
||||
+0x02, 0x1c, 0x47, 0xe1, 0xac, 0xfd, 0xb4, 0xb8, 0x2b, 0x8c, 0x49, 0xb6, 0x36, 0xcd, 0xdd, 0x22,
|
||||
+0x2a, 0x2d, 0x29, 0x64, 0x70, 0x61, 0xc3, 0x3e, 0x18, 0x51, 0xec, 0xf2, 0xad, 0x3c
|
||||
+};
|
||||
|
||||
+static const char ecd_prime_curve_name384[] = "secp384r1";
|
||||
+/*
|
||||
+priv:
|
||||
+ 58:12:2b:94:be:29:23:13:83:f5:c4:20:e8:22:34:
|
||||
+ 54:73:49:91:10:05:e9:10:e9:d7:2d:72:9c:5e:6a:
|
||||
+ ba:8f:6d:d6:e4:a7:eb:e0:ae:e3:d4:c9:aa:33:87:
|
||||
+ 4c:91:87
|
||||
+pub:
|
||||
+ 04:d1:86:8b:f5:c4:a2:f7:a5:92:e6:85:2a:d2:92:
|
||||
+ 81:97:0a:8d:fa:09:3f:84:6c:17:43:03:43:49:23:
|
||||
+ 77:c4:31:f4:0a:a4:de:87:ac:5c:c0:d1:bc:e4:43:
|
||||
+ 7f:8d:44:e1:3b:5f:bc:27:c8:79:0f:d0:31:9f:a7:
|
||||
+ 6d:de:fb:f7:da:19:40:fd:aa:83:dc:69:ce:a6:f3:
|
||||
+ 4d:65:20:1c:66:82:80:03:f7:7b:2e:f3:b3:7c:1f:
|
||||
+ 11:f2:a3:bf:e8:0e:88
|
||||
+*/
|
||||
+static const unsigned char ecd_prime_priv384[] = {
|
||||
+ 0x58, 0x12, 0x2b, 0x94, 0xbe, 0x29, 0x23, 0x13, 0x83, 0xf5, 0xc4, 0x20, 0xe8, 0x22, 0x34,
|
||||
+ 0x54, 0x73, 0x49, 0x91, 0x10, 0x05, 0xe9, 0x10, 0xe9, 0xd7, 0x2d, 0x72, 0x9c, 0x5e, 0x6a,
|
||||
+ 0xba, 0x8f, 0x6d, 0xd6, 0xe4, 0xa7, 0xeb, 0xe0, 0xae, 0xe3, 0xd4, 0xc9, 0xaa, 0x33, 0x87,
|
||||
+ 0x4c, 0x91, 0x87
|
||||
+};
|
||||
+static const unsigned char ecd_prime_pub384[] = {
|
||||
+ 0x04, 0xd1, 0x86, 0x8b, 0xf5, 0xc4, 0xa2, 0xf7, 0xa5, 0x92, 0xe6, 0x85, 0x2a, 0xd2, 0x92,
|
||||
+ 0x81, 0x97, 0x0a, 0x8d, 0xfa, 0x09, 0x3f, 0x84, 0x6c, 0x17, 0x43, 0x03, 0x43, 0x49, 0x23,
|
||||
+ 0x77, 0xc4, 0x31, 0xf4, 0x0a, 0xa4, 0xde, 0x87, 0xac, 0x5c, 0xc0, 0xd1, 0xbc, 0xe4, 0x43,
|
||||
+ 0x7f, 0x8d, 0x44, 0xe1, 0x3b, 0x5f, 0xbc, 0x27, 0xc8, 0x79, 0x0f, 0xd0, 0x31, 0x9f, 0xa7,
|
||||
+ 0x6d, 0xde, 0xfb, 0xf7, 0xda, 0x19, 0x40, 0xfd, 0xaa, 0x83, 0xdc, 0x69, 0xce, 0xa6, 0xf3,
|
||||
+ 0x4d, 0x65, 0x20, 0x1c, 0x66, 0x82, 0x80, 0x03, 0xf7, 0x7b, 0x2e, 0xf3, 0xb3, 0x7c, 0x1f,
|
||||
+ 0x11, 0xf2, 0xa3, 0xbf, 0xe8, 0x0e, 0x88
|
||||
+};
|
||||
+static const ST_KAT_PARAM ecdsa_prime_key384[] = {
|
||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name384),
|
||||
+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub384),
|
||||
+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv384),
|
||||
+ ST_KAT_PARAM_END()
|
||||
+};
|
||||
+static const unsigned char ec384r1_kat_sig[] = {
|
||||
+0x30, 0x65, 0x02, 0x30, 0x1a, 0xd5, 0x57, 0x1b, 0x28, 0x0f, 0xf1, 0x68, 0x66, 0x68, 0x8a, 0x98,
|
||||
+0xe3, 0x9c, 0xce, 0x7f, 0xa7, 0x68, 0xdc, 0x84, 0x5a, 0x65, 0xdc, 0x2b, 0x5d, 0x7e, 0xf3, 0x9b,
|
||||
+0xa0, 0x40, 0xe8, 0x7a, 0x02, 0xc7, 0x82, 0xe0, 0x0c, 0x81, 0xa5, 0xda, 0x55, 0x27, 0xbf, 0x79,
|
||||
+0xee, 0x72, 0xc2, 0x14, 0x02, 0x31, 0x00, 0xd1, 0x9d, 0x67, 0xda, 0x5a, 0xd2, 0x58, 0x68, 0xe7,
|
||||
+0x71, 0x08, 0xb2, 0xa4, 0xe4, 0xe8, 0x74, 0xb4, 0x0a, 0x3d, 0x76, 0x49, 0x31, 0x17, 0x6e, 0x33,
|
||||
+0x16, 0xf0, 0x00, 0x1f, 0x3c, 0x1f, 0xf9, 0x7c, 0xdb, 0x93, 0x49, 0x9c, 0x7d, 0xb3, 0xd3, 0x30,
|
||||
+0x98, 0x81, 0x6f, 0xb0, 0xc9, 0x30, 0x2f
|
||||
+};
|
||||
+static const char ecd_prime_curve_name521[] = "secp521r1";
|
||||
+/*
|
||||
+priv:
|
||||
+ 00:44:0f:96:31:a9:87:f2:5f:be:a0:bc:ef:0c:ae:
|
||||
+ 58:cc:5f:f8:44:9e:89:86:7e:bf:db:ce:cb:0e:20:
|
||||
+ 10:4a:11:ec:0b:51:1d:e4:91:ca:c6:40:fb:c6:69:
|
||||
+ ad:68:33:9e:c8:f5:c4:c6:a5:93:a8:4d:a9:a9:a2:
|
||||
+ af:fe:6d:cb:c2:3b
|
||||
+pub:
|
||||
+ 04:01:5f:58:a9:40:0c:ee:9b:ed:4a:f4:7a:3c:a3:
|
||||
+ 89:c2:f3:7e:2c:f4:b5:53:80:ae:33:7d:36:d1:b5:
|
||||
+ 18:bd:ef:a9:48:00:ea:88:ee:00:5c:ca:07:08:b5:
|
||||
+ 67:4a:c3:2b:10:c6:07:b0:c2:45:37:b7:1d:e3:6c:
|
||||
+ e1:bf:2c:44:18:4a:aa:01:af:75:40:6a:e3:f5:b2:
|
||||
+ 7f:d1:9d:1b:8b:29:1f:91:4d:db:93:bf:bd:8c:b7:
|
||||
+ 6a:8d:4b:2c:36:2a:6b:ab:54:9d:7b:31:99:a4:de:
|
||||
+ c9:10:c4:f4:a3:f4:6d:94:97:62:16:a5:34:65:1f:
|
||||
+ 42:cd:8b:9e:e6:db:14:5d:a9:8d:19:95:8d
|
||||
+*/
|
||||
+static const unsigned char ecd_prime_priv521[] = {
|
||||
+ 0x00, 0x44, 0x0f, 0x96, 0x31, 0xa9, 0x87, 0xf2, 0x5f, 0xbe, 0xa0, 0xbc, 0xef, 0x0c, 0xae,
|
||||
+ 0x58, 0xcc, 0x5f, 0xf8, 0x44, 0x9e, 0x89, 0x86, 0x7e, 0xbf, 0xdb, 0xce, 0xcb, 0x0e, 0x20,
|
||||
+ 0x10, 0x4a, 0x11, 0xec, 0x0b, 0x51, 0x1d, 0xe4, 0x91, 0xca, 0xc6, 0x40, 0xfb, 0xc6, 0x69,
|
||||
+ 0xad, 0x68, 0x33, 0x9e, 0xc8, 0xf5, 0xc4, 0xc6, 0xa5, 0x93, 0xa8, 0x4d, 0xa9, 0xa9, 0xa2,
|
||||
+ 0xaf, 0xfe, 0x6d, 0xcb, 0xc2, 0x3b
|
||||
+};
|
||||
+static const unsigned char ecd_prime_pub521[] = {
|
||||
+ 0x04, 0x01, 0x5f, 0x58, 0xa9, 0x40, 0x0c, 0xee, 0x9b, 0xed, 0x4a, 0xf4, 0x7a, 0x3c, 0xa3,
|
||||
+ 0x89, 0xc2, 0xf3, 0x7e, 0x2c, 0xf4, 0xb5, 0x53, 0x80, 0xae, 0x33, 0x7d, 0x36, 0xd1, 0xb5,
|
||||
+ 0x18, 0xbd, 0xef, 0xa9, 0x48, 0x00, 0xea, 0x88, 0xee, 0x00, 0x5c, 0xca, 0x07, 0x08, 0xb5,
|
||||
+ 0x67, 0x4a, 0xc3, 0x2b, 0x10, 0xc6, 0x07, 0xb0, 0xc2, 0x45, 0x37, 0xb7, 0x1d, 0xe3, 0x6c,
|
||||
+ 0xe1, 0xbf, 0x2c, 0x44, 0x18, 0x4a, 0xaa, 0x01, 0xaf, 0x75, 0x40, 0x6a, 0xe3, 0xf5, 0xb2,
|
||||
+ 0x7f, 0xd1, 0x9d, 0x1b, 0x8b, 0x29, 0x1f, 0x91, 0x4d, 0xdb, 0x93, 0xbf, 0xbd, 0x8c, 0xb7,
|
||||
+ 0x6a, 0x8d, 0x4b, 0x2c, 0x36, 0x2a, 0x6b, 0xab, 0x54, 0x9d, 0x7b, 0x31, 0x99, 0xa4, 0xde,
|
||||
+ 0xc9, 0x10, 0xc4, 0xf4, 0xa3, 0xf4, 0x6d, 0x94, 0x97, 0x62, 0x16, 0xa5, 0x34, 0x65, 0x1f,
|
||||
+ 0x42, 0xcd, 0x8b, 0x9e, 0xe6, 0xdb, 0x14, 0x5d, 0xa9, 0x8d, 0x19, 0x95, 0x8d
|
||||
+};
|
||||
+static const ST_KAT_PARAM ecdsa_prime_key521[] = {
|
||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name521),
|
||||
+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub521),
|
||||
+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv521),
|
||||
+ ST_KAT_PARAM_END()
|
||||
+};
|
||||
+static const unsigned char ec521r1_kat_sig[] = {
|
||||
+0x30, 0x81, 0x88, 0x02, 0x42, 0x00, 0xdf, 0x64, 0x9c, 0xc8, 0x5b, 0xdd, 0x0b, 0x7f, 0x69, 0x7e,
|
||||
+0xdb, 0x83, 0x58, 0x67, 0x63, 0x43, 0xb7, 0xfa, 0x40, 0x29, 0xde, 0xb9, 0xde, 0xe9, 0x96, 0x65,
|
||||
+0xe6, 0x8e, 0xf4, 0xeb, 0xd0, 0xe9, 0x6a, 0xd3, 0x27, 0x6c, 0x4d, 0x60, 0x47, 0x9c, 0x62, 0xb8,
|
||||
+0x6c, 0xc1, 0x36, 0x19, 0x65, 0xff, 0xab, 0xcf, 0x24, 0xa3, 0xde, 0xd1, 0x4b, 0x1b, 0xdd, 0x89,
|
||||
+0xcf, 0xf8, 0x72, 0x7b, 0x92, 0xbc, 0x02, 0x02, 0x42, 0x01, 0xf8, 0x07, 0x77, 0xb8, 0xcb, 0xa2,
|
||||
+0xe2, 0x1f, 0x53, 0x9a, 0x7c, 0x16, 0xb5, 0x8e, 0xad, 0xe3, 0xc3, 0xac, 0xb7, 0xb2, 0x51, 0x8f,
|
||||
+0xf9, 0x09, 0x65, 0x43, 0xf8, 0xd8, 0x3c, 0xe3, 0x5c, 0x4a, 0x5e, 0x3d, 0x6f, 0xb7, 0xbb, 0x5a,
|
||||
+0x92, 0x69, 0xec, 0x71, 0xa2, 0x35, 0xe5, 0x29, 0x17, 0xaf, 0xc9, 0x69, 0xa7, 0xaa, 0x94, 0xf9,
|
||||
+0xf9, 0x50, 0x87, 0x7b, 0x5d, 0x87, 0xe3, 0xd6, 0x3f, 0xb6, 0x6e
|
||||
+};
|
||||
+static const char ecd_prime_curve_name256[] = "prime256v1";
|
||||
+/*
|
||||
+priv:
|
||||
+ 84:88:11:3f:a9:c9:9e:23:72:8b:40:cb:a2:b1:88:
|
||||
+ 01:1e:92:48:af:13:2d:9b:33:8e:6d:43:40:30:c7:
|
||||
+ 30:fa
|
||||
+pub:
|
||||
+ 04:22:58:b6:f9:01:3b:8c:a6:9b:9f:ae:75:fc:73:
|
||||
+ cf:1b:f0:81:dc:55:a3:cc:5d:81:46:85:06:32:34:
|
||||
+ 99:0d:c5:7e:a1:95:bb:21:73:33:40:4b:35:17:f6:
|
||||
+ 8e:26:61:46:94:2c:4c:ac:9b:20:f8:08:72:25:74:
|
||||
+ 98:66:c4:63:a6
|
||||
+*/
|
||||
+static const unsigned char ecd_prime_priv256[] = {
|
||||
+ 0x84, 0x88, 0x11, 0x3f, 0xa9, 0xc9, 0x9e, 0x23, 0x72, 0x8b, 0x40, 0xcb, 0xa2, 0xb1, 0x88,
|
||||
+ 0x01, 0x1e, 0x92, 0x48, 0xaf, 0x13, 0x2d, 0x9b, 0x33, 0x8e, 0x6d, 0x43, 0x40, 0x30, 0xc7,
|
||||
+ 0x30, 0xfa
|
||||
+};
|
||||
+static const unsigned char ecd_prime_pub256[] = {
|
||||
+ 0x04, 0x22, 0x58, 0xb6, 0xf9, 0x01, 0x3b, 0x8c, 0xa6, 0x9b, 0x9f, 0xae, 0x75, 0xfc, 0x73,
|
||||
+ 0xcf, 0x1b, 0xf0, 0x81, 0xdc, 0x55, 0xa3, 0xcc, 0x5d, 0x81, 0x46, 0x85, 0x06, 0x32, 0x34,
|
||||
+ 0x99, 0x0d, 0xc5, 0x7e, 0xa1, 0x95, 0xbb, 0x21, 0x73, 0x33, 0x40, 0x4b, 0x35, 0x17, 0xf6,
|
||||
+ 0x8e, 0x26, 0x61, 0x46, 0x94, 0x2c, 0x4c, 0xac, 0x9b, 0x20, 0xf8, 0x08, 0x72, 0x25, 0x74,
|
||||
+ 0x98, 0x66, 0xc4, 0x63, 0xa6
|
||||
+};
|
||||
+static const ST_KAT_PARAM ecdsa_prime_key256[] = {
|
||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name256),
|
||||
+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub256),
|
||||
+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv256),
|
||||
+ ST_KAT_PARAM_END()
|
||||
+};
|
||||
+static const unsigned char ec256v1_kat_sig[] = {
|
||||
+0x30, 0x46, 0x02, 0x21, 0x00, 0xc9, 0x11, 0x27, 0x06, 0x51, 0x2b, 0x50, 0x8c, 0x6b, 0xc0, 0xa6,
|
||||
+0x85, 0xaa, 0xf4, 0x66, 0x0d, 0xe4, 0x54, 0x0a, 0x10, 0xb6, 0x9f, 0x87, 0xfc, 0xa2, 0xbc, 0x8f,
|
||||
+0x3c, 0x58, 0xb4, 0xe9, 0x41, 0x02, 0x21, 0x00, 0xc9, 0x72, 0x94, 0xa9, 0xdd, 0x52, 0xca, 0x21,
|
||||
+0x82, 0x66, 0x7a, 0x68, 0xcb, 0x1e, 0x3b, 0x12, 0x71, 0x4d, 0x56, 0xb5, 0xb7, 0xdd, 0xca, 0x2b,
|
||||
+0x18, 0xa3, 0xa7, 0x08, 0x0d, 0xfa, 0x9c, 0x66
|
||||
+};
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
static const char ecd_bin_curve_name[] = "sect233r1";
|
||||
static const unsigned char ecd_bin_priv[] = {
|
||||
@@ -1571,8 +1715,42 @@ static const ST_KAT_SIGN st_kat_sign_tes
|
||||
ecdsa_prime_key,
|
||||
/*
|
||||
* The ECDSA signature changes each time due to it using a random k.
|
||||
- * So there is no expected KAT for this case.
|
||||
+ * We provide this value in our build
|
||||
+ */
|
||||
+ ITM(ec224r1_kat_sig)
|
||||
+ },
|
||||
+ {
|
||||
+ OSSL_SELF_TEST_DESC_SIGN_ECDSA,
|
||||
+ "EC",
|
||||
+ "SHA-256",
|
||||
+ ecdsa_prime_key384,
|
||||
+ /*
|
||||
+ * The ECDSA signature changes each time due to it using a random k.
|
||||
+ * We provide this value in our build
|
||||
+ */
|
||||
+ ITM(ec384r1_kat_sig)
|
||||
+ },
|
||||
+ {
|
||||
+ OSSL_SELF_TEST_DESC_SIGN_ECDSA,
|
||||
+ "EC",
|
||||
+ "SHA-256",
|
||||
+ ecdsa_prime_key521,
|
||||
+ /*
|
||||
+ * The ECDSA signature changes each time due to it using a random k.
|
||||
+ * We provide this value in our build
|
||||
+ */
|
||||
+ ITM(ec521r1_kat_sig)
|
||||
+ },
|
||||
+ {
|
||||
+ OSSL_SELF_TEST_DESC_SIGN_ECDSA,
|
||||
+ "EC",
|
||||
+ "SHA-256",
|
||||
+ ecdsa_prime_key256,
|
||||
+ /*
|
||||
+ * The ECDSA signature changes each time due to it using a random k.
|
||||
+ * We provide this value in our build
|
||||
*/
|
||||
+ ITM(ec256v1_kat_sig)
|
||||
},
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
{
|
||||
diff -up openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c
|
||||
--- openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat 2022-05-30 14:48:53.180999124 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c 2022-05-30 14:58:52.841286228 +0200
|
||||
@@ -44,6 +44,10 @@
|
||||
#define S390X_OFF_RN(n) (4 * n)
|
||||
#define S390X_OFF_Y(n) (4 * n)
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+extern int REDHAT_FIPS_signature_st;
|
||||
+#endif
|
||||
+
|
||||
static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
const BIGNUM *scalar,
|
||||
size_t num, const EC_POINT *points[],
|
||||
@@ -183,11 +187,21 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign
|
||||
* because kdsa instruction constructs an in-range, invertible nonce
|
||||
* internally implementing counter-measures for RNG weakness.
|
||||
*/
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) {
|
||||
+ BN_bn2binpad(eckey->sign_kat_k, param + S390X_OFF_RN(len), len);
|
||||
+ /* Turns KDSA internal nonce-generation off. */
|
||||
+ fc |= S390X_KDSA_D;
|
||||
+ } else {
|
||||
+#endif
|
||||
if (RAND_priv_bytes_ex(eckey->libctx, param + S390X_OFF_RN(len),
|
||||
(size_t)len, 0) != 1) {
|
||||
ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
|
||||
goto ret;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ }
|
||||
+#endif
|
||||
} else {
|
||||
/* Reconstruct k = (k^-1)^-1. */
|
||||
if (ossl_ec_group_do_inverse_ord(group, k, kinv, NULL) == 0
|
@ -248,8 +248,8 @@ index de391ce067..1cfd71c5cf 100644
|
||||
--- a/providers/fips/fipsprov.c
|
||||
+++ b/providers/fips/fipsprov.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include "prov/seeding.h"
|
||||
#include "self_test.h"
|
||||
#include "crypto/context.h"
|
||||
#include "internal/core.h"
|
||||
+#include "indicator.h"
|
||||
|
||||
|
@ -1,703 +0,0 @@
|
||||
From 33ffd36afa7594aeb958a925f521cb287ca850c8 Mon Sep 17 00:00:00 2001
|
||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
Date: Mon, 27 Jun 2022 12:14:55 +1000
|
||||
Subject: [PATCH 1/2] Revert "Revert "bn: Add fixed length (n=6), unrolled PPC
|
||||
Montgomery Multiplication""
|
||||
|
||||
This reverts commit 712d9cc90e355b2c98a959d4e9398610d2269c9e.
|
||||
---
|
||||
crypto/bn/asm/ppc64-mont-fixed.pl | 581 ++++++++++++++++++++++++++++++
|
||||
crypto/bn/bn_ppc.c | 15 +
|
||||
crypto/bn/build.info | 3 +-
|
||||
3 files changed, 598 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
index e69de29bb2d1..0fb397bc5f12 100755
|
||||
--- a/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
+++ b/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
@@ -0,0 +1,581 @@
|
||||
+#! /usr/bin/env perl
|
||||
+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+#
|
||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+# this file except in compliance with the License. You can obtain a copy
|
||||
+# in the file LICENSE in the source distribution or at
|
||||
+# https://www.openssl.org/source/license.html
|
||||
+
|
||||
+# ====================================================================
|
||||
+# Written by Amitay Isaacs <amitay@ozlabs.org>, Martin Schwenke
|
||||
+# <martin@meltin.net> & Alastair D'Silva <alastair@d-silva.org> for
|
||||
+# the OpenSSL project.
|
||||
+# ====================================================================
|
||||
+
|
||||
+#
|
||||
+# Fixed length (n=6), unrolled PPC Montgomery Multiplication
|
||||
+#
|
||||
+
|
||||
+# 2021
|
||||
+#
|
||||
+# Although this is a generic implementation for unrolling Montgomery
|
||||
+# Multiplication for arbitrary values of n, this is currently only
|
||||
+# used for n = 6 to improve the performance of ECC p384.
|
||||
+#
|
||||
+# Unrolling allows intermediate results to be stored in registers,
|
||||
+# rather than on the stack, improving performance by ~7% compared to
|
||||
+# the existing PPC assembly code.
|
||||
+#
|
||||
+# The ISA 3.0 implementation uses combination multiply/add
|
||||
+# instructions (maddld, maddhdu) to improve performance by an
|
||||
+# additional ~10% on Power 9.
|
||||
+#
|
||||
+# Finally, saving non-volatile registers into volatile vector
|
||||
+# registers instead of onto the stack saves a little more.
|
||||
+#
|
||||
+# On a Power 9 machine we see an overall improvement of ~18%.
|
||||
+#
|
||||
+
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+
|
||||
+my ($flavour, $output, $dir, $xlate);
|
||||
+
|
||||
+# $output is the last argument if it looks like a file (it has an extension)
|
||||
+# $flavour is the first argument if it doesn't look like a file
|
||||
+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
|
||||
+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
|
||||
+
|
||||
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
|
||||
+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
|
||||
+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
|
||||
+die "can't locate ppc-xlate.pl";
|
||||
+
|
||||
+open STDOUT,"| $^X $xlate $flavour \"$output\""
|
||||
+ or die "can't call $xlate: $!";
|
||||
+
|
||||
+if ($flavour !~ /64/) {
|
||||
+ die "bad flavour ($flavour) - only ppc64 permitted";
|
||||
+}
|
||||
+
|
||||
+my $SIZE_T= 8;
|
||||
+
|
||||
+# Registers are global so the code is remotely readable
|
||||
+
|
||||
+# Parameters for Montgomery multiplication
|
||||
+my $sp = "r1";
|
||||
+my $toc = "r2";
|
||||
+my $rp = "r3";
|
||||
+my $ap = "r4";
|
||||
+my $bp = "r5";
|
||||
+my $np = "r6";
|
||||
+my $n0 = "r7";
|
||||
+my $num = "r8";
|
||||
+
|
||||
+my $i = "r9";
|
||||
+my $c0 = "r10";
|
||||
+my $bp0 = "r11";
|
||||
+my $bpi = "r11";
|
||||
+my $bpj = "r11";
|
||||
+my $tj = "r12";
|
||||
+my $apj = "r12";
|
||||
+my $npj = "r12";
|
||||
+my $lo = "r14";
|
||||
+my $c1 = "r14";
|
||||
+
|
||||
+# Non-volatile registers used for tp[i]
|
||||
+#
|
||||
+# 12 registers are available but the limit on unrolling is 10,
|
||||
+# since registers from $tp[0] to $tp[$n+1] are used.
|
||||
+my @tp = ("r20" .. "r31");
|
||||
+
|
||||
+# volatile VSRs for saving non-volatile GPRs - faster than stack
|
||||
+my @vsrs = ("v32" .. "v46");
|
||||
+
|
||||
+package Mont;
|
||||
+
|
||||
+sub new($$)
|
||||
+{
|
||||
+ my ($class, $n) = @_;
|
||||
+
|
||||
+ if ($n > 10) {
|
||||
+ die "Can't unroll for BN length ${n} (maximum 10)"
|
||||
+ }
|
||||
+
|
||||
+ my $self = {
|
||||
+ code => "",
|
||||
+ n => $n,
|
||||
+ };
|
||||
+ bless $self, $class;
|
||||
+
|
||||
+ return $self;
|
||||
+}
|
||||
+
|
||||
+sub add_code($$)
|
||||
+{
|
||||
+ my ($self, $c) = @_;
|
||||
+
|
||||
+ $self->{code} .= $c;
|
||||
+}
|
||||
+
|
||||
+sub get_code($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ return $self->{code};
|
||||
+}
|
||||
+
|
||||
+sub get_function_name($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ return "bn_mul_mont_fixed_n" . $self->{n};
|
||||
+}
|
||||
+
|
||||
+sub get_label($$)
|
||||
+{
|
||||
+ my ($self, $l) = @_;
|
||||
+
|
||||
+ return "L" . $l . "_" . $self->{n};
|
||||
+}
|
||||
+
|
||||
+sub get_labels($@)
|
||||
+{
|
||||
+ my ($self, @labels) = @_;
|
||||
+
|
||||
+ my %out = ();
|
||||
+
|
||||
+ foreach my $l (@labels) {
|
||||
+ $out{"$l"} = $self->get_label("$l");
|
||||
+ }
|
||||
+
|
||||
+ return \%out;
|
||||
+}
|
||||
+
|
||||
+sub nl($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ $self->add_code("\n");
|
||||
+}
|
||||
+
|
||||
+sub copy_result($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ my ($n) = $self->{n};
|
||||
+
|
||||
+ for (my $j = 0; $j < $n; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ std $tp[$j],`$j*$SIZE_T`($rp)
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+}
|
||||
+
|
||||
+sub mul_mont_fixed($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ my ($n) = $self->{n};
|
||||
+ my $fname = $self->get_function_name();
|
||||
+ my $label = $self->get_labels("outer", "enter", "sub", "copy", "end");
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+
|
||||
+.globl .${fname}
|
||||
+.align 5
|
||||
+.${fname}:
|
||||
+
|
||||
+___
|
||||
+
|
||||
+ $self->save_registers();
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $n0,0($n0)
|
||||
+
|
||||
+ ld $bp0,0($bp)
|
||||
+
|
||||
+ ld $apj,0($ap)
|
||||
+___
|
||||
+
|
||||
+ $self->mul_c_0($tp[0], $apj, $bp0, $c0);
|
||||
+
|
||||
+ for (my $j = 1; $j < $n - 1; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $apj,`$j*$SIZE_T`($ap)
|
||||
+___
|
||||
+ $self->mul($tp[$j], $apj, $bp0, $c0);
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $apj,`($n-1)*$SIZE_T`($ap)
|
||||
+___
|
||||
+
|
||||
+ $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0);
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ li $tp[$n+1],0
|
||||
+
|
||||
+___
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ li $i,0
|
||||
+ mtctr $num
|
||||
+ b $label->{"enter"}
|
||||
+
|
||||
+.align 4
|
||||
+$label->{"outer"}:
|
||||
+ ldx $bpi,$bp,$i
|
||||
+
|
||||
+ ld $apj,0($ap)
|
||||
+___
|
||||
+
|
||||
+ $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0);
|
||||
+
|
||||
+ for (my $j = 1; $j < $n; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $apj,`$j*$SIZE_T`($ap)
|
||||
+___
|
||||
+ $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0);
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ addc $tp[$n],$tp[$n],$c0
|
||||
+ addze $tp[$n+1],$tp[$n+1]
|
||||
+___
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+.align 4
|
||||
+$label->{"enter"}:
|
||||
+ mulld $bpi,$tp[0],$n0
|
||||
+
|
||||
+ ld $npj,0($np)
|
||||
+___
|
||||
+
|
||||
+ $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0);
|
||||
+
|
||||
+ for (my $j = 1; $j < $n; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $npj,`$j*$SIZE_T`($np)
|
||||
+___
|
||||
+ $self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0);
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ addc $tp[$n-1],$tp[$n],$c0
|
||||
+ addze $tp[$n],$tp[$n+1]
|
||||
+
|
||||
+ addi $i,$i,$SIZE_T
|
||||
+ bdnz $label->{"outer"}
|
||||
+
|
||||
+ and. $tp[$n],$tp[$n],$tp[$n]
|
||||
+ bne $label->{"sub"}
|
||||
+
|
||||
+ cmpld $tp[$n-1],$npj
|
||||
+ blt $label->{"copy"}
|
||||
+
|
||||
+$label->{"sub"}:
|
||||
+___
|
||||
+
|
||||
+ #
|
||||
+ # Reduction
|
||||
+ #
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $bpj,`0*$SIZE_T`($np)
|
||||
+ subfc $c1,$bpj,$tp[0]
|
||||
+ std $c1,`0*$SIZE_T`($rp)
|
||||
+
|
||||
+___
|
||||
+ for (my $j = 1; $j < $n - 1; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $bpj,`$j*$SIZE_T`($np)
|
||||
+ subfe $c1,$bpj,$tp[$j]
|
||||
+ std $c1,`$j*$SIZE_T`($rp)
|
||||
+
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ subfe $c1,$npj,$tp[$n-1]
|
||||
+ std $c1,`($n-1)*$SIZE_T`($rp)
|
||||
+
|
||||
+___
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ addme. $tp[$n],$tp[$n]
|
||||
+ beq $label->{"end"}
|
||||
+
|
||||
+$label->{"copy"}:
|
||||
+___
|
||||
+
|
||||
+ $self->copy_result();
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+
|
||||
+$label->{"end"}:
|
||||
+___
|
||||
+
|
||||
+ $self->restore_registers();
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ li r3,1
|
||||
+ blr
|
||||
+.size .${fname},.-.${fname}
|
||||
+___
|
||||
+
|
||||
+}
|
||||
+
|
||||
+package Mont::GPR;
|
||||
+
|
||||
+our @ISA = ('Mont');
|
||||
+
|
||||
+sub new($$)
|
||||
+{
|
||||
+ my ($class, $n) = @_;
|
||||
+
|
||||
+ return $class->SUPER::new($n);
|
||||
+}
|
||||
+
|
||||
+sub save_registers($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ my $n = $self->{n};
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ std $lo,-8($sp)
|
||||
+___
|
||||
+
|
||||
+ for (my $j = 0; $j <= $n+1; $j++) {
|
||||
+ $self->{code}.=<<___;
|
||||
+ std $tp[$j],-`($j+2)*8`($sp)
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+sub restore_registers($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ my $n = $self->{n};
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $lo,-8($sp)
|
||||
+___
|
||||
+
|
||||
+ for (my $j = 0; $j <= $n+1; $j++) {
|
||||
+ $self->{code}.=<<___;
|
||||
+ ld $tp[$j],-`($j+2)*8`($sp)
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $self->{code} .=<<___;
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Direct translation of C mul()
|
||||
+sub mul($$$$$)
|
||||
+{
|
||||
+ my ($self, $r, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $lo,$a,$w
|
||||
+ addc $r,$lo,$c
|
||||
+ mulhdu $c,$a,$w
|
||||
+ addze $c,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul() but $c is ignored as an input - an optimisation to save a
|
||||
+# preliminary instruction that would set input $c to 0
|
||||
+sub mul_c_0($$$$$)
|
||||
+{
|
||||
+ my ($self, $r, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $r,$a,$w
|
||||
+ mulhdu $c,$a,$w
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul() but does not to the final addition of CA into $c - an
|
||||
+# optimisation to save an instruction
|
||||
+sub mul_last($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r1, $r2, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $lo,$a,$w
|
||||
+ addc $r1,$lo,$c
|
||||
+ mulhdu $c,$a,$w
|
||||
+
|
||||
+ addze $r2,$c
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like C mul_add() but allow $r_out and $r_in to be different
|
||||
+sub mul_add($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $lo,$a,$w
|
||||
+ addc $lo,$lo,$c
|
||||
+ mulhdu $c,$a,$w
|
||||
+ addze $c,$c
|
||||
+ addc $r_out,$r_in,$lo
|
||||
+ addze $c,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul_add() but $c is ignored as an input - an optimisation to save a
|
||||
+# preliminary instruction that would set input $c to 0
|
||||
+sub mul_add_c_0($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $lo,$a,$w
|
||||
+ addc $r_out,$r_in,$lo
|
||||
+ mulhdu $c,$a,$w
|
||||
+ addze $c,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+package Mont::GPR_300;
|
||||
+
|
||||
+our @ISA = ('Mont::GPR');
|
||||
+
|
||||
+sub new($$)
|
||||
+{
|
||||
+ my ($class, $n) = @_;
|
||||
+
|
||||
+ my $mont = $class->SUPER::new($n);
|
||||
+
|
||||
+ return $mont;
|
||||
+}
|
||||
+
|
||||
+sub get_function_name($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ return "bn_mul_mont_300_fixed_n" . $self->{n};
|
||||
+}
|
||||
+
|
||||
+sub get_label($$)
|
||||
+{
|
||||
+ my ($self, $l) = @_;
|
||||
+
|
||||
+ return "L" . $l . "_300_" . $self->{n};
|
||||
+}
|
||||
+
|
||||
+# Direct translation of C mul()
|
||||
+sub mul($$$$$)
|
||||
+{
|
||||
+ my ($self, $r, $a, $w, $c, $last) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ maddld $r,$a,$w,$c
|
||||
+ maddhdu $c,$a,$w,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Save the last carry as the final entry
|
||||
+sub mul_last($$$$$)
|
||||
+{
|
||||
+ my ($self, $r1, $r2, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ maddld $r1,$a,$w,$c
|
||||
+ maddhdu $r2,$a,$w,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul() but $c is ignored as an input - an optimisation to save a
|
||||
+# preliminary instruction that would set input $c to 0
|
||||
+sub mul_c_0($$$$$)
|
||||
+{
|
||||
+ my ($self, $r, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $r,$a,$w
|
||||
+ mulhdu $c,$a,$w
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like C mul_add() but allow $r_out and $r_in to be different
|
||||
+sub mul_add($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ maddld $lo,$a,$w,$c
|
||||
+ maddhdu $c,$a,$w,$c
|
||||
+ addc $r_out,$r_in,$lo
|
||||
+ addze $c,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul_add() but $c is ignored as an input - an optimisation to save a
|
||||
+# preliminary instruction that would set input $c to 0
|
||||
+sub mul_add_c_0($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ maddld $lo,$a,$w,$r_in
|
||||
+ maddhdu $c,$a,$w,$r_in
|
||||
+___
|
||||
+
|
||||
+ if ($r_out ne $lo) {
|
||||
+ $self->add_code(<<___);
|
||||
+ mr $r_out,$lo
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $self->nl();
|
||||
+}
|
||||
+
|
||||
+
|
||||
+package main;
|
||||
+
|
||||
+my $code;
|
||||
+
|
||||
+$code.=<<___;
|
||||
+.machine "any"
|
||||
+.text
|
||||
+___
|
||||
+
|
||||
+my $mont;
|
||||
+
|
||||
+$mont = new Mont::GPR(6);
|
||||
+$mont->mul_mont_fixed();
|
||||
+$code .= $mont->get_code();
|
||||
+
|
||||
+$mont = new Mont::GPR_300(6);
|
||||
+$mont->mul_mont_fixed();
|
||||
+$code .= $mont->get_code();
|
||||
+
|
||||
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
|
||||
+
|
||||
+$code.=<<___;
|
||||
+.asciz "Montgomery Multiplication for PPC by <amitay\@ozlabs.org>, <alastair\@d-silva.org>"
|
||||
+___
|
||||
+
|
||||
+print $code;
|
||||
+close STDOUT or die "error closing STDOUT: $!";
|
||||
diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c
|
||||
index 3ee76ea96574..1e9421bee213 100644
|
||||
--- a/crypto/bn/bn_ppc.c
|
||||
+++ b/crypto/bn/bn_ppc.c
|
||||
@@ -19,6 +19,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
|
||||
const BN_ULONG *np, const BN_ULONG *n0, int num);
|
||||
int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
|
||||
const BN_ULONG *np, const BN_ULONG *n0, int num);
|
||||
+ int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
|
||||
+ const BN_ULONG *bp, const BN_ULONG *np,
|
||||
+ const BN_ULONG *n0, int num);
|
||||
+ int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
|
||||
+ const BN_ULONG *bp, const BN_ULONG *np,
|
||||
+ const BN_ULONG *n0, int num);
|
||||
|
||||
if (num < 4)
|
||||
return 0;
|
||||
@@ -34,5 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
|
||||
* no opportunity to figure it out...
|
||||
*/
|
||||
|
||||
+#if defined(_ARCH_PPC64) && !defined(__ILP32__)
|
||||
+ if (num == 6) {
|
||||
+ if (OPENSSL_ppccap_P & PPC_MADD300)
|
||||
+ return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
|
||||
+ else
|
||||
+ return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
return bn_mul_mont_int(rp, ap, bp, np, n0, num);
|
||||
}
|
||||
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
|
||||
index 4f8d0689b5ea..987a70ae263b 100644
|
||||
--- a/crypto/bn/build.info
|
||||
+++ b/crypto/bn/build.info
|
||||
@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}]
|
||||
|
||||
$BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s
|
||||
$BNDEF_ppc32=OPENSSL_BN_ASM_MONT
|
||||
- $BNASM_ppc64=$BNASM_ppc32
|
||||
+ $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s
|
||||
$BNDEF_ppc64=$BNDEF_ppc32
|
||||
|
||||
$BNASM_c64xplus=asm/bn-c64xplus.asm
|
||||
@@ -173,6 +173,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl
|
||||
GENERATE[bn-ppc.s]=asm/ppc.pl
|
||||
GENERATE[ppc-mont.s]=asm/ppc-mont.pl
|
||||
GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl
|
||||
+GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl
|
||||
|
||||
GENERATE[alpha-mont.S]=asm/alpha-mont.pl
|
||||
|
||||
|
||||
From 01ebad0d6e3a09bc9e32350b402901471610a3dc Mon Sep 17 00:00:00 2001
|
||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
Date: Thu, 30 Jun 2022 16:21:06 +1000
|
||||
Subject: [PATCH 2/2] Fix unrolled montgomery multiplication for POWER9
|
||||
|
||||
In the reference C implementation in bn_asm.c, tp[num + 1] contains the
|
||||
carry bit for accumulations into tp[num]. tp[num + 1] is only ever
|
||||
assigned, never itself incremented.
|
||||
---
|
||||
crypto/bn/asm/ppc64-mont-fixed.pl | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
index 0fb397bc5f12..e27d0ad93d85 100755
|
||||
--- a/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
+++ b/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
@@ -63,6 +63,7 @@
|
||||
# Registers are global so the code is remotely readable
|
||||
|
||||
# Parameters for Montgomery multiplication
|
||||
+my $ze = "r0";
|
||||
my $sp = "r1";
|
||||
my $toc = "r2";
|
||||
my $rp = "r3";
|
||||
@@ -192,6 +193,7 @@ ($)
|
||||
$self->save_registers();
|
||||
|
||||
$self->add_code(<<___);
|
||||
+ li $ze,0
|
||||
ld $n0,0($n0)
|
||||
|
||||
ld $bp0,0($bp)
|
||||
@@ -242,7 +244,7 @@ ($)
|
||||
|
||||
$self->add_code(<<___);
|
||||
addc $tp[$n],$tp[$n],$c0
|
||||
- addze $tp[$n+1],$tp[$n+1]
|
||||
+ addze $tp[$n+1],$ze
|
||||
___
|
||||
|
||||
$self->add_code(<<___);
|
||||
@@ -272,7 +274,7 @@ ($)
|
||||
and. $tp[$n],$tp[$n],$tp[$n]
|
||||
bne $label->{"sub"}
|
||||
|
||||
- cmpld $tp[$n-1],$npj
|
||||
+ cmpld $tp[$n-1],$npj
|
||||
blt $label->{"copy"}
|
||||
|
||||
$label->{"sub"}:
|
@ -29,11 +29,11 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/rsa/rsa_local.h | 8 ++
|
||||
crypto/rsa/rsa_oaep.c | 34 ++++++--
|
||||
include/openssl/core_names.h | 3 +
|
||||
providers/fips/self_test_data.inc | 83 +++++++++++--------
|
||||
providers/fips/self_test_kats.c | 7 ++
|
||||
.../implementations/asymciphers/rsa_enc.c | 41 ++++++++-
|
||||
6 files changed, 133 insertions(+), 43 deletions(-)
|
||||
.../implementations/asymciphers/rsa_enc.c | 41 +++++++++-
|
||||
util/perl/OpenSSL/paramnames.pm | 1 +
|
||||
6 files changed, 126 insertions(+), 44 deletions(-)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
|
||||
index ea70da05ad..dde57a1a0e 100644
|
||||
@ -118,20 +118,6 @@ index d9be1a4f98..b2f7f7dc4b 100644
|
||||
int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
||||
const unsigned char *from, int flen,
|
||||
const unsigned char *param, int plen,
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 59a6e79566..11216fb8f8 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -469,6 +469,9 @@ extern "C" {
|
||||
#define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"
|
||||
#define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"
|
||||
#define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"
|
||||
+#ifdef FIPS_MODULE
|
||||
+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed"
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Encoder / decoder parameters
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index 4e30ec56dd..0103c87528 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
@ -291,11 +277,11 @@ index 00cf65fcd6..83be3d8ede 100644
|
||||
+#ifdef FIPS_MODULE
|
||||
+ char *redhat_st_oaep_seed;
|
||||
+#endif /* FIPS_MODULE */
|
||||
/* PKCS#1 v1.5 decryption mode */
|
||||
unsigned int implicit_rejection;
|
||||
} PROV_RSA_CTX;
|
||||
|
||||
static void *rsa_newctx(void *provctx)
|
||||
@@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
ret =
|
||||
- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
|
||||
@ -335,9 +321,9 @@ index 00cf65fcd6..83be3d8ede 100644
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
||||
+#endif /* FIPS_MODULE */
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
@@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
|
||||
return known_gettable_ctx_params;
|
||||
}
|
||||
@ -368,6 +354,18 @@ index 00cf65fcd6..83be3d8ede 100644
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
|
||||
if (p != NULL) {
|
||||
unsigned int client_version;
|
||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||
index c37ed7815f..70f7c50fe4 100644
|
||||
--- a/util/perl/OpenSSL/paramnames.pm
|
||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||
@@ -401,6 +401,7 @@ my %params = (
|
||||
'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version",
|
||||
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
|
||||
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
|
||||
+ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
|
||||
|
||||
# Encoder / decoder parameters
|
||||
|
||||
--
|
||||
2.37.1
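Review bot: The new `paramnames.pm` entry at the end of this section carries no equivalent of the `#ifdef FIPS_MODULE` guard that the earlier, now-dropped core_names.h hunk wrapped around `OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED`; if, as the move to paramnames.pm suggests, core_names.h is generated from that table in 3.2, the define will now appear unconditionally in the public header of the default build too. Behaviour is unaffected because the only uses visible here, the `redhat_st_oaep_seed` field and the settable-params table entry in rsa_enc.c, stay under `#ifdef FIPS_MODULE`, but the name becomes public API surface, so it deserves a note on that line: `# Red Hat FIPS KAT only: the define is public, but only the FIPS module honours it`. The identifier also spells "OEAP" while its string value is "redhat-kat-oaep-seed"; since the macro is downstream-only it could be renamed to `..._KAT_OAEP_SEED` consistently in rsa_enc.c and paramnames.pm before it spreads further.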
|
||||
|
||||
|
@ -1,32 +1,25 @@
|
||||
From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 15 Jul 2022 17:45:40 +0200
|
||||
Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test
|
||||
From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 6 Mar 2024 19:17:16 +0100
|
||||
Subject: [PATCH 28/49]
|
||||
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
||||
|
||||
In review for FIPS 140-3, the lack of a self-test for the digest_sign
|
||||
and digest_verify provider functions was highlighted as a problem. NIST
|
||||
no longer provides ACVP tests for the RSA SigVer primitive (see
|
||||
https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3
|
||||
recommends the use of functions that compute the digest and signature
|
||||
within the module, we have been advised in our module review that the
|
||||
self tests should also use the combined digest and signature APIs, i.e.
|
||||
the digest_sign and digest_verify provider functions.
|
||||
|
||||
Modify the signature self-test to use these instead by switching to
|
||||
EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to
|
||||
crypto/evp/m_sigver.c to make these functions usable in the FIPS module.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
||||
Patch-id: 74
|
||||
Patch-status: |
|
||||
# [PATCH 29/46]
|
||||
# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||
---
|
||||
crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------
|
||||
providers/fips/self_test_kats.c | 37 +++++++++++++++-------------
|
||||
2 files changed, 56 insertions(+), 24 deletions(-)
|
||||
crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++-----
|
||||
providers/fips/self_test_kats.c | 43 +++++++++++++++-----------
|
||||
2 files changed, 73 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
||||
index db1a1d7bc3..c94c3c53bd 100644
|
||||
index fd3a4b79df..3e9f33c26c 100644
|
||||
--- a/crypto/evp/m_sigver.c
|
||||
+++ b/crypto/evp/m_sigver.c
|
||||
@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
||||
@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
|
||||
return 0;
|
||||
}
|
||||
@ -34,7 +27,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
|
||||
/*
|
||||
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
|
||||
@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
reinit = 0;
|
||||
if (e == NULL)
|
||||
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
|
||||
@ -45,7 +38,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
}
|
||||
if (ctx->pctx == NULL)
|
||||
return 0;
|
||||
@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -136,8 +139,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
locpctx = ctx->pctx;
|
||||
ERR_set_mark();
|
||||
|
||||
@ -56,7 +49,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
|
||||
/* do not reinitialize if pkey is set or operation is different */
|
||||
if (reinit
|
||||
@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -222,8 +227,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
signature =
|
||||
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
|
||||
supported_sig, locpctx->propquery);
|
||||
@ -67,7 +60,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
break;
|
||||
}
|
||||
if (signature == NULL)
|
||||
@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -307,6 +314,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
|
||||
if (ctx->fetched_digest != NULL) {
|
||||
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
|
||||
@ -75,7 +68,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
} else {
|
||||
/* legacy engine support : remove the mark when this is deleted */
|
||||
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
|
||||
@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -315,11 +323,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
goto err;
|
||||
}
|
||||
@ -89,7 +82,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
if (ctx->reqdigest != NULL
|
||||
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
||||
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
||||
@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -331,6 +341,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
@ -97,7 +90,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
|
||||
if (ver) {
|
||||
if (signature->digest_verify_init == NULL) {
|
||||
@@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -363,6 +374,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
EVP_KEYMGMT_free(tmp_keymgmt);
|
||||
return 0;
|
||||
|
||||
@ -105,7 +98,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
legacy:
|
||||
/*
|
||||
* If we don't have the full support we need with provided methods,
|
||||
@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -434,6 +446,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
ctx->pctx->flag_call_digest_custom = 1;
|
||||
|
||||
ret = 1;
|
||||
@ -113,7 +106,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
|
||||
end:
|
||||
#ifndef FIPS_MODULE
|
||||
@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
@@ -476,7 +489,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
|
||||
NULL);
|
||||
}
|
||||
@ -121,7 +114,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
|
||||
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
||||
{
|
||||
@@ -541,23 +553,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
||||
@@ -548,24 +560,31 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
||||
return EVP_DigestUpdate(ctx, data, dsize);
|
||||
}
|
||||
|
||||
@ -130,13 +123,19 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
size_t *siglen)
|
||||
{
|
||||
- int sctx = 0, r = 0;
|
||||
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
|
||||
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
|
||||
+ int r = 0;
|
||||
+#ifndef FIPS_MODULE
|
||||
+ int sctx = 0;
|
||||
+ EVP_PKEY_CTX *dctx;
|
||||
+ EVP_PKEY_CTX *dctx = NULL;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
||||
+
|
||||
|
||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (pctx == NULL
|
||||
@ -146,26 +145,26 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
|
||||
return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
|
||||
sigret, siglen,
|
||||
sigret == NULL ? 0 : *siglen);
|
||||
+#ifndef FIPS_MODULE
|
||||
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
||||
/* try dup */
|
||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
||||
if (dctx == NULL)
|
||||
return 0;
|
||||
@@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
sigret, siglen,
|
||||
*siglen);
|
||||
@@ -580,7 +599,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
else
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
return r;
|
||||
+#else
|
||||
+ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
|
||||
+ sigret, siglen,
|
||||
+ sigret == NULL ? 0 : *siglen);
|
||||
+ return r;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
legacy:
|
||||
if (pctx == NULL || pctx->pmeth == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
@@ -653,6 +679,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
@ -173,7 +172,7 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
}
|
||||
|
||||
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
||||
@@ -669,21 +690,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
||||
@@ -691,23 +718,30 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
||||
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
size_t siglen)
|
||||
{
|
||||
@ -183,10 +182,16 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
+ unsigned char md[EVP_MAX_MD_SIZE];
|
||||
unsigned int mdlen = 0;
|
||||
int vctx = 0;
|
||||
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
|
||||
+ EVP_PKEY_CTX *dctx;
|
||||
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
|
||||
+ EVP_PKEY_CTX *dctx = NULL;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
||||
+
|
||||
|
||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (pctx == NULL
|
||||
@ -196,25 +201,25 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
|
||||
return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
|
||||
sig, siglen);
|
||||
+#ifndef FIPS_MODULE
|
||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
||||
/* try dup */
|
||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
||||
if (dctx == NULL)
|
||||
return 0;
|
||||
@@ -691,8 +718,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx,
|
||||
sig, siglen);
|
||||
@@ -721,7 +755,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
else
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
return r;
|
||||
+#else
|
||||
+ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
|
||||
+ sig, siglen);
|
||||
+ return r;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
legacy:
|
||||
if (pctx == NULL || pctx->pmeth == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
@@ -762,6 +802,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
if (vctx || !r)
|
||||
return r;
|
||||
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
|
||||
@ -222,16 +227,16 @@ index db1a1d7bc3..c94c3c53bd 100644
|
||||
}
|
||||
|
||||
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
||||
@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
||||
@@ -794,4 +835,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
||||
return -1;
|
||||
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
|
||||
}
|
||||
-#endif /* FIPS_MODULE */
|
||||
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
|
||||
index b6d5e8e134..77eec075e6 100644
|
||||
index 4ea10670c0..5eb27c8ed2 100644
|
||||
--- a/providers/fips/self_test_kats.c
|
||||
+++ b/providers/fips/self_test_kats.c
|
||||
@@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
int ret = 0;
|
||||
OSSL_PARAM *params = NULL, *params_sig = NULL;
|
||||
OSSL_PARAM_BLD *bld = NULL;
|
||||
@ -241,13 +246,12 @@ index b6d5e8e134..77eec075e6 100644
|
||||
EVP_PKEY *pkey = NULL;
|
||||
- unsigned char sig[256];
|
||||
BN_CTX *bnctx = NULL;
|
||||
BIGNUM *K = NULL;
|
||||
+ const char *msg = "Hello World!";
|
||||
+ unsigned char sig[256];
|
||||
size_t siglen = sizeof(sig);
|
||||
static const unsigned char dgst[] = {
|
||||
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
||||
@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
|
||||
goto err;
|
||||
|
||||
@ -288,7 +292,7 @@ index b6d5e8e134..77eec075e6 100644
|
||||
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
||||
goto err;
|
||||
|
||||
@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
goto err;
|
||||
|
||||
OSSL_SELF_TEST_oncorrupt_byte(st, sig);
|
||||
@ -309,5 +313,5 @@ index b6d5e8e134..77eec075e6 100644
|
||||
OSSL_PARAM_free(params_sig);
|
||||
OSSL_PARAM_BLD_free(bld);
|
||||
--
|
||||
2.37.1
|
||||
2.44.0
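Review bot: In the EVP_DigestSignFinal hunk the `if (pctx == NULL ...)` test is moved inside `#ifndef FIPS_MODULE` along with its `goto legacy`, so the FIPS build falls straight through to `pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, ...)` with no check that `pctx`, its operation type or `op.sig.algctx` are set; the same shape is repeated in the EVP_DigestVerifyFinal hunk before its `digest_verify_final` call. Within the module these are only reached from the self-test in self_test_kats.c, where the context is always initialised, but a NULL dereference is a cheap thing to rule out. Keep the condition unconditional and make only the fallback build-dependent: `#ifndef FIPS_MODULE goto legacy; #else ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); return 0; #endif`. The full condition continues across a hunk boundary, and both functions start and end outside the hunks shown.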
|
||||
|
||||
|
@ -1,3 +1,79 @@
|
||||
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
|
||||
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
|
||||
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
|
||||
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
|
||||
size_t entropy_available;
|
||||
RAND_POOL *pool;
|
||||
|
||||
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
|
||||
+ /*
|
||||
+ * OpenSSL still implements an internal entropy pool of
|
||||
+ * some size that is hashed to get seed data.
|
||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
||||
+ * 64 additional bits from the entropy source to claim the requested
|
||||
+ * amount of entropy.
|
||||
+ */
|
||||
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
|
||||
if (pool == NULL) {
|
||||
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
|
||||
return 0;
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
|
||||
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
|
||||
* to the nearest byte. If the entropy is of less than full quality,
|
||||
* the amount required should be scaled up appropriately here.
|
||||
*/
|
||||
- bytes_needed = (entropy + 7) / 8;
|
||||
+ /*
|
||||
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
|
||||
+ * + 128 bits during initial seeding
|
||||
+ */
|
||||
+ bytes_needed = (entropy + 128 + 7) / 8;
|
||||
if (bytes_needed < min_len)
|
||||
bytes_needed = min_len;
|
||||
if (bytes_needed > max_len)
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
|
||||
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
|
||||
#endif
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ prediction_resistance = 1;
|
||||
+#endif
|
||||
/* Reseed using our sources in addition */
|
||||
entropylen = get_entropy(drbg, &entropy, drbg->strength,
|
||||
drbg->min_entropylen, drbg->max_entropylen,
|
||||
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
|
||||
reseed_required = 1;
|
||||
}
|
||||
if (drbg->parent != NULL
|
||||
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
|
||||
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
|
||||
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
|
||||
+#else
|
||||
reseed_required = 1;
|
||||
+#endif
|
||||
+ }
|
||||
|
||||
if (reseed_required || prediction_resistance) {
|
||||
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
|
||||
diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
|
||||
--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
|
||||
@@ -38,7 +38,7 @@
|
||||
*
|
||||
* The value is in bytes.
|
||||
*/
|
||||
-#define CRNGT_BUFSIZ 16
|
||||
+#define CRNGT_BUFSIZ 32
|
||||
|
||||
/*
|
||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
|
||||
@ -9,8 +85,8 @@ diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsr
|
||||
+# include <openssl/evp.h>
|
||||
|
||||
static uint64_t get_time_stamp(void);
|
||||
static uint64_t get_timer_bits(void);
|
||||
@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf,
|
||||
|
||||
@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
|
||||
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
|
||||
* between size_t and ssize_t is safe even without a range check.
|
||||
*/
|
||||
@ -70,49 +146,40 @@ diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsr
|
||||
-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
|
||||
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
|
||||
- return getrandom(buf, buflen, 0);
|
||||
-# elif defined(__wasi__)
|
||||
- if (getentropy(buf, buflen) == 0)
|
||||
- return (ssize_t)buflen;
|
||||
- return -1;
|
||||
-# else
|
||||
- errno = ENOSYS;
|
||||
- return -1;
|
||||
-# endif
|
||||
+ /* Red Hat uses downstream patch to always seed from getrandom() */
|
||||
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
|
||||
+ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */
|
||||
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
|
||||
}
|
||||
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
|
||||
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
|
||||
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
|
||||
#endif
|
||||
diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c
|
||||
--- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200
|
||||
+++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200
|
||||
@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ prediction_resistance = 1;
|
||||
+#endif
|
||||
/* Reseed using our sources in addition */
|
||||
entropylen = get_entropy(drbg, &entropy, drbg->strength,
|
||||
drbg->min_entropylen, drbg->max_entropylen,
|
||||
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
|
||||
reseed_required = 1;
|
||||
}
|
||||
if (drbg->parent != NULL
|
||||
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
|
||||
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
|
||||
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
|
||||
+#else
|
||||
reseed_required = 1;
|
||||
+#endif
|
||||
+ }
|
||||
|
||||
if (reseed_required || prediction_resistance) {
|
||||
if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
|
||||
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
|
||||
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
|
||||
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
|
||||
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
|
||||
size_t entropy_available;
|
||||
- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
|
||||
+ /*
|
||||
+ * OpenSSL still implements an internal entropy pool of
|
||||
+ * some size that is hashed to get seed data.
|
||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
||||
+ * 64 additional bits from the entropy source to claim the requested
|
||||
+ * amount of entropy.
|
||||
+ */
|
||||
+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
|
||||
if (pool == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
|
||||
return 0;
|
||||
@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
|
||||
size_t i;
|
||||
RAND_POOL *pool;
|
||||
|
||||
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
|
||||
@ -125,33 +192,107 @@ diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/ran
|
||||
+ */
|
||||
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
|
||||
if (pool == NULL) {
|
||||
ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
|
||||
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
|
||||
return 0;
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
|
||||
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
|
||||
* to the nearest byte. If the entropy is of less than full quality,
|
||||
* the amount required should be scaled up appropriately here.
|
||||
*/
|
||||
- bytes_needed = (entropy + 7) / 8;
|
||||
+ /*
|
||||
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
|
||||
+ * + 128 bits during initial seeding
|
||||
+ */
|
||||
+ bytes_needed = (entropy + 128 + 7) / 8;
|
||||
if (bytes_needed < min_len)
|
||||
bytes_needed = min_len;
|
||||
if (bytes_needed > max_len)
|
||||
diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
|
||||
--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
|
||||
@@ -38,7 +38,7 @@
|
||||
*
|
||||
* The value is in bytes.
|
||||
*/
|
||||
-#define CRNGT_BUFSIZ 16
|
||||
+#define CRNGT_BUFSIZ 32
|
||||
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
|
||||
index 14999540ab..b05b84717b 100644
|
||||
--- a/crypto/rand/rand_lib.c
|
||||
+++ b/crypto/rand/rand_lib.c
|
||||
@@ -11,6 +11,7 @@
|
||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||
|
||||
#include <openssl/err.h>
|
||||
+#include <openssl/evp.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include "internal/cryptlib.h"
|
||||
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
-#ifndef FIPS_MODULE
|
||||
- if (dgbl->seed == NULL) {
|
||||
- ERR_set_mark();
|
||||
- dgbl->seed = rand_new_seed(ctx);
|
||||
- ERR_pop_to_mark();
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
|
||||
+ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
|
||||
PRIMARY_RESEED_INTERVAL,
|
||||
PRIMARY_RESEED_TIME_INTERVAL, 1);
|
||||
/*
|
||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
||||
@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_
|
||||
if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
|
||||
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
|
||||
return NULL;
|
||||
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
|
||||
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
|
||||
SECONDARY_RESEED_TIME_INTERVAL, 0);
|
||||
CRYPTO_THREAD_set_local(&dgbl->public, rand);
|
||||
}
|
||||
@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB
|
||||
if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
|
||||
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
|
||||
return NULL;
|
||||
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
|
||||
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
|
||||
SECONDARY_RESEED_TIME_INTERVAL, 0);
|
||||
CRYPTO_THREAD_set_local(&dgbl->private, rand);
|
||||
}
|
||||
diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c
|
||||
--- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200
|
||||
+++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200
|
||||
@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s
|
||||
reseed_when = time(NULL);
|
||||
|
||||
/* Generate random output from the public and private DRBG */
|
||||
- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0;
|
||||
+ before_reseed = 0;
|
||||
if (!TEST_int_eq(rand_bytes((unsigned char*)public_random,
|
||||
RANDOM_SIZE), expect_success)
|
||||
|| !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random,
|
||||
@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s
|
||||
*/
|
||||
|
||||
/* Test whether reseeding succeeded as expected */
|
||||
- if (!TEST_int_eq(state(primary), expected_state)
|
||||
- || !TEST_int_eq(state(public), expected_state)
|
||||
+ if (/*!TEST_int_eq(state(primary), expected_state)
|
||||
+ ||*/ !TEST_int_eq(state(public), expected_state)
|
||||
|| !TEST_int_eq(state(private), expected_state))
|
||||
return 0;
|
||||
|
||||
@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s
|
||||
if (expect_public_reseed >= 0) {
|
||||
/* Test whether public DRBG was reseeded as expected */
|
||||
if (!TEST_int_ge(reseed_counter(public), public_reseed)
|
||||
- || !TEST_uint_ge(reseed_counter(public),
|
||||
- reseed_counter(primary)))
|
||||
+ /*|| !TEST_uint_ge(reseed_counter(public),
|
||||
+ reseed_counter(primary))*/)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (expect_private_reseed >= 0) {
|
||||
/* Test whether public DRBG was reseeded as expected */
|
||||
if (!TEST_int_ge(reseed_counter(private), private_reseed)
|
||||
- || !TEST_uint_ge(reseed_counter(private),
|
||||
- reseed_counter(primary)))
|
||||
+ /*|| !TEST_uint_ge(reseed_counter(private),
|
||||
+ reseed_counter(primary))*/)
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -577,8 +577,8 @@ static int test_rand_reseed(void)
|
||||
if (!TEST_ptr_ne(public, private)
|
||||
|| !TEST_ptr_ne(public, primary)
|
||||
|| !TEST_ptr_ne(private, primary)
|
||||
- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
|
||||
- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary)))
|
||||
+ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
|
||||
+ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/)
|
||||
return 0;
|
||||
|
||||
/* Disable CRNG testing for the primary DRBG */
|
||||
|
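Review bot: The drbgtest.c hunks neutralise assertions by wrapping them in `/* ... */` inside live conditions — `state(primary)` in the `@@ -232` hunk, the `reseed_counter(primary)` comparisons in `@@ -246`, and the `prov_rand(public)->parent` / `prov_rand(private)->parent` checks in `@@ -577` — and `before_reseed = 0;` makes the `expect_primary_reseed` argument of test_drbg_reseed dead for that computation. Commented-out code inside an `if (...)` is easy to mis-edit and hides the intent, which from the rand_lib.c hunks above appears to be that the public and private DRBGs are now created with `rand_new_drbg(ctx, NULL, ...)`, i.e. without the primary as parent. Prefer deleting those conditions and pinning the new topology instead, e.g. `|| !TEST_ptr_null(prov_rand(public)->parent)` and `|| !TEST_ptr_null(prov_rand(private)->parent)` in test_rand_reseed, so a regression that silently re-chains the DRBGs to the primary would be caught, plus a one-line comment explaining why the primary no longer takes part in reseed accounting. test_drbg_reseed and test_rand_reseed both start and end outside these hunks.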
@ -20,8 +20,8 @@ diff -up openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero openssl-3.0.1/crypto/rsa/rs
|
||||
--- openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero 2022-08-05 13:08:31.875848536 +0200
|
||||
+++ openssl-3.0.1/crypto/rsa/rsa_lib.c 2022-08-05 13:09:35.438416025 +0200
|
||||
@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
|
||||
|
||||
CRYPTO_THREAD_lock_free(r->lock);
|
||||
CRYPTO_FREE_REF(&r->references);
|
||||
|
||||
- BN_free(r->n);
|
||||
- BN_free(r->e);
|
||||
|
@ -42,15 +42,15 @@ Resolves: rhbz#2160733 rhbz#2164763
|
||||
Related: rhbz#2114772 rhbz#2141695
|
||||
---
|
||||
include/crypto/evp.h | 7 ++
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/kdf.h | 4 +
|
||||
providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
|
||||
providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
|
||||
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
|
||||
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
|
||||
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
|
||||
providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++-
|
||||
9 files changed, 488 insertions(+), 22 deletions(-)
|
||||
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
|
||||
util/perl/OpenSSL/paramnames.pm | 1 +
|
||||
9 files changed, 487 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||
index e70d8e9e84..76fb990de4 100644
|
||||
@ -70,18 +70,6 @@ index e70d8e9e84..76fb990de4 100644
|
||||
struct evp_kdf_st {
|
||||
OSSL_PROVIDER *prov;
|
||||
int name_id;
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 6bed5a8a67..680bfbc7cc 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -223,6 +223,7 @@ extern "C" {
|
||||
#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"
|
||||
#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"
|
||||
#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"
|
||||
+#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
||||
|
||||
/* Known KDF names */
|
||||
#define OSSL_KDF_NAME_HKDF "HKDF"
|
||||
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
|
||||
index 0983230a48..86171635ea 100644
|
||||
--- a/include/openssl/kdf.h
|
||||
@ -111,7 +99,7 @@ index dfa7786bde..f01e40ff5a 100644
|
||||
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
|
||||
@@ -85,6 +86,10 @@ typedef struct {
|
||||
size_t data_len;
|
||||
unsigned char info[HKDF_MAXBUF];
|
||||
unsigned char *info;
|
||||
size_t info_len;
|
||||
+ int is_tls13;
|
||||
+#ifdef FIPS_MODULE
|
||||
@ -132,7 +120,7 @@ index dfa7786bde..f01e40ff5a 100644
|
||||
switch (ctx->mode) {
|
||||
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
|
||||
default:
|
||||
@@ -332,15 +342,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
|
||||
{
|
||||
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
|
||||
OSSL_PARAM *p;
|
||||
@ -141,15 +129,20 @@ index dfa7786bde..f01e40ff5a 100644
|
||||
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
size_t sz = kdf_hkdf_size(ctx);
|
||||
|
||||
- if (sz == 0)
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
|
||||
if (sz == 0)
|
||||
return 0;
|
||||
- return OSSL_PARAM_set_size_t(p, sz);
|
||||
return OSSL_PARAM_set_size_t(p, sz);
|
||||
}
|
||||
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
if (ctx->info == NULL || ctx->info_len == 0) {
|
||||
p->return_size = 0;
|
||||
return 1;
|
||||
}
|
||||
return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
|
||||
}
|
||||
- return -2;
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||
+ != NULL) {
|
||||
@ -215,9 +208,9 @@ index dfa7786bde..f01e40ff5a 100644
|
||||
|
||||
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
@ -260,9 +253,9 @@ index dfa7786bde..f01e40ff5a 100644
|
||||
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
|
||||
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
|
||||
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
|
||||
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
|
||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
|
||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
|
||||
{ OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive },
|
||||
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
|
||||
index a542f84dfa..6b6dfb94ac 100644
|
||||
--- a/providers/implementations/kdfs/kbkdf.c
|
||||
@ -277,9 +270,9 @@ index a542f84dfa..6b6dfb94ac 100644
|
||||
/* Names are lowercased versions of those found in SP800-108. */
|
||||
int r;
|
||||
unsigned char *ki;
|
||||
@@ -70,6 +73,9 @@ typedef struct {
|
||||
size_t iv_len;
|
||||
@@ -73,6 +76,9 @@ typedef struct {
|
||||
int use_l;
|
||||
int is_kmac;
|
||||
int use_separator;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
@ -296,7 +289,7 @@ index a542f84dfa..6b6dfb94ac 100644
|
||||
OPENSSL_clear_free(ctx->label, ctx->label_len);
|
||||
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
|
||||
@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
return 0;
|
||||
goto done;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
@ -308,7 +301,7 @@ index a542f84dfa..6b6dfb94ac 100644
|
||||
if (h == 0)
|
||||
goto done;
|
||||
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
||||
@ -512,10 +505,10 @@ diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/
|
||||
index eb54972e1c..23865cd70f 100644
|
||||
--- a/providers/implementations/kdfs/sskdf.c
|
||||
+++ b/providers/implementations/kdfs/sskdf.c
|
||||
@@ -62,6 +62,10 @@ typedef struct {
|
||||
unsigned char *salt;
|
||||
@@ -64,6 +64,10 @@ typedef struct {
|
||||
size_t salt_len;
|
||||
size_t out_len; /* optional KMAC parameter */
|
||||
int is_kmac;
|
||||
+ int is_x963kdf;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
@ -528,9 +521,9 @@ index eb54972e1c..23865cd70f 100644
|
||||
|
||||
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
|
||||
+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
|
||||
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
|
||||
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
|
||||
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
|
||||
static OSSL_FUNC_kdf_derive_fn sskdf_derive;
|
||||
@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
|
||||
return ctx;
|
||||
}
|
||||
@ -666,9 +659,9 @@ index eb54972e1c..23865cd70f 100644
|
||||
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
|
||||
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
|
||||
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
|
||||
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
|
||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
|
||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
|
||||
{ OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive },
|
||||
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||||
index a4d64b9352..f6782a6ca2 100644
|
||||
--- a/providers/implementations/kdfs/tls1_prf.c
|
||||
@ -704,8 +697,8 @@ index a4d64b9352..f6782a6ca2 100644
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
|
||||
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
|
||||
ctx->sec, ctx->seclen,
|
||||
/*
|
||||
* The seed buffer is prepended with a label.
|
||||
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||
}
|
||||
}
|
||||
@ -794,7 +787,7 @@ diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementation
|
||||
index b1bc6f7e1b..8173fc2cc7 100644
|
||||
--- a/providers/implementations/kdfs/x942kdf.c
|
||||
+++ b/providers/implementations/kdfs/x942kdf.c
|
||||
@@ -13,10 +13,13 @@
|
||||
@@ -13,11 +13,13 @@
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
@ -803,7 +796,7 @@ index b1bc6f7e1b..8173fc2cc7 100644
|
||||
#include <openssl/proverr.h>
|
||||
#include "internal/packet.h"
|
||||
#include "internal/der.h"
|
||||
+#include "internal/nelem.h"
|
||||
#include "internal/nelem.h"
|
||||
+#include "crypto/evp.h"
|
||||
#include "prov/provider_ctx.h"
|
||||
#include "prov/providercommon.h"
|
||||
@ -901,6 +894,18 @@ index b1bc6f7e1b..8173fc2cc7 100644
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||
index 70f7c50fe4..6618122417 100644
|
||||
--- a/util/perl/OpenSSL/paramnames.pm
|
||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||
@@ -183,6 +183,7 @@ my %params = (
|
||||
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
|
||||
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
|
||||
'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
|
||||
+ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
|
||||
'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
|
||||
'KDF_PARAM_THREADS' => "threads", # uint32_t
|
||||
--
|
||||
2.39.2
|
||||
|
||||
|
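Review bot: The new `'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",` entry carries no type comment, while its neighbour `'KDF_PARAM_THREADS' => "threads", # uint32_t` does and the hkdf.c hunk earlier in this patch exposes the parameter as `OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL)`. Because this series edits paramnames.pm in place of the direct core_names.h edits it removes, the table is now the only place a reader can learn the parameter's type; suggest `'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int`. The `%params` hash starts and ends outside the hunk.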
@ -16,7 +16,6 @@ parameter.
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
include/crypto/evp.h | 7 +++++++
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/evp.h | 3 +++
|
||||
providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
|
||||
4 files changed, 28 insertions(+)
|
||||
@ -39,18 +38,6 @@ index 76fb990de4..1e2240516e 100644
|
||||
struct evp_mac_st {
|
||||
OSSL_PROVIDER *prov;
|
||||
int name_id;
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index c019afbbb0..94fab83193 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -173,6 +173,7 @@ extern "C" {
|
||||
#define OSSL_MAC_PARAM_SIZE "size" /* size_t */
|
||||
#define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */
|
||||
#define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */
|
||||
+#define OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
||||
|
||||
/* Known MAC names */
|
||||
#define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC"
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index 49e8e1df78..a5e78efd6e 100644
|
||||
--- a/include/openssl/evp.h
|
||||
@ -75,9 +62,9 @@ index 52ebb08b8f..cf5c3ecbe7 100644
|
||||
|
||||
+#include "crypto/evp.h"
|
||||
+
|
||||
#include "internal/ssl3_cbc.h"
|
||||
|
||||
#include "prov/implementations.h"
|
||||
#include "prov/provider_ctx.h"
|
||||
#include "prov/provider_util.h"
|
||||
@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
|
||||
@ -107,6 +94,30 @@ index 52ebb08b8f..cf5c3ecbe7 100644
|
||||
return 1;
|
||||
}
|
||||
|
||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||
index 6618122417..8b2d430f17 100644
|
||||
--- a/util/perl/OpenSSL/paramnames.pm
|
||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||
@@ -137,12 +137,13 @@ my %params = (
|
||||
# If "engine",or "properties",are specified, they should always be paired
|
||||
# with "cipher",or "digest".
|
||||
|
||||
- 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
|
||||
- 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
|
||||
- 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
|
||||
- 'MAC_PARAM_SIZE' => "size", # size_t
|
||||
- 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
|
||||
- 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
|
||||
+ 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
|
||||
+ 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
|
||||
+ 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
|
||||
+ 'MAC_PARAM_SIZE' => "size", # size_t
|
||||
+ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
|
||||
+ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
|
||||
+ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
|
||||
|
||||
# KDF / PRF parameters
|
||||
'KDF_PARAM_SECRET' => "secret", # octet string
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
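Review bot: The `# size_t` comment on `'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t` looks copied from the `tls-data-size` line above it rather than reflecting the indicator's type; the KDF counterpart in the previous patch is registered as `OSSL_PARAM_int`, and the hmac_prov.c gettable-params hunk that would show the MAC type is cut off in this view. If hmac_prov.c registers it as an int as well, the annotation should read `# int` — the comment does not change generated output, but a wrong type note in the table that core_names.h is produced from misleads the next reader. Separately, this hunk and the SIGNATURE_PARAM hunk later in the series re-align six to nine untouched lines to insert one entry, which inflates the diff and obscures the real change; keeping the existing column alignment would reduce each to a one-line addition.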
@ -52,7 +52,7 @@ index 2a0ae63acc..aa0adce5e6 100644
|
||||
+#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
|
||||
|
||||
static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
|
||||
static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free;
|
||||
static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
|
||||
@@ -186,9 +201,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||
ctx->lower_bound_checks = pkcs5 == 0;
|
||||
}
|
||||
|
@ -40,23 +40,11 @@ Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/evp.h | 4 ++++
|
||||
providers/implementations/signature/rsa_sig.c | 18 ++++++++++++++++++
|
||||
3 files changed, 23 insertions(+)
|
||||
providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++
|
||||
util/perl/OpenSSL/paramnames.pm | 23 ++++++++++---------
|
||||
3 files changed, 37 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 94fab83193..69c59f0b46 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -453,6 +453,7 @@ extern "C" {
|
||||
#define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \
|
||||
OSSL_PKEY_PARAM_MGF1_PROPERTIES
|
||||
#define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE
|
||||
+#define OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
||||
|
||||
/* Asym cipher parameters */
|
||||
#define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index a5e78efd6e..f239200465 100644
|
||||
--- a/include/openssl/evp.h
|
||||
@ -111,6 +99,40 @@ index 49e7f9158a..0c45008a00 100644
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||
index 8b2d430f17..a109e44521 100644
|
||||
--- a/util/perl/OpenSSL/paramnames.pm
|
||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||
@@ -377,17 +377,18 @@ my %params = (
|
||||
'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm",
|
||||
|
||||
# Signature parameters
|
||||
- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
|
||||
- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
|
||||
- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
||||
- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
|
||||
- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
|
||||
- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
|
||||
- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
|
||||
- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
|
||||
- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
|
||||
- 'SIGNATURE_PARAM_INSTANCE' => "instance",
|
||||
- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
|
||||
+ 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
|
||||
+ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
|
||||
+ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
||||
+ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
|
||||
+ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
|
||||
+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
|
||||
+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
|
||||
+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
|
||||
+ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||
+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
|
||||
+ 'SIGNATURE_PARAM_INSTANCE' => "instance",
|
||||
+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
|
||||
|
||||
# Asym cipher parameters
|
||||
'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
@ -1,114 +0,0 @@
|
||||
From 0879fac692cb1bff0ec4c196cb364d970ad3ecec Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 21 Nov 2022 14:33:57 +0100
|
||||
Subject: [PATCH 2/3] Obtain PSS salt length from provider
|
||||
|
||||
Rather than computing the PSS salt length again in core using
|
||||
ossl_rsa_ctx_to_pss_string, which calls rsa_ctx_to_pss and computes the
|
||||
salt length, obtain it from the provider using the
|
||||
OSSL_SIGNATURE_PARAM_ALGORITHM_ID param to handle the case where the
|
||||
interpretation of the magic constants in the provider differs from that
|
||||
of OpenSSL core.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/cms/cms_rsa.c | 19 +++++++++++++++----
|
||||
crypto/rsa/rsa_ameth.c | 34 +++++++++++++++++++++-------------
|
||||
2 files changed, 36 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
|
||||
index 20ed816918..997567fdbf 100644
|
||||
--- a/crypto/cms/cms_rsa.c
|
||||
+++ b/crypto/cms/cms_rsa.c
|
||||
@@ -10,6 +10,7 @@
|
||||
#include <assert.h>
|
||||
#include <openssl/cms.h>
|
||||
#include <openssl/err.h>
|
||||
+#include <openssl/core_names.h>
|
||||
#include "crypto/asn1.h"
|
||||
#include "crypto/rsa.h"
|
||||
#include "cms_local.h"
|
||||
@@ -191,7 +192,10 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
|
||||
int pad_mode = RSA_PKCS1_PADDING;
|
||||
X509_ALGOR *alg;
|
||||
EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
|
||||
- ASN1_STRING *os = NULL;
|
||||
+ unsigned char aid[128];
|
||||
+ const unsigned char *pp = aid;
|
||||
+ size_t aid_len = 0;
|
||||
+ OSSL_PARAM params[2];
|
||||
|
||||
CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
|
||||
if (pkctx != NULL) {
|
||||
@@ -205,10 +209,17 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
|
||||
/* We don't support it */
|
||||
if (pad_mode != RSA_PKCS1_PSS_PADDING)
|
||||
return 0;
|
||||
- os = ossl_rsa_ctx_to_pss_string(pkctx);
|
||||
- if (os == NULL)
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_octet_string(
|
||||
+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
|
||||
+ params[1] = OSSL_PARAM_construct_end();
|
||||
+
|
||||
+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
|
||||
+ return 0;
|
||||
+ if ((aid_len = params[0].return_size) == 0)
|
||||
+ return 0;
|
||||
+ if (d2i_X509_ALGOR(&alg, &pp, aid_len) == NULL)
|
||||
return 0;
|
||||
- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
|
||||
return 1;
|
||||
}
|
||||
|
||||
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
|
||||
index c15554505b..61ec53d424 100644
|
||||
--- a/crypto/rsa/rsa_ameth.c
|
||||
+++ b/crypto/rsa/rsa_ameth.c
|
||||
@@ -637,22 +637,30 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn,
|
||||
if (pad_mode == RSA_PKCS1_PADDING)
|
||||
return 2;
|
||||
if (pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||||
- ASN1_STRING *os1 = NULL;
|
||||
- os1 = ossl_rsa_ctx_to_pss_string(pkctx);
|
||||
- if (!os1)
|
||||
+ unsigned char aid[128];
|
||||
+ size_t aid_len = 0;
|
||||
+ OSSL_PARAM params[2];
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_octet_string(
|
||||
+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
|
||||
+ params[1] = OSSL_PARAM_construct_end();
|
||||
+
|
||||
+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
|
||||
return 0;
|
||||
- /* Duplicate parameters if we have to */
|
||||
- if (alg2) {
|
||||
- ASN1_STRING *os2 = ASN1_STRING_dup(os1);
|
||||
- if (!os2) {
|
||||
- ASN1_STRING_free(os1);
|
||||
+ if ((aid_len = params[0].return_size) == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (alg1 != NULL) {
|
||||
+ const unsigned char *pp = aid;
|
||||
+ if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL)
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (alg2 != NULL) {
|
||||
+ const unsigned char *pp = aid;
|
||||
+ if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL)
|
||||
return 0;
|
||||
- }
|
||||
- X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
||||
- V_ASN1_SEQUENCE, os2);
|
||||
}
|
||||
- X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
||||
- V_ASN1_SEQUENCE, os1);
|
||||
+
|
||||
return 3;
|
||||
}
|
||||
return 2;
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,338 +0,0 @@
|
||||
From 9cc914ff3e1fda124bdc76d72ebc9349ec19f8ae Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 18 Nov 2022 12:35:33 +0100
|
||||
Subject: [PATCH 3/3] signature: Clamp PSS salt len to MD len
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
||||
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
||||
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
||||
the hash function output block (in bytes)."
|
||||
|
||||
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
|
||||
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
|
||||
not use more than the digest legth when signing, so that FIPS 186-4 is
|
||||
not violated. This value has two advantages when compared with
|
||||
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
|
||||
verifying signatures for maximum compatibility, where
|
||||
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
|
||||
work for combinations where the maximum salt length is smaller than the
|
||||
digest size, which typically happens with large digest sizes (e.g.,
|
||||
SHA-512) and small RSA keys.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/rsa/rsa_ameth.c | 18 ++++++++-
|
||||
crypto/rsa/rsa_pss.c | 26 ++++++++++--
|
||||
doc/man3/EVP_PKEY_CTX_ctrl.pod | 11 ++++-
|
||||
doc/man7/EVP_SIGNATURE-RSA.pod | 5 +++
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/rsa.h | 3 ++
|
||||
providers/implementations/signature/rsa_sig.c | 40 ++++++++++++++-----
|
||||
test/recipes/25-test_req.t | 2 +-
|
||||
8 files changed, 87 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
|
||||
index 61ec53d424..e69a98d116 100644
|
||||
--- a/crypto/rsa/rsa_ameth.c
|
||||
+++ b/crypto/rsa/rsa_ameth.c
|
||||
@@ -450,6 +450,7 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
|
||||
const EVP_MD *sigmd, *mgf1md;
|
||||
EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
|
||||
int saltlen;
|
||||
+ int saltlenMax = -1;
|
||||
|
||||
if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
|
||||
return NULL;
|
||||
@@ -457,14 +458,27 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
|
||||
return NULL;
|
||||
if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0)
|
||||
return NULL;
|
||||
- if (saltlen == -1) {
|
||||
+ if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
|
||||
saltlen = EVP_MD_get_size(sigmd);
|
||||
- } else if (saltlen == -2 || saltlen == -3) {
|
||||
+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm",
|
||||
+ * subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in
|
||||
+ * bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where
|
||||
+ * hLen is the length of the hash function output block (in bytes)."
|
||||
+ *
|
||||
+ * Provide a way to use at most the digest length, so that the default
|
||||
+ * does not violate FIPS 186-4. */
|
||||
+ saltlen = RSA_PSS_SALTLEN_MAX;
|
||||
+ saltlenMax = EVP_MD_get_size(sigmd);
|
||||
+ }
|
||||
+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
|
||||
saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2;
|
||||
if ((EVP_PKEY_get_bits(pk) & 0x7) == 1)
|
||||
saltlen--;
|
||||
if (saltlen < 0)
|
||||
return NULL;
|
||||
+ if (saltlenMax >= 0 && saltlen > saltlenMax)
|
||||
+ saltlen = saltlenMax;
|
||||
}
|
||||
|
||||
return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen);
|
||||
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
|
||||
index 33874bfef8..430c36eb2a 100644
|
||||
--- a/crypto/rsa/rsa_pss.c
|
||||
+++ b/crypto/rsa/rsa_pss.c
|
||||
@@ -61,11 +61,12 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
||||
* -1 sLen == hLen
|
||||
* -2 salt length is autorecovered from signature
|
||||
* -3 salt length is maximized
|
||||
+ * -4 salt length is autorecovered from signature
|
||||
* -N reserved
|
||||
*/
|
||||
if (sLen == RSA_PSS_SALTLEN_DIGEST) {
|
||||
sLen = hLen;
|
||||
- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
|
||||
+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
|
||||
goto err;
|
||||
}
|
||||
@@ -112,7 +113,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
|
||||
goto err;
|
||||
}
|
||||
- if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
|
||||
+ if (sLen != RSA_PSS_SALTLEN_AUTO
|
||||
+ && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
|
||||
+ && (maskedDBLen - i) != sLen) {
|
||||
ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
|
||||
"expected: %d retrieved: %d", sLen,
|
||||
maskedDBLen - i);
|
||||
@@ -160,6 +163,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
||||
int hLen, maskedDBLen, MSBits, emLen;
|
||||
unsigned char *H, *salt = NULL, *p;
|
||||
EVP_MD_CTX *ctx = NULL;
|
||||
+ int sLenMax = -1;
|
||||
|
||||
if (mgf1Hash == NULL)
|
||||
mgf1Hash = Hash;
|
||||
@@ -172,13 +176,25 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
||||
* -1 sLen == hLen
|
||||
* -2 salt length is maximized
|
||||
* -3 same as above (on signing)
|
||||
+ * -4 salt length is min(hLen, maximum salt length)
|
||||
* -N reserved
|
||||
*/
|
||||
+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
||||
+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
||||
+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
||||
+ * the hash function output block (in bytes)."
|
||||
+ *
|
||||
+ * Provide a way to use at most the digest length, so that the default does
|
||||
+ * not violate FIPS 186-4. */
|
||||
if (sLen == RSA_PSS_SALTLEN_DIGEST) {
|
||||
sLen = hLen;
|
||||
- } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
|
||||
+ } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
|
||||
+ || sLen == RSA_PSS_SALTLEN_AUTO) {
|
||||
sLen = RSA_PSS_SALTLEN_MAX;
|
||||
- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
|
||||
+ } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
+ sLen = RSA_PSS_SALTLEN_MAX;
|
||||
+ sLenMax = hLen;
|
||||
+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
|
||||
goto err;
|
||||
}
|
||||
@@ -195,6 +211,8 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
||||
}
|
||||
if (sLen == RSA_PSS_SALTLEN_MAX) {
|
||||
sLen = emLen - hLen - 2;
|
||||
+ if (sLenMax >= 0 && sLen > sLenMax)
|
||||
+ sLen = sLenMax;
|
||||
} else if (sLen > emLen - hLen - 2) {
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
|
||||
goto err;
|
||||
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
|
||||
index 3075eaafd6..9b96f42dbc 100644
|
||||
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
|
||||
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
|
||||
@@ -270,8 +270,8 @@ EVP_PKEY_CTX_get_rsa_padding() gets the RSA padding mode for I<ctx>.
|
||||
|
||||
EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to I<saltlen>.
|
||||
As its name implies it is only supported for PSS padding. If this function is
|
||||
-not called then the maximum salt length is used when signing and auto detection
|
||||
-when verifying. Three special values are supported:
|
||||
+not called then the salt length is maximized up to the digest length when
|
||||
+signing and auto detection when verifying. Four special values are supported:
|
||||
|
||||
=over 4
|
||||
|
||||
@@ -289,6 +289,13 @@ causes the salt length to be automatically determined based on the
|
||||
B<PSS> block structure when verifying. When signing, it has the same
|
||||
meaning as B<RSA_PSS_SALTLEN_MAX>.
|
||||
|
||||
+=item B<RSA_PSS_SALTLEN_AUTO_DIGEST_MAX>
|
||||
+
|
||||
+causes the salt length to be automatically determined based on the B<PSS> block
|
||||
+structure when verifying, like B<RSA_PSS_SALTLEN_AUTO>. When signing, the salt
|
||||
+length is maximized up to a maximum of the digest length to comply with FIPS
|
||||
+186-4 section 5.5.
|
||||
+
|
||||
=back
|
||||
|
||||
EVP_PKEY_CTX_get_rsa_pss_saltlen() gets the RSA PSS salt length for I<ctx>.
|
||||
diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod
|
||||
index 1ce32cc443..13d053e262 100644
|
||||
--- a/doc/man7/EVP_SIGNATURE-RSA.pod
|
||||
+++ b/doc/man7/EVP_SIGNATURE-RSA.pod
|
||||
@@ -68,6 +68,11 @@ Use the maximum salt length.
|
||||
|
||||
Auto detect the salt length.
|
||||
|
||||
+=item "auto-digestmax" (B<OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX>)
|
||||
+
|
||||
+Auto detect the salt length when verifying. Maximize the salt length up to the
|
||||
+digest size when signing to comply with FIPS 186-4 section 5.5.
|
||||
+
|
||||
=back
|
||||
|
||||
=back
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 69c59f0b46..5779f41427 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -399,6 +399,7 @@ extern "C" {
|
||||
#define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest"
|
||||
#define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max"
|
||||
#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto"
|
||||
+#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax"
|
||||
|
||||
/* Key generation parameters */
|
||||
#define OSSL_PKEY_PARAM_RSA_BITS OSSL_PKEY_PARAM_BITS
|
||||
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
|
||||
index a55c9727c6..daf55bc6d4 100644
|
||||
--- a/include/openssl/rsa.h
|
||||
+++ b/include/openssl/rsa.h
|
||||
@@ -137,6 +137,9 @@ int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
|
||||
# define RSA_PSS_SALTLEN_AUTO -2
|
||||
/* Set salt length to maximum possible */
|
||||
# define RSA_PSS_SALTLEN_MAX -3
|
||||
+/* Auto-detect on verify, set salt length to min(maximum possible, digest
|
||||
+ * length) on sign */
|
||||
+# define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX -4
|
||||
/* Old compatible max salt length for sign only */
|
||||
# define RSA_PSS_SALTLEN_MAX_SIGN -2
|
||||
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index 0c45008a00..1a787d77db 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -191,8 +191,8 @@ static void *rsa_newctx(void *provctx, const char *propq)
|
||||
prsactx->libctx = PROV_LIBCTX_OF(provctx);
|
||||
prsactx->flag_allow_md = 1;
|
||||
prsactx->propq = propq_copy;
|
||||
- /* Maximum for sign, auto for verify */
|
||||
- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
|
||||
+ /* Maximum up to digest length for sign, auto for verify */
|
||||
+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
|
||||
prsactx->min_saltlen = -1;
|
||||
return prsactx;
|
||||
}
|
||||
@@ -200,13 +200,27 @@ static void *rsa_newctx(void *provctx, const char *propq)
|
||||
static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
|
||||
{
|
||||
int saltlen = ctx->saltlen;
|
||||
-
|
||||
+ int saltlenMax = -1;
|
||||
+
|
||||
+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
||||
+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
||||
+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
||||
+ * the hash function output block (in bytes)."
|
||||
+ *
|
||||
+ * Provide a way to use at most the digest length, so that the default does
|
||||
+ * not violate FIPS 186-4. */
|
||||
if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
|
||||
saltlen = EVP_MD_get_size(ctx->md);
|
||||
- } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) {
|
||||
+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
+ saltlen = RSA_PSS_SALTLEN_MAX;
|
||||
+ saltlenMax = EVP_MD_get_size(ctx->md);
|
||||
+ }
|
||||
+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
|
||||
saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2;
|
||||
if ((RSA_bits(ctx->rsa) & 0x7) == 1)
|
||||
saltlen--;
|
||||
+ if (saltlenMax >= 0 && saltlen > saltlenMax)
|
||||
+ saltlen = saltlenMax;
|
||||
}
|
||||
if (saltlen < 0) {
|
||||
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
|
||||
@@ -411,8 +425,8 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
|
||||
|
||||
prsactx->operation = operation;
|
||||
|
||||
- /* Maximum for sign, auto for verify */
|
||||
- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
|
||||
+ /* Maximize up to digest length for sign, auto for verify */
|
||||
+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
|
||||
prsactx->min_saltlen = -1;
|
||||
|
||||
switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
|
||||
@@ -1110,6 +1124,9 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
case RSA_PSS_SALTLEN_AUTO:
|
||||
value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
|
||||
break;
|
||||
+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
|
||||
+ value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;
|
||||
+ break;
|
||||
default:
|
||||
{
|
||||
int len = BIO_snprintf(p->data, p->data_size, "%d",
|
||||
@@ -1297,6 +1314,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
saltlen = RSA_PSS_SALTLEN_MAX;
|
||||
else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
|
||||
saltlen = RSA_PSS_SALTLEN_AUTO;
|
||||
+ else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
|
||||
+ saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
|
||||
else
|
||||
saltlen = atoi(p->data);
|
||||
break;
|
||||
@@ -1305,11 +1324,11 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
}
|
||||
|
||||
/*
|
||||
- * RSA_PSS_SALTLEN_MAX seems curiously named in this check.
|
||||
- * Contrary to what it's name suggests, it's the currently
|
||||
- * lowest saltlen number possible.
|
||||
+ * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.
|
||||
+ * Contrary to what it's name suggests, it's the currently lowest
|
||||
+ * saltlen number possible.
|
||||
*/
|
||||
- if (saltlen < RSA_PSS_SALTLEN_MAX) {
|
||||
+ if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
|
||||
return 0;
|
||||
}
|
||||
@@ -1317,6 +1336,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
if (rsa_pss_restricted(prsactx)) {
|
||||
switch (saltlen) {
|
||||
case RSA_PSS_SALTLEN_AUTO:
|
||||
+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
|
||||
if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
|
||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
|
||||
"Cannot use autodetected salt length");
|
||||
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
|
||||
index e615f1b338..35541aed12 100644
|
||||
--- a/test/recipes/25-test_req.t
|
||||
+++ b/test/recipes/25-test_req.t
|
||||
@@ -199,7 +199,7 @@ subtest "generating certificate requests with RSA-PSS" => sub {
|
||||
ok(!run(app(["openssl", "req",
|
||||
"-config", srctop_file("test", "test.cnf"),
|
||||
"-new", "-out", "testreq-rsapss3.pem", "-utf8",
|
||||
- "-sigopt", "rsa_pss_saltlen:-4",
|
||||
+ "-sigopt", "rsa_pss_saltlen:-5",
|
||||
"-key", srctop_file("test", "testrsapss.pem")])),
|
||||
"Generating request with expected failure");
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,705 +0,0 @@
|
||||
From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 10:46:32 -0500
|
||||
Subject: [PATCH 1/3] Propagate selection all the way on key export
|
||||
|
||||
EVP_PKEY_eq() is used to check, among other things, if a certificate
|
||||
public key corresponds to a private key. When the private key belongs to
|
||||
a provider that does not allow to export private keys this currently
|
||||
fails as the internal functions used to import/export keys ignored the
|
||||
selection given (which specifies that only the public key needs to be
|
||||
considered) and instead tries to export everything.
|
||||
|
||||
This patch allows to propagate the selection all the way down including
|
||||
adding it in the cache so that a following operation actually looking
|
||||
for other selection parameters does not mistakenly pick up an export
|
||||
containing only partial information.
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
||||
|
||||
diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
|
||||
index b06730dc7a..2d0238ee27 100644
|
||||
--- a/crypto/evp/keymgmt_lib.c
|
||||
+++ b/crypto/evp/keymgmt_lib.c
|
||||
@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
||||
export_cb, export_cbarg);
|
||||
}
|
||||
|
||||
-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ int selection)
|
||||
{
|
||||
struct evp_keymgmt_util_try_import_data_st import_data;
|
||||
OP_CACHE_ELEM *op;
|
||||
@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
*/
|
||||
if (pk->dirty_cnt == pk->dirty_cnt_copy) {
|
||||
/* If this key is already exported to |keymgmt|, no more to do */
|
||||
- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
|
||||
+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
|
||||
if (op != NULL && op->keymgmt != NULL) {
|
||||
void *ret = op->keydata;
|
||||
|
||||
@@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
/* Setup for the export callback */
|
||||
import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */
|
||||
import_data.keymgmt = keymgmt;
|
||||
- import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
+ import_data.selection = selection;
|
||||
|
||||
/*
|
||||
* The export function calls the callback (evp_keymgmt_util_try_import),
|
||||
* which does the import for us. If successful, we're done.
|
||||
*/
|
||||
- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL,
|
||||
+ if (!evp_keymgmt_util_export(pk, selection,
|
||||
&evp_keymgmt_util_try_import, &import_data))
|
||||
/* If there was an error, bail out */
|
||||
return NULL;
|
||||
@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
return NULL;
|
||||
}
|
||||
/* Check to make sure some other thread didn't get there first */
|
||||
- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
|
||||
+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
|
||||
if (op != NULL && op->keydata != NULL) {
|
||||
void *ret = op->keydata;
|
||||
|
||||
@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
evp_keymgmt_util_clear_operation_cache(pk, 0);
|
||||
|
||||
/* Add the new export to the operation cache */
|
||||
- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) {
|
||||
+ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata,
|
||||
+ selection)) {
|
||||
CRYPTO_THREAD_unlock(pk->lock);
|
||||
evp_keymgmt_freedata(keymgmt, import_data.keydata);
|
||||
return NULL;
|
||||
@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking)
|
||||
}
|
||||
|
||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt)
|
||||
+ EVP_KEYMGMT *keymgmt,
|
||||
+ int selection)
|
||||
{
|
||||
int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache);
|
||||
OP_CACHE_ELEM *p;
|
||||
@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
||||
*/
|
||||
for (i = 0; i < end; i++) {
|
||||
p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
|
||||
- if (keymgmt == p->keymgmt)
|
||||
+ if (keymgmt == p->keymgmt && (p->selection & selection) == selection)
|
||||
return p;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt, void *keydata)
|
||||
+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ void *keydata, int selection)
|
||||
{
|
||||
OP_CACHE_ELEM *p = NULL;
|
||||
|
||||
@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
||||
return 0;
|
||||
p->keydata = keydata;
|
||||
p->keymgmt = keymgmt;
|
||||
+ p->selection = selection;
|
||||
|
||||
if (!EVP_KEYMGMT_up_ref(keymgmt)) {
|
||||
OPENSSL_free(p);
|
||||
@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
|
||||
ok = 1;
|
||||
if (keydata1 != NULL) {
|
||||
tmp_keydata =
|
||||
- evp_keymgmt_util_export_to_provider(pk1, keymgmt2);
|
||||
+ evp_keymgmt_util_export_to_provider(pk1, keymgmt2,
|
||||
+ selection);
|
||||
ok = (tmp_keydata != NULL);
|
||||
}
|
||||
if (ok) {
|
||||
@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
|
||||
ok = 1;
|
||||
if (keydata2 != NULL) {
|
||||
tmp_keydata =
|
||||
- evp_keymgmt_util_export_to_provider(pk2, keymgmt1);
|
||||
+ evp_keymgmt_util_export_to_provider(pk2, keymgmt1,
|
||||
+ selection);
|
||||
ok = (tmp_keydata != NULL);
|
||||
}
|
||||
if (ok) {
|
||||
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
|
||||
index 70d17ec37e..905e9c9ce4 100644
|
||||
--- a/crypto/evp/p_lib.c
|
||||
+++ b/crypto/evp/p_lib.c
|
||||
@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
{
|
||||
EVP_KEYMGMT *allocated_keymgmt = NULL;
|
||||
EVP_KEYMGMT *tmp_keymgmt = NULL;
|
||||
+ int selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
void *keydata = NULL;
|
||||
int check;
|
||||
|
||||
@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
|
||||
if (!CRYPTO_THREAD_read_lock(pk->lock))
|
||||
goto end;
|
||||
- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
|
||||
+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt,
|
||||
+ selection);
|
||||
|
||||
/*
|
||||
* If |tmp_keymgmt| is present in the operation cache, it means
|
||||
@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
|
||||
|
||||
/* Check to make sure some other thread didn't get there first */
|
||||
- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
|
||||
+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection);
|
||||
if (op != NULL && op->keymgmt != NULL) {
|
||||
void *tmp_keydata = op->keydata;
|
||||
|
||||
@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
}
|
||||
|
||||
/* Add the new export to the operation cache */
|
||||
- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) {
|
||||
+ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata,
|
||||
+ selection)) {
|
||||
CRYPTO_THREAD_unlock(pk->lock);
|
||||
evp_keymgmt_freedata(tmp_keymgmt, keydata);
|
||||
keydata = NULL;
|
||||
@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
}
|
||||
#endif /* FIPS_MODULE */
|
||||
|
||||
- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
|
||||
+ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection);
|
||||
|
||||
end:
|
||||
/*
|
||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||
index f601b72807..dbbdcccbda 100644
|
||||
--- a/include/crypto/evp.h
|
||||
+++ b/include/crypto/evp.h
|
||||
@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
|
||||
typedef struct {
|
||||
EVP_KEYMGMT *keymgmt;
|
||||
void *keydata;
|
||||
+ int selection;
|
||||
} OP_CACHE_ELEM;
|
||||
|
||||
DEFINE_STACK_OF(OP_CACHE_ELEM)
|
||||
@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata);
|
||||
|
||||
int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
||||
OSSL_CALLBACK *export_cb, void *export_cbarg);
|
||||
-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
|
||||
+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ int selection);
|
||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt);
|
||||
+ EVP_KEYMGMT *keymgmt,
|
||||
+ int selection);
|
||||
int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
|
||||
-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt, void *keydata);
|
||||
+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ void *keydata, int selection);
|
||||
void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
|
||||
void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
|
||||
int selection, const OSSL_PARAM params[]);
|
||||
--
|
||||
2.38.1
|
||||
|
||||
From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 16:58:28 -0500
|
||||
Subject: [PATCH 2/3] Update documentation for keymgmt export utils
|
||||
|
||||
Change function prototypes and explain how to use the selection
|
||||
argument.
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
||||
|
||||
diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
||||
index 1fee9f6ff9..7099e44964 100644
|
||||
--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
||||
+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
||||
@@ -20,12 +20,14 @@ OP_CACHE_ELEM
|
||||
|
||||
int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
||||
OSSL_CALLBACK *export_cb, void *export_cbarg);
|
||||
- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
|
||||
+ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ int selection);
|
||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt);
|
||||
+ EVP_KEYMGMT *keymgmt,
|
||||
+ int selection);
|
||||
int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
|
||||
- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt, void *keydata);
|
||||
+ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ void *keydata, int selection);
|
||||
void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
|
||||
void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
|
||||
int selection, const OSSL_PARAM params[]);
|
||||
@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a
|
||||
given key I<target> via a B<EVP_KEYMGMT> interface. This is used as a
|
||||
helper for L<EVP_PKEY_fromdata(3)>.
|
||||
|
||||
+In all functions that take a I<selection> argument, the selection is used to
|
||||
+constraint the information requested on export. It is also used in the cache
|
||||
+so that key data is guaranteed to contain all the information requested in
|
||||
+the selection.
|
||||
+
|
||||
=head1 RETURN VALUES
|
||||
|
||||
evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata()
|
||||
--
|
||||
2.38.1
|
||||
|
||||
From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Fri, 11 Nov 2022 12:18:26 -0500
|
||||
Subject: [PATCH 3/3] Add test for EVP_PKEY_eq
|
||||
|
||||
This tests that the comparison work even if a provider can only return
|
||||
a public key.
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
||||
|
||||
diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
|
||||
index d556551bb6..5e92e72d4b 100644
|
||||
--- a/test/fake_rsaprov.c
|
||||
+++ b/test/fake_rsaprov.c
|
||||
@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has;
|
||||
static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query;
|
||||
static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import;
|
||||
static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes;
|
||||
+static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export;
|
||||
+static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes;
|
||||
static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load;
|
||||
|
||||
static int has_selection;
|
||||
static int imptypes_selection;
|
||||
+static int exptypes_selection;
|
||||
static int query_id;
|
||||
|
||||
+struct fake_rsa_keydata {
|
||||
+ int selection;
|
||||
+ int status;
|
||||
+};
|
||||
+
|
||||
static void *fake_rsa_keymgmt_new(void *provctx)
|
||||
{
|
||||
- unsigned char *keydata = OPENSSL_zalloc(1);
|
||||
+ struct fake_rsa_keydata *key;
|
||||
|
||||
- TEST_ptr(keydata);
|
||||
+ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata))))
|
||||
+ return NULL;
|
||||
|
||||
/* clear test globals */
|
||||
has_selection = 0;
|
||||
imptypes_selection = 0;
|
||||
+ exptypes_selection = 0;
|
||||
query_id = 0;
|
||||
|
||||
- return keydata;
|
||||
+ return key;
|
||||
}
|
||||
|
||||
static void fake_rsa_keymgmt_free(void *keydata)
|
||||
@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id)
|
||||
static int fake_rsa_keymgmt_import(void *keydata, int selection,
|
||||
const OSSL_PARAM *p)
|
||||
{
|
||||
- unsigned char *fake_rsa_key = keydata;
|
||||
+ struct fake_rsa_keydata *fake_rsa_key = keydata;
|
||||
|
||||
/* key was imported */
|
||||
- *fake_rsa_key = 1;
|
||||
+ fake_rsa_key->status = 1;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static unsigned char fake_rsa_n[] =
|
||||
+ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
|
||||
+ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
|
||||
+ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
|
||||
+ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
|
||||
+ "\xF5";
|
||||
+
|
||||
+static unsigned char fake_rsa_e[] = "\x11";
|
||||
+
|
||||
+static unsigned char fake_rsa_d[] =
|
||||
+ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
|
||||
+ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
|
||||
+ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
|
||||
+ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
|
||||
+
|
||||
+static unsigned char fake_rsa_p[] =
|
||||
+ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
|
||||
+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
|
||||
+ "\x0D";
|
||||
+
|
||||
+static unsigned char fake_rsa_q[] =
|
||||
+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
|
||||
+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
|
||||
+ "\x89";
|
||||
+
|
||||
+static unsigned char fake_rsa_dmp1[] =
|
||||
+ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
|
||||
+ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
|
||||
+
|
||||
+static unsigned char fake_rsa_dmq1[] =
|
||||
+ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
|
||||
+ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
|
||||
+ "\x51";
|
||||
+
|
||||
+static unsigned char fake_rsa_iqmp[] =
|
||||
+ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
|
||||
+ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
|
||||
+
|
||||
+OSSL_PARAM *fake_rsa_key_params(int priv)
|
||||
+{
|
||||
+ if (priv) {
|
||||
+ OSSL_PARAM params[] = {
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
|
||||
+ sizeof(fake_rsa_n) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
|
||||
+ sizeof(fake_rsa_e) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d,
|
||||
+ sizeof(fake_rsa_d) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p,
|
||||
+ sizeof(fake_rsa_p) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q,
|
||||
+ sizeof(fake_rsa_q) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1,
|
||||
+ sizeof(fake_rsa_dmp1) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1,
|
||||
+ sizeof(fake_rsa_dmq1) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp,
|
||||
+ sizeof(fake_rsa_iqmp) -1),
|
||||
+ OSSL_PARAM_END
|
||||
+ };
|
||||
+ return OSSL_PARAM_dup(params);
|
||||
+ } else {
|
||||
+ OSSL_PARAM params[] = {
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
|
||||
+ sizeof(fake_rsa_n) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
|
||||
+ sizeof(fake_rsa_e) -1),
|
||||
+ OSSL_PARAM_END
|
||||
+ };
|
||||
+ return OSSL_PARAM_dup(params);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int fake_rsa_keymgmt_export(void *keydata, int selection,
|
||||
+ OSSL_CALLBACK *param_callback, void *cbarg)
|
||||
+{
|
||||
+ OSSL_PARAM *params = NULL;
|
||||
+ int ret;
|
||||
+
|
||||
+ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0)))
|
||||
+ return 0;
|
||||
+
|
||||
+ ret = param_callback(params, cbarg);
|
||||
+ OSSL_PARAM_free(params);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static const OSSL_PARAM fake_rsa_import_key_types[] = {
|
||||
OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
|
||||
OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
|
||||
@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection)
|
||||
return fake_rsa_import_key_types;
|
||||
}
|
||||
|
||||
+static const OSSL_PARAM fake_rsa_export_key_types[] = {
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
|
||||
+ OSSL_PARAM_END
|
||||
+};
|
||||
+
|
||||
+static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection)
|
||||
+{
|
||||
+ /* record global for checking */
|
||||
+ exptypes_selection = selection;
|
||||
+
|
||||
+ return fake_rsa_export_key_types;
|
||||
+}
|
||||
+
|
||||
static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz)
|
||||
{
|
||||
- unsigned char *key = NULL;
|
||||
+ struct fake_rsa_keydata *key = NULL;
|
||||
|
||||
- if (reference_sz != sizeof(key))
|
||||
+ if (reference_sz != sizeof(*key))
|
||||
return NULL;
|
||||
|
||||
- key = *(unsigned char **)reference;
|
||||
- if (*key != 1)
|
||||
+ key = *(struct fake_rsa_keydata **)reference;
|
||||
+ if (key->status != 1)
|
||||
return NULL;
|
||||
|
||||
/* detach the reference */
|
||||
- *(unsigned char **)reference = NULL;
|
||||
+ *(struct fake_rsa_keydata **)reference = NULL;
|
||||
|
||||
return key;
|
||||
}
|
||||
@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
||||
{
|
||||
unsigned char *gctx = genctx;
|
||||
static const unsigned char inited[] = { 1 };
|
||||
- unsigned char *keydata;
|
||||
+ struct fake_rsa_keydata *keydata;
|
||||
|
||||
if (!TEST_ptr(gctx)
|
||||
|| !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited)))
|
||||
@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
||||
if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL)))
|
||||
return NULL;
|
||||
|
||||
- *keydata = 2;
|
||||
+ keydata->status = 2;
|
||||
return keydata;
|
||||
}
|
||||
|
||||
@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = {
|
||||
{ OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import },
|
||||
{ OSSL_FUNC_KEYMGMT_IMPORT_TYPES,
|
||||
(void (*)(void))fake_rsa_keymgmt_imptypes },
|
||||
+ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export },
|
||||
+ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,
|
||||
+ (void (*)(void))fake_rsa_keymgmt_exptypes },
|
||||
{ OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen },
|
||||
@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
unsigned char *sigctx = ctx;
|
||||
- unsigned char *keydata = provkey;
|
||||
+ struct fake_rsa_keydata *keydata = provkey;
|
||||
|
||||
/* we must have a ctx */
|
||||
if (!TEST_ptr(sigctx))
|
||||
return 0;
|
||||
|
||||
/* we must have some initialized key */
|
||||
- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0))
|
||||
+ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0))
|
||||
return 0;
|
||||
|
||||
/* record that sign init was called */
|
||||
@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx,
|
||||
unsigned char *storectx = loaderctx;
|
||||
OSSL_PARAM params[4];
|
||||
int object_type = OSSL_OBJECT_PKEY;
|
||||
- void *key = NULL;
|
||||
+ struct fake_rsa_keydata *key = NULL;
|
||||
int rv = 0;
|
||||
|
||||
switch (*storectx) {
|
||||
@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx,
|
||||
/* The address of the key becomes the octet string */
|
||||
params[2] =
|
||||
OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
|
||||
- &key, sizeof(key));
|
||||
+ &key, sizeof(*key));
|
||||
params[3] = OSSL_PARAM_construct_end();
|
||||
rv = object_cb(params, object_cbarg);
|
||||
*storectx = 1;
|
||||
diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h
|
||||
index 57de1ecf8d..190c46a285 100644
|
||||
--- a/test/fake_rsaprov.h
|
||||
+++ b/test/fake_rsaprov.h
|
||||
@@ -12,3 +12,4 @@
|
||||
/* Fake RSA provider implementation */
|
||||
OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx);
|
||||
void fake_rsa_finish(OSSL_PROVIDER *p);
|
||||
+OSSL_PARAM *fake_rsa_key_params(int priv);
|
||||
diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
|
||||
index 5c398398f4..3b190baa5e 100644
|
||||
--- a/test/provider_pkey_test.c
|
||||
+++ b/test/provider_pkey_test.c
|
||||
@@ -176,6 +176,67 @@ end:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int test_pkey_eq(void)
|
||||
+{
|
||||
+ OSSL_PROVIDER *deflt = NULL;
|
||||
+ OSSL_PROVIDER *fake_rsa = NULL;
|
||||
+ EVP_PKEY *pkey_fake = NULL;
|
||||
+ EVP_PKEY *pkey_dflt = NULL;
|
||||
+ EVP_PKEY_CTX *ctx = NULL;
|
||||
+ OSSL_PARAM *params = NULL;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
|
||||
+ goto end;
|
||||
+
|
||||
+ /* Construct a public key for fake-rsa */
|
||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0))
|
||||
+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
|
||||
+ "provider=fake-rsa"))
|
||||
+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
|
||||
+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
|
||||
+ params))
|
||||
+ || !TEST_ptr(pkey_fake))
|
||||
+ goto end;
|
||||
+
|
||||
+ EVP_PKEY_CTX_free(ctx);
|
||||
+ ctx = NULL;
|
||||
+ OSSL_PARAM_free(params);
|
||||
+ params = NULL;
|
||||
+
|
||||
+ /* Construct a public key for default */
|
||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0))
|
||||
+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
|
||||
+ "provider=default"))
|
||||
+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
|
||||
+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
|
||||
+ params))
|
||||
+ || !TEST_ptr(pkey_dflt))
|
||||
+ goto end;
|
||||
+
|
||||
+ EVP_PKEY_CTX_free(ctx);
|
||||
+ ctx = NULL;
|
||||
+ OSSL_PARAM_free(params);
|
||||
+ params = NULL;
|
||||
+
|
||||
+ /* now test for equality */
|
||||
+ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
|
||||
+ goto end;
|
||||
+
|
||||
+ ret = 1;
|
||||
+end:
|
||||
+ fake_rsa_finish(fake_rsa);
|
||||
+ OSSL_PROVIDER_unload(deflt);
|
||||
+ EVP_PKEY_CTX_free(ctx);
|
||||
+ EVP_PKEY_free(pkey_fake);
|
||||
+ EVP_PKEY_free(pkey_dflt);
|
||||
+ OSSL_PARAM_free(params);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static int test_pkey_store(int idx)
|
||||
{
|
||||
OSSL_PROVIDER *deflt = NULL;
|
||||
@@ -235,6 +296,7 @@ int setup_tests(void)
|
||||
|
||||
ADD_TEST(test_pkey_sig);
|
||||
ADD_TEST(test_alternative_keygen_init);
|
||||
+ ADD_TEST(test_pkey_eq);
|
||||
ADD_ALL_TESTS(test_pkey_store, 2);
|
||||
|
||||
return 1;
|
||||
--
|
||||
2.38.1
|
||||
|
||||
From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 10:25:15 -0500
|
||||
Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
|
||||
|
||||
The providers indication should always indicate that this is not a
|
||||
legacy request.
|
||||
This makes a check for engines redundant as the default return is that
|
||||
legacy is ok if there are no explicit providers.
|
||||
|
||||
Fixes #19662
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/19671)
|
||||
---
|
||||
apps/lib/apps.c | 8 --------
|
||||
test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
|
||||
2 files changed, 23 insertions(+), 8 deletions(-)
|
||||
create mode 100755 test/recipes/20-test_legacy_okay.t
|
||||
|
||||
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
|
||||
index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
|
||||
--- a/apps/lib/apps.c
|
||||
+++ b/apps/lib/apps.c
|
||||
@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
|
||||
{
|
||||
int provider_options = opt_provider_option_given();
|
||||
int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
|
||||
-#ifndef OPENSSL_NO_ENGINE
|
||||
- ENGINE *e = ENGINE_get_first();
|
||||
-
|
||||
- if (e != NULL) {
|
||||
- ENGINE_free(e);
|
||||
- return 1;
|
||||
- }
|
||||
-#endif
|
||||
/*
|
||||
* Having a provider option specified or a custom library context or
|
||||
* property query, is a sure sign we're not using legacy.
|
||||
diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/20-test_legacy_okay.t
|
||||
@@ -0,0 +1,23 @@
|
||||
+#! /usr/bin/env perl
|
||||
+# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+#
|
||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+# this file except in compliance with the License. You can obtain a copy
|
||||
+# in the file LICENSE in the source distribution or at
|
||||
+# https://www.openssl.org/source/license.html
|
||||
+
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+
|
||||
+use OpenSSL::Test;
|
||||
+
|
||||
+setup("test_legacy");
|
||||
+
|
||||
+plan tests => 3;
|
||||
+
|
||||
+ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
|
||||
+
|
||||
+ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
|
||||
+
|
||||
+ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
|
||||
+ 'rand.txt'])), "Fail to generate a digest");
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,281 +0,0 @@
|
||||
From c927a3492698c254637da836762f9b1f86cffabc Mon Sep 17 00:00:00 2001
|
||||
From: Viktor Dukhovni <openssl-users@dukhovni.org>
|
||||
Date: Tue, 13 Dec 2022 08:49:13 +0100
|
||||
Subject: [PATCH 01/18] Fix type confusion in nc_match_single()
|
||||
|
||||
This function assumes that if the "gen" is an OtherName, then the "base"
|
||||
is a rfc822Name constraint. This assumption is not true in all cases.
|
||||
If the end-entity certificate contains an OtherName SAN of any type besides
|
||||
SmtpUtf8Mailbox and the CA certificate contains a name constraint of
|
||||
OtherName (of any type), then "nc_email_eai" will be invoked, with the
|
||||
OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING.
|
||||
|
||||
Reported by Corey Bonnell from Digicert.
|
||||
|
||||
CVE-2022-4203
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/x509/v3_ncons.c | 45 +++++++++++++++++++++++++++++-------------
|
||||
1 file changed, 31 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
|
||||
index 70a7e8304e..5101598512 100644
|
||||
--- a/crypto/x509/v3_ncons.c
|
||||
+++ b/crypto/x509/v3_ncons.c
|
||||
@@ -31,7 +31,8 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
|
||||
static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
|
||||
|
||||
static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
|
||||
-static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
|
||||
+static int nc_match_single(int effective_type, GENERAL_NAME *sub,
|
||||
+ GENERAL_NAME *gen);
|
||||
static int nc_dn(const X509_NAME *sub, const X509_NAME *nm);
|
||||
static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
|
||||
static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
|
||||
@@ -472,14 +473,17 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
{
|
||||
GENERAL_SUBTREE *sub;
|
||||
int i, r, match = 0;
|
||||
+ int effective_type = gen->type;
|
||||
+
|
||||
/*
|
||||
* We need to compare not gen->type field but an "effective" type because
|
||||
* the otherName field may contain EAI email address treated specially
|
||||
* according to RFC 8398, section 6
|
||||
*/
|
||||
- int effective_type = ((gen->type == GEN_OTHERNAME) &&
|
||||
- (OBJ_obj2nid(gen->d.otherName->type_id) ==
|
||||
- NID_id_on_SmtpUTF8Mailbox)) ? GEN_EMAIL : gen->type;
|
||||
+ if (effective_type == GEN_OTHERNAME &&
|
||||
+ (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox)) {
|
||||
+ effective_type = GEN_EMAIL;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Permitted subtrees: if any subtrees exist of matching the type at
|
||||
@@ -488,7 +492,10 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
|
||||
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
|
||||
sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
|
||||
- if (effective_type != sub->base->type)
|
||||
+ if (effective_type != sub->base->type
|
||||
+ || (effective_type == GEN_OTHERNAME &&
|
||||
+ OBJ_cmp(gen->d.otherName->type_id,
|
||||
+ sub->base->d.otherName->type_id) != 0))
|
||||
continue;
|
||||
if (!nc_minmax_valid(sub))
|
||||
return X509_V_ERR_SUBTREE_MINMAX;
|
||||
@@ -497,7 +504,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
continue;
|
||||
if (match == 0)
|
||||
match = 1;
|
||||
- r = nc_match_single(gen, sub->base);
|
||||
+ r = nc_match_single(effective_type, gen, sub->base);
|
||||
if (r == X509_V_OK)
|
||||
match = 2;
|
||||
else if (r != X509_V_ERR_PERMITTED_VIOLATION)
|
||||
@@ -511,12 +518,15 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
|
||||
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
|
||||
sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
|
||||
- if (effective_type != sub->base->type)
|
||||
+ if (effective_type != sub->base->type
|
||||
+ || (effective_type == GEN_OTHERNAME &&
|
||||
+ OBJ_cmp(gen->d.otherName->type_id,
|
||||
+ sub->base->d.otherName->type_id) != 0))
|
||||
continue;
|
||||
if (!nc_minmax_valid(sub))
|
||||
return X509_V_ERR_SUBTREE_MINMAX;
|
||||
|
||||
- r = nc_match_single(gen, sub->base);
|
||||
+ r = nc_match_single(effective_type, gen, sub->base);
|
||||
if (r == X509_V_OK)
|
||||
return X509_V_ERR_EXCLUDED_VIOLATION;
|
||||
else if (r != X509_V_ERR_PERMITTED_VIOLATION)
|
||||
@@ -528,15 +538,22 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
|
||||
}
|
||||
|
||||
-static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
|
||||
+static int nc_match_single(int effective_type, GENERAL_NAME *gen,
|
||||
+ GENERAL_NAME *base)
|
||||
{
|
||||
switch (gen->type) {
|
||||
case GEN_OTHERNAME:
|
||||
- /*
|
||||
- * We are here only when we have SmtpUTF8 name,
|
||||
- * so we match the value of othername with base->d.rfc822Name
|
||||
- */
|
||||
- return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
|
||||
+ switch (effective_type) {
|
||||
+ case GEN_EMAIL:
|
||||
+ /*
|
||||
+ * We are here only when we have SmtpUTF8 name,
|
||||
+ * so we match the value of othername with base->d.rfc822Name
|
||||
+ */
|
||||
+ return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
|
||||
+
|
||||
+ default:
|
||||
+ return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
|
||||
+ }
|
||||
|
||||
case GEN_DIRNAME:
|
||||
return nc_dn(gen->d.directoryName, base->d.directoryName);
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From fe6842f5a5dc2fb66da7fb24bf4343a3aeedd50a Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 19:45:09 +0100
|
||||
Subject: [PATCH 02/18] Add testcase for nc_match_single type confusion
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
test/certs/bad-othername-cert.pem | 20 ++++++++++++++++++++
|
||||
test/certs/nccaothername-cert.pem | 20 ++++++++++++++++++++
|
||||
test/certs/nccaothername-key.pem | 28 ++++++++++++++++++++++++++++
|
||||
test/certs/setup.sh | 11 +++++++++++
|
||||
test/recipes/25-test_verify.t | 5 ++++-
|
||||
5 files changed, 83 insertions(+), 1 deletion(-)
|
||||
create mode 100644 test/certs/bad-othername-cert.pem
|
||||
create mode 100644 test/certs/nccaothername-cert.pem
|
||||
create mode 100644 test/certs/nccaothername-key.pem
|
||||
|
||||
diff --git a/test/certs/bad-othername-cert.pem b/test/certs/bad-othername-cert.pem
|
||||
new file mode 100644
|
||||
index 0000000000..cf279de5ea
|
||||
--- /dev/null
|
||||
+++ b/test/certs/bad-othername-cert.pem
|
||||
@@ -0,0 +1,20 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDRDCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
|
||||
+IE5DIENBIG90aGVybmFtZTAgFw0yMjEyMTMxODMzMTZaGA8yMTIyMTIxNDE4MzMx
|
||||
+NlowMTEvMC0GA1UECgwmTkMgZW1haWwgaW4gb3RoZXJuYW1lIFRlc3QgQ2VydGlm
|
||||
+aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPgeoakqHk1zYt
|
||||
+JZpEC0qkJPU/X0lfI+6GY2LHFY9KOSFqqmTXxrUtjQc3SdpQvBZhPuMZ8p82Jid2
|
||||
+kkRHnWs0uqX9NtLO923yQalYvP6Mt3fokcYgw/C9b+I/q1PKUyN0kPB6McROguD5
|
||||
+Jz2DcEufJBhbpyay1bFjEI2DAQJKDP/U7uH0EA7kH/27UMk0vfvL5uVjDvlo8i6S
|
||||
+Ul8+u0cDV5ZFJW2VAJKLU3wp6IY4fZl9UqkHZuRQpMJGqAjAleWOIEpyyvfGGh0b
|
||||
+75n3GJ+4YZ7CIBEgY7K0nIbKxtcDZPvmtbYg3g1tkPMTHcodFT7yEdqkBTJ5AGL7
|
||||
+6U850OhjAgMBAAGjdzB1MB0GA1UdDgQWBBTBz0k+q6d4c3aM+s2IyOF/QP6zCTAf
|
||||
+BgNVHSMEGDAWgBTwhghX7uNdMejZ3f4XorqOQoMqwTAJBgNVHRMEAjAAMCgGA1Ud
|
||||
+EQQhMB+gHQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEB
|
||||
+CwUAA4IBAQAhxbCEVH8pq0aUMaLWaodyXdCqA0AKTFG6Mz9Rpwn89OwC8FylTEru
|
||||
+t+Bqx/ZuTo8YzON8h9m7DIrQIjZKDLW/g5YbvIsxIVV9gWhAGohdsIyMKRBepSmr
|
||||
+NxJQkO74RLBTamfl0WUCVM4HqroflFjBBG67CTJaQ9cH9ug3TKxaXCK1L6iQAXtq
|
||||
+enILGai98Byo0LCFH4MQOhmhV1BDT2boIG/iYb5VKCTSX25vhaF+PNBhUoysjW0O
|
||||
+vhQX8vrw42QRr4Qi7VfUBXzrbRTzxjOc4yqki7h2DcEdpginqe+aGyaFY+H9m/ka
|
||||
+1AR5KN8h5SYKltSXknjs0pp1w4k49aHl
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/nccaothername-cert.pem b/test/certs/nccaothername-cert.pem
|
||||
new file mode 100644
|
||||
index 0000000000..f9b9b07b80
|
||||
--- /dev/null
|
||||
+++ b/test/certs/nccaothername-cert.pem
|
||||
@@ -0,0 +1,20 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDPjCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
|
||||
+IENBMCAXDTIyMTIxMzE4MTgwM1oYDzIxMjIxMjE0MTgxODAzWjAfMR0wGwYDVQQD
|
||||
+DBRUZXN0IE5DIENBIG90aGVybmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
+AQoCggEBAN0Dx+ei8CgtRKnDcYiLwX4vrA48at/o/zfX24X/WZZM1o9HUKo1FQBN
|
||||
+vhESJu+gqPxuIePrk+/L25XdRqwCKk8wkWX0XIz18q5orOHUUFAWNK3g0FDj6N8H
|
||||
+d8urNIbDJ44FCx+/0n8Ppiht/EYN3aVOW5enqbgZ+EEt+3AUG6ibieRdGri9g4oh
|
||||
+IIx60MmVHLbuT/TcVZxaeWyTl6iWmsYosUyqlhTtu1uGtbVtkCAhBYloVvz4J5eA
|
||||
+mVu/JuJbsNxbxVeO9Q8Kj6nb4jPPdGvZ3JPcabbWrz5LwaereBf5IPrXEVdQTlYB
|
||||
+gI0pTz2CEDHSIrd7jzRUX/9EC2gMk6UCAwEAAaOBjzCBjDAPBgNVHRMBAf8EBTAD
|
||||
+AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU8IYIV+7jXTHo2d3+F6K6jkKDKsEw
|
||||
+HwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwLAYDVR0eBCUwI6EhMB+g
|
||||
+HQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IB
|
||||
+AQDPI5uZd8DhSNKMvYF5bxOshd6h6UJ7YzZS7K6fhiygltdqzkHQ/5+4yiuUkDe4
|
||||
+hOZlH8MCfXQy5jVZDTk24yNchpdfie5Bswn4SmQVQh3QyzOLxizoh0rLCf2PHueu
|
||||
+dNVNhfiiJNJ5kd8MIuVG7CPK68dP0QrVR+DihROuJgvGB3ClKttLrgle19t4PFRR
|
||||
+2wW6hJT9aXEjzLNyN1QFZKoShuiGX4xwjZh7VyKkV64p8hjojhcLk6dQkel+Jw4y
|
||||
+OP26XbVfM8/6KG8f6WAZ8P0qJwHlhmi0EvRTnEpAM8WuenOeZH6ERZ9uZbRGh6xx
|
||||
+LKQu2Aw2+bOEZ2vUtz0dBhX8
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/nccaothername-key.pem b/test/certs/nccaothername-key.pem
|
||||
new file mode 100644
|
||||
index 0000000000..d3e300ac2f
|
||||
--- /dev/null
|
||||
+++ b/test/certs/nccaothername-key.pem
|
||||
@@ -0,0 +1,28 @@
|
||||
+-----BEGIN PRIVATE KEY-----
|
||||
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdA8fnovAoLUSp
|
||||
+w3GIi8F+L6wOPGrf6P8319uF/1mWTNaPR1CqNRUATb4REibvoKj8biHj65Pvy9uV
|
||||
+3UasAipPMJFl9FyM9fKuaKzh1FBQFjSt4NBQ4+jfB3fLqzSGwyeOBQsfv9J/D6Yo
|
||||
+bfxGDd2lTluXp6m4GfhBLftwFBuom4nkXRq4vYOKISCMetDJlRy27k/03FWcWnls
|
||||
+k5eolprGKLFMqpYU7btbhrW1bZAgIQWJaFb8+CeXgJlbvybiW7DcW8VXjvUPCo+p
|
||||
+2+Izz3Rr2dyT3Gm21q8+S8Gnq3gX+SD61xFXUE5WAYCNKU89ghAx0iK3e480VF//
|
||||
+RAtoDJOlAgMBAAECggEAMFSJlCyEFlER3Qq9asXe9eRgXEuXdmfZ2aEVIuf8M/sR
|
||||
+B0tpxxKtCUA24j5FL+0CzxKZTCFBnDRIzCyTbf1aOa9t+CzXyUZmP3/p4EdgmabF
|
||||
+dcl93FZ+X7kfF/VUGu0Vmv+c12BH3Fu0cs5cVohlMecg7diu6zCYok43F+L5ymRy
|
||||
+2mTcKkGc0ShWizj8Z9R3WJGssZOlxbxa/Zr4rZwRC24UVhfN8AfGWYx/StyQPQIw
|
||||
+gtbbtOmwbyredQmY4jwNqgrnfZS9bkWwJbRuCmD5l7lxubBgcHQpoM+DQVeOLZIq
|
||||
+uksFXeNfal9G5Bo747MMzpD7dJMCGmX+gbMY5oZF+QKBgQDs2MbY4nbxi+fV+KuV
|
||||
+zUvis8m8Lpzf3T6NLkgSkUPRN9tGr95iLIrB/bRPJg5Ne02q/cT7d86B9rpE42w7
|
||||
+eeIF9fANezX2AF8LUqNZhIR23J3tfB/eqGlJRZeMNia+lD09a7SWGwrS7sufY1I+
|
||||
+JQGcHx77ntt+eQT1MUJ1skF06QKBgQDu4z+TW4QIA5ItxIReVdcfh5e3xLkzDEVP
|
||||
+3KNo9tpXxvPwqapdeBh6c9z4Lqe3MKr5UPlDvVW+o40t6OjKxDCXczB8+JAM0OyX
|
||||
+8V+K3zXXUxRgieSd3oMncTylSWIvouPP3aW37B67TKdRlRHgaBrpJT2wdk3kYR4t
|
||||
+62J1eDdjXQKBgQDMsY0pZI/nskJrar7geM1c4IU5Xg+2aj/lRFqFsYYrC1s3fEd2
|
||||
+EYjan6l1vi4eSLKXVTspGiIfsFzLrMGdpXjyLduJyzKXqTp7TrBebWkOUR0sYloo
|
||||
+1OQprzuKskJJ81P6AVvRXw27vyW8Wtp5WwJJK5xbWq/YXj8qqagGkEiCAQKBgQCc
|
||||
+RK3XAFurPmLGa7JHX5Hc/z8BKMAZo6JHrsZ6qFiGaRA0U1it0hz5JYfcFfECheSi
|
||||
+ORUF+fn4PlbhPGXkFljPCbwjVBovOBA9CNl+J6u50pAW4r1ZhDB5gbqxSQLgtIaf
|
||||
++JcqbFxiG6+sT36lNJS+BO2I3KrxhZJPaZY7z8szxQKBgQDRy70XzwOk8jXayiF2
|
||||
+ej2IN7Ow9cgSE4tLEwR/vCjxvOlWhA3jC3wxoggshGJkpbP3DqLkQtwQm0h1lM8J
|
||||
+QNtFwKzjtpf//bTlfFq08/YxWimTPMqzcV2PgRacB8P3yf1r8T7M4fA5TORCDWpW
|
||||
+5FtOCFEmwQHTR8lu4c63qfxkEQ==
|
||||
+-----END PRIVATE KEY-----
|
||||
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
|
||||
index b9766aab20..2240cd9df0 100755
|
||||
--- a/test/certs/setup.sh
|
||||
+++ b/test/certs/setup.sh
|
||||
@@ -388,6 +388,17 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
|
||||
"email.1 = good@good.org" "email.2 = any@good.com" \
|
||||
"IP = 127.0.0.1" "IP = 192.168.0.1"
|
||||
|
||||
+# Certs for CVE-2022-4203 testcase
|
||||
+
|
||||
+NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \
|
||||
+ "Test NC CA othername" nccaothername-key nccaothername-cert \
|
||||
+ root-key root-cert
|
||||
+
|
||||
+./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \
|
||||
+ ./mkcert.sh geneealt bad-othername-key bad-othername-cert \
|
||||
+ nccaothername-key nccaothername-cert \
|
||||
+ "otherName.1 = SRVName;UTF8STRING:foo@example.org"
|
||||
+
|
||||
# RSA-PSS signatures
|
||||
# SHA1
|
||||
./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
|
||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
||||
index 4613489f57..e6a2bca731 100644
|
||||
--- a/test/recipes/25-test_verify.t
|
||||
+++ b/test/recipes/25-test_verify.t
|
||||
@@ -29,7 +29,7 @@ sub verify {
|
||||
run(app([@args]));
|
||||
}
|
||||
|
||||
-plan tests => 162;
|
||||
+plan tests => 163;
|
||||
|
||||
# Canonical success
|
||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
||||
@@ -402,6 +402,9 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
|
||||
ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
|
||||
"Name constraints nested DNS name excluded");
|
||||
|
||||
+ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ),
|
||||
+ "CVE-2022-4203 type confusion test");
|
||||
+
|
||||
#Check that we get the expected failure return code
|
||||
with({ exit_checker => sub { return shift == 2; } },
|
||||
sub {
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,750 +0,0 @@
|
||||
From 8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Fri, 20 Jan 2023 15:03:40 +0000
|
||||
Subject: [PATCH 03/18] Fix Timing Oracle in RSA decryption
|
||||
|
||||
A timing based side channel exists in the OpenSSL RSA Decryption
|
||||
implementation which could be sufficient to recover a plaintext across
|
||||
a network in a Bleichenbacher style attack. To achieve a successful
|
||||
decryption an attacker would have to be able to send a very large number
|
||||
of trial messages for decryption. The vulnerability affects all RSA
|
||||
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
|
||||
|
||||
Patch written by Dmitry Belyavsky and Hubert Kario
|
||||
|
||||
CVE-2022-4304
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/bn/bn_blind.c | 14 -
|
||||
crypto/bn/bn_local.h | 14 +
|
||||
crypto/bn/build.info | 2 +-
|
||||
crypto/bn/rsa_sup_mul.c | 604 ++++++++++++++++++++++++++++++++++++++++
|
||||
crypto/rsa/rsa_ossl.c | 19 +-
|
||||
include/crypto/bn.h | 6 +
|
||||
6 files changed, 638 insertions(+), 21 deletions(-)
|
||||
create mode 100644 crypto/bn/rsa_sup_mul.c
|
||||
|
||||
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
|
||||
index 72457b34cf..6061ebb4c0 100644
|
||||
--- a/crypto/bn/bn_blind.c
|
||||
+++ b/crypto/bn/bn_blind.c
|
||||
@@ -13,20 +13,6 @@
|
||||
|
||||
#define BN_BLINDING_COUNTER 32
|
||||
|
||||
-struct bn_blinding_st {
|
||||
- BIGNUM *A;
|
||||
- BIGNUM *Ai;
|
||||
- BIGNUM *e;
|
||||
- BIGNUM *mod; /* just a reference */
|
||||
- CRYPTO_THREAD_ID tid;
|
||||
- int counter;
|
||||
- unsigned long flags;
|
||||
- BN_MONT_CTX *m_ctx;
|
||||
- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
- CRYPTO_RWLOCK *lock;
|
||||
-};
|
||||
-
|
||||
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
|
||||
{
|
||||
BN_BLINDING *ret = NULL;
|
||||
diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
|
||||
index c9a7ecf298..8c428f919d 100644
|
||||
--- a/crypto/bn/bn_local.h
|
||||
+++ b/crypto/bn/bn_local.h
|
||||
@@ -290,6 +290,20 @@ struct bn_gencb_st {
|
||||
} cb;
|
||||
};
|
||||
|
||||
+struct bn_blinding_st {
|
||||
+ BIGNUM *A;
|
||||
+ BIGNUM *Ai;
|
||||
+ BIGNUM *e;
|
||||
+ BIGNUM *mod; /* just a reference */
|
||||
+ CRYPTO_THREAD_ID tid;
|
||||
+ int counter;
|
||||
+ unsigned long flags;
|
||||
+ BN_MONT_CTX *m_ctx;
|
||||
+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
+ CRYPTO_RWLOCK *lock;
|
||||
+};
|
||||
+
|
||||
/*-
|
||||
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
|
||||
*
|
||||
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
|
||||
index c4ba51b265..f4ff619239 100644
|
||||
--- a/crypto/bn/build.info
|
||||
+++ b/crypto/bn/build.info
|
||||
@@ -105,7 +105,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
|
||||
bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
|
||||
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \
|
||||
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
|
||||
- bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c
|
||||
+ bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c
|
||||
SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c
|
||||
DEFINE[../../libcrypto]=$BNDEF
|
||||
IF[{- !$disabled{'deprecated-0.9.8'} -}]
|
||||
diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
|
||||
new file mode 100644
|
||||
index 0000000000..0e0d02e194
|
||||
--- /dev/null
|
||||
+++ b/crypto/bn/rsa_sup_mul.c
|
||||
@@ -0,0 +1,604 @@
|
||||
+#include <openssl/e_os2.h>
|
||||
+#include <stddef.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
+#include <openssl/bn.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/rsaerr.h>
|
||||
+#include "internal/endian.h"
|
||||
+#include "internal/numbers.h"
|
||||
+#include "internal/constant_time.h"
|
||||
+#include "bn_local.h"
|
||||
+
|
||||
+# if BN_BYTES == 8
|
||||
+typedef uint64_t limb_t;
|
||||
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
|
||||
+typedef uint128_t limb2_t;
|
||||
+# define HAVE_LIMB2_T
|
||||
+# endif
|
||||
+# define LIMB_BIT_SIZE 64
|
||||
+# define LIMB_BYTE_SIZE 8
|
||||
+# elif BN_BYTES == 4
|
||||
+typedef uint32_t limb_t;
|
||||
+typedef uint64_t limb2_t;
|
||||
+# define LIMB_BIT_SIZE 32
|
||||
+# define LIMB_BYTE_SIZE 4
|
||||
+# define HAVE_LIMB2_T
|
||||
+# else
|
||||
+# error "Not supported"
|
||||
+# endif
|
||||
+
|
||||
+/*
|
||||
+ * For multiplication we're using schoolbook multiplication,
|
||||
+ * so if we have two numbers, each with 6 "digits" (words)
|
||||
+ * the multiplication is calculated as follows:
|
||||
+ * A B C D E F
|
||||
+ * x I J K L M N
|
||||
+ * --------------
|
||||
+ * N*F
|
||||
+ * N*E
|
||||
+ * N*D
|
||||
+ * N*C
|
||||
+ * N*B
|
||||
+ * N*A
|
||||
+ * M*F
|
||||
+ * M*E
|
||||
+ * M*D
|
||||
+ * M*C
|
||||
+ * M*B
|
||||
+ * M*A
|
||||
+ * L*F
|
||||
+ * L*E
|
||||
+ * L*D
|
||||
+ * L*C
|
||||
+ * L*B
|
||||
+ * L*A
|
||||
+ * K*F
|
||||
+ * K*E
|
||||
+ * K*D
|
||||
+ * K*C
|
||||
+ * K*B
|
||||
+ * K*A
|
||||
+ * J*F
|
||||
+ * J*E
|
||||
+ * J*D
|
||||
+ * J*C
|
||||
+ * J*B
|
||||
+ * J*A
|
||||
+ * I*F
|
||||
+ * I*E
|
||||
+ * I*D
|
||||
+ * I*C
|
||||
+ * I*B
|
||||
+ * + I*A
|
||||
+ * ==========================
|
||||
+ * N*B N*D N*F
|
||||
+ * + N*A N*C N*E
|
||||
+ * + M*B M*D M*F
|
||||
+ * + M*A M*C M*E
|
||||
+ * + L*B L*D L*F
|
||||
+ * + L*A L*C L*E
|
||||
+ * + K*B K*D K*F
|
||||
+ * + K*A K*C K*E
|
||||
+ * + J*B J*D J*F
|
||||
+ * + J*A J*C J*E
|
||||
+ * + I*B I*D I*F
|
||||
+ * + I*A I*C I*E
|
||||
+ *
|
||||
+ * 1+1 1+3 1+5
|
||||
+ * 1+0 1+2 1+4
|
||||
+ * 0+1 0+3 0+5
|
||||
+ * 0+0 0+2 0+4
|
||||
+ *
|
||||
+ * 0 1 2 3 4 5 6
|
||||
+ * which requires n^2 multiplications and 2n full length additions
|
||||
+ * as we can keep every other result of limb multiplication in two separate
|
||||
+ * limbs
|
||||
+ */
|
||||
+
|
||||
+#if defined HAVE_LIMB2_T
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ limb2_t t;
|
||||
+ /*
|
||||
+ * this is idiomatic code to tell compiler to use the native mul
|
||||
+ * those three lines will actually compile to single instruction
|
||||
+ */
|
||||
+
|
||||
+ t = (limb2_t)a * b;
|
||||
+ *hi = t >> LIMB_BIT_SIZE;
|
||||
+ *lo = (limb_t)t;
|
||||
+}
|
||||
+#elif (BN_BYTES == 8) && (defined _MSC_VER)
|
||||
+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
|
||||
+#pragma intrinsic(_umul128)
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ *lo = _umul128(a, b, hi);
|
||||
+}
|
||||
+#else
|
||||
+/*
|
||||
+ * if the compiler doesn't have either a 128bit data type nor a "return
|
||||
+ * high 64 bits of multiplication"
|
||||
+ */
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ limb_t a_low = (limb_t)(uint32_t)a;
|
||||
+ limb_t a_hi = a >> 32;
|
||||
+ limb_t b_low = (limb_t)(uint32_t)b;
|
||||
+ limb_t b_hi = b >> 32;
|
||||
+
|
||||
+ limb_t p0 = a_low * b_low;
|
||||
+ limb_t p1 = a_low * b_hi;
|
||||
+ limb_t p2 = a_hi * b_low;
|
||||
+ limb_t p3 = a_hi * b_hi;
|
||||
+
|
||||
+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
|
||||
+
|
||||
+ *lo = p0 + (p1 << 32) + (p2 << 32);
|
||||
+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/* add two limbs with carry in, return carry out */
|
||||
+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
|
||||
+{
|
||||
+ limb_t carry1, carry2, t;
|
||||
+ /*
|
||||
+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers
|
||||
+ * use add with carry on assembly level
|
||||
+ */
|
||||
+
|
||||
+ *ret = a + carry;
|
||||
+ if (*ret < a)
|
||||
+ carry1 = 1;
|
||||
+ else
|
||||
+ carry1 = 0;
|
||||
+
|
||||
+ t = *ret;
|
||||
+ *ret = t + b;
|
||||
+ if (*ret < t)
|
||||
+ carry2 = 1;
|
||||
+ else
|
||||
+ carry2 = 0;
|
||||
+
|
||||
+ return carry1 + carry2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * add two numbers of the same size, return overflow
|
||||
+ *
|
||||
+ * add a to b, place result in ret; all arrays need to be n limbs long
|
||||
+ * return overflow from addition (0 or 1)
|
||||
+ */
|
||||
+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ limb_t c = 0;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ for(i = n - 1; i > -1; i--)
|
||||
+ c = _add_limb(&ret[i], a[i], b[i], c);
|
||||
+
|
||||
+ return c;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * return number of limbs necessary for temporary values
|
||||
+ * when multiplying numbers n limbs large
|
||||
+ */
|
||||
+static ossl_inline size_t mul_limb_numb(size_t n)
|
||||
+{
|
||||
+ return 2 * n * 2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * multiply two numbers of the same size
|
||||
+ *
|
||||
+ * multiply a by b, place result in ret; a and b need to be n limbs long
|
||||
+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
|
||||
+ * long
|
||||
+ */
|
||||
+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t *r_odd, *r_even;
|
||||
+ size_t i, j, k;
|
||||
+
|
||||
+ r_odd = tmp;
|
||||
+ r_even = &tmp[2 * n];
|
||||
+
|
||||
+ memset(ret, 0, 2 * n * sizeof(limb_t));
|
||||
+
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+ for (k = 0; k < i + n + 1; k++) {
|
||||
+ r_even[k] = 0;
|
||||
+ r_odd[k] = 0;
|
||||
+ }
|
||||
+ for (j = 0; j < n; j++) {
|
||||
+ /*
|
||||
+ * place results from even and odd limbs in separate arrays so that
|
||||
+ * we don't have to calculate overflow every time we get individual
|
||||
+ * limb multiplication result
|
||||
+ */
|
||||
+ if (j % 2 == 0)
|
||||
+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
|
||||
+ else
|
||||
+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
|
||||
+ }
|
||||
+ /*
|
||||
+ * skip the least significant limbs when adding multiples of
|
||||
+ * more significant limbs (they're zero anyway)
|
||||
+ */
|
||||
+ add(ret, ret, r_even, n + i + 1);
|
||||
+ add(ret, ret, r_odd, n + i + 1);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* modifies the value in place by performing a right shift by one bit */
|
||||
+static ossl_inline void rshift1(limb_t *val, size_t n)
|
||||
+{
|
||||
+ limb_t shift_in = 0, shift_out = 0;
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+ shift_out = val[i] & 1;
|
||||
+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
|
||||
+ shift_in = shift_out;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* extend the LSB of flag to all bits of limb */
|
||||
+static ossl_inline limb_t mk_mask(limb_t flag)
|
||||
+{
|
||||
+ flag |= flag << 1;
|
||||
+ flag |= flag << 2;
|
||||
+ flag |= flag << 4;
|
||||
+ flag |= flag << 8;
|
||||
+ flag |= flag << 16;
|
||||
+#if (LIMB_BYTE_SIZE == 8)
|
||||
+ flag |= flag << 32;
|
||||
+#endif
|
||||
+ return flag;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * copy from either a or b to ret based on flag
|
||||
+ * when flag == 0, then copies from b
|
||||
+ * when flag == 1, then copies from a
|
||||
+ */
|
||||
+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ /*
|
||||
+ * would be more efficient with non volatile mask, but then gcc
|
||||
+ * generates code with jumps
|
||||
+ */
|
||||
+ volatile limb_t mask;
|
||||
+ size_t i;
|
||||
+
|
||||
+ mask = mk_mask(flag);
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+#if (LIMB_BYTE_SIZE == 8)
|
||||
+ ret[i] = constant_time_select_64(mask, a[i], b[i]);
|
||||
+#else
|
||||
+ ret[i] = constant_time_select_32(mask, a[i], b[i]);
|
||||
+#endif
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
|
||||
+{
|
||||
+ limb_t borrow1, borrow2, t;
|
||||
+ /*
|
||||
+ * while it doesn't look constant-time, this is idiomatic code
|
||||
+ * to tell compilers to use the carry bit from subtraction
|
||||
+ */
|
||||
+
|
||||
+ *ret = a - borrow;
|
||||
+ if (*ret > a)
|
||||
+ borrow1 = 1;
|
||||
+ else
|
||||
+ borrow1 = 0;
|
||||
+
|
||||
+ t = *ret;
|
||||
+ *ret = t - b;
|
||||
+ if (*ret > t)
|
||||
+ borrow2 = 1;
|
||||
+ else
|
||||
+ borrow2 = 0;
|
||||
+
|
||||
+ return borrow1 + borrow2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * place the result of a - b into ret, return the borrow bit.
|
||||
+ * All arrays need to be n limbs long
|
||||
+ */
|
||||
+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ limb_t borrow = 0;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ for (i = n - 1; i > -1; i--)
|
||||
+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
|
||||
+
|
||||
+ return borrow;
|
||||
+}
|
||||
+
|
||||
+/* return the number of limbs necessary to allocate for the mod() tmp operand */
|
||||
+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
|
||||
+{
|
||||
+ return (anum + modnum) * 3;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * calculate a % mod, place the result in ret
|
||||
+ * size of a is defined by anum, size of ret and mod is modnum,
|
||||
+ * size of tmp is returned by mod_limb_numb()
|
||||
+ */
|
||||
+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||
+ size_t modnum, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t *atmp, *modtmp, *rettmp;
|
||||
+ limb_t res;
|
||||
+ size_t i;
|
||||
+
|
||||
+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ atmp = tmp;
|
||||
+ modtmp = &tmp[anum + modnum];
|
||||
+ rettmp = &tmp[(anum + modnum) * 2];
|
||||
+
|
||||
+ for (i = modnum; i <modnum + anum; i++)
|
||||
+ atmp[i] = a[i-modnum];
|
||||
+
|
||||
+ for (i = 0; i < modnum; i++)
|
||||
+ modtmp[i] = mod[i];
|
||||
+
|
||||
+ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
|
||||
+ rshift1(modtmp, anum + modnum);
|
||||
+ res = sub(rettmp, atmp, modtmp, anum+modnum);
|
||||
+ cselect(res, atmp, atmp, rettmp, anum+modnum);
|
||||
+ }
|
||||
+
|
||||
+ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
|
||||
+}
|
||||
+
|
||||
+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
|
||||
+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
|
||||
+{
|
||||
+ return 2 * (anum + 1);
|
||||
+}
|
||||
+
|
||||
+/* multiply a by m, add to ret, return carry */
|
||||
+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
|
||||
+ limb_t m, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t carry = 0;
|
||||
+ limb_t *r_odd, *r_even;
|
||||
+ size_t i;
|
||||
+
|
||||
+ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
|
||||
+
|
||||
+ r_odd = tmp;
|
||||
+ r_even = &tmp[anum + 1];
|
||||
+
|
||||
+ for (i = 0; i < anum; i++) {
|
||||
+ /*
|
||||
+ * place the results from even and odd limbs in separate arrays
|
||||
+ * so that we have to worry about carry just once
|
||||
+ */
|
||||
+ if (i % 2 == 0)
|
||||
+ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
|
||||
+ else
|
||||
+ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
|
||||
+ }
|
||||
+ /* assert: add() carry here will be equal zero */
|
||||
+ add(r_even, r_even, r_odd, anum + 1);
|
||||
+ /*
|
||||
+ * while here it will not overflow as the max value from multiplication
|
||||
+ * is -2 while max overflow from addition is 1, so the max value of
|
||||
+ * carry is -1 (i.e. max int)
|
||||
+ */
|
||||
+ carry = add(ret, ret, &r_even[1], anum) + r_even[0];
|
||||
+
|
||||
+ return carry;
|
||||
+}
|
||||
+
|
||||
+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
|
||||
+{
|
||||
+ return modnum * 2 + _mul_add_limb_numb(modnum);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * calculate a % mod, place result in ret
|
||||
+ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
|
||||
+ * smallest power of two big enough to fit mod and that's also a power
|
||||
+ * of the count of number of bits in limb_t (B).
|
||||
+ * For calculation, we also need n', such that mod * n' == -1 mod B.
|
||||
+ * anum must be <= 2 * modnum
|
||||
+ * ret needs to be modnum words long
|
||||
+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
|
||||
+ */
|
||||
+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||
+ size_t modnum, limb_t ni0, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t carry, v;
|
||||
+ limb_t *res, *rp, *tmp2;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ res = tmp;
|
||||
+ /*
|
||||
+ * for intermediate result we need an integer twice as long as modulus
|
||||
+ * but keep the input in the least significant limbs
|
||||
+ */
|
||||
+ memset(res, 0, sizeof(limb_t) * (modnum * 2));
|
||||
+ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
|
||||
+ rp = &res[modnum];
|
||||
+ tmp2 = &res[modnum * 2];
|
||||
+
|
||||
+ carry = 0;
|
||||
+
|
||||
+ /* add multiples of the modulus to the value until R divides it cleanly */
|
||||
+ for (i = modnum; i > 0; i--, rp--) {
|
||||
+ v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2);
|
||||
+ v = v + carry + rp[-1];
|
||||
+ carry |= (v != rp[-1]);
|
||||
+ carry &= (v <= rp[-1]);
|
||||
+ rp[-1] = v;
|
||||
+ }
|
||||
+
|
||||
+ /* perform the final reduction by mod... */
|
||||
+ carry -= sub(ret, rp, mod, modnum);
|
||||
+
|
||||
+ /* ...conditionally */
|
||||
+ cselect(carry, ret, rp, ret, modnum);
|
||||
+}
|
||||
+
|
||||
+/* allocated buffer should be freed afterwards */
|
||||
+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
|
||||
+{
|
||||
+ int i;
|
||||
+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ limb_t *ptr = buf + (limbs - real_limbs);
|
||||
+
|
||||
+ for (i = 0; i < real_limbs; i++)
|
||||
+ ptr[i] = bn->d[real_limbs - i - 1];
|
||||
+}
|
||||
+
|
||||
+#if LIMB_BYTE_SIZE == 8
|
||||
+static ossl_inline uint64_t be64(uint64_t host)
|
||||
+{
|
||||
+ uint64_t big = 0;
|
||||
+ DECLARE_IS_ENDIAN;
|
||||
+
|
||||
+ if (!IS_LITTLE_ENDIAN)
|
||||
+ return host;
|
||||
+
|
||||
+ big |= (host & 0xff00000000000000) >> 56;
|
||||
+ big |= (host & 0x00ff000000000000) >> 40;
|
||||
+ big |= (host & 0x0000ff0000000000) >> 24;
|
||||
+ big |= (host & 0x000000ff00000000) >> 8;
|
||||
+ big |= (host & 0x00000000ff000000) << 8;
|
||||
+ big |= (host & 0x0000000000ff0000) << 24;
|
||||
+ big |= (host & 0x000000000000ff00) << 40;
|
||||
+ big |= (host & 0x00000000000000ff) << 56;
|
||||
+ return big;
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+/* Not all platforms have htobe32(). */
|
||||
+static ossl_inline uint32_t be32(uint32_t host)
|
||||
+{
|
||||
+ uint32_t big = 0;
|
||||
+ DECLARE_IS_ENDIAN;
|
||||
+
|
||||
+ if (!IS_LITTLE_ENDIAN)
|
||||
+ return host;
|
||||
+
|
||||
+ big |= (host & 0xff000000) >> 24;
|
||||
+ big |= (host & 0x00ff0000) >> 8;
|
||||
+ big |= (host & 0x0000ff00) << 8;
|
||||
+ big |= (host & 0x000000ff) << 24;
|
||||
+ return big;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
|
||||
+ * similar to BN_BLINDING_invert_ex() arguments.
|
||||
+ * to_mod is RSA modulus.
|
||||
+ * buf and num is the serialization buffer and its length.
|
||||
+ *
|
||||
+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
|
||||
+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
|
||||
+ */
|
||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||
+ const BN_BLINDING *blinding,
|
||||
+ const BIGNUM *possible_arg2,
|
||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||
+ unsigned char *buf, int num)
|
||||
+{
|
||||
+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
|
||||
+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
|
||||
+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
|
||||
+ size_t l_tmp_count = 0;
|
||||
+ int ret = 0;
|
||||
+ size_t i;
|
||||
+ unsigned char *tmp;
|
||||
+ const BIGNUM *arg1 = intermediate;
|
||||
+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
|
||||
+
|
||||
+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+
|
||||
+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
|
||||
+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||
+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||
+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
|
||||
+ goto err;
|
||||
+
|
||||
+ BN_to_limb(arg1, l_im, l_size);
|
||||
+ BN_to_limb(arg2, l_mul, l_size);
|
||||
+ BN_to_limb(to_mod, l_mod, l_mod_count);
|
||||
+
|
||||
+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ if (blinding->m_ctx != NULL) {
|
||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
|
||||
+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
|
||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||
+ } else {
|
||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
|
||||
+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
|
||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||
+ }
|
||||
+
|
||||
+ if ((l_ret == NULL) || (l_tmp == NULL))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (blinding->m_ctx != NULL) {
|
||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||
+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
|
||||
+ blinding->m_ctx->n0[0], l_tmp);
|
||||
+ } else {
|
||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||
+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
|
||||
+ }
|
||||
+
|
||||
+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
|
||||
+ if (num < BN_num_bytes(to_mod)) {
|
||||
+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ memset(buf, 0, num);
|
||||
+ tmp = buf + num - BN_num_bytes(to_mod);
|
||||
+ for (i = 0; i < l_mod_count; i++) {
|
||||
+#if LIMB_BYTE_SIZE == 8
|
||||
+ l_buf = be64(l_ret[i]);
|
||||
+#else
|
||||
+ l_buf = be32(l_ret[i]);
|
||||
+#endif
|
||||
+ if (i == 0) {
|
||||
+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
|
||||
+
|
||||
+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
|
||||
+ tmp += delta;
|
||||
+ } else {
|
||||
+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
|
||||
+ tmp += LIMB_BYTE_SIZE;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = num;
|
||||
+
|
||||
+ err:
|
||||
+ OPENSSL_free(l_im);
|
||||
+ OPENSSL_free(l_mul);
|
||||
+ OPENSSL_free(l_mod);
|
||||
+ OPENSSL_free(l_tmp);
|
||||
+ OPENSSL_free(l_ret);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
|
||||
index 381c659352..7e8b791fba 100644
|
||||
--- a/crypto/rsa/rsa_ossl.c
|
||||
+++ b/crypto/rsa/rsa_ossl.c
|
||||
@@ -469,13 +469,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
||||
BN_free(d);
|
||||
}
|
||||
|
||||
- if (blinding)
|
||||
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
||||
+ if (blinding) {
|
||||
+ /*
|
||||
+ * ossl_bn_rsa_do_unblind() combines blinding inversion and
|
||||
+ * 0-padded BN BE serialization
|
||||
+ */
|
||||
+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
|
||||
+ buf, num);
|
||||
+ if (j == 0)
|
||||
goto err;
|
||||
-
|
||||
- j = BN_bn2binpad(ret, buf, num);
|
||||
- if (j < 0)
|
||||
- goto err;
|
||||
+ } else {
|
||||
+ j = BN_bn2binpad(ret, buf, num);
|
||||
+ if (j < 0)
|
||||
+ goto err;
|
||||
+ }
|
||||
|
||||
switch (padding) {
|
||||
case RSA_PKCS1_PADDING:
|
||||
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
|
||||
index cf69bea848..cd45654210 100644
|
||||
--- a/include/crypto/bn.h
|
||||
+++ b/include/crypto/bn.h
|
||||
@@ -114,4 +114,10 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx);
|
||||
|
||||
extern const BIGNUM ossl_bn_inv_sqrt_2;
|
||||
|
||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||
+ const BN_BLINDING *blinding,
|
||||
+ const BIGNUM *possible_arg2,
|
||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||
+ unsigned char *buf, int num);
|
||||
+
|
||||
#endif
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,106 +0,0 @@
|
||||
From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 14:54:55 +0000
|
||||
Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for
|
||||
PEM_read_bio_ex
|
||||
|
||||
In the event of a failure in PEM_read_bio_ex() we free the buffers we
|
||||
allocated for the header and data buffers. However we were not clearing
|
||||
the ptrs stored in *header and *data. Since, on success, the caller is
|
||||
responsible for freeing these ptrs this can potentially lead to a double
|
||||
free if the caller frees them even on failure.
|
||||
|
||||
Thanks to Dawei Wang for reporting this issue.
|
||||
|
||||
Based on a proposed patch by Kurt Roeckx.
|
||||
|
||||
CVE-2022-4450
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
crypto/pem/pem_lib.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
|
||||
index f9ff80162a..85c47fb627 100644
|
||||
--- a/crypto/pem/pem_lib.c
|
||||
+++ b/crypto/pem/pem_lib.c
|
||||
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
|
||||
|
||||
out_free:
|
||||
pem_free(*header, flags, 0);
|
||||
+ *header = NULL;
|
||||
pem_free(*data, flags, 0);
|
||||
+ *data = NULL;
|
||||
end:
|
||||
EVP_ENCODE_CTX_free(ctx);
|
||||
pem_free(name, flags, 0);
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 15:02:26 +0000
|
||||
Subject: [PATCH 05/18] Add a test for CVE-2022-4450
|
||||
|
||||
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
|
||||
ptrs and therefore there should be no double free if we free the ptrs on
|
||||
error.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
test/pemtest.c | 30 ++++++++++++++++++++++++++++++
|
||||
1 file changed, 30 insertions(+)
|
||||
|
||||
diff --git a/test/pemtest.c b/test/pemtest.c
|
||||
index a8d2d49bb5..a5d28cb256 100644
|
||||
--- a/test/pemtest.c
|
||||
+++ b/test/pemtest.c
|
||||
@@ -96,6 +96,35 @@ static int test_cert_key_cert(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static int test_empty_payload(void)
|
||||
+{
|
||||
+ BIO *b;
|
||||
+ static char *emptypay =
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "-\n" /* Base64 EOF character */
|
||||
+ "-----END CERTIFICATE-----";
|
||||
+ char *name = NULL, *header = NULL;
|
||||
+ unsigned char *data = NULL;
|
||||
+ long len;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay));
|
||||
+ if (!TEST_ptr(b))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Expected to fail because the payload is empty */
|
||||
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+ err:
|
||||
+ OPENSSL_free(name);
|
||||
+ OPENSSL_free(header);
|
||||
+ OPENSSL_free(data);
|
||||
+ BIO_free(b);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
if (!TEST_ptr(pemfile = test_get_argument(0)))
|
||||
@@ -103,5 +132,6 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
|
||||
ADD_TEST(test_invalid);
|
||||
ADD_TEST(test_cert_key_cert);
|
||||
+ ADD_TEST(test_empty_payload);
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,187 +0,0 @@
|
||||
From 8818064ce3c3c0f1b740a5aaba2a987e75bfbafd Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 14 Dec 2022 16:18:14 +0000
|
||||
Subject: [PATCH 06/18] Fix a UAF resulting from a bug in BIO_new_NDEF
|
||||
|
||||
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
|
||||
be part of an invalid BIO chain. This causes a "use after free" when the
|
||||
BIO is eventually freed.
|
||||
|
||||
Based on an original patch by Viktor Dukhovni and an idea from Theo
|
||||
Buehler.
|
||||
|
||||
Thanks to Octavio Galland for reporting this issue.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/asn1/bio_ndef.c | 40 ++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 32 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
|
||||
index d94e3a3644..b9df3a7a47 100644
|
||||
--- a/crypto/asn1/bio_ndef.c
|
||||
+++ b/crypto/asn1/bio_ndef.c
|
||||
@@ -49,13 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
|
||||
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
|
||||
void *parg);
|
||||
|
||||
-/* unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() */
|
||||
+/*
|
||||
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
|
||||
+ * On failure, NULL is returned and the input BIO is owned by the caller.
|
||||
+ *
|
||||
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
|
||||
+ */
|
||||
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
{
|
||||
NDEF_SUPPORT *ndef_aux = NULL;
|
||||
BIO *asn_bio = NULL;
|
||||
const ASN1_AUX *aux = it->funcs;
|
||||
ASN1_STREAM_ARG sarg;
|
||||
+ BIO *pop_bio = NULL;
|
||||
|
||||
if (!aux || !aux->asn1_cb) {
|
||||
ERR_raise(ERR_LIB_ASN1, ASN1_R_STREAMING_NOT_SUPPORTED);
|
||||
@@ -70,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
out = BIO_push(asn_bio, out);
|
||||
if (out == NULL)
|
||||
goto err;
|
||||
+ pop_bio = asn_bio;
|
||||
|
||||
- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
|
||||
- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
|
||||
+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
|
||||
+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
|
||||
+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
|
||||
+ goto err;
|
||||
|
||||
/*
|
||||
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
|
||||
- * needs.
|
||||
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
|
||||
+ * ASN1 structure needs.
|
||||
*/
|
||||
|
||||
sarg.out = out;
|
||||
sarg.ndef_bio = NULL;
|
||||
sarg.boundary = NULL;
|
||||
|
||||
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
|
||||
+ /*
|
||||
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
|
||||
+ * middle of some partially built, but not returned BIO chain.
|
||||
+ */
|
||||
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
|
||||
+ /*
|
||||
+ * ndef_aux is now owned by asn_bio so we must not free it in the err
|
||||
+ * clean up block
|
||||
+ */
|
||||
+ ndef_aux = NULL;
|
||||
goto err;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * We must not fail now because the callback has prepended additional
|
||||
+ * BIOs to the chain
|
||||
+ */
|
||||
|
||||
ndef_aux->val = val;
|
||||
ndef_aux->it = it;
|
||||
@@ -92,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
ndef_aux->boundary = sarg.boundary;
|
||||
ndef_aux->out = out;
|
||||
|
||||
- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
|
||||
-
|
||||
return sarg.ndef_bio;
|
||||
|
||||
err:
|
||||
+ /* BIO_pop() is NULL safe */
|
||||
+ (void)BIO_pop(pop_bio);
|
||||
BIO_free(asn_bio);
|
||||
OPENSSL_free(ndef_aux);
|
||||
return NULL;
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From f596ec8a6f9f5fcfa8e46a73b60f78a609725294 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 14 Dec 2022 17:15:18 +0000
|
||||
Subject: [PATCH 07/18] Check CMS failure during BIO setup with -stream is
|
||||
handled correctly
|
||||
|
||||
Test for the issue fixed in the previous commit
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
test/recipes/80-test_cms.t | 15 +++++++++++++--
|
||||
test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
|
||||
2 files changed, 31 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/smime-certs/badrsa.pem
|
||||
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index 610f1cbc51..fd53683e6b 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -13,7 +13,7 @@ use warnings;
|
||||
use POSIX;
|
||||
use File::Spec::Functions qw/catfile/;
|
||||
use File::Compare qw/compare_text compare/;
|
||||
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
|
||||
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
||||
|
||||
$no_rc2 = 1 if disabled("legacy");
|
||||
|
||||
-plan tests => 12;
|
||||
+plan tests => 13;
|
||||
|
||||
ok(run(test(["pkcs7_test"])), "test pkcs7");
|
||||
|
||||
@@ -972,3 +972,14 @@ ok(!run(app(['openssl', 'cms', '-verify',
|
||||
|
||||
return "";
|
||||
}
|
||||
+
|
||||
+# Check that we get the expected failure return code
|
||||
+with({ exit_checker => sub { return shift == 6; } },
|
||||
+ sub {
|
||||
+ ok(run(app(['openssl', 'cms', '-encrypt',
|
||||
+ '-in', srctop_file("test", "smcont.txt"),
|
||||
+ '-stream', '-recip',
|
||||
+ srctop_file("test/smime-certs", "badrsa.pem"),
|
||||
+ ])),
|
||||
+ "Check failure during BIO setup with -stream is handled correctly");
|
||||
+ });
|
||||
diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
|
||||
new file mode 100644
|
||||
index 0000000000..f824fc2267
|
||||
--- /dev/null
|
||||
+++ b/test/smime-certs/badrsa.pem
|
||||
@@ -0,0 +1,18 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
|
||||
+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
|
||||
+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
|
||||
+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
|
||||
+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
|
||||
+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
|
||||
+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
|
||||
+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
|
||||
+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
|
||||
+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
|
||||
+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
|
||||
+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
|
||||
+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
|
||||
+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
|
||||
+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
|
||||
+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
|
||||
+-----END CERTIFICATE-----
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,110 +0,0 @@
|
||||
From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 16 Jan 2023 19:45:23 +0100
|
||||
Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set
|
||||
|
||||
Fixes CVE-2023-0216
|
||||
|
||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
crypto/pkcs7/pk7_lib.c | 16 ++++++++++++----
|
||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
|
||||
index 753f1276e6..936e50da54 100644
|
||||
--- a/crypto/pkcs7/pk7_lib.c
|
||||
+++ b/crypto/pkcs7/pk7_lib.c
|
||||
@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
|
||||
|
||||
static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
|
||||
{
|
||||
+ if (p7->d.ptr == NULL)
|
||||
+ return NULL;
|
||||
if (PKCS7_type_is_signed(p7))
|
||||
return p7->d.sign->cert;
|
||||
if (PKCS7_type_is_signedAndEnveloped(p7))
|
||||
@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
|
||||
|
||||
static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
|
||||
{
|
||||
+ if (p7->d.ptr == NULL)
|
||||
+ return NULL;
|
||||
if (PKCS7_type_is_signedAndEnveloped(p7))
|
||||
return p7->d.signed_and_enveloped->recipientinfo;
|
||||
if (PKCS7_type_is_enveloped(p7))
|
||||
@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
|
||||
const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
|
||||
OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
|
||||
const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
|
||||
- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
|
||||
- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
|
||||
- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
|
||||
+ STACK_OF(PKCS7_RECIP_INFO) *rinfos;
|
||||
+ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
|
||||
+ STACK_OF(X509) *certs;
|
||||
|
||||
- if (ctx == NULL)
|
||||
+ if (ctx == NULL || p7->d.ptr == NULL)
|
||||
return;
|
||||
|
||||
+ rinfos = pkcs7_get_recipient_info(p7);
|
||||
+ sinfos = PKCS7_get_signer_info(p7);
|
||||
+ certs = pkcs7_get_signer_certs(p7);
|
||||
+
|
||||
for (i = 0; i < sk_X509_num(certs); i++)
|
||||
ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 16 Jan 2023 19:56:20 +0100
|
||||
Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference
|
||||
|
||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
test/recipes/25-test_pkcs7.t | 7 +++++--
|
||||
test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++
|
||||
2 files changed, 8 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7
|
||||
|
||||
diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
|
||||
index 37cd43dc6b..d61cd6abad 100644
|
||||
--- a/test/recipes/25-test_pkcs7.t
|
||||
+++ b/test/recipes/25-test_pkcs7.t
|
||||
@@ -11,11 +11,11 @@ use strict;
|
||||
use warnings;
|
||||
|
||||
use File::Spec;
|
||||
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
|
||||
|
||||
setup("test_pkcs7");
|
||||
|
||||
-plan tests => 3;
|
||||
+plan tests => 4;
|
||||
|
||||
require_ok(srctop_file('test','recipes','tconversion.pl'));
|
||||
|
||||
@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
|
||||
tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
|
||||
-args => ["pkcs7"] );
|
||||
};
|
||||
+
|
||||
+my $malformed = data_file('malformed.pkcs7');
|
||||
+ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
|
||||
diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
|
||||
new file mode 100644
|
||||
index 0000000000..e30d1b582c
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
|
||||
@@ -0,0 +1,3 @@
|
||||
+-----BEGIN PKCS7-----
|
||||
+MAsGCSqGSIb3DQEHAg==
|
||||
+-----END PKCS7-----
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,404 +0,0 @@
|
||||
From 23985bac83fd50c8e29431009302b5442f985096 Mon Sep 17 00:00:00 2001
|
||||
From: slontis <shane.lontis@oracle.com>
|
||||
Date: Wed, 11 Jan 2023 11:05:04 +1000
|
||||
Subject: [PATCH 10/18] Fix NULL deference when validating FFC public key.
|
||||
|
||||
Fixes CVE-2023-0217
|
||||
|
||||
When attempting to do a BN_Copy of params->p there was no NULL check.
|
||||
Since BN_copy does not check for NULL this is a NULL reference.
|
||||
|
||||
As an aside BN_cmp() does do a NULL check, so there are other checks
|
||||
that fail because a NULL is passed. A more general check for NULL params
|
||||
has been added for both FFC public and private key validation instead.
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/ffc/ffc_key_validate.c | 9 +++++++++
|
||||
include/internal/ffc.h | 1 +
|
||||
test/ffc_internal_test.c | 31 +++++++++++++++++++++++++++++++
|
||||
3 files changed, 41 insertions(+)
|
||||
|
||||
diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c
|
||||
index 9f6525a2c8..442303e4b3 100644
|
||||
--- a/crypto/ffc/ffc_key_validate.c
|
||||
+++ b/crypto/ffc/ffc_key_validate.c
|
||||
@@ -24,6 +24,11 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params,
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
*ret = 0;
|
||||
+ if (params == NULL || pub_key == NULL || params->p == NULL) {
|
||||
+ *ret = FFC_ERROR_PASSED_NULL_PARAM;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
ctx = BN_CTX_new_ex(NULL);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -107,6 +112,10 @@ int ossl_ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv,
|
||||
|
||||
*ret = 0;
|
||||
|
||||
+ if (priv == NULL || upper == NULL) {
|
||||
+ *ret = FFC_ERROR_PASSED_NULL_PARAM;
|
||||
+ goto err;
|
||||
+ }
|
||||
if (BN_cmp(priv, BN_value_one()) < 0) {
|
||||
*ret |= FFC_ERROR_PRIVKEY_TOO_SMALL;
|
||||
goto err;
|
||||
diff --git a/include/internal/ffc.h b/include/internal/ffc.h
|
||||
index 732514a6c2..b8b7140857 100644
|
||||
--- a/include/internal/ffc.h
|
||||
+++ b/include/internal/ffc.h
|
||||
@@ -76,6 +76,7 @@
|
||||
# define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08
|
||||
# define FFC_ERROR_PRIVKEY_TOO_SMALL 0x10
|
||||
# define FFC_ERROR_PRIVKEY_TOO_LARGE 0x20
|
||||
+# define FFC_ERROR_PASSED_NULL_PARAM 0x40
|
||||
|
||||
/*
|
||||
* Finite field cryptography (FFC) domain parameters are used by DH and DSA.
|
||||
diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c
|
||||
index 2c97293573..9f67bd29b9 100644
|
||||
--- a/test/ffc_internal_test.c
|
||||
+++ b/test/ffc_internal_test.c
|
||||
@@ -510,6 +510,27 @@ static int ffc_public_validate_test(void)
|
||||
if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
|
||||
goto err;
|
||||
|
||||
+ /* Fail if params is NULL */
|
||||
+ if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+ res = -1;
|
||||
+ /* Fail if pubkey is NULL */
|
||||
+ if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+ res = -1;
|
||||
+
|
||||
+ BN_free(params->p);
|
||||
+ params->p = NULL;
|
||||
+ /* Fail if params->p is NULL */
|
||||
+ if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+
|
||||
ret = 1;
|
||||
err:
|
||||
DH_free(dh);
|
||||
@@ -567,6 +588,16 @@ static int ffc_private_validate_test(void)
|
||||
if (!TEST_true(ossl_ffc_validate_private_key(params->q, priv, &res)))
|
||||
goto err;
|
||||
|
||||
+ if (!TEST_false(ossl_ffc_validate_private_key(NULL, priv, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+ res = -1;
|
||||
+ if (!TEST_false(ossl_ffc_validate_private_key(params->q, NULL, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+
|
||||
ret = 1;
|
||||
err:
|
||||
DH_free(dh);
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From c1b4467a7cc129a74fc5205b80a5c47556b99416 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 13 Jan 2023 17:57:59 +0100
|
||||
Subject: [PATCH 11/18] Prevent creating DSA and DH keys without parameters
|
||||
through import
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
providers/implementations/keymgmt/dh_kmgmt.c | 4 ++--
|
||||
providers/implementations/keymgmt/dsa_kmgmt.c | 5 +++--
|
||||
2 files changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
index 58a5fd009f..c2d87b4a7f 100644
|
||||
--- a/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
@@ -198,8 +198,8 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
|
||||
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
|
||||
return 0;
|
||||
|
||||
- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
|
||||
- ok = ok && ossl_dh_params_fromdata(dh, params);
|
||||
+ /* a key without parameters is meaningless */
|
||||
+ ok = ok && ossl_dh_params_fromdata(dh, params);
|
||||
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
|
||||
int include_private =
|
||||
diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
|
||||
index 100e917167..881680c085 100644
|
||||
--- a/providers/implementations/keymgmt/dsa_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
|
||||
@@ -199,8 +199,9 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
|
||||
if ((selection & DSA_POSSIBLE_SELECTIONS) == 0)
|
||||
return 0;
|
||||
|
||||
- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
|
||||
- ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
|
||||
+ /* a key without parameters is meaningless */
|
||||
+ ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
|
||||
+
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
|
||||
int include_private =
|
||||
selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From fab4973801bdc11c29c4c8ccf65cf39cbc63ce9b Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 13 Jan 2023 17:59:52 +0100
|
||||
Subject: [PATCH 12/18] Do not create DSA keys without parameters by decoder
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
crypto/x509/x_pubkey.c | 24 +++++++++++++++++++
|
||||
include/crypto/x509.h | 3 +++
|
||||
.../encode_decode/decode_der2key.c | 2 +-
|
||||
3 files changed, 28 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
|
||||
index bc90ddd89b..77790faa1f 100644
|
||||
--- a/crypto/x509/x_pubkey.c
|
||||
+++ b/crypto/x509/x_pubkey.c
|
||||
@@ -745,6 +745,30 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
|
||||
return key;
|
||||
}
|
||||
|
||||
+/* Called from decoders; disallows provided DSA keys without parameters. */
|
||||
+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
|
||||
+{
|
||||
+ DSA *key = NULL;
|
||||
+ const unsigned char *data;
|
||||
+ const BIGNUM *p, *q, *g;
|
||||
+
|
||||
+ data = *pp;
|
||||
+ key = d2i_DSA_PUBKEY(NULL, &data, length);
|
||||
+ if (key == NULL)
|
||||
+ return NULL;
|
||||
+ DSA_get0_pqg(key, &p, &q, &g);
|
||||
+ if (p == NULL || q == NULL || g == NULL) {
|
||||
+ DSA_free(key);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ *pp = data;
|
||||
+ if (a != NULL) {
|
||||
+ DSA_free(*a);
|
||||
+ *a = key;
|
||||
+ }
|
||||
+ return key;
|
||||
+}
|
||||
+
|
||||
int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp)
|
||||
{
|
||||
EVP_PKEY *pktmp;
|
||||
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
|
||||
index 1f00178e89..0c42730ee9 100644
|
||||
--- a/include/crypto/x509.h
|
||||
+++ b/include/crypto/x509.h
|
||||
@@ -339,6 +339,9 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub);
|
||||
|
||||
RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length);
|
||||
int ossl_i2d_RSA_PSS_PUBKEY(const RSA *a, unsigned char **pp);
|
||||
+# ifndef OPENSSL_NO_DSA
|
||||
+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length);
|
||||
+# endif /* OPENSSL_NO_DSA */
|
||||
# ifndef OPENSSL_NO_DH
|
||||
DH *ossl_d2i_DH_PUBKEY(DH **a, const unsigned char **pp, long length);
|
||||
int ossl_i2d_DH_PUBKEY(const DH *a, unsigned char **pp);
|
||||
diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
|
||||
index ebc2d24833..d6ad738ef3 100644
|
||||
--- a/providers/implementations/encode_decode/decode_der2key.c
|
||||
+++ b/providers/implementations/encode_decode/decode_der2key.c
|
||||
@@ -374,7 +374,7 @@ static void *dsa_d2i_PKCS8(void **key, const unsigned char **der, long der_len,
|
||||
(key_from_pkcs8_t *)ossl_dsa_key_from_pkcs8);
|
||||
}
|
||||
|
||||
-# define dsa_d2i_PUBKEY (d2i_of_void *)d2i_DSA_PUBKEY
|
||||
+# define dsa_d2i_PUBKEY (d2i_of_void *)ossl_d2i_DSA_PUBKEY
|
||||
# define dsa_free (free_key_fn *)DSA_free
|
||||
# define dsa_check NULL
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From 7e37185582995b35f885fec9dcc3670af9ffcbef Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 13 Jan 2023 18:46:15 +0100
|
||||
Subject: [PATCH 13/18] Add test for DSA pubkey without param import and check
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
test/recipes/91-test_pkey_check.t | 48 ++++++++++++++----
|
||||
.../91-test_pkey_check_data/dsapub.pem | 12 +++++
|
||||
.../dsapub_noparam.der | Bin 0 -> 108 bytes
|
||||
3 files changed, 49 insertions(+), 11 deletions(-)
|
||||
create mode 100644 test/recipes/91-test_pkey_check_data/dsapub.pem
|
||||
create mode 100644 test/recipes/91-test_pkey_check_data/dsapub_noparam.der
|
||||
|
||||
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
|
||||
index 612a3e3d6c..015d7805db 100644
|
||||
--- a/test/recipes/91-test_pkey_check.t
|
||||
+++ b/test/recipes/91-test_pkey_check.t
|
||||
@@ -11,19 +11,24 @@ use strict;
|
||||
use warnings;
|
||||
|
||||
use File::Spec;
|
||||
-use OpenSSL::Test qw/:DEFAULT data_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT data_file with/;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
sub pkey_check {
|
||||
my $f = shift;
|
||||
+ my $pubcheck = shift;
|
||||
+ my @checkopt = ('-check');
|
||||
|
||||
- return run(app(['openssl', 'pkey', '-check', '-text',
|
||||
+ @checkopt = ('-pubcheck', '-pubin') if $pubcheck;
|
||||
+
|
||||
+ return run(app(['openssl', 'pkey', @checkopt, '-text',
|
||||
'-in', $f]));
|
||||
}
|
||||
|
||||
sub check_key {
|
||||
my $f = shift;
|
||||
my $should_fail = shift;
|
||||
+ my $pubcheck = shift;
|
||||
my $str;
|
||||
|
||||
|
||||
@@ -33,11 +38,10 @@ sub check_key {
|
||||
$f = data_file($f);
|
||||
|
||||
if ( -s $f ) {
|
||||
- if ($should_fail) {
|
||||
- ok(!pkey_check($f), $str);
|
||||
- } else {
|
||||
- ok(pkey_check($f), $str);
|
||||
- }
|
||||
+ with({ exit_checker => sub { return shift == $should_fail; } },
|
||||
+ sub {
|
||||
+ ok(pkey_check($f, $pubcheck), $str);
|
||||
+ });
|
||||
} else {
|
||||
fail("Missing file $f");
|
||||
}
|
||||
@@ -66,15 +70,37 @@ push(@positive_tests, (
|
||||
"dhpkey.pem"
|
||||
)) unless disabled("dh");
|
||||
|
||||
+my @negative_pubtests = ();
|
||||
+
|
||||
+push(@negative_pubtests, (
|
||||
+ "dsapub_noparam.der"
|
||||
+ )) unless disabled("dsa");
|
||||
+
|
||||
+my @positive_pubtests = ();
|
||||
+
|
||||
+push(@positive_pubtests, (
|
||||
+ "dsapub.pem"
|
||||
+ )) unless disabled("dsa");
|
||||
+
|
||||
plan skip_all => "No tests within the current enabled feature set"
|
||||
- unless @negative_tests && @positive_tests;
|
||||
+ unless @negative_tests && @positive_tests
|
||||
+ && @negative_pubtests && @positive_pubtests;
|
||||
|
||||
-plan tests => scalar(@negative_tests) + scalar(@positive_tests);
|
||||
+plan tests => scalar(@negative_tests) + scalar(@positive_tests)
|
||||
+ + scalar(@negative_pubtests) + scalar(@positive_pubtests);
|
||||
|
||||
foreach my $t (@negative_tests) {
|
||||
- check_key($t, 1);
|
||||
+ check_key($t, 1, 0);
|
||||
}
|
||||
|
||||
foreach my $t (@positive_tests) {
|
||||
- check_key($t, 0);
|
||||
+ check_key($t, 0, 0);
|
||||
+}
|
||||
+
|
||||
+foreach my $t (@negative_pubtests) {
|
||||
+ check_key($t, 1, 1);
|
||||
+}
|
||||
+
|
||||
+foreach my $t (@positive_pubtests) {
|
||||
+ check_key($t, 0, 1);
|
||||
}
|
||||
diff --git a/test/recipes/91-test_pkey_check_data/dsapub.pem b/test/recipes/91-test_pkey_check_data/dsapub.pem
|
||||
new file mode 100644
|
||||
index 0000000000..0ff4bd83ed
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/91-test_pkey_check_data/dsapub.pem
|
||||
@@ -0,0 +1,12 @@
|
||||
+-----BEGIN PUBLIC KEY-----
|
||||
+MIIBvzCCATQGByqGSM44BAEwggEnAoGBAIjbXpOVVciVNuagg26annKkghIIZFI4
|
||||
+4WdMomnV+I/oXyxHbZTBBBpW9xy/E1+yMjbp4GmX+VxyDj3WxUWxXllzL+miEkzD
|
||||
+9Xz638VzIBhjFbMvk1/N4kS4bKVUd9yk7HfvYzAdnRphk0WI+RoDiDrBNPPxSoQD
|
||||
+CEWgvwgsLIDhAh0A6dbz1IQpQwGF4+Ca28x6OO+UfJJv3ggeZ++fNwKBgQCA9XKV
|
||||
+lRrTY8ALBxS0KbZjpaIXuUj5nr3i1lIDyP3ISksDF0ekyLtn6eK9VijX6Pm65Np+
|
||||
+4ic9Nr5WKLKhPaUSpLNRx1gDqo3sd92hYgiEUifzEuhLYfK/CsgFED+l2hDXtJUq
|
||||
+bISNSHVwI5lsyNXLu7HI1Fk8F5UO3LqsboFAngOBhAACgYATxFY89nEYcUhgHGgr
|
||||
+YDHhXBQfMKnTKYdvon4DN7WQ9ip+t4VUsLpTD1ZE9zrM2R/B04+8C6KGoViwyeER
|
||||
+kS4dxWOkX71x4X2DlNpYevcR53tNcTDqmMD7YKfDDmrb0lftMyfW8aESaiymVMys
|
||||
+DRjhKHBjdo0rZeSM8DAk3ctrXA==
|
||||
+-----END PUBLIC KEY-----
|
||||
diff --git a/test/recipes/91-test_pkey_check_data/dsapub_noparam.der b/test/recipes/91-test_pkey_check_data/dsapub_noparam.der
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..b8135f1ca94da914b6829421e0c13f6daa731862
|
||||
GIT binary patch
|
||||
literal 108
|
||||
zcmXpIGT>xm*J|@PXTieE%*wz71<Xv0AT}3_&&0^YB*etj0OvEYF$n`XLd*y;pgagL
|
||||
U3o&W4F|x9<gY>|F5F-Nv0Bz9(=Kufz
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From 2ad9928170768653d19d81881deabc5f9c1665c0 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 3 Feb 2023 14:57:04 +0100
|
||||
Subject: [PATCH 18/18] Internaly declare the DSA type for no-deprecated builds
|
||||
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||||
(cherry picked from commit 7a21a1b5fa2dac438892cf3292d1f9c445d870d9)
|
||||
---
|
||||
include/crypto/types.h | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/include/crypto/types.h b/include/crypto/types.h
|
||||
index 0d81404091..0a75f03a3f 100644
|
||||
--- a/include/crypto/types.h
|
||||
+++ b/include/crypto/types.h
|
||||
@@ -20,6 +20,9 @@ typedef struct rsa_meth_st RSA_METHOD;
|
||||
typedef struct ec_key_st EC_KEY;
|
||||
typedef struct ec_key_method_st EC_KEY_METHOD;
|
||||
# endif
|
||||
+# ifndef OPENSSL_NO_DSA
|
||||
+typedef struct dsa_st DSA;
|
||||
+# endif
|
||||
# endif
|
||||
|
||||
# ifndef OPENSSL_NO_EC
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,63 +0,0 @@
|
||||
From 2f7530077e0ef79d98718138716bc51ca0cad658 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Landau <hlandau@openssl.org>
|
||||
Date: Tue, 17 Jan 2023 17:45:42 +0000
|
||||
Subject: [PATCH 14/18] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
|
||||
(3.0)
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
CHANGES.md | 19 +++++++++++++++++++
|
||||
crypto/x509/v3_genn.c | 2 +-
|
||||
include/openssl/x509v3.h.in | 2 +-
|
||||
test/v3nametest.c | 8 ++++++++
|
||||
4 files changed, 29 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
|
||||
index c0a7166cd0..1741c2d2f6 100644
|
||||
--- a/crypto/x509/v3_genn.c
|
||||
+++ b/crypto/x509/v3_genn.c
|
||||
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
|
||||
return -1;
|
||||
switch (a->type) {
|
||||
case GEN_X400:
|
||||
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
|
||||
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
|
||||
break;
|
||||
|
||||
case GEN_EDIPARTY:
|
||||
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
|
||||
index d00a66a343..c087e3cf92 100644
|
||||
--- a/include/openssl/x509v3.h.in
|
||||
+++ b/include/openssl/x509v3.h.in
|
||||
@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st {
|
||||
OTHERNAME *otherName; /* otherName */
|
||||
ASN1_IA5STRING *rfc822Name;
|
||||
ASN1_IA5STRING *dNSName;
|
||||
- ASN1_TYPE *x400Address;
|
||||
+ ASN1_STRING *x400Address;
|
||||
X509_NAME *directoryName;
|
||||
EDIPARTYNAME *ediPartyName;
|
||||
ASN1_IA5STRING *uniformResourceIdentifier;
|
||||
diff --git a/test/v3nametest.c b/test/v3nametest.c
|
||||
index 6d2e2f8e27..0341995dde 100644
|
||||
--- a/test/v3nametest.c
|
||||
+++ b/test/v3nametest.c
|
||||
@@ -644,6 +644,14 @@ static struct gennamedata {
|
||||
0xb7, 0x09, 0x02, 0x02
|
||||
},
|
||||
15
|
||||
+ }, {
|
||||
+ /*
|
||||
+ * Regression test for CVE-2023-0286.
|
||||
+ */
|
||||
+ {
|
||||
+ 0xa3, 0x00
|
||||
+ },
|
||||
+ 2
|
||||
}
|
||||
};
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,150 +0,0 @@
|
||||
From d3b6dfd70db844c4499bec6ad6601623a565e674 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Wed, 18 Jan 2023 09:27:53 +0100
|
||||
Subject: [PATCH 15/18] pk7_doit.c: Check return of BIO_set_md() calls
|
||||
|
||||
These calls invoke EVP_DigestInit() which can fail for digests
|
||||
with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
|
||||
or EVP_DigestFinal() from BIO_read() will segfault on NULL
|
||||
dereference. This can be triggered by an attacker providing
|
||||
PKCS7 data digested with MD4 for example if the legacy provider
|
||||
is not loaded.
|
||||
|
||||
If BIO_set_md() fails the md BIO cannot be used.
|
||||
|
||||
CVE-2023-0401
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
---
|
||||
crypto/pkcs7/pk7_doit.c | 12 ++++++++++--
|
||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
|
||||
index bde9ac4787..5e562fbea5 100644
|
||||
--- a/crypto/pkcs7/pk7_doit.c
|
||||
+++ b/crypto/pkcs7/pk7_doit.c
|
||||
@@ -84,7 +84,11 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg,
|
||||
}
|
||||
(void)ERR_pop_to_mark();
|
||||
|
||||
- BIO_set_md(btmp, md);
|
||||
+ if (BIO_set_md(btmp, md) <= 0) {
|
||||
+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
|
||||
+ EVP_MD_free(fetched);
|
||||
+ goto err;
|
||||
+ }
|
||||
EVP_MD_free(fetched);
|
||||
if (*pbio == NULL)
|
||||
*pbio = btmp;
|
||||
@@ -522,7 +526,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
|
||||
}
|
||||
(void)ERR_pop_to_mark();
|
||||
|
||||
- BIO_set_md(btmp, md);
|
||||
+ if (BIO_set_md(btmp, md) <= 0) {
|
||||
+ EVP_MD_free(evp_md);
|
||||
+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
EVP_MD_free(evp_md);
|
||||
if (out == NULL)
|
||||
out = btmp;
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From a0f2359613f50b5ca6b74b78bf4b54d7dc925fd2 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Wed, 18 Jan 2023 17:07:24 +0100
|
||||
Subject: [PATCH 16/18] Add testcase for missing return check of BIO_set_md()
|
||||
calls
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
---
|
||||
test/recipes/80-test_cms.t | 15 ++++++++--
|
||||
test/recipes/80-test_cms_data/pkcs7-md4.pem | 32 +++++++++++++++++++++
|
||||
2 files changed, 45 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/recipes/80-test_cms_data/pkcs7-md4.pem
|
||||
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index fd53683e6b..d45789de70 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -13,7 +13,7 @@ use warnings;
|
||||
use POSIX;
|
||||
use File::Spec::Functions qw/catfile/;
|
||||
use File::Compare qw/compare_text compare/;
|
||||
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
|
||||
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
|
||||
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
||||
|
||||
$no_rc2 = 1 if disabled("legacy");
|
||||
|
||||
-plan tests => 13;
|
||||
+plan tests => 14;
|
||||
|
||||
ok(run(test(["pkcs7_test"])), "test pkcs7");
|
||||
|
||||
@@ -941,6 +941,17 @@ subtest "CMS binary input tests\n" => sub {
|
||||
"verify binary input with -binary missing -crlfeol");
|
||||
};
|
||||
|
||||
+# Test case for missing MD algorithm (must not segfault)
|
||||
+
|
||||
+with({ exit_checker => sub { return shift == 4; } },
|
||||
+ sub {
|
||||
+ ok(run(app(['openssl', 'smime', '-verify', '-noverify',
|
||||
+ '-inform', 'PEM',
|
||||
+ '-in', data_file("pkcs7-md4.pem"),
|
||||
+ ])),
|
||||
+ "Check failure of EVP_DigestInit is handled correctly");
|
||||
+ });
|
||||
+
|
||||
sub check_availability {
|
||||
my $tnam = shift;
|
||||
|
||||
diff --git a/test/recipes/80-test_cms_data/pkcs7-md4.pem b/test/recipes/80-test_cms_data/pkcs7-md4.pem
|
||||
new file mode 100644
|
||||
index 0000000000..ecff611deb
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/80-test_cms_data/pkcs7-md4.pem
|
||||
@@ -0,0 +1,32 @@
|
||||
+-----BEGIN PKCS7-----
|
||||
+MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG
|
||||
+SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G
|
||||
+CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx
|
||||
+MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ
|
||||
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU
|
||||
+fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC
|
||||
+76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz
|
||||
+BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl
|
||||
+V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv
|
||||
+0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9
|
||||
+MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR
|
||||
+M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
|
||||
+AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB
|
||||
+AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS
|
||||
+EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3
|
||||
+IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2
|
||||
++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU
|
||||
+TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC
|
||||
+e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC
|
||||
+MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
|
||||
+hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp
|
||||
+RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB
|
||||
+ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN
|
||||
+BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B
|
||||
+AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7
|
||||
+kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c
|
||||
+lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp
|
||||
+0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk
|
||||
+Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a
|
||||
+ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6
|
||||
+-----END PKCS7-----
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 13 Feb 2023 11:01:44 +0100
|
||||
Subject: fips: Zeroize `out` in fips selftest
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
Resolves: rhbz#2169314
|
||||
---
|
||||
providers/fips/self_test.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
||||
index 80d048a847..11a989209c 100644
|
||||
--- a/providers/fips/self_test.c
|
||||
+++ b/providers/fips/self_test.c
|
||||
@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
+ OPENSSL_cleanse(out, sizeof(out));
|
||||
OSSL_SELF_TEST_onend(ev, ret);
|
||||
EVP_MAC_CTX_free(ctx);
|
||||
EVP_MAC_free(mac);
|
||||
--
|
||||
2.39.1
|
||||
|
@ -12,24 +12,12 @@ internally at its entirety randomly."
|
||||
Resolves: rhbz#2168289
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/evp.h | 4 +++
|
||||
.../implementations/ciphers/ciphercommon.c | 4 +++
|
||||
.../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
|
||||
4 files changed, 34 insertions(+)
|
||||
util/perl/OpenSSL/paramnames.pm | 5 ++--
|
||||
4 files changed, 36 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 680bfbc7cc..832502a034 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -97,6 +97,7 @@ extern "C" {
|
||||
#define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */
|
||||
/* For passing the AlgorithmIdentifier parameter in DER form */
|
||||
#define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */
|
||||
+#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
|
||||
|
||||
#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \
|
||||
"tls1multi_maxsndfrag" /* uint */
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index 49e8e1df78..ec2ba46fbd 100644
|
||||
--- a/include/openssl/evp.h
|
||||
@ -44,7 +32,7 @@ index 49e8e1df78..ec2ba46fbd 100644
|
||||
+
|
||||
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
||||
const unsigned char *key, const unsigned char *iv);
|
||||
/*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
|
||||
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
|
||||
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
|
||||
index fa383165d8..716add7339 100644
|
||||
--- a/providers/implementations/ciphers/ciphercommon.c
|
||||
@ -64,9 +52,9 @@ diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/im
|
||||
index ed95c97ff4..db7910eb0e 100644
|
||||
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||
@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
|| !getivgen(ctx, p->data, p->data_size))
|
||||
return 0;
|
||||
@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
break;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /* We would usually hide this under #ifdef FIPS_MODULE, but
|
||||
@ -96,6 +84,22 @@ index ed95c97ff4..db7910eb0e 100644
|
||||
return 1;
|
||||
}
|
||||
|
||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||
index a109e44521..64e9809387 100644
|
||||
--- a/util/perl/OpenSSL/paramnames.pm
|
||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||
@@ -101,8 +101,9 @@ my %params = (
|
||||
'CIPHER_PARAM_SPEED' => "speed", # uint
|
||||
'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
|
||||
# For passing the AlgorithmIdentifier parameter in DER form
|
||||
- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
|
||||
- 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
|
||||
+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
|
||||
+ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
|
||||
+ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
|
||||
|
||||
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint
|
||||
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t
|
||||
--
|
||||
2.39.1
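Review bot: The new-side diffstat in this patch header still reads `4 files changed, 36 insertions(+), 2 deletions(-)` although it now lists five files, `util/perl/OpenSSL/paramnames.pm | 5 ++--` having been added; regenerate the header with `git format-patch` so the summary matches the hunks, since a stale diffstat is the first thing a later rebase trips over. If, as upstream 3.2 does, `core_names.h` is generated from `paramnames.pm`, patching both the shipped generated header and the Perl source is presumably deliberate for tarball builds; a one-line note in the patch description saying so would spare the next maintainer the question. The new `'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int` entry itself follows the surrounding hash style. The ciphercommon_gcm.c hunk is cut here, so the body of `ossl_gcm_get_ctx_params` that the indicator logic lands in is not visible.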
|
||||
|
||||
|
@ -1,82 +0,0 @@
|
||||
From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 3 Mar 2023 12:22:03 +0100
|
||||
Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest
|
||||
|
||||
NIST SP 800-132 [1] section 5.1 says "[t]he length of the
|
||||
randomly-generated portion of the salt shall be at least
|
||||
128 bits", which implies that the salt for PBKDF2 must be at least 16
|
||||
bytes long (see also Appendix A.2.1).
|
||||
|
||||
The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the
|
||||
properties of the Password and Salt parameters, as well as the desired
|
||||
length of the Master Key used in a CAST shall be among those supported
|
||||
by the module in the approved mode."
|
||||
|
||||
As a consequence, the salt length in the self test must be at least 16
|
||||
bytes long for FIPS 140-3 compliance. Switch the self test to use the
|
||||
only test vector from RFC 6070 that uses salt that is long enough to
|
||||
fulfil this requirement. Since RFC 6070 does not provide expected
|
||||
results for PBKDF2 with HMAC-SHA256, use the output from [3], which was
|
||||
generated with python cryptography, which was tested against the RFC
|
||||
6070 vectors with HMAC-SHA1.
|
||||
|
||||
[1]: https://doi.org/10.6028/NIST.SP.800-132
|
||||
[2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
|
||||
[3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/20429)
|
||||
|
||||
(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956)
|
||||
---
|
||||
providers/fips/self_test_data.inc | 22 ++++++++++++++++------
|
||||
1 file changed, 16 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index 8ae8cd6f4a..03adf28f3c 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
+++ b/providers/fips/self_test_data.inc
|
||||
@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = {
|
||||
};
|
||||
|
||||
static const char pbkdf2_digest[] = "SHA256";
|
||||
+/*
|
||||
+ * Input parameters from RFC 6070, vector 5 (because it is the only one with
|
||||
+ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The
|
||||
+ * expected output is taken from
|
||||
+ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md,
|
||||
+ * which ran these test vectors with SHA-256.
|
||||
+ */
|
||||
static const unsigned char pbkdf2_password[] = {
|
||||
- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72,
|
||||
- 0x64
|
||||
+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53,
|
||||
+ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
|
||||
};
|
||||
static const unsigned char pbkdf2_salt[] = {
|
||||
- 0x73, 0x61, 0x00, 0x6c, 0x74
|
||||
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74,
|
||||
+ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54,
|
||||
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74
|
||||
};
|
||||
static const unsigned char pbkdf2_expected[] = {
|
||||
- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89,
|
||||
- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87,
|
||||
+ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
|
||||
+ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
|
||||
+ 0x1c
|
||||
};
|
||||
static int pbkdf2_iterations = 4096;
|
||||
-static int pbkdf2_pkcs5 = 1;
|
||||
+static int pbkdf2_pkcs5 = 0;
|
||||
static const ST_KAT_PARAM pbkdf2_params[] = {
|
||||
ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest),
|
||||
ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password),
|
||||
--
|
||||
2.39.2
|
||||
|
@ -21,32 +21,12 @@ Resolves: rhbz#2179331
|
||||
Resolves: RHEL-14083
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
include/openssl/core_names.h | 2 ++
|
||||
include/openssl/evp.h | 4 +++
|
||||
.../implementations/asymciphers/rsa_enc.c | 19 ++++++++++++
|
||||
providers/implementations/kem/rsa_kem.c | 29 ++++++++++++++++++-
|
||||
4 files changed, 53 insertions(+), 1 deletion(-)
|
||||
.../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++
|
||||
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
|
||||
util/perl/OpenSSL/paramnames.pm | 6 ++--
|
||||
4 files changed, 59 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 832502a034..e15d208421 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -477,6 +477,7 @@ extern "C" {
|
||||
#ifdef FIPS_MODULE
|
||||
#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed"
|
||||
#endif
|
||||
+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
||||
|
||||
/*
|
||||
* Encoder / decoder parameters
|
||||
@@ -511,6 +512,7 @@ extern "C" {
|
||||
|
||||
/* KEM parameters */
|
||||
#define OSSL_KEM_PARAM_OPERATION "operation"
|
||||
+#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
|
||||
|
||||
/* OSSL_KEM_PARAM_OPERATION values */
|
||||
#define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE"
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index ec2ba46fbd..3803b03422 100644
|
||||
--- a/include/openssl/evp.h
|
||||
@ -66,22 +46,25 @@ diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/impleme
|
||||
index 568452ec56..2e7ea632d7 100644
|
||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||
@@ -452,6 +452,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
|
||||
@@ -462,6 +462,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
|
||||
return 0;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
|
||||
+ * explicit key confirmation is not implemented here and cannot be
|
||||
+ * implemented without protocol changes, and the FIPS provider does not
|
||||
+ * implement trusted third party validation, since it relies on its
|
||||
+ * callers to do that. A request for guidance sent to NIST resulted in
|
||||
+ * further clarification which allows OpenSSL to claim RSA-OAEP. */
|
||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+ * callers to do that. We must thus mark RSA-OAEP as unapproved until
|
||||
+ * we have received clarification from NIST on how library modules such
|
||||
+ * as OpenSSL should implement TTP validation. */
|
||||
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
@ -97,13 +80,13 @@ index 568452ec56..2e7ea632d7 100644
|
||||
OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
||||
+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
#endif /* FIPS_MODULE */
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
|
||||
index 882cf16125..b4cc0f9237 100644
|
||||
--- a/providers/implementations/kem/rsa_kem.c
|
||||
+++ b/providers/implementations/kem/rsa_kem.c
|
||||
@@ -151,11 +151,38 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
|
||||
@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
|
||||
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
{
|
||||
PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
|
||||
@ -123,9 +106,10 @@ index 882cf16125..b4cc0f9237 100644
|
||||
+ * explicit key confirmation is not implemented here and cannot be
|
||||
+ * implemented without protocol changes, and the FIPS provider does not
|
||||
+ * implement trusted third party validation, since it relies on its
|
||||
+ * callers to do that. A request for guidance sent to NIST resulted in
|
||||
+ * further clarification which allows OpenSSL to claim RSASVE. */
|
||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+ * callers to do that. We must thus mark RSASVE unapproved until we
|
||||
+ * have received clarification from NIST on how library modules such as
|
||||
+ * OpenSSL should implement TTP validation. */
|
||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
@ -143,6 +127,30 @@ index 882cf16125..b4cc0f9237 100644
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||
index 64e9809387..45ab0c8dc4 100644
|
||||
--- a/util/perl/OpenSSL/paramnames.pm
|
||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||
@@ -406,6 +406,7 @@ my %params = (
|
||||
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
|
||||
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
|
||||
'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
|
||||
+ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||
|
||||
# Encoder / decoder parameters
|
||||
|
||||
@@ -438,8 +439,9 @@ my %params = (
|
||||
'SIGNATURE_PARAM_KAT' => "kat",
|
||||
|
||||
# KEM parameters
|
||||
- 'KEM_PARAM_OPERATION' => "operation",
|
||||
- 'KEM_PARAM_IKME' => "ikme",
|
||||
+ 'KEM_PARAM_OPERATION' => "operation",
|
||||
+ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||
+ 'KEM_PARAM_IKME' => "ikme",
|
||||
|
||||
# Capabilities
|
||||
|
||||
--
|
||||
2.39.2
|
||||
|
||||
|
@ -1,44 +1,72 @@
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index e90e5dc03339..f391e756475c 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -1006,6 +1006,7 @@ PROV_R_BN_ERROR:160:bn error
|
||||
PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed
|
||||
PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed
|
||||
PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed
|
||||
+PROV_R_EMS_NOT_ENABLED:233:ems not enabled
|
||||
PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak
|
||||
PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg
|
||||
PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 173a81d28bbe..5e5be567a578 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -21,11 +21,12 @@ extern "C" {
|
||||
#define OSSL_PROV_PARAM_CORE_MODULE_FILENAME "module-filename" /* utf8_ptr */
|
||||
From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 16:40:56 +0200
|
||||
Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch
|
||||
|
||||
/* Well known parameter names that Providers can define */
|
||||
-#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */
|
||||
-#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */
|
||||
-#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */
|
||||
-#define OSSL_PROV_PARAM_STATUS "status" /* uint */
|
||||
-#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */
|
||||
+#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */
|
||||
+#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */
|
||||
+#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */
|
||||
+#define OSSL_PROV_PARAM_STATUS "status" /* uint */
|
||||
+#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */
|
||||
+#define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" /* uint */
|
||||
Patch-name: 0114-FIPS-enforce-EMS-support.patch
|
||||
Patch-id: 114
|
||||
Patch-status: |
|
||||
# We believe that some changes present in CentOS are not necessary
|
||||
# because ustream has a check for FIPS version
|
||||
---
|
||||
doc/man3/SSL_CONF_cmd.pod | 3 +++
|
||||
doc/man5/fips_config.pod | 13 +++++++++++
|
||||
include/openssl/fips_names.h | 8 +++++++
|
||||
include/openssl/ssl.h.in | 1 +
|
||||
providers/fips/fipsprov.c | 2 +-
|
||||
providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++
|
||||
ssl/ssl_conf.c | 1 +
|
||||
ssl/statem/extensions_srvr.c | 8 ++++++-
|
||||
ssl/t1_enc.c | 11 ++++++++--
|
||||
.../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++
|
||||
test/sslapitest.c | 2 +-
|
||||
11 files changed, 76 insertions(+), 5 deletions(-)
|
||||
|
||||
/* Self test callback parameters */
|
||||
#define OSSL_PROV_PARAM_SELF_TEST_PHASE "st-phase" /* utf8_string */
|
||||
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
|
||||
index ae6ca43282..b83c04a308 100644
|
||||
--- a/doc/man3/SSL_CONF_cmd.pod
|
||||
+++ b/doc/man3/SSL_CONF_cmd.pod
|
||||
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
|
||||
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
|
||||
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
|
||||
|
||||
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
|
||||
+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
|
||||
+
|
||||
B<CANames>: use CA names extension, enabled by
|
||||
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
|
||||
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
|
||||
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
|
||||
index 1c15e32a5c..f2cedaf88d 100644
|
||||
--- a/doc/man5/fips_config.pod
|
||||
+++ b/doc/man5/fips_config.pod
|
||||
@@ -15,6 +15,19 @@ for more information.
|
||||
|
||||
This functionality was added in OpenSSL 3.0.
|
||||
|
||||
+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
|
||||
+OpenSSL configuration directory and managed by crypto policies. If present, it
|
||||
+should have format
|
||||
+
|
||||
+ [fips_sect]
|
||||
+ tls1-prf-ems-check = 0
|
||||
+ activate = 1
|
||||
+
|
||||
+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
|
||||
+presence of extended master secret or not.
|
||||
+
|
||||
+The B<activate> option enforces FIPS provider activation.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
|
||||
index 0fdf5440c7cb..3f29369b3f92 100644
|
||||
index 5c77f6d691..8cdd5a6bf7 100644
|
||||
--- a/include/openssl/fips_names.h
|
||||
+++ b/include/openssl/fips_names.h
|
||||
@@ -53,6 +53,14 @@ extern "C" {
|
||||
@@ -70,6 +70,14 @@ extern "C" {
|
||||
*/
|
||||
# define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks"
|
||||
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
|
||||
|
||||
+/*
|
||||
+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
|
||||
@ -51,228 +79,46 @@ index 0fdf5440c7cb..3f29369b3f92 100644
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
# endif
|
||||
diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h
|
||||
index 3685430f5d3e..bf4dc135f592 100644
|
||||
--- a/include/openssl/proverr.h
|
||||
+++ b/include/openssl/proverr.h
|
||||
@@ -32,6 +32,7 @@
|
||||
# define PROV_R_CIPHER_OPERATION_FAILED 102
|
||||
# define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205
|
||||
# define PROV_R_DIGEST_NOT_ALLOWED 174
|
||||
+# define PROV_R_EMS_NOT_ENABLED 233
|
||||
# define PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK 186
|
||||
# define PROV_R_ERROR_INSTANTIATING_DRBG 188
|
||||
# define PROV_R_ERROR_RETRIEVING_ENTROPY 189
|
||||
diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h
|
||||
index 4a7f85f71186..62e60cc0103f 100644
|
||||
--- a/providers/common/include/prov/securitycheck.h
|
||||
+++ b/providers/common/include/prov/securitycheck.h
|
||||
@@ -28,3 +28,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md);
|
||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
int sha1_allowed);
|
||||
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx);
|
||||
+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx);
|
||||
diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c
|
||||
index f6144072aa04..954aabe80cfc 100644
|
||||
--- a/providers/common/provider_err.c
|
||||
+++ b/providers/common/provider_err.c
|
||||
@@ -33,6 +33,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
|
||||
"derivation function init failed"},
|
||||
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED),
|
||||
"digest not allowed"},
|
||||
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_EMS_NOT_ENABLED), "ems not enabled"},
|
||||
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK),
|
||||
"entropy source strength too weak"},
|
||||
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG),
|
||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||
index de7f0d3a0a57..63c875ecd0b7 100644
|
||||
--- a/providers/common/securitycheck_default.c
|
||||
+++ b/providers/common/securitycheck_default.c
|
||||
@@ -22,6 +22,12 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* Disable the ems check in the default provider */
|
||||
+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
int sha1_allowed)
|
||||
{
|
||||
diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c
|
||||
index b7659bd395c3..2bc8a5992685 100644
|
||||
--- a/providers/common/securitycheck_fips.c
|
||||
+++ b/providers/common/securitycheck_fips.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include "prov/securitycheck.h"
|
||||
|
||||
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
||||
+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx);
|
||||
|
||||
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
@@ -30,6 +31,11 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
}
|
||||
|
||||
+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
|
||||
+{
|
||||
+ return FIPS_tls_prf_ems_check(libctx);
|
||||
+}
|
||||
+
|
||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
int sha1_allowed)
|
||||
{
|
||||
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
||||
index 0b6de603e2..26a69ca282 100644
|
||||
--- a/include/openssl/ssl.h.in
|
||||
+++ b/include/openssl/ssl.h.in
|
||||
@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
|
||||
* interoperability with CryptoPro CSP 3.x
|
||||
*/
|
||||
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
|
||||
+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
|
||||
/*
|
||||
* Disable RFC8879 certificate compression
|
||||
* SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
|
||||
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
||||
index b86b27d236f3..b881f46f36ad 100644
|
||||
index 5ff9872bd8..eb9653a9df 100644
|
||||
--- a/providers/fips/fipsprov.c
|
||||
+++ b/providers/fips/fipsprov.c
|
||||
@@ -47,6 +47,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query;
|
||||
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
|
||||
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
||||
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
||||
+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx);
|
||||
|
||||
/*
|
||||
* Should these function pointers be stored in the provider side provctx? Could
|
||||
@@ -82,7 +83,9 @@ typedef struct fips_global_st {
|
||||
const OSSL_CORE_HANDLE *handle;
|
||||
SELF_TEST_POST_PARAMS selftest_params;
|
||||
int fips_security_checks;
|
||||
+ int fips_tls1_prf_ems_check;
|
||||
const char *fips_security_check_option;
|
||||
+ const char *fips_tls1_prf_ems_check_option;
|
||||
} FIPS_GLOBAL;
|
||||
|
||||
static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||||
@@ -94,6 +97,9 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||||
fgbl->fips_security_checks = 1;
|
||||
fgbl->fips_security_check_option = "1";
|
||||
|
||||
+ fgbl->fips_tls1_prf_ems_check = 1; /* Enabled by default */
|
||||
+ fgbl->fips_tls1_prf_ems_check_option = "1";
|
||||
+
|
||||
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||||
if (fgbl == NULL)
|
||||
return NULL;
|
||||
init_fips_option(&fgbl->fips_security_checks, 1);
|
||||
- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
|
||||
+ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
|
||||
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
|
||||
return fgbl;
|
||||
}
|
||||
|
||||
@@ -109,6 +115,7 @@ static const OSSL_PARAM fips_param_types[] = {
|
||||
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
|
||||
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
|
||||
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0),
|
||||
+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
@@ -119,9 +126,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
|
||||
* NOTE: inside core_get_params() these will be loaded from config items
|
||||
* stored inside prov->parameters (except for
|
||||
* OSSL_PROV_PARAM_CORE_MODULE_FILENAME).
|
||||
- * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter.
|
||||
+ * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and
|
||||
+ * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters.
|
||||
*/
|
||||
- OSSL_PARAM core_params[8], *p = core_params;
|
||||
+ OSSL_PARAM core_params[9], *p = core_params;
|
||||
|
||||
*p++ = OSSL_PARAM_construct_utf8_ptr(
|
||||
OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
|
||||
@@ -151,6 +159,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
|
||||
OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
|
||||
(char **)&fgbl->fips_security_check_option,
|
||||
sizeof(fgbl->fips_security_check_option));
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_ptr(
|
||||
+ OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
|
||||
+ (char **)&fgbl->fips_tls1_prf_ems_check_option,
|
||||
+ sizeof(fgbl->fips_tls1_prf_ems_check_option));
|
||||
*p = OSSL_PARAM_construct_end();
|
||||
|
||||
if (!c_get_params(fgbl->handle, core_params)) {
|
||||
@@ -187,6 +199,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS);
|
||||
if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks))
|
||||
return 0;
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK);
|
||||
+ if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_tls1_prf_ems_check))
|
||||
+ return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -703,6 +718,11 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
|
||||
&& strcmp(fgbl->fips_security_check_option, "0") == 0)
|
||||
fgbl->fips_security_checks = 0;
|
||||
|
||||
+ /* Disable the ems check if it's disabled in the fips config file. */
|
||||
+ if (fgbl->fips_tls1_prf_ems_check_option != NULL
|
||||
+ && strcmp(fgbl->fips_tls1_prf_ems_check_option, "0") == 0)
|
||||
+ fgbl->fips_tls1_prf_ems_check = 0;
|
||||
+
|
||||
ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
|
||||
|
||||
if (!SELF_TEST_post(&fgbl->selftest_params, 0)) {
|
||||
@@ -898,6 +918,15 @@ int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx)
|
||||
return fgbl->fips_security_checks;
|
||||
}
|
||||
|
||||
+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx)
|
||||
+{
|
||||
+ FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx,
|
||||
+ OSSL_LIB_CTX_FIPS_PROV_INDEX,
|
||||
+ &fips_prov_ossl_ctx_method);
|
||||
+
|
||||
+ return fgbl->fips_tls1_prf_ems_check;
|
||||
+}
|
||||
+
|
||||
void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb,
|
||||
void **cbarg)
|
||||
{
|
||||
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||||
index 8a3807308408..2c2dbf31cc0b 100644
|
||||
index 25a6c79a2e..79bc7a9719 100644
|
||||
--- a/providers/implementations/kdfs/tls1_prf.c
|
||||
+++ b/providers/implementations/kdfs/tls1_prf.c
|
||||
@@ -45,6 +45,13 @@
|
||||
* A(0) = seed
|
||||
* A(i) = HMAC_<hash>(secret, A(i-1))
|
||||
*/
|
||||
+
|
||||
+/*
|
||||
+ * Low level APIs (such as DH) are deprecated for public use, but still ok for
|
||||
+ * internal use.
|
||||
+ */
|
||||
+#include "internal/deprecated.h"
|
||||
+
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
@@ -60,6 +67,7 @@
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/implementations.h"
|
||||
#include "prov/provider_util.h"
|
||||
+#include "prov/securitycheck.h"
|
||||
#include "e_os.h"
|
||||
|
||||
static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new;
|
||||
@@ -78,6 +86,8 @@ static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx,
|
||||
unsigned char *out, size_t olen);
|
||||
|
||||
#define TLS1_PRF_MAXBUF 1024
|
||||
+#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
|
||||
+#define TLS_MD_MASTER_SECRET_CONST_SIZE 13
|
||||
|
||||
/* TLS KDF kdf context structure */
|
||||
typedef struct {
|
||||
@@ -160,6 +170,7 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
const OSSL_PARAM params[])
|
||||
@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)
|
||||
static void kdf_tls1_prf_free(void *vctx)
|
||||
{
|
||||
TLS1_PRF *ctx = (TLS1_PRF *)vctx;
|
||||
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
|
||||
|
||||
if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params))
|
||||
return 0;
|
||||
@@ -181,6 +192,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
#endif /* defined(FIPS_MODULE) */
|
||||
if (ctx != NULL) {
|
||||
kdf_tls1_prf_reset(ctx);
|
||||
@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
}
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * The seed buffer is prepended with a label.
|
||||
@ -298,136 +144,49 @@ index 8a3807308408..2c2dbf31cc0b 100644
|
||||
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
|
||||
ctx->sec, ctx->seclen,
|
||||
ctx->seed, ctx->seedlen,
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index 3a8242d2d8c8..b0fbb504689e 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -99,6 +99,7 @@ static char *tmpfilename = NULL;
|
||||
static char *dhfile = NULL;
|
||||
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
|
||||
index 5146cedb96..086db98c33 100644
|
||||
--- a/ssl/ssl_conf.c
|
||||
+++ b/ssl/ssl_conf.c
|
||||
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
|
||||
SSL_FLAG_TBL("ClientRenegotiation",
|
||||
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
|
||||
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
|
||||
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
|
||||
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
|
||||
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
|
||||
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
|
||||
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
||||
index 00b1ee531e..22cdabb308 100644
|
||||
--- a/ssl/statem/extensions_srvr.c
|
||||
+++ b/ssl/statem/extensions_srvr.c
|
||||
@@ -11,6 +11,7 @@
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
static int is_fips = 0;
|
||||
+static int fips_ems_check = 0;
|
||||
#define COOKIE_STATE_FORMAT_VERSION 1
|
||||
|
||||
#define LOG_BUFFER_SIZE 2048
|
||||
static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
|
||||
@@ -796,7 +797,7 @@ static int test_no_ems(void)
|
||||
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
|
||||
unsigned int context,
|
||||
X509 *x, size_t chainidx)
|
||||
{
|
||||
SSL_CTX *cctx = NULL, *sctx = NULL;
|
||||
SSL *clientssl = NULL, *serverssl = NULL;
|
||||
- int testresult = 0;
|
||||
+ int testresult = 0, status;
|
||||
|
||||
if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
|
||||
TLS1_VERSION, TLS1_2_VERSION,
|
||||
@@ -812,19 +813,25 @@ static int test_no_ems(void)
|
||||
goto end;
|
||||
}
|
||||
|
||||
- if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
|
||||
- printf("Creating SSL connection failed\n");
|
||||
- goto end;
|
||||
- }
|
||||
-
|
||||
- if (SSL_get_extms_support(serverssl)) {
|
||||
- printf("Server reports Extended Master Secret support\n");
|
||||
- goto end;
|
||||
- }
|
||||
-
|
||||
- if (SSL_get_extms_support(clientssl)) {
|
||||
- printf("Client reports Extended Master Secret support\n");
|
||||
- goto end;
|
||||
+ status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
|
||||
+ if (fips_ems_check) {
|
||||
+ if (status == 1) {
|
||||
+ printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n");
|
||||
+ goto end;
|
||||
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
|
||||
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
|
||||
+ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||||
+ return EXT_RETURN_FAIL;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!status) {
|
||||
+ printf("Creating SSL connection failed\n");
|
||||
+ goto end;
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
+ }
|
||||
+ if (SSL_get_extms_support(serverssl)) {
|
||||
+ printf("Server reports Extended Master Secret support\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ if (SSL_get_extms_support(clientssl)) {
|
||||
+ printf("Client reports Extended Master Secret support\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
}
|
||||
testresult = 1;
|
||||
|
||||
@@ -10740,9 +10747,24 @@ int setup_tests(void)
|
||||
&& !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
|
||||
return 0;
|
||||
|
||||
- if (strcmp(modulename, "fips") == 0)
|
||||
+ if (strcmp(modulename, "fips") == 0) {
|
||||
+ OSSL_PROVIDER *prov = NULL;
|
||||
+ OSSL_PARAM params[2];
|
||||
+
|
||||
is_fips = 1;
|
||||
|
||||
+ prov = OSSL_PROVIDER_load(libctx, "fips");
|
||||
+ if (prov != NULL) {
|
||||
+ /* Query the fips provider to check if the check ems option is enabled */
|
||||
+ params[0] =
|
||||
+ OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
|
||||
+ &fips_ems_check);
|
||||
+ params[1] = OSSL_PARAM_construct_end();
|
||||
+ OSSL_PROVIDER_get_params(prov, params);
|
||||
+ OSSL_PROVIDER_unload(prov);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* We add, but don't load the test "tls-provider". We'll load it when we
|
||||
* need it.
|
||||
@@ -10816,6 +10838,12 @@ int setup_tests(void)
|
||||
if (privkey8192 == NULL)
|
||||
goto err;
|
||||
|
||||
+ if (fips_ems_check) {
|
||||
+#ifndef OPENSSL_NO_TLS1_2
|
||||
+ ADD_TEST(test_no_ems);
|
||||
+#endif
|
||||
+ return 1;
|
||||
+ }
|
||||
#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
|
||||
# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
|
||||
ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
|
||||
diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||
--- openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx 2023-04-17 13:04:21.078501747 +0200
|
||||
+++ openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt 2023-04-17 13:11:03.189059638 +0200
|
||||
@@ -13,6 +13,7 @@
|
||||
|
||||
Title = TLS12 PRF tests (from NIST test vectors)
|
||||
|
||||
+Availablein = default
|
||||
KDF = TLS1-PRF
|
||||
Ctrl.digest = digest:SHA256
|
||||
Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
|
||||
@@ -21,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3
|
||||
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
|
||||
+Availablein = fips
|
||||
+KDF = TLS1-PRF
|
||||
+Ctrl.digest = digest:SHA256
|
||||
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
|
||||
+Ctrl.label = seed:master secret
|
||||
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
|
||||
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
+Result = KDF_DERIVE_ERROR
|
||||
+
|
||||
KDF = TLS1-PRF
|
||||
Ctrl.digest = digest:SHA256
|
||||
Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c
|
||||
--- openssl-3.0.7/ssl/t1_enc.c.noems 2023-05-05 11:15:57.934415272 +0200
|
||||
+++ openssl-3.0.7/ssl/t1_enc.c 2023-05-05 11:39:03.578163778 +0200
|
||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|
||||
|| !WPACKET_put_bytes_u16(pkt, 0)) {
|
||||
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
|
||||
index 91238e6457..e8ad8ecd9e 100644
|
||||
--- a/ssl/t1_enc.c
|
||||
+++ b/ssl/t1_enc.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/core_names.h>
|
||||
@ -435,7 +194,7 @@ diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
/* seed1 through seed5 are concatenated */
|
||||
static int tls1_PRF(SSL *s,
|
||||
static int tls1_PRF(SSL_CONNECTION *s,
|
||||
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
|
||||
}
|
||||
|
||||
@ -453,87 +212,40 @@ diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c
|
||||
else
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
|
||||
EVP_KDF_CTX_free(kctx);
|
||||
diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/statem/extensions_srvr.c
|
||||
--- openssl-3.0.7/ssl/statem/extensions_srvr.c.noems 2023-05-05 17:14:04.663800271 +0200
|
||||
+++ openssl-3.0.7/ssl/statem/extensions_srvr.c 2023-05-05 17:20:33.764599507 +0200
|
||||
@@ -11,6 +11,7 @@
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
+#include <openssl/fips.h>
|
||||
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||
index 44040ff66b..deb6bf3fcb 100644
|
||||
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
|
||||
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
|
||||
#define COOKIE_STATE_FORMAT_VERSION 1
|
||||
|
||||
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s
|
||||
EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
|
||||
X509 *x, size_t chainidx)
|
||||
{
|
||||
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
|
||||
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
|
||||
+ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||||
+ return EXT_RETURN_FAIL;
|
||||
+ }
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
+ }
|
||||
|
||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|
||||
|| !WPACKET_put_bytes_u16(pkt, 0)) {
|
||||
diff -up openssl-3.0.7/include/openssl/ssl.h.in.fipsems openssl-3.0.7/include/openssl/ssl.h.in
|
||||
--- openssl-3.0.7/include/openssl/ssl.h.in.fipsems 2023-07-11 12:35:27.951610366 +0200
|
||||
+++ openssl-3.0.7/include/openssl/ssl.h.in 2023-07-11 12:36:25.234754680 +0200
|
||||
@@ -412,6 +412,7 @@ typedef int (*SSL_async_callback_fn)(SSL
|
||||
* interoperability with CryptoPro CSP 3.x
|
||||
*/
|
||||
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
|
||||
+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
|
||||
|
||||
/*
|
||||
* Option "collections."
|
||||
diff -up openssl-3.0.7/ssl/ssl_conf.c.fipsems openssl-3.0.7/ssl/ssl_conf.c
|
||||
--- openssl-3.0.7/ssl/ssl_conf.c.fipsems 2023-07-11 12:36:51.465278672 +0200
|
||||
+++ openssl-3.0.7/ssl/ssl_conf.c 2023-07-11 12:44:53.365675720 +0200
|
||||
@@ -387,6 +387,7 @@ static const ssl_conf_cmd_tbl ssl_conf_c
|
||||
SSL_FLAG_TBL("ClientRenegotiation",
|
||||
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
|
||||
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
|
||||
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
|
||||
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
|
||||
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
|
||||
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
|
||||
diff -up openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod
|
||||
--- openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems 2023-07-12 13:54:22.508235187 +0200
|
||||
+++ openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod 2023-07-12 13:56:51.089613902 +0200
|
||||
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended ma
|
||||
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
|
||||
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
|
||||
|
||||
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
|
||||
+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
|
||||
+Availablein = fips
|
||||
+KDF = TLS1-PRF
|
||||
+Ctrl.digest = digest:SHA256
|
||||
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
|
||||
+Ctrl.label = seed:master secret
|
||||
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
|
||||
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
+Result = KDF_DERIVE_ERROR
|
||||
+
|
||||
B<CANames>: use CA names extension, enabled by
|
||||
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
|
||||
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
|
||||
diff -up openssl-3.0.7/doc/man5/fips_config.pod.fipsems openssl-3.0.7/doc/man5/fips_config.pod
|
||||
--- openssl-3.0.7/doc/man5/fips_config.pod.fipsems 2023-07-12 15:39:57.732206731 +0200
|
||||
+++ openssl-3.0.7/doc/man5/fips_config.pod 2023-07-12 15:53:45.722885419 +0200
|
||||
@@ -11,6 +11,19 @@ automatically loaded when the system is
|
||||
environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
||||
for more information.
|
||||
FIPSversion = <=3.1.0
|
||||
KDF = TLS1-PRF
|
||||
Ctrl.digest = digest:SHA256
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index 169e3c7466..e67b5bb44c 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
|
||||
STACK_OF(X509) *server_chain;
|
||||
SSL_CTX *cctx = NULL, *sctx = NULL;
|
||||
SSL *clientssl = NULL, *serverssl = NULL;
|
||||
- int testresult = 0;
|
||||
+ int testresult = 0, status;
|
||||
|
||||
+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
|
||||
+OpenSSL configuration directory and managed by crypto policies. If present, it
|
||||
+should have format
|
||||
+
|
||||
+ [fips_sect]
|
||||
+ tls1-prf-ems-check = 0
|
||||
+ activate = 1
|
||||
+
|
||||
+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
|
||||
+presence of extended master secret or not.
|
||||
+
|
||||
+The B<activate> option enforces FIPS provider activation.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
TLS_client_method(), TLS1_VERSION, 0,
|
||||
--
|
||||
2.41.0
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -1,195 +0,0 @@
|
||||
diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
|
||||
index 18b53cc09e..cba107ca03 100644
|
||||
--- a/crypto/x509/pcy_local.h
|
||||
+++ b/crypto/x509/pcy_local.h
|
||||
@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
|
||||
};
|
||||
|
||||
struct X509_POLICY_TREE_st {
|
||||
+ /* The number of nodes in the tree */
|
||||
+ size_t node_count;
|
||||
+ /* The maximum number of nodes in the tree */
|
||||
+ size_t node_maximum;
|
||||
+
|
||||
/* This is the tree 'level' data */
|
||||
X509_POLICY_LEVEL *levels;
|
||||
int nlevel;
|
||||
@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
|
||||
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
X509_POLICY_DATA *data,
|
||||
X509_POLICY_NODE *parent,
|
||||
- X509_POLICY_TREE *tree);
|
||||
+ X509_POLICY_TREE *tree,
|
||||
+ int extra_data);
|
||||
void ossl_policy_node_free(X509_POLICY_NODE *node);
|
||||
int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
|
||||
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
|
||||
diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
|
||||
index 9d9a7ea179..450f95a655 100644
|
||||
--- a/crypto/x509/pcy_node.c
|
||||
+++ b/crypto/x509/pcy_node.c
|
||||
@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
|
||||
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
X509_POLICY_DATA *data,
|
||||
X509_POLICY_NODE *parent,
|
||||
- X509_POLICY_TREE *tree)
|
||||
+ X509_POLICY_TREE *tree,
|
||||
+ int extra_data)
|
||||
{
|
||||
X509_POLICY_NODE *node;
|
||||
|
||||
+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
|
||||
+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
|
||||
+ return NULL;
|
||||
+
|
||||
node = OPENSSL_zalloc(sizeof(*node));
|
||||
if (node == NULL) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
}
|
||||
node->data = data;
|
||||
node->parent = parent;
|
||||
- if (level) {
|
||||
+ if (level != NULL) {
|
||||
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
|
||||
if (level->anyPolicy)
|
||||
goto node_error;
|
||||
@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
}
|
||||
}
|
||||
|
||||
- if (tree) {
|
||||
+ if (extra_data) {
|
||||
if (tree->extra_data == NULL)
|
||||
tree->extra_data = sk_X509_POLICY_DATA_new_null();
|
||||
if (tree->extra_data == NULL){
|
||||
@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
}
|
||||
}
|
||||
|
||||
+ tree->node_count++;
|
||||
if (parent)
|
||||
parent->nchild++;
|
||||
|
||||
diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
|
||||
index fa45da5117..f953a05a41 100644
|
||||
--- a/crypto/x509/pcy_tree.c
|
||||
+++ b/crypto/x509/pcy_tree.c
|
||||
@@ -14,6 +14,17 @@
|
||||
|
||||
#include "pcy_local.h"
|
||||
|
||||
+/*
|
||||
+ * If the maximum number of nodes in the policy tree isn't defined, set it to
|
||||
+ * a generous default of 1000 nodes.
|
||||
+ *
|
||||
+ * Defining this to be zero means unlimited policy tree growth which opens the
|
||||
+ * door on CVE-2023-0464.
|
||||
+ */
|
||||
+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
|
||||
+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
|
||||
+#endif
|
||||
+
|
||||
static void expected_print(BIO *channel,
|
||||
X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
|
||||
int indent)
|
||||
@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
return X509_PCY_TREE_INTERNAL;
|
||||
}
|
||||
|
||||
+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
|
||||
+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
|
||||
+
|
||||
/*
|
||||
* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
|
||||
*
|
||||
@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
if ((data = ossl_policy_data_new(NULL,
|
||||
OBJ_nid2obj(NID_any_policy), 0)) == NULL)
|
||||
goto bad_tree;
|
||||
- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
|
||||
+ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
|
||||
ossl_policy_data_free(data);
|
||||
goto bad_tree;
|
||||
}
|
||||
@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
* Return value: 1 on success, 0 otherwise
|
||||
*/
|
||||
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
||||
- X509_POLICY_DATA *data)
|
||||
+ X509_POLICY_DATA *data,
|
||||
+ X509_POLICY_TREE *tree)
|
||||
{
|
||||
X509_POLICY_LEVEL *last = curr - 1;
|
||||
int i, matched = 0;
|
||||
@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
||||
X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
|
||||
|
||||
if (ossl_policy_node_match(last, node, data->valid_policy)) {
|
||||
- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
|
||||
+ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
|
||||
return 0;
|
||||
matched = 1;
|
||||
}
|
||||
}
|
||||
if (!matched && last->anyPolicy) {
|
||||
- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
|
||||
+ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
||||
* Return value: 1 on success, 0 otherwise.
|
||||
*/
|
||||
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
|
||||
- const X509_POLICY_CACHE *cache)
|
||||
+ const X509_POLICY_CACHE *cache,
|
||||
+ X509_POLICY_TREE *tree)
|
||||
{
|
||||
int i;
|
||||
|
||||
@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
|
||||
X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
|
||||
|
||||
/* Look for matching nodes in previous level */
|
||||
- if (!tree_link_matching_nodes(curr, data))
|
||||
+ if (!tree_link_matching_nodes(curr, data, tree))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
|
||||
/* Curr may not have anyPolicy */
|
||||
data->qualifier_set = cache->anyPolicy->qualifier_set;
|
||||
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
|
||||
- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
|
||||
+ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
|
||||
ossl_policy_data_free(data);
|
||||
return 0;
|
||||
}
|
||||
@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
|
||||
/* Finally add link to anyPolicy */
|
||||
if (last->anyPolicy &&
|
||||
ossl_policy_level_add_node(curr, cache->anyPolicy,
|
||||
- last->anyPolicy, NULL) == NULL)
|
||||
+ last->anyPolicy, tree, 0) == NULL)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
|
||||
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
|
||||
| POLICY_DATA_FLAG_EXTRA_NODE;
|
||||
node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
|
||||
- tree);
|
||||
+ tree, 1);
|
||||
}
|
||||
if (!tree->user_policies) {
|
||||
tree->user_policies = sk_X509_POLICY_NODE_new_null();
|
||||
@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
|
||||
|
||||
for (i = 1; i < tree->nlevel; i++, curr++) {
|
||||
cache = ossl_policy_cache_set(curr->cert);
|
||||
- if (!tree_link_nodes(curr, cache))
|
||||
+ if (!tree_link_nodes(curr, cache, tree))
|
||||
return X509_PCY_TREE_INTERNAL;
|
||||
|
||||
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
|
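--- /dev/null
+++ b/SOURCES/0115-skip-quic-pairwise.patch
@@ -0,0 +1,85 @@
+From ec8e4e25cc5e5c67313c5fd6af94fa248685c3d1 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Thu, 7 Mar 2024 17:37:09 +0100
+Subject: [PATCH 45/49] 0115-skip-quic-pairwise.patch
+
+Patch-name: 0115-skip-quic-pairwise.patch
+Patch-id: 115
+Patch-status: |
+    # skip quic and pairwise tests temporarily
+---
+ test/quicapitest.c | 4 +++-
+ test/recipes/01-test_symbol_presence.t | 1 +
+ test/recipes/30-test_pairwise_fail.t | 10 ++++++++--
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/test/quicapitest.c b/test/quicapitest.c
+index 41cf0fc7a8..0fb7492700 100644
+--- a/test/quicapitest.c
++++ b/test/quicapitest.c
+@@ -2139,7 +2139,9 @@ int setup_tests(void)
+     ADD_TEST(test_cipher_find);
+     ADD_TEST(test_version);
+ #if defined(DO_SSL_TRACE_TEST)
+-    ADD_TEST(test_ssl_trace);
++    if (is_fips == 0) {
++        ADD_TEST(test_ssl_trace);
++    }
+ #endif
+     ADD_TEST(test_quic_forbidden_apis_ctx);
+     ADD_TEST(test_quic_forbidden_apis);
+diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
+index c837d48fb4..6291c08c49 100644
+--- a/test/recipes/30-test_pairwise_fail.t
++++ b/test/recipes/30-test_pairwise_fail.t
+@@ -9,7 +9,7 @@
+ use strict;
+ use warnings;
+ 
+-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file);
++use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with);
+ use OpenSSL::Test::Utils;
+ 
+ BEGIN {
+@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config"
+ SKIP: {
+     skip "Skip RSA test because of no rsa in this build", 1
+         if disabled("rsa");
++    with({ exit_checker => sub {my $val = shift; return $val == 134; } },
++        sub {
+     ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                  "-pairwise", "rsa"])),
+        "fips provider rsa keygen pairwise failure test");
++    });
+ }
+ 
+ SKIP: {
+     skip "Skip EC test because of no ec in this build", 2
+         if disabled("ec");
++    with({ exit_checker => sub {my $val = shift; return $val == 134; } },
++        sub {
+     ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                  "-pairwise", "ec"])),
+        "fips provider ec keygen pairwise failure test");
++    });
+ 
+     skip "FIPS provider version is too old", 1
+         if !$fips_exit;
++    with({ exit_checker => sub {my $val = shift; return $val == 134; } },
++        sub {
+     ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                  "-pairwise", "eckat"])),
+        "fips provider ec keygen kat failure test");
++    });
+ }
+ 
+ SKIP: {
+     skip "Skip DSA tests because of no dsa in this build", 2
+-        if disabled("dsa");
++        if 1; #if disabled("dsa");
+     ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                  "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
+        "fips provider dsa keygen pairwise failure test");
+-- 
+2.44.0
+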
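Review bot: The diffstat in the patch header lists `test/recipes/01-test_symbol_presence.t | 1 +` and "3 files changed, 12 insertions(+), 3 deletions(-)", but the body carries hunks only for `test/quicapitest.c` and `test/recipes/30-test_pairwise_fail.t`, which together add 14 lines and remove 3; `git am` ignores the stat, but a stale header misleads anyone auditing which files a downstream patch touches, so it should be regenerated with `git format-patch`. In the 30-test_pairwise_fail.t hunk the same anonymous exit checker with the bare constant 134 is pasted three times; hoist it once above the SKIP blocks as `my $aborted = sub { my $val = shift; return $val == 134; };  # 128 + SIGABRT: pairwise self-test failure aborts the process` (134 appears to be the shell-style signal encoding, worth confirming against OpenSSL::Test's run()) and pass `exit_checker => $aborted`. The DSA block's `if 1; #if disabled("dsa");` now skips unconditionally while still reporting "no dsa in this build", so the skip text should state the real reason, e.g. `skip "DSA pairwise test temporarily disabled (see Patch-status)", 2`. The `if (is_fips == 0)` guard in quicapitest.c likewise carries no comment on why test_ssl_trace is excluded under FIPS; a one-line `/* ... */` above it would save the next rebase from re-deriving that.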
@ -1,179 +0,0 @@
|
||||
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
|
||||
index 9384f1da9b..a0282c3ef1 100644
|
||||
--- a/crypto/x509/x509_vfy.c
|
||||
+++ b/crypto/x509/x509_vfy.c
|
||||
@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
|
||||
goto memerr;
|
||||
/* Invalid or inconsistent extensions */
|
||||
if (ret == X509_PCY_TREE_INVALID) {
|
||||
- int i;
|
||||
+ int i, cbcalled = 0;
|
||||
|
||||
/* Locate certificates with bad extensions and notify callback. */
|
||||
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
|
||||
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
|
||||
X509 *x = sk_X509_value(ctx->chain, i);
|
||||
|
||||
+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
|
||||
+ cbcalled = 1;
|
||||
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
|
||||
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
|
||||
}
|
||||
+ if (!cbcalled) {
|
||||
+ /* Should not be able to get here */
|
||||
+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* The callback ignored the error so we return success */
|
||||
return 1;
|
||||
}
|
||||
if (ret == X509_PCY_TREE_FAILURE) {
|
||||
diff --git a/test/certs/ca-pol-cert.pem b/test/certs/ca-pol-cert.pem
|
||||
new file mode 100644
|
||||
index 0000000000..244af3292b
|
||||
--- /dev/null
|
||||
+++ b/test/certs/ca-pol-cert.pem
|
||||
@@ -0,0 +1,19 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
|
||||
+IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD
|
||||
+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
|
||||
+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
|
||||
+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
|
||||
+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
|
||||
+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
|
||||
+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
|
||||
+CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD
|
||||
+VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE
|
||||
+PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3
|
||||
+DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7
|
||||
+Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H
|
||||
+unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ
|
||||
+7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g
|
||||
+DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C
|
||||
+9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/ee-cert-policies-bad.pem b/test/certs/ee-cert-policies-bad.pem
|
||||
new file mode 100644
|
||||
index 0000000000..0fcd6372b3
|
||||
--- /dev/null
|
||||
+++ b/test/certs/ee-cert-policies-bad.pem
|
||||
@@ -0,0 +1,20 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
|
||||
+Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy
|
||||
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
|
||||
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
|
||||
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
|
||||
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
|
||||
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
|
||||
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
|
||||
+iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
|
||||
+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
|
||||
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
|
||||
+bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G
|
||||
+CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ
|
||||
+P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs
|
||||
+YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N
|
||||
+XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa
|
||||
+QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx
|
||||
+wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/ee-cert-policies.pem b/test/certs/ee-cert-policies.pem
|
||||
new file mode 100644
|
||||
index 0000000000..2f06d7433f
|
||||
--- /dev/null
|
||||
+++ b/test/certs/ee-cert-policies.pem
|
||||
@@ -0,0 +1,20 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
|
||||
+Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy
|
||||
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
|
||||
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
|
||||
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
|
||||
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
|
||||
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
|
||||
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
|
||||
+iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
|
||||
+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
|
||||
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
|
||||
+bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB
|
||||
+AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D
|
||||
+QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl
|
||||
+CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa
|
||||
+dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK
|
||||
+NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk
|
||||
+D3brBn24UISaFRZoB7jsjok=
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
|
||||
index c3f7ac14b5..a57d9f38dc 100755
|
||||
--- a/test/certs/mkcert.sh
|
||||
+++ b/test/certs/mkcert.sh
|
||||
@@ -119,11 +119,12 @@ genca() {
|
||||
local OPTIND=1
|
||||
local purpose=
|
||||
|
||||
- while getopts p: o
|
||||
+ while getopts p:c: o
|
||||
do
|
||||
case $o in
|
||||
p) purpose="$OPTARG";;
|
||||
- *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2
|
||||
+ c) certpol="$OPTARG";;
|
||||
+ *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2
|
||||
return 1;;
|
||||
esac
|
||||
done
|
||||
@@ -146,6 +147,10 @@ genca() {
|
||||
if [ -n "$NC" ]; then
|
||||
exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
|
||||
fi
|
||||
+ if [ -n "$certpol" ]; then
|
||||
+ exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol")
|
||||
+ fi
|
||||
+
|
||||
csr=$(req "$key" "CN = $cn") || return 1
|
||||
echo "$csr" |
|
||||
cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
|
||||
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
|
||||
index 2240cd9df0..76ceadc7d8 100755
|
||||
--- a/test/certs/setup.sh
|
||||
+++ b/test/certs/setup.sh
|
||||
@@ -440,3 +440,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
|
||||
|
||||
# critical id-pkix-ocsp-no-check extension
|
||||
./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00"
|
||||
+
|
||||
+# certificatePolicies extension
|
||||
+./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert
|
||||
+./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1"
|
||||
+# We can create a cert with a duplicate policy oid - but its actually invalid!
|
||||
+./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1"
|
||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
||||
index 2a4c36e86d..818c9ac50d 100644
|
||||
--- a/test/recipes/25-test_verify.t
|
||||
+++ b/test/recipes/25-test_verify.t
|
||||
@@ -29,7 +29,7 @@ sub verify {
|
||||
run(app([@args]));
|
||||
}
|
||||
|
||||
-plan tests => 163;
|
||||
+plan tests => 165;
|
||||
|
||||
# Canonical success
|
||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
||||
@@ -516,3 +516,14 @@ SKIP: {
|
||||
ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])),
|
||||
'Mixed key + cert file test');
|
||||
}
|
||||
+
|
||||
+# Certificate Policies
|
||||
+ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"],
|
||||
+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
|
||||
+ "-explicit_policy"),
|
||||
+ "Certificate policy");
|
||||
+
|
||||
+ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
|
||||
+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
|
||||
+ "-explicit_policy"),
|
||||
+ "Bad certificate policy");
|
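--- /dev/null
+++ b/SOURCES/0116-version-aliasing.patch
@@ -0,0 +1,84 @@
+From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 46/49] 0116-version-aliasing.patch
+
+Patch-name: 0116-version-aliasing.patch
+Patch-id: 116
+Patch-status: |
+    # Add version aliasing due to
+    # https://github.com/openssl/openssl/issues/23534
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/evp/digest.c | 7 ++++++-
+ crypto/evp/evp_enc.c | 7 ++++++-
+ test/recipes/01-test_symbol_presence.t | 1 +
+ util/libcrypto.num | 2 ++
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 42331703da..3a280acc0e 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -553,7 +553,12 @@ legacy:
+     return ret;
+ }
+ 
+-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in)
++EVP_MD_CTX
++#if !defined(FIPS_MODULE)
++__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
++                symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
++#endif
++*EVP_MD_CTX_dup(const EVP_MD_CTX *in)
+ {
+     EVP_MD_CTX *out = EVP_MD_CTX_new();
+ 
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index e9faf31057..5a29b8dbb7 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+ #endif /* FIPS_MODULE */
+ }
+ 
+-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
++EVP_CIPHER_CTX
++#if !defined(FIPS_MODULE)
++__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
++                symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
++#endif
++*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
+ {
+     EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
+ 
+diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
+index 222b1886ae..7e2f65cccb 100644
+--- a/test/recipes/01-test_symbol_presence.t
++++ b/test/recipes/01-test_symbol_presence.t
+@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) {
+     }
+ }
+ my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
++@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates;
+ if (@duplicates) {
+     note "Duplicates:";
+     note join('\n', @duplicates);
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index 8046454025..068e9904e2 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION:
+ OSSL_STACK_OF_X509_free 5563 3_2_0 EXIST::FUNCTION:
+ OSSL_trace_string 5564 3_2_0 EXIST::FUNCTION:
+ EVP_MD_CTX_dup 5565 3_2_0 EXIST::FUNCTION:
++EVP_MD_CTX_dup ? 3_1_0 EXIST::FUNCTION:
+ EVP_CIPHER_CTX_dup 5566 3_2_0 EXIST::FUNCTION:
++EVP_CIPHER_CTX_dup ? 3_1_0 EXIST::FUNCTION:
+ BN_signed_bin2bn 5567 3_2_0 EXIST::FUNCTION:
+ BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
+ BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
+-- 
+2.44.0
+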
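Review bot: The `__attribute__ ((symver (...)))` spliced into the EVP_MD_CTX_dup and EVP_CIPHER_CTX_dup definitions (digest.c and evp_enc.c hunks, whose bodies continue outside the hunk) is guarded only by `#if !defined(FIPS_MODULE)`, not by compiler support, so on a toolchain without the GCC `symver` attribute the build either fails or silently drops the OPENSSL_3.1.0 alias that the Patch-status says is the whole point; nesting the guard as `#ifdef __has_attribute` / `#if __has_attribute(symver)`, and adding a comment above it naming the issue from the Patch-status, would make both the dependency and the intent explicit. Splitting the return type from the declarator across preprocessor lines is also unusual enough that a reader may take `EVP_MD_CTX` on its own line for a typo; a short comment there (`/* return type; symver attribute must sit between type and declarator */`) would help. The diffstat claims `test/recipes/01-test_symbol_presence.t | 1 +` and 15 insertions, but that hunk adds two lines, so the header is stale and should be regenerated. In that hunk, the two chained greps hard-code five exempted symbol names inline; one `my %expected_dup = map { $_ => 1 } qw(...)` declared next to a comment that points at this patch, then `@duplicates = grep { !$expected_dup{$_} } @duplicates;`, keeps the allow-list in one reviewable place.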
@ -1,27 +0,0 @@
|
||||
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
||||
index 75a1677022..43c1900bca 100644
|
||||
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
||||
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
||||
@@ -98,8 +98,9 @@ B<trust>.
|
||||
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
|
||||
B<t>. Normally the current time is used.
|
||||
|
||||
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
|
||||
-by default) and adds B<policy> to the acceptable policy set.
|
||||
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
|
||||
+Contrary to preexisting documentation of this function it does not enable
|
||||
+policy checking.
|
||||
|
||||
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
|
||||
by default) and sets the acceptable policy set to B<policies>. Any existing
|
||||
@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
|
||||
The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
|
||||
and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
|
||||
|
||||
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
|
||||
+enabling policy checking however the implementation has never done this.
|
||||
+The documentation was changed to align with the implementation.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
|
318
SOURCES/0117-ignore-unknown-sigalgorithms-groups.patch
Normal file
318
SOURCES/0117-ignore-unknown-sigalgorithms-groups.patch
Normal file
@ -0,0 +1,318 @@
|
||||
From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Thu, 14 Dec 2023 17:08:56 +0100
|
||||
Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||
|
||||
Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||
Patch-id: 117
|
||||
Patch-status: |
|
||||
# https://github.com/openssl/openssl/issues/23050
|
||||
---
|
||||
CHANGES.md | 13 +++++++
|
||||
doc/man3/SSL_CTX_set1_curves.pod | 6 ++-
|
||||
doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++-
|
||||
ssl/t1_lib.c | 56 +++++++++++++++++++++-------
|
||||
test/sslapitest.c | 61 +++++++++++++++++++++++++++++++
|
||||
5 files changed, 132 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/CHANGES.md b/CHANGES.md
|
||||
index ca29762ac2..4e21d0ddf9 100644
|
||||
--- a/CHANGES.md
|
||||
+++ b/CHANGES.md
|
||||
@@ -27,6 +27,19 @@ OpenSSL 3.2
|
||||
|
||||
### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
|
||||
|
||||
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
|
||||
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
|
||||
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
|
||||
+ ignored and the configuration will still be used.
|
||||
+
|
||||
+ Similarly unknown entries that start with `?` character in a TLS
|
||||
+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
|
||||
+ and the configuration will still be used.
|
||||
+
|
||||
+ In both cases if the resulting list is empty, an error is returned.
|
||||
+
|
||||
+ *Tomáš Mráz*
|
||||
+
|
||||
* A file in PKCS12 format can contain certificates and keys and may come from
|
||||
an untrusted source. The PKCS12 specification allows certain fields to be
|
||||
NULL, but OpenSSL did not correctly check for this case. A fix has been
|
||||
diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
|
||||
index c26ef00306..f0566e148e 100644
|
||||
--- a/doc/man3/SSL_CTX_set1_curves.pod
|
||||
+++ b/doc/man3/SSL_CTX_set1_curves.pod
|
||||
@@ -58,7 +58,8 @@ string B<list>. The string is a colon separated list of group names, for example
|
||||
are B<P-256>, B<P-384>, B<P-521>, B<X25519>, B<X448>, B<brainpoolP256r1tls13>,
|
||||
B<brainpoolP384r1tls13>, B<brainpoolP512r1tls13>, B<ffdhe2048>, B<ffdhe3072>,
|
||||
B<ffdhe4096>, B<ffdhe6144> and B<ffdhe8192>. Support for other groups may be
|
||||
-added by external providers.
|
||||
+added by external providers. If a group name is preceded with the C<?>
|
||||
+character, it will be ignored if an implementation is missing.
|
||||
|
||||
SSL_set1_groups() and SSL_set1_groups_list() are similar except they set
|
||||
supported groups for the SSL structure B<ssl>.
|
||||
@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group
|
||||
functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
|
||||
was added in OpenSSL 3.0.0.
|
||||
|
||||
+Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
|
||||
+SSL_set1_groups_list() was added in OpenSSL 3.3.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||
index eb31006346..5b7de7d956 100644
|
||||
--- a/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||
+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||
@@ -33,7 +33,9 @@ signature algorithms for B<ctx> or B<ssl>. The B<str> parameter
|
||||
must be a null terminated string consisting of a colon separated list of
|
||||
elements, where each element is either a combination of a public key
|
||||
algorithm and a digest separated by B<+>, or a TLS 1.3-style named
|
||||
-SignatureScheme such as rsa_pss_pss_sha256.
|
||||
+SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded
|
||||
+with the C<?> character, it will be ignored if an implementation is missing.
|
||||
+
|
||||
|
||||
SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(),
|
||||
SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set
|
||||
@@ -106,6 +108,13 @@ using a string:
|
||||
L<ssl(7)>, L<SSL_get_shared_sigalgs(3)>,
|
||||
L<SSL_CONF_CTX_new(3)>
|
||||
|
||||
+=head1 HISTORY
|
||||
+
|
||||
+Support for ignoring unknown signature algorithms in
|
||||
+SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(),
|
||||
+SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list()
|
||||
+was added in OpenSSL 3.3.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index 056aae3863..fe680449c5 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg)
|
||||
size_t i;
|
||||
uint16_t gid = 0;
|
||||
char etmp[GROUP_NAME_BUFFER_LENGTH];
|
||||
+ int ignore_unknown = 0;
|
||||
|
||||
if (elem == NULL)
|
||||
return 0;
|
||||
+ if (elem[0] == '?') {
|
||||
+ ignore_unknown = 1;
|
||||
+ ++elem;
|
||||
+ --len;
|
||||
+ }
|
||||
if (garg->gidcnt == garg->gidmax) {
|
||||
uint16_t *tmp =
|
||||
OPENSSL_realloc(garg->gid_arr,
|
||||
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
|
||||
|
||||
gid = tls1_group_name2id(garg->ctx, etmp);
|
||||
if (gid == 0) {
|
||||
- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||
- "group '%s' cannot be set", etmp);
|
||||
- return 0;
|
||||
+ /* Unknown group - ignore, if ignore_unknown */
|
||||
+ return ignore_unknown;
|
||||
}
|
||||
for (i = 0; i < garg->gidcnt; i++)
|
||||
- if (garg->gid_arr[i] == gid)
|
||||
- return 0;
|
||||
+ if (garg->gid_arr[i] == gid) {
|
||||
+ /* Duplicate group - ignore */
|
||||
+ return 1;
|
||||
+ }
|
||||
garg->gid_arr[garg->gidcnt++] = gid;
|
||||
return 1;
|
||||
}
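Review bot: The rewritten `gid == 0` branch drops the diagnostic the removed lines raised, so a non-`?` unknown group now makes `gid_cb` return 0 without any error reason naming the offending element; `tls1_set_groups_list` only reports "No valid groups" when the whole list comes out empty, so a list like `P-256:typo` fails with an empty or generic error queue unless CONF_parse_list raises something itself. Keep the message for the non-ignored case: `if (!ignore_unknown) ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, "group '%s' cannot be set", etmp);` immediately before `return ignore_unknown;`. The same applies to the sig_cb hunks below, although there the original code already returned 0 silently. `gid_cb` begins in the previous hunk.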
|
||||
@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen,
|
||||
gcb.ctx = ctx;
|
||||
if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb))
|
||||
goto end;
|
||||
+ if (gcb.gidcnt == 0) {
|
||||
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||
+ "No valid groups in '%s'", str);
|
||||
+ goto end;
|
||||
+ }
|
||||
if (pext == NULL) {
|
||||
ret = 1;
|
||||
goto end;
|
||||
@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
const SIGALG_LOOKUP *s;
|
||||
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
|
||||
int sig_alg = NID_undef, hash_alg = NID_undef;
|
||||
+ int ignore_unknown = 0;
|
||||
+
|
||||
if (elem == NULL)
|
||||
return 0;
|
||||
+ if (elem[0] == '?') {
|
||||
+ ignore_unknown = 1;
|
||||
+ ++elem;
|
||||
+ --len;
|
||||
+ }
|
||||
if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
|
||||
return 0;
|
||||
if (len > (int)(sizeof(etmp) - 1))
|
||||
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
break;
|
||||
}
|
||||
}
|
||||
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
||||
- return 0;
|
||||
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||
+ return ignore_unknown;
|
||||
+ }
|
||||
}
|
||||
} else {
|
||||
*p = 0;
|
||||
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
return 0;
|
||||
get_sigorhash(&sig_alg, &hash_alg, etmp);
|
||||
get_sigorhash(&sig_alg, &hash_alg, p);
|
||||
- if (sig_alg == NID_undef || hash_alg == NID_undef)
|
||||
- return 0;
|
||||
+ if (sig_alg == NID_undef || hash_alg == NID_undef) {
|
||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||
+ return ignore_unknown;
|
||||
+ }
|
||||
for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
|
||||
i++, s++) {
|
||||
if (s->hash == hash_alg && s->sig == sig_alg) {
|
||||
@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
break;
|
||||
}
|
||||
}
|
||||
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
||||
- return 0;
|
||||
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||
+ return ignore_unknown;
|
||||
+ }
|
||||
}
|
||||
|
||||
- /* Reject duplicates */
|
||||
+ /* Ignore duplicates */
|
||||
for (i = 0; i < sarg->sigalgcnt - 1; i++) {
|
||||
if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
|
||||
sarg->sigalgcnt--;
|
||||
- return 0;
|
||||
+ return 1;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
||||
}
|
||||
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
||||
return 0;
|
||||
+ if (sig.sigalgcnt == 0) {
|
||||
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||
+ "No valid signature algorithms in '%s'", str);
|
||||
+ return 0;
|
||||
+ }
|
||||
if (c == NULL)
|
||||
return 1;
|
||||
return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index 1c14f93ed1..184a0f1055 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -39,6 +39,7 @@
|
||||
#include "testutil.h"
|
||||
#include "testutil/output.h"
|
||||
#include "internal/nelem.h"
|
||||
+#include "internal/tlsgroups.h"
|
||||
#include "internal/ktls.h"
|
||||
#include "../ssl/ssl_local.h"
|
||||
#include "../ssl/record/methods/recmethod_local.h"
|
||||
@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = {
|
||||
{validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
|
||||
# endif
|
||||
{NULL, 0, "RSA+SHA256", 1, 1},
|
||||
+ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
|
||||
# ifndef OPENSSL_NO_EC
|
||||
{NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
|
||||
{NULL, 0, "ECDSA+SHA512", 1, 0},
|
||||
@@ -9276,6 +9278,64 @@ static int test_servername(int tst)
|
||||
return testresult;
|
||||
}
|
||||
|
||||
+static int test_unknown_sigalgs_groups(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ SSL_CTX *ctx = NULL;
|
||||
+
|
||||
+ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
|
||||
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
|
||||
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
||||
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
|
||||
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
|
||||
+ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
||||
+ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||
+ "nonexistent"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||
+ "?nonexistent1:?nonexistent2:?nonexistent3"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||
+ "P-256:nonexistent"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
|
||||
+ "P-384:?nonexistent:?P-521"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
|
||||
+ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
|
||||
+ || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
|
||||
+ goto end;
|
||||
+#endif
|
||||
+
|
||||
+ ret = 1;
|
||||
+ end:
|
||||
+ SSL_CTX_free(ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
#if !defined(OPENSSL_NO_EC) \
|
||||
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
||||
/*
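Review bot: `test_unknown_sigalgs_groups` never exercises the sigalgs-side failure paths that the new `sig.sigalgcnt == 0` check and the unchanged non-`?` rejection are meant to cover, while the corresponding groups cases (`"nonexistent"` and an all-`?` list) are tested. Add two negative cases after the client sigalgs block, e.g. `if (!TEST_int_le(SSL_CTX_set1_sigalgs_list(ctx, "?nonexistent"), 0)) goto end;` and `if (!TEST_int_le(SSL_CTX_set1_sigalgs_list(ctx, "RSA+SHA256:nonexistent"), 0)) goto end;`, so a regression that makes an all-unknown or partially-unknown list succeed is caught. A one-line comment above the function stating that it checks the `?` prefix for both sigalgs and groups would also help readers find it.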
|
||||
@@ -11519,6 +11579,7 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
|
||||
#endif
|
||||
ADD_ALL_TESTS(test_servername, 10);
|
||||
+ ADD_TEST(test_unknown_sigalgs_groups);
|
||||
#if !defined(OPENSSL_NO_EC) \
|
||||
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
||||
ADD_ALL_TESTS(test_sigalgs_available, 6);
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,20 +0,0 @@
|
||||
--- a/crypto/aes/asm/aesv8-armx.pl
|
||||
+++ b/crypto/aes/asm/aesv8-armx.pl
|
||||
@@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/);
|
||||
.align 4
|
||||
.Lxts_dec_tail4x:
|
||||
add $inp,$inp,#16
|
||||
- vld1.32 {$dat0},[$inp],#16
|
||||
+ tst $tailcnt,#0xf
|
||||
veor $tmp1,$dat1,$tmp0
|
||||
vst1.8 {$tmp1},[$out],#16
|
||||
veor $tmp2,$dat2,$tmp2
|
||||
@@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/);
|
||||
veor $tmp4,$dat4,$tmp4
|
||||
vst1.8 {$tmp3-$tmp4},[$out],#32
|
||||
|
||||
+ b.eq .Lxts_dec_abort
|
||||
+ vld1.32 {$dat0},[$inp],#16
|
||||
b .Lxts_done
|
||||
.align 4
|
||||
.Lxts_outer_dec_tail:
|
@ -1,30 +0,0 @@
|
||||
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
|
||||
index 01cde00e98..c0e55197a0 100644
|
||||
--- a/crypto/objects/obj_dat.c
|
||||
+++ b/crypto/objects/obj_dat.c
|
||||
@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
|
||||
first = 1;
|
||||
bl = NULL;
|
||||
|
||||
+ /*
|
||||
+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
|
||||
+ *
|
||||
+ * > 3.5. OBJECT IDENTIFIER values
|
||||
+ * >
|
||||
+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
|
||||
+ * > numbers. For the SMIv2, each number in the list is referred to as a
|
||||
+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
|
||||
+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
|
||||
+ * > decimal).
|
||||
+ *
|
||||
+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
|
||||
+ * i.e. 586 bytes long.
|
||||
+ *
|
||||
+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
|
||||
+ */
|
||||
+ if (len > 586)
|
||||
+ goto err;
|
||||
+
|
||||
while (len > 0) {
|
||||
l = 0;
|
||||
use_bn = 0;
|
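--- a/SOURCES/0122-TMP-KTLS-test-skip.patch
+++ b/SOURCES/0122-TMP-KTLS-test-skip.patch
@@ -0,0 +1,16 @@
+diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c
+--- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200
++++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200
+@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co
+/* sock must be connected */
+static int ktls_chk_platform(int sock)
+{
+- if (!ktls_enable(sock))
++/* if (!ktls_enable(sock))
+return 0;
+- return 1;
++ return 1; */
++ return 0;
+}
+
+static int ping_pong_query(SSL *clientssl, SSL *serverssl)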
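Review bot: Commenting out the `ktls_enable()` probe in `ktls_chk_platform` makes every KTLS test in sslapitest.c report "not supported" on every platform, so the kernel-TLS send/receive paths compiled into this build have no test coverage and a regression there would go unnoticed. If the skip is needed because the build hosts lack KTLS, keep the probe and gate it on an explicit opt-out, e.g. `if (getenv("OPENSSL_TEST_SKIP_KTLS") != NULL) return 0;` ahead of the existing check, with a comment saying why; at minimum replace the `/* ... */` block with `#if 0`/`#endif` and a comment naming the tracking bug so this "TMP" patch is not forgotten. `ktls_chk_platform` is shown in full here; its callers are outside the hunk.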
@ -1,244 +0,0 @@
|
||||
diff --git a/crypto/context.c b/crypto/context.c
|
||||
index bdfc4d02a3f0..548665fba265 100644
|
||||
--- a/crypto/context.c
|
||||
+++ b/crypto/context.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include "internal/bio.h"
|
||||
#include "internal/provider.h"
|
||||
#include "crypto/ctype.h"
|
||||
+#include "crypto/rand.h"
|
||||
|
||||
# include <sys/types.h>
|
||||
# include <sys/stat.h>
|
||||
@@ -271,6 +272,20 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx)
|
||||
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+void ossl_release_default_drbg_ctx(void)
|
||||
+{
|
||||
+ int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX];
|
||||
+
|
||||
+ /* early release of the DRBG in global default libctx, no locking */
|
||||
+ if (dynidx != -1) {
|
||||
+ void *data;
|
||||
+
|
||||
+ data = CRYPTO_get_ex_data(&default_context_int.data, dynidx);
|
||||
+ ossl_rand_ctx_free(data);
|
||||
+ CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL);
|
||||
+ }
|
||||
+}
|
||||
#endif
|
||||
|
||||
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx)
|
||||
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
|
||||
index c453d3226133..f341d915db76 100644
|
||||
--- a/crypto/rand/rand_lib.c
|
||||
+++ b/crypto/rand/rand_lib.c
|
||||
@@ -96,6 +96,7 @@ void ossl_rand_cleanup_int(void)
|
||||
CRYPTO_THREAD_lock_free(rand_meth_lock);
|
||||
rand_meth_lock = NULL;
|
||||
# endif
|
||||
+ ossl_release_default_drbg_ctx();
|
||||
rand_inited = 0;
|
||||
}
|
||||
|
||||
@@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-static void rand_ossl_ctx_free(void *vdgbl)
|
||||
+void ossl_rand_ctx_free(void *vdgbl)
|
||||
{
|
||||
RAND_GLOBAL *dgbl = vdgbl;
|
||||
|
||||
@@ -494,7 +495,7 @@ static void rand_ossl_ctx_free(void *vdgbl)
|
||||
static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = {
|
||||
OSSL_LIB_CTX_METHOD_PRIORITY_2,
|
||||
rand_ossl_ctx_new,
|
||||
- rand_ossl_ctx_free,
|
||||
+ ossl_rand_ctx_free,
|
||||
};
|
||||
|
||||
static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx)
|
||||
diff --git a/engines/e_dasync.c b/engines/e_dasync.c
|
||||
index 5a303a9f8528..7974106ae219 100644
|
||||
--- a/engines/e_dasync.c
|
||||
+++ b/engines/e_dasync.c
|
||||
@@ -139,6 +139,14 @@ static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
const unsigned char *in, size_t inl);
|
||||
static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx);
|
||||
|
||||
+static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
|
||||
+ void *ptr);
|
||||
+static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
+ const unsigned char *iv, int enc);
|
||||
+static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
+ const unsigned char *in, size_t inl);
|
||||
+static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx);
|
||||
+
|
||||
static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
|
||||
int arg, void *ptr);
|
||||
static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
|
||||
@@ -171,6 +179,12 @@ static const EVP_CIPHER *dasync_aes_128_cbc(void)
|
||||
return _hidden_aes_128_cbc;
|
||||
}
|
||||
|
||||
+static EVP_CIPHER *_hidden_aes_256_ctr = NULL;
|
||||
+static const EVP_CIPHER *dasync_aes_256_ctr(void)
|
||||
+{
|
||||
+ return _hidden_aes_256_ctr;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up
|
||||
* once only during engine bind and can then be reused many times.
|
||||
@@ -192,8 +206,10 @@ static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void)
|
||||
static void destroy_ciphers(void)
|
||||
{
|
||||
EVP_CIPHER_meth_free(_hidden_aes_128_cbc);
|
||||
+ EVP_CIPHER_meth_free(_hidden_aes_256_ctr);
|
||||
EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1);
|
||||
_hidden_aes_128_cbc = NULL;
|
||||
+ _hidden_aes_256_ctr = NULL;
|
||||
_hidden_aes_128_cbc_hmac_sha1 = NULL;
|
||||
}
|
||||
|
||||
@@ -202,6 +218,7 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
|
||||
|
||||
static int dasync_cipher_nids[] = {
|
||||
NID_aes_128_cbc,
|
||||
+ NID_aes_256_ctr,
|
||||
NID_aes_128_cbc_hmac_sha1,
|
||||
0
|
||||
};
|
||||
@@ -284,6 +301,30 @@ static int bind_dasync(ENGINE *e)
|
||||
_hidden_aes_128_cbc = NULL;
|
||||
}
|
||||
|
||||
+ _hidden_aes_256_ctr = EVP_CIPHER_meth_new(NID_aes_256_ctr,
|
||||
+ 1 /* block size */,
|
||||
+ 32 /* key len */);
|
||||
+ if (_hidden_aes_256_ctr == NULL
|
||||
+ || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_256_ctr,16)
|
||||
+ || !EVP_CIPHER_meth_set_flags(_hidden_aes_256_ctr,
|
||||
+ EVP_CIPH_FLAG_DEFAULT_ASN1
|
||||
+ | EVP_CIPH_CTR_MODE
|
||||
+ | EVP_CIPH_FLAG_PIPELINE
|
||||
+ | EVP_CIPH_CUSTOM_COPY)
|
||||
+ || !EVP_CIPHER_meth_set_init(_hidden_aes_256_ctr,
|
||||
+ dasync_aes256_init_key)
|
||||
+ || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_256_ctr,
|
||||
+ dasync_aes256_ctr_cipher)
|
||||
+ || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_256_ctr,
|
||||
+ dasync_aes256_ctr_cleanup)
|
||||
+ || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_256_ctr,
|
||||
+ dasync_aes256_ctr_ctrl)
|
||||
+ || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_256_ctr,
|
||||
+ sizeof(struct dasync_pipeline_ctx))) {
|
||||
+ EVP_CIPHER_meth_free(_hidden_aes_256_ctr);
|
||||
+ _hidden_aes_256_ctr = NULL;
|
||||
+ }
|
||||
+
|
||||
_hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new(
|
||||
NID_aes_128_cbc_hmac_sha1,
|
||||
16 /* block size */,
|
||||
@@ -445,6 +486,9 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
|
||||
case NID_aes_128_cbc:
|
||||
*cipher = dasync_aes_128_cbc();
|
||||
break;
|
||||
+ case NID_aes_256_ctr:
|
||||
+ *cipher = dasync_aes_256_ctr();
|
||||
+ break;
|
||||
case NID_aes_128_cbc_hmac_sha1:
|
||||
*cipher = dasync_aes_128_cbc_hmac_sha1();
|
||||
break;
|
||||
@@ -779,6 +823,29 @@ static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx)
|
||||
return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc());
|
||||
}
|
||||
|
||||
+static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
|
||||
+ void *ptr)
|
||||
+{
|
||||
+ return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0, EVP_aes_256_ctr());
|
||||
+}
|
||||
+
|
||||
+static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
+ const unsigned char *iv, int enc)
|
||||
+{
|
||||
+ return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_256_ctr());
|
||||
+}
|
||||
+
|
||||
+static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
+ const unsigned char *in, size_t inl)
|
||||
+{
|
||||
+ return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_256_ctr());
|
||||
+}
|
||||
+
|
||||
+static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx)
|
||||
+{
|
||||
+ return dasync_cipher_cleanup_helper(ctx, EVP_aes_256_ctr());
|
||||
+}
|
||||
+
|
||||
|
||||
/*
|
||||
* AES128 CBC HMAC SHA1 Implementation
|
||||
diff --git a/include/crypto/rand.h b/include/crypto/rand.h
|
||||
index 6a71a339c812..165deaf95c5e 100644
|
||||
--- a/include/crypto/rand.h
|
||||
+++ b/include/crypto/rand.h
|
||||
@@ -125,4 +125,5 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
|
||||
size_t ossl_pool_acquire_entropy(RAND_POOL *pool);
|
||||
int ossl_pool_add_nonce_data(RAND_POOL *pool);
|
||||
|
||||
+void ossl_rand_ctx_free(void *vdgbl);
|
||||
#endif
|
||||
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
||||
index 1291299b6e50..934d4b089c20 100644
|
||||
--- a/include/internal/cryptlib.h
|
||||
+++ b/include/internal/cryptlib.h
|
||||
@@ -199,6 +199,8 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx,
|
||||
int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn);
|
||||
const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx);
|
||||
|
||||
+void ossl_release_default_drbg_ctx(void);
|
||||
+
|
||||
OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad);
|
||||
int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj,
|
||||
CRYPTO_EX_DATA *ad);
|
||||
diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t
|
||||
index 4da1e64cb6da..3f352db9df3a 100644
|
||||
--- a/test/recipes/05-test_rand.t
|
||||
+++ b/test/recipes/05-test_rand.t
|
||||
@@ -11,9 +11,30 @@ use warnings;
|
||||
use OpenSSL::Test;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
-plan tests => 3;
|
||||
+plan tests => 5;
|
||||
setup("test_rand");
|
||||
|
||||
ok(run(test(["rand_test"])));
|
||||
ok(run(test(["drbgtest"])));
|
||||
ok(run(test(["rand_status_test"])));
|
||||
+
|
||||
+SKIP: {
|
||||
+ skip "engine is not supported by this OpenSSL build", 2
|
||||
+ if disabled("engine") || disabled("dynamic-engine");
|
||||
+
|
||||
+ my $success;
|
||||
+ my @randdata;
|
||||
+ my $expected = '0102030405060708090a0b0c0d0e0f10';
|
||||
+
|
||||
+ @randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]),
|
||||
+ capture => 1, statusvar => \$success);
|
||||
+ chomp(@randdata);
|
||||
+ ok($success and $randdata[0] eq $expected,
|
||||
+ "rand with ossltest: Check rand output is as expected");
|
||||
+
|
||||
+ @randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]),
|
||||
+ capture => 1, statusvar => \$success);
|
||||
+ chomp(@randdata);
|
||||
+ ok($success and length($randdata[0]) == 32,
|
||||
+ "rand with dasync: Check rand output is of expected length");
|
||||
+}
|
@ -0,0 +1,62 @@
|
||||
From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 17 Jun 2024 16:48:26 +0200
|
||||
Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older
|
||||
providers
|
||||
|
||||
If there is no get_ctx_params() implemented in the key exchange
|
||||
provider implementation the fallback will not work. Instead
|
||||
check the gettable_ctx_params() to see if the fallback should be
|
||||
performed.
|
||||
|
||||
Fixes #24611
|
||||
|
||||
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
|
||||
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24661)
|
||||
|
||||
(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d)
|
||||
---
|
||||
crypto/evp/pmeth_lib.c | 11 +++++++++--
|
||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
||||
index 2caff2cd6d..d15e43be05 100644
|
||||
--- a/crypto/evp/pmeth_lib.c
|
||||
+++ b/crypto/evp/pmeth_lib.c
|
||||
@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
||||
int datalen)
|
||||
{
|
||||
OSSL_PARAM os_params[2];
|
||||
+ const OSSL_PARAM *gettables;
|
||||
unsigned char *info = NULL;
|
||||
size_t info_len = 0;
|
||||
size_t info_alloc = 0;
|
||||
@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
||||
return 1;
|
||||
}
|
||||
|
||||
+ /* Check for older provider that doesn't support getting this parameter */
|
||||
+ gettables = EVP_PKEY_CTX_gettable_params(ctx);
|
||||
+ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
|
||||
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
|
||||
+ data, datalen);
|
||||
+
|
||||
/* Get the original value length */
|
||||
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
|
||||
os_params[1] = OSSL_PARAM_construct_end();
|
||||
@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
||||
if (!EVP_PKEY_CTX_get_params(ctx, os_params))
|
||||
return 0;
|
||||
|
||||
- /* Older provider that doesn't support getting this parameter */
|
||||
+ /* This should not happen but check to be sure. */
|
||||
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
|
||||
- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
|
||||
+ return 0;
|
||||
|
||||
info_alloc = os_params[0].return_size + datalen;
|
||||
if (info_alloc == 0)
|
||||
--
|
||||
2.45.1
|
||||
|
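--- a/SOURCES/0124-Fix-SSL_select_next_proto.patch
+++ b/SOURCES/0124-Fix-SSL_select_next_proto.patch
@@ -0,0 +1,109 @@
+From 99fb785a5f85315b95288921a321a935ea29a51e Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 31 May 2024 11:14:33 +0100
+Subject: [PATCH 01/10] Fix SSL_select_next_proto
+
+Ensure that the provided client list is non-NULL and starts with a valid
+entry. When called from the ALPN callback the client list should already
+have been validated by OpenSSL so this should not cause a problem. When
+called from the NPN callback the client list is locally configured and
+will not have already been validated. Therefore SSL_select_next_proto
+should not assume that it is correctly formatted.
+
+We implement stricter checking of the client protocol list. We also do the
+same for the server list while we are about it.
+
+CVE-2024-5535
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24717)
+---
+ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
+1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 016135fe18..cf52b317cf 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+unsigned int server_len,
+const unsigned char *client, unsigned int client_len)
+{
+- unsigned int i, j;
+- const unsigned char *result;
+- int status = OPENSSL_NPN_UNSUPPORTED;
++ PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++ if (!PACKET_buf_init(&cpkt, client, client_len)
++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++ || PACKET_remaining(&csubpkt) == 0) {
++ *out = NULL;
++ *outlen = 0;
++ return OPENSSL_NPN_NO_OVERLAP;
++ }
++
++ /*
++ * Set the default opportunistic protocol. Will be overwritten if we find
++ * a match.
++ */
++ *out = (unsigned char *)PACKET_data(&csubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+
+/*
+* For each protocol in server preference order, see if we support it.
+*/
+- for (i = 0; i < server_len;) {
+- for (j = 0; j < client_len;) {
+- if (server[i] == client[j] &&
+- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+- /* We found a match */
+- result = &server[i];
+- status = OPENSSL_NPN_NEGOTIATED;
+- goto found;
++ if (PACKET_buf_init(&spkt, server, server_len)) {
++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++ if (PACKET_remaining(&ssubpkt) == 0)
++ continue; /* Invalid - ignore it */
++ if (PACKET_buf_init(&cpkt, client, client_len)) {
++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++ PACKET_remaining(&ssubpkt))) {
++ /* We found a match */
++ *out = (unsigned char *)PACKET_data(&ssubpkt);
++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++ return OPENSSL_NPN_NEGOTIATED;
++ }
++ }
++ /* Ignore spurious trailing bytes in the client list */
++ } else {
++ /* This should never happen */
++ return OPENSSL_NPN_NO_OVERLAP;
+}
+- j += client[j];
+- j++;
+}
+- i += server[i];
+- i++;
++ /* Ignore spurious trailing bytes in the server list */
+}
+
+- /* There's no overlap between our protocols and the server's list. */
+- result = client;
+- status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+- *out = (unsigned char *)result + 1;
+- *outlen = result[0];
+- return status;
++ /*
++ * There's no overlap between our protocols and the server's list. We use
++ * the default opportunistic protocol selected earlier
++ */
++ return OPENSSL_NPN_NO_OVERLAP;
+}
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+--
+2.46.0
+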
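Review bot: The malformed-client-list early return now yields OPENSSL_NPN_NO_OVERLAP with `*out = NULL` and `*outlen = 0`, which is a new outcome for this public API: the removed code always pointed `*out` at the first client protocol on NO_OVERLAP, so existing callers (notably NPN select callbacks that hand `*out` straight to a copy) may dereference NULL without a check. The new body is sound, but the contract change deserves a comment at that return, e.g. `/* Malformed or empty client list: no protocol is selected; callers must check for a NULL *out */`, and the matching man-page update should be carried into this backport if it is not already in a later patch of the 10-part series. A one-line note that the `(unsigned char *)PACKET_data(...)` casts exist only because the public signature is non-const would also help the next reader.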
@ -1,30 +0,0 @@
|
||||
diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
|
||||
index 45010b90db..b396c8651a 100644
|
||||
--- a/providers/implementations/ciphers/cipher_aes_siv.c
|
||||
+++ b/providers/implementations/ciphers/cipher_aes_siv.c
|
||||
@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
|
||||
- if (inl == 0) {
|
||||
- *outl = 0;
|
||||
- return 1;
|
||||
- }
|
||||
+ /* Ignore just empty encryption/decryption call and not AAD. */
|
||||
+ if (out != NULL) {
|
||||
+ if (inl == 0) {
|
||||
+ if (outl != NULL)
|
||||
+ *outl = 0;
|
||||
+ return 1;
|
||||
+ }
|
||||
|
||||
- if (outsize < inl) {
|
||||
- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
|
||||
- return 0;
|
||||
+ if (outsize < inl) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
|
||||
+ return 0;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
|
@ -0,0 +1,39 @@
|
||||
From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 31 May 2024 11:18:27 +0100
|
||||
Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
|
||||
processing NPN
|
||||
|
||||
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
|
||||
the selected_len is 0 we should fail. Previously this would fail with an
|
||||
internal_error alert because calling OPENSSL_malloc(selected_len) will
|
||||
return NULL when selected_len is 0. We make this error detection more
|
||||
explicit and return a handshake failure alert.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
ssl/statem/extensions_clnt.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
||||
index 381a6c9d7b..1ab3c13d57 100644
|
||||
--- a/ssl/statem/extensions_clnt.c
|
||||
+++ b/ssl/statem/extensions_clnt.c
|
||||
@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
||||
if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
|
||||
&selected, &selected_len,
|
||||
PACKET_data(pkt), PACKET_remaining(pkt),
|
||||
- sctx->ext.npn_select_cb_arg) !=
|
||||
- SSL_TLSEXT_ERR_OK) {
|
||||
+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
|
||||
+ || selected_len == 0) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
|
||||
return 0;
|
||||
}
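Review bot: The added `selected_len == 0` check still accepts a callback that returns SSL_TLSEXT_ERR_OK with `selected == NULL` and a non-zero length; presumably the statements that follow (outside the hunk) allocate `selected_len` bytes and copy from `selected`, which would dereference NULL. Validate both halves of the callback's output together: `|| selected == NULL || selected_len == 0`. The body of `tls_parse_stoc_npn` continues outside this hunk.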
|
||||
--
|
||||
2.46.0
|
||||
|
@ -1,74 +0,0 @@
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 0b391910d6..84a926998e 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
|
||||
if (nid != NID_undef)
|
||||
return 1;
|
||||
|
||||
+ /* Don't do any checks at all with an excessively large modulus */
|
||||
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (!DH_check_params(dh, ret))
|
||||
return 0;
|
||||
|
||||
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||
index b97871eca7..36420f51d8 100644
|
||||
--- a/include/openssl/dh.h
|
||||
+++ b/include/openssl/dh.h
|
||||
@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
|
||||
# include <openssl/dherr.h>
|
||||
|
||||
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
|
||||
-# define OPENSSL_DH_MAX_MODULUS_BITS 10000
|
||||
+# define OPENSSL_DH_MAX_MODULUS_BITS 10000
|
||||
+# endif
|
||||
+
|
||||
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
|
||||
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
|
||||
# endif
|
||||
|
||||
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
|
||||
diff --git a/test/dhtest.c b/test/dhtest.c
|
||||
index 7b587f3cfa..f8dd8f3aa7 100644
|
||||
--- a/test/dhtest.c
|
||||
+++ b/test/dhtest.c
|
||||
@@ -73,7 +73,7 @@ static int dh_test(void)
|
||||
goto err1;
|
||||
|
||||
/* check fails, because p is way too small */
|
||||
- if (!DH_check(dh, &i))
|
||||
+ if (!TEST_true(DH_check(dh, &i)))
|
||||
goto err2;
|
||||
i ^= DH_MODULUS_TOO_SMALL;
|
||||
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|
||||
@@ -124,6 +124,17 @@ static int dh_test(void)
|
||||
/* We'll have a stale error on the queue from the above test so clear it */
|
||||
ERR_clear_error();
|
||||
|
||||
+ /* Modulus of size: dh check max modulus bits + 1 */
|
||||
+ if (!TEST_true(BN_set_word(p, 1))
|
||||
+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
|
||||
+ goto err3;
|
||||
+
|
||||
+ /*
|
||||
+ * We expect no checks at all for an excessively large modulus
|
||||
+ */
|
||||
+ if (!TEST_false(DH_check(dh, &i)))
|
||||
+ goto err3;
|
||||
+
|
||||
/*
|
||||
* II) key generation
|
||||
*/
|
||||
@@ -138,7 +149,7 @@ static int dh_test(void)
|
||||
goto err3;
|
||||
|
||||
/* ... and check whether it is valid */
|
||||
- if (!DH_check(a, &i))
|
||||
+ if (!TEST_true(DH_check(a, &i)))
|
||||
goto err3;
|
||||
if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
|
||||
|| !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
|
@ -0,0 +1,34 @@
|
||||
From 6cc511826f09e513b4ec066d9b95acaf4f86d991 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 31 May 2024 11:22:13 +0100
|
||||
Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
|
||||
|
||||
The QUIC test server was using incorrectly formatted ALPN data. With the
|
||||
previous implementation of SSL_select_next_proto this went unnoticed. With
|
||||
the new stricter implemenation it was failing.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
ssl/quic/quic_tserver.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
|
||||
index 86187d06ff..15694e723f 100644
|
||||
--- a/ssl/quic/quic_tserver.c
|
||||
+++ b/ssl/quic/quic_tserver.c
|
||||
@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
|
||||
|
||||
if (srv->args.alpn == NULL) {
|
||||
alpn = alpndeflt;
|
||||
- alpnlen = sizeof(alpn);
|
||||
+ alpnlen = sizeof(alpndeflt);
|
||||
} else {
|
||||
alpn = srv->args.alpn;
|
||||
alpnlen = srv->args.alpnlen;
|
||||
--
|
||||
2.46.0
|
||||
|
@ -1,57 +0,0 @@
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index aef6f9b1b7..fbe2797569 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret)
|
||||
#ifdef FIPS_MODULE
|
||||
return DH_check_params(dh, ret);
|
||||
#else
|
||||
- int ok = 0, r;
|
||||
+ int ok = 0, r, q_good = 0;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *t1 = NULL, *t2 = NULL;
|
||||
int nid = DH_get_nid((DH *)dh);
|
||||
@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret)
|
||||
goto err;
|
||||
|
||||
if (dh->params.q != NULL) {
|
||||
+ if (BN_ucmp(dh->params.p, dh->params.q) > 0)
|
||||
+ q_good = 1;
|
||||
+ else
|
||||
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
|
||||
+ }
|
||||
+
|
||||
+ if (q_good) {
|
||||
if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
|
||||
*ret |= DH_NOT_SUITABLE_GENERATOR;
|
||||
else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
|
||||
diff --git a/test/dhtest.c b/test/dhtest.c
|
||||
index f8dd8f3aa7..d02b3b7c58 100644
|
||||
--- a/test/dhtest.c
|
||||
+++ b/test/dhtest.c
|
||||
@@ -124,6 +124,15 @@ static int dh_test(void)
|
||||
/* We'll have a stale error on the queue from the above test so clear it */
|
||||
ERR_clear_error();
|
||||
|
||||
+ if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one())))
|
||||
+ goto err3;
|
||||
+
|
||||
+ if (!TEST_true(DH_check(dh, &i)))
|
||||
+ goto err3;
|
||||
+ if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE)
|
||||
+ || !TEST_false(i & DH_CHECK_Q_NOT_PRIME))
|
||||
+ goto err3;
|
||||
+
|
||||
/* Modulus of size: dh check max modulus bits + 1 */
|
||||
if (!TEST_true(BN_set_word(p, 1))
|
||||
|| !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
|
||||
@@ -135,6 +144,9 @@ static int dh_test(void)
|
||||
if (!TEST_false(DH_check(dh, &i)))
|
||||
goto err3;
|
||||
|
||||
+ /* We'll have a stale error on the queue from the above test so clear it */
|
||||
+ ERR_clear_error();
|
||||
+
|
||||
/*
|
||||
* II) key generation
|
||||
*/
|
@ -0,0 +1,78 @@
|
||||
From 8e81c57adbbf703dfb63955f65599765fdacc741 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 31 May 2024 11:46:38 +0100
|
||||
Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
|
||||
|
||||
We clarify the input preconditions and the expected behaviour in the event
|
||||
of no overlap.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
|
||||
1 file changed, 18 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
||||
index 05fee2fbec..79e1a252f6 100644
|
||||
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
||||
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
||||
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
|
||||
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
|
||||
set the list of protocols available to be negotiated. The B<protos> must be in
|
||||
protocol-list format, described below. The length of B<protos> is specified in
|
||||
-B<protos_len>.
|
||||
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
|
||||
+protocols and no ALPN extension will be sent to the server.
|
||||
|
||||
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
|
||||
server to select which protocol to use for the incoming connection. When B<cb>
|
||||
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
|
||||
described below. The first item in the B<server>, B<server_len> list that
|
||||
matches an item in the B<client>, B<client_len> list is selected, and returned
|
||||
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
|
||||
-B<client>, so it should be copied immediately. If no match is found, the first
|
||||
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
|
||||
-function can also be used in the NPN callback.
|
||||
+B<client>, so it should be copied immediately. The client list must include at
|
||||
+least one valid (nonempty) protocol entry in the list.
|
||||
+
|
||||
+The SSL_select_next_proto() helper function can be useful from either the ALPN
|
||||
+callback or the NPN callback (described below). If no match is found, the first
|
||||
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
|
||||
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
|
||||
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
|
||||
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
|
||||
+SSL_select_next_proto().
|
||||
|
||||
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
|
||||
client needs to select a protocol from the server's provided list, and a
|
||||
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
|
||||
The length of the protocol name must be written into B<outlen>. The
|
||||
server's advertised protocols are provided in B<in> and B<inlen>. The
|
||||
callback can assume that B<in> is syntactically valid. The client must
|
||||
-select a protocol. It is fatal to the connection if this callback returns
|
||||
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
|
||||
-set via SSL_CTX_set_next_proto_select_cb().
|
||||
+select a protocol (although it may be an empty, zero length protocol). It is
|
||||
+fatal to the connection if this callback returns a value other than
|
||||
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
|
||||
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
|
||||
|
||||
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
|
||||
when a TLS server needs a list of supported protocols for Next Protocol
|
||||
@@ -154,7 +163,8 @@ A match was found and is returned in B<out>, B<outlen>.
|
||||
=item OPENSSL_NPN_NO_OVERLAP
|
||||
|
||||
No match was found. The first item in B<client>, B<client_len> is returned in
|
||||
-B<out>, B<outlen>.
|
||||
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
|
||||
+B<client> is invalid).
|
||||
|
||||
=back
|
||||
|
||||
--
|
||||
2.46.0
|
||||
|
172
SOURCES/0128-Add-a-test-for-SSL_select_next_proto.patch
Normal file
@ -0,0 +1,172 @@
|
||||
From add5c52a25c549cec4a730cdf96e2252f0a1862d Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 31 May 2024 16:35:16 +0100
|
||||
Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 137 insertions(+)
|
||||
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index ce163322cd..15cb9060cb 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
|
||||
return testresult;
|
||||
}
|
||||
|
||||
+static struct next_proto_st {
|
||||
+ int serverlen;
|
||||
+ unsigned char server[40];
|
||||
+ int clientlen;
|
||||
+ unsigned char client[40];
|
||||
+ int expected_ret;
|
||||
+ size_t selectedlen;
|
||||
+ unsigned char selected[40];
|
||||
+} next_proto_tests[] = {
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
|
||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
|
||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'b', 'c', 'd' },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 0, { 0 },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ -1, { 0 },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 0, { 0 },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 0, { 0 }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ -1, { 0 },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 0, { 0 }
|
||||
+ },
|
||||
+ {
|
||||
+ 3, { 3, 'a', 'b', 'c' },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 3, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 0, { 0 }
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+static int test_select_next_proto(int idx)
|
||||
+{
|
||||
+ struct next_proto_st *np = &next_proto_tests[idx];
|
||||
+ int ret = 0;
|
||||
+ unsigned char *out, *client, *server;
|
||||
+ unsigned char outlen;
|
||||
+ unsigned int clientlen, serverlen;
|
||||
+
|
||||
+ if (np->clientlen == -1) {
|
||||
+ client = NULL;
|
||||
+ clientlen = 0;
|
||||
+ } else {
|
||||
+ client = np->client;
|
||||
+ clientlen = (unsigned int)np->clientlen;
|
||||
+ }
|
||||
+ if (np->serverlen == -1) {
|
||||
+ server = NULL;
|
||||
+ serverlen = 0;
|
||||
+ } else {
|
||||
+ server = np->server;
|
||||
+ serverlen = (unsigned int)np->serverlen;
|
||||
+ }
|
||||
+
|
||||
+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
|
||||
+ client, clientlen),
|
||||
+ np->expected_ret))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (np->selectedlen == 0) {
|
||||
+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
|
||||
+ goto err;
|
||||
+ } else {
|
||||
+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ ret = 1;
|
||||
+ err:
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
|
||||
|
||||
int setup_tests(void)
|
||||
@@ -12053,6 +12189,7 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(test_handshake_retry, 16);
|
||||
ADD_TEST(test_data_retry);
|
||||
ADD_ALL_TESTS(test_multi_resume, 5);
|
||||
+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
|
||||
return 1;
|
||||
|
||||
err:
|
||||
--
|
||||
2.46.0
|
||||
|
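Review bot: The `next_proto_tests` table in the sslapitest.c hunk carries no comment on any entry, so a reader cannot tell which rows are the regression cases for the CVE-2024-5535 fix and which are ordinary overlap matches; the rows whose declared length is shorter than their length prefix, such as `3, { 3, 'a', 'b', 'c' }`, appear to be the malformed-list cases and deserve a one-line comment each, e.g. `/* server list truncated: length prefix overruns serverlen */` and `/* client list truncated: expect NULL/0, not the first entry */`. The `-1` sentinel in `serverlen`/`clientlen` is only explained by the branch in `test_select_next_proto` that maps it to a NULL pointer with length 0; a comment on the struct field, `int serverlen; /* -1 means pass NULL, 0 */`, would make the table self-describing. The `test_select_next_proto` function is complete within this hunk.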
@ -1,318 +0,0 @@
|
||||
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
|
||||
index d2ed3fd378..6a819590e6 100644
|
||||
--- a/crypto/evp/evp_enc.c
|
||||
+++ b/crypto/evp/evp_enc.c
|
||||
@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
+ /*
|
||||
+ * Fix for CVE-2023-5363
|
||||
+ * Passing in a size as part of the init call takes effect late
|
||||
+ * so, force such to occur before the initialisation.
|
||||
+ *
|
||||
+ * The FIPS provider's internal library context is used in a manner
|
||||
+ * such that this is not an issue.
|
||||
+ */
|
||||
+ if (params != NULL) {
|
||||
+ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
|
||||
+ OSSL_PARAM_END };
|
||||
+ OSSL_PARAM *q = param_lens;
|
||||
+ const OSSL_PARAM *p;
|
||||
+
|
||||
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
|
||||
+ if (p != NULL)
|
||||
+ memcpy(q++, p, sizeof(*q));
|
||||
+
|
||||
+ /*
|
||||
+ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
|
||||
+ * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
|
||||
+ */
|
||||
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
|
||||
+ if (p != NULL)
|
||||
+ memcpy(q++, p, sizeof(*q));
|
||||
+
|
||||
+ if (q != param_lens) {
|
||||
+ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
|
||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (enc) {
|
||||
if (ctx->cipher->einit == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
|
||||
index cfffa21350..2318bf6a68 100644
|
||||
--- a/test/evp_extra_test.c
|
||||
+++ b/test/evp_extra_test.c
|
||||
@@ -4851,6 +4851,253 @@ static int test_ecx_not_private_key(int tst)
|
||||
return options;
|
||||
}
|
||||
|
||||
+static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s,
|
||||
+ const unsigned char *gcm_iv, size_t gcm_ivlen,
|
||||
+ const unsigned char *gcm_pt, size_t gcm_pt_s,
|
||||
+ const unsigned char *gcm_aad, size_t gcm_aad_s,
|
||||
+ const unsigned char *gcm_ct, size_t gcm_ct_s,
|
||||
+ const unsigned char *gcm_tag, size_t gcm_tag_s)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_CIPHER_CTX *ctx;
|
||||
+ EVP_CIPHER *cipher = NULL;
|
||||
+ int outlen, tmplen;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ unsigned char outtag[16];
|
||||
+ OSSL_PARAM params[2] = {
|
||||
+ OSSL_PARAM_END, OSSL_PARAM_END
|
||||
+ };
|
||||
+
|
||||
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
|
||||
+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")))
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
|
||||
+ &gcm_ivlen);
|
||||
+
|
||||
+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
|
||||
+ || (gcm_aad != NULL
|
||||
+ && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen,
|
||||
+ gcm_aad, gcm_aad_s)))
|
||||
+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
|
||||
+ gcm_pt, gcm_pt_s))
|
||||
+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
|
||||
+ outtag, sizeof(outtag));
|
||||
+
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params))
|
||||
+ || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s)
|
||||
+ || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ EVP_CIPHER_free(cipher);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s,
|
||||
+ const unsigned char *gcm_iv, size_t gcm_ivlen,
|
||||
+ const unsigned char *gcm_pt, size_t gcm_pt_s,
|
||||
+ const unsigned char *gcm_aad, size_t gcm_aad_s,
|
||||
+ const unsigned char *gcm_ct, size_t gcm_ct_s,
|
||||
+ const unsigned char *gcm_tag, size_t gcm_tag_s)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_CIPHER_CTX *ctx;
|
||||
+ EVP_CIPHER *cipher = NULL;
|
||||
+ int outlen;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ OSSL_PARAM params[2] = {
|
||||
+ OSSL_PARAM_END, OSSL_PARAM_END
|
||||
+ };
|
||||
+
|
||||
+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
|
||||
+ &gcm_ivlen);
|
||||
+
|
||||
+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
|
||||
+ || (gcm_aad != NULL
|
||||
+ && !TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen,
|
||||
+ gcm_aad, gcm_aad_s)))
|
||||
+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
|
||||
+ gcm_ct, gcm_ct_s))
|
||||
+ || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s))
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
|
||||
+ (void*)gcm_tag, gcm_tag_s);
|
||||
+
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params))
|
||||
+ ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen)))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ EVP_CIPHER_free(cipher);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int test_aes_gcm_ivlen_change_cve_2023_5363(void)
|
||||
+{
|
||||
+ /* AES-GCM test data obtained from NIST public test vectors */
|
||||
+ static const unsigned char gcm_key[] = {
|
||||
+ 0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf,
|
||||
+ 0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84,
|
||||
+ 0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b,
|
||||
+ };
|
||||
+ static const unsigned char gcm_iv[] = {
|
||||
+ 0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8,
|
||||
+ 0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca,
|
||||
+ 0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14,
|
||||
+ 0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09,
|
||||
+ 0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8,
|
||||
+ 0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24,
|
||||
+ 0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0,
|
||||
+ 0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54,
|
||||
+ 0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc,
|
||||
+ 0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b,
|
||||
+ 0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d,
|
||||
+ };
|
||||
+ static const unsigned char gcm_pt[] = {
|
||||
+ 0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07,
|
||||
+ 0x4f, 0xe3, 0x6f, 0x81,
|
||||
+ };
|
||||
+ static const unsigned char gcm_ct[] = {
|
||||
+ 0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3,
|
||||
+ 0xe2, 0xd0, 0xec, 0xed,
|
||||
+ };
|
||||
+ static const unsigned char gcm_tag[] = {
|
||||
+ 0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63,
|
||||
+ 0xdb, 0x99, 0x6c, 0x21,
|
||||
+ };
|
||||
+
|
||||
+ return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
|
||||
+ gcm_pt, sizeof(gcm_pt), NULL, 0,
|
||||
+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag))
|
||||
+ && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
|
||||
+ gcm_pt, sizeof(gcm_pt), NULL, 0,
|
||||
+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag));
|
||||
+}
|
||||
+
|
||||
+#ifndef OPENSSL_NO_RC4
|
||||
+static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s,
|
||||
+ const unsigned char *rc4_pt, size_t rc4_pt_s,
|
||||
+ const unsigned char *rc4_ct, size_t rc4_ct_s)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_CIPHER_CTX *ctx;
|
||||
+ EVP_CIPHER *cipher = NULL;
|
||||
+ int outlen, tmplen;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ OSSL_PARAM params[2] = {
|
||||
+ OSSL_PARAM_END, OSSL_PARAM_END
|
||||
+ };
|
||||
+
|
||||
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
|
||||
+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", "")))
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
|
||||
+ &rc4_key_s);
|
||||
+
|
||||
+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
|
||||
+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
|
||||
+ rc4_pt, rc4_pt_s))
|
||||
+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ EVP_CIPHER_free(cipher);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s,
|
||||
+ const unsigned char *rc4_pt, size_t rc4_pt_s,
|
||||
+ const unsigned char *rc4_ct, size_t rc4_ct_s)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_CIPHER_CTX *ctx;
|
||||
+ EVP_CIPHER *cipher = NULL;
|
||||
+ int outlen;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ OSSL_PARAM params[2] = {
|
||||
+ OSSL_PARAM_END, OSSL_PARAM_END
|
||||
+ };
|
||||
+
|
||||
+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
|
||||
+ &rc4_key_s);
|
||||
+
|
||||
+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
|
||||
+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
|
||||
+ rc4_ct, rc4_ct_s))
|
||||
+ || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ EVP_CIPHER_free(cipher);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int test_aes_rc4_keylen_change_cve_2023_5363(void)
|
||||
+{
|
||||
+ /* RC4 test data obtained from RFC 6229 */
|
||||
+ static const struct {
|
||||
+ unsigned char key[5];
|
||||
+ unsigned char padding[11];
|
||||
+ } rc4_key = {
|
||||
+ { /* Five bytes of key material */
|
||||
+ 0x83, 0x32, 0x22, 0x77, 0x2a,
|
||||
+ },
|
||||
+ { /* Random padding to 16 bytes */
|
||||
+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91
|
||||
+ }
|
||||
+ };
|
||||
+ static const unsigned char rc4_pt[] = {
|
||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
||||
+ };
|
||||
+ static const unsigned char rc4_ct[] = {
|
||||
+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a,
|
||||
+ 0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda
|
||||
+ };
|
||||
+
|
||||
+ if (lgcyprov == NULL)
|
||||
+ return TEST_skip("Test requires legacy provider to be loaded");
|
||||
+
|
||||
+ return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key),
|
||||
+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct))
|
||||
+ && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key),
|
||||
+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct));
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
OPTION_CHOICE o;
|
||||
@@ -4994,6 +5241,12 @@ int setup_tests(void)
|
||||
|
||||
ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids));
|
||||
|
||||
+ /* Test cases for CVE-2023-5363 */
|
||||
+ ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363);
|
||||
+#ifndef OPENSSL_NO_RC4
|
||||
+ ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363);
|
||||
+#endif
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 0d873f9f647764df147d818a6e998b1c318bac31 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 16 Oct 2023 15:30:26 +0200
|
||||
Subject: [PATCH] rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check
|
||||
|
||||
The code did not yet check that the length of the RSA key is positive
|
||||
and even.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
Upstream-Status: Backport [8b268541d9aabee51699aef22963407362830ef9]
|
||||
---
|
||||
crypto/rsa/rsa_sp800_56b_check.c | 5 +++++
|
||||
test/rsa_sp800_56b_test.c | 4 ++++
|
||||
2 files changed, 9 insertions(+)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
|
||||
index fc8f19b487..e6b79e953d 100644
|
||||
--- a/crypto/rsa/rsa_sp800_56b_check.c
|
||||
+++ b/crypto/rsa/rsa_sp800_56b_check.c
|
||||
@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
|
||||
return 0;
|
||||
}
|
||||
+ /* (Step 3.c): check that the modulus length is a positive even integer */
|
||||
+ if (nbits <= 0 || (nbits & 0x1)) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
ctx = BN_CTX_new_ex(rsa->libctx);
|
||||
if (ctx == NULL)
|
||||
diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
|
||||
index 7660019f47..aa58bbbe6c 100644
|
||||
--- a/test/rsa_sp800_56b_test.c
|
||||
+++ b/test/rsa_sp800_56b_test.c
|
||||
@@ -458,6 +458,10 @@ static int test_invalid_keypair(void)
|
||||
&& TEST_true(BN_add_word(n, 1))
|
||||
&& TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
|
||||
&& TEST_true(BN_sub_word(n, 1))
|
||||
+ /* check that validation fails if len(n) is not even */
|
||||
+ && TEST_true(BN_lshift1(n, n))
|
||||
+ && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049))
|
||||
+ && TEST_true(BN_rshift1(n, n))
|
||||
/* check p */
|
||||
&& TEST_true(BN_sub_word(p, 2))
|
||||
&& TEST_true(BN_mul(n, p, q, ctx))
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,143 +0,0 @@
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 7ba2beae7f..e20eb62081 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
|
||||
*/
|
||||
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
|
||||
{
|
||||
+ /* Don't do any checks at all with an excessively large modulus */
|
||||
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
|
||||
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
|
||||
}
|
||||
|
||||
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
||||
index 4152397426..f76ac0dd14 100644
|
||||
--- a/crypto/dh/dh_err.c
|
||||
+++ b/crypto/dh/dh_err.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
|
||||
"parameter encoding error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
|
||||
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
|
||||
"unable to check generator"},
|
||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||
index d84ea99241..afc49f5cdc 100644
|
||||
--- a/crypto/dh/dh_key.c
|
||||
+++ b/crypto/dh/dh_key.c
|
||||
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ if (dh->params.q != NULL
|
||||
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
|
||||
return 0;
|
||||
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (dh->params.q != NULL
|
||||
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
|
||||
return 0;
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index e51504b7ab..36de321b74 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
|
||||
DH_R_NO_PRIVATE_VALUE:100:no private value
|
||||
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
|
||||
DH_R_PEER_KEY_ERROR:111:peer key error
|
||||
+DH_R_Q_TOO_LARGE:130:q too large
|
||||
DH_R_SHARED_INFO_ERROR:113:shared info error
|
||||
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
|
||||
DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
|
||||
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
|
||||
index bb24d131eb..519327f795 100644
|
||||
--- a/include/crypto/dherr.h
|
||||
+++ b/include/crypto/dherr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||
index 6533260f20..50e0cf54be 100644
|
||||
--- a/include/openssl/dh.h
|
||||
+++ b/include/openssl/dh.h
|
||||
@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
|
||||
# define DH_GENERATOR_3 3
|
||||
# define DH_GENERATOR_5 5
|
||||
|
||||
-/* DH_check error codes */
|
||||
+/* DH_check error codes, some of them shared with DH_check_pub_key */
|
||||
/*
|
||||
* NB: These values must align with the equivalently named macros in
|
||||
* internal/ffc.h.
|
||||
@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
|
||||
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
|
||||
# define DH_NOT_SUITABLE_GENERATOR 0x08
|
||||
# define DH_CHECK_Q_NOT_PRIME 0x10
|
||||
-# define DH_CHECK_INVALID_Q_VALUE 0x20
|
||||
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
|
||||
# define DH_CHECK_INVALID_J_VALUE 0x40
|
||||
# define DH_MODULUS_TOO_SMALL 0x80
|
||||
-# define DH_MODULUS_TOO_LARGE 0x100
|
||||
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
|
||||
|
||||
/* DH_check_pub_key error codes */
|
||||
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
|
||||
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
||||
index 5d2a762a96..074a70145f 100644
|
||||
--- a/include/openssl/dherr.h
|
||||
+++ b/include/openssl/dherr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -50,6 +50,7 @@
|
||||
# define DH_R_NO_PRIVATE_VALUE 100
|
||||
# define DH_R_PARAMETER_ENCODING_ERROR 105
|
||||
# define DH_R_PEER_KEY_ERROR 111
|
||||
+# define DH_R_Q_TOO_LARGE 130
|
||||
# define DH_R_SHARED_INFO_ERROR 113
|
||||
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
|
||||
|
@ -0,0 +1,39 @@
|
||||
From 53f5677f358c4a4f69830d944ea40e71950673b8 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 21 Jun 2024 10:41:55 +0100
|
||||
Subject: [PATCH 07/10] Correct return values for
|
||||
tls_construct_stoc_next_proto_neg
|
||||
|
||||
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
|
||||
rather than EXT_RETURN_SENT. This actually makes no difference at all to
|
||||
the current control flow since this return value is ignored in this case
|
||||
anyway. But lets make it correct anyway.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
ssl/statem/extensions_srvr.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
||||
index 800654450e..66ed7dacf2 100644
|
||||
--- a/ssl/statem/extensions_srvr.c
|
||||
+++ b/ssl/statem/extensions_srvr.c
|
||||
@@ -1501,9 +1501,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
|
||||
return EXT_RETURN_FAIL;
|
||||
}
|
||||
s->s3.npn_seen = 1;
|
||||
+ return EXT_RETURN_SENT;
|
||||
}
|
||||
|
||||
- return EXT_RETURN_SENT;
|
||||
+ return EXT_RETURN_NOT_SENT;
|
||||
}
|
||||
#endif
|
||||
|
||||
--
|
||||
2.46.0
|
||||
|
62
SOURCES/0131-Add-ALPN-validation-in-the-client.patch
Normal file
62
SOURCES/0131-Add-ALPN-validation-in-the-client.patch
Normal file
@ -0,0 +1,62 @@
|
||||
From 195e15421df113d7283aab2ccff8b8fb06df5465 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 21 Jun 2024 11:51:54 +0100
|
||||
Subject: [PATCH 08/10] Add ALPN validation in the client
|
||||
|
||||
The ALPN protocol selected by the server must be one that we originally
|
||||
advertised. We should verify that it is.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
|
||||
1 file changed, 24 insertions(+)
|
||||
|
||||
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
||||
index 1ab3c13d57..ff9c009ee5 100644
|
||||
--- a/ssl/statem/extensions_clnt.c
|
||||
+++ b/ssl/statem/extensions_clnt.c
|
||||
@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
||||
X509 *x, size_t chainidx)
|
||||
{
|
||||
size_t len;
|
||||
+ PACKET confpkt, protpkt;
|
||||
+ int valid = 0;
|
||||
|
||||
/* We must have requested it. */
|
||||
if (!s->s3.alpn_sent) {
|
||||
@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ /* It must be a protocol that we sent */
|
||||
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
|
||||
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
|
||||
+ if (PACKET_remaining(&protpkt) != len)
|
||||
+ continue;
|
||||
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
|
||||
+ /* Valid protocol found */
|
||||
+ valid = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!valid) {
|
||||
+ /* The protocol sent from the server does not match one we advertised */
|
||||
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
OPENSSL_free(s->s3.alpn_selected);
|
||||
s->s3.alpn_selected = OPENSSL_malloc(len);
|
||||
if (s->s3.alpn_selected == NULL) {
|
||||
--
|
||||
2.46.0
|
||||
|
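Review bot: The comment `/* It must be a protocol that we sent */` in the second hunk would be more useful if it also recorded the two preconditions the new loop relies on: `s->ext.alpn` is non-NULL because the `alpn_sent` guard above already returned otherwise, and `len` equals the bytes remaining in `pkt`, which appears to be established by the length checks just above the hunk (not visible here). Something like `/* It must be a protocol that we sent: s->ext.alpn holds our advertised list in wire format (1-byte length-prefixed names), and len has already been checked against PACKET_remaining(pkt) */` would let a reader verify the `memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len)` bound without scrolling up. The `continue` on a length mismatch before the `memcmp` is the right order, since it keeps the comparison from ever reading past a shorter advertised entry. tls_parse_stoc_alpn's body continues past the end of the hunk.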
@ -1,12 +0,0 @@
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index 51c2283db915d..0928a30c2d37b 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -765,6 +765,7 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen,
|
||||
tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr));
|
||||
if (tmparr == NULL)
|
||||
goto end;
|
||||
+ OPENSSL_free(*pext);
|
||||
*pext = tmparr;
|
||||
*pextlen = gcb.gidcnt;
|
||||
ret = 1;
|
@ -0,0 +1,267 @@
|
||||
From 7c95191434415d1c9b7fe9b130df13cce630b6b5 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 21 Jun 2024 10:09:41 +0100
|
||||
Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest
|
||||
|
||||
We already had some tests elsewhere - but this extends that testing with
|
||||
additional tests.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 229 insertions(+)
|
||||
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index 15cb9060cb..7a55a2b721 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
|
||||
+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
|
||||
+
|
||||
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
||||
+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
|
||||
+ unsigned int *outlen, void *arg)
|
||||
+{
|
||||
+ int *idx = (int *)arg;
|
||||
+
|
||||
+ switch (*idx) {
|
||||
+ default:
|
||||
+ case 0:
|
||||
+ *out = fooprot;
|
||||
+ *outlen = sizeof(fooprot);
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 1:
|
||||
+ *outlen = 0;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 2:
|
||||
+ return SSL_TLSEXT_ERR_NOACK;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
|
||||
+ const unsigned char *in, unsigned int inlen, void *arg)
|
||||
+{
|
||||
+ int *idx = (int *)arg;
|
||||
+
|
||||
+ switch (*idx) {
|
||||
+ case 0:
|
||||
+ case 1:
|
||||
+ *out = (unsigned char *)(fooprot + 1);
|
||||
+ *outlen = *fooprot;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 3:
|
||||
+ *out = (unsigned char *)(barprot + 1);
|
||||
+ *outlen = *barprot;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 4:
|
||||
+ *outlen = 0;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ default:
|
||||
+ case 2:
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Test the NPN callbacks
|
||||
+ * Test 0: advert = foo, select = foo
|
||||
+ * Test 1: advert = <empty>, select = foo
|
||||
+ * Test 2: no advert
|
||||
+ * Test 3: advert = foo, select = bar
|
||||
+ * Test 4: advert = foo, select = <empty> (should fail)
|
||||
+ */
|
||||
+static int test_npn(int idx)
|
||||
+{
|
||||
+ SSL_CTX *sctx = NULL, *cctx = NULL;
|
||||
+ SSL *serverssl = NULL, *clientssl = NULL;
|
||||
+ int testresult = 0;
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
+ TLS_client_method(), 0, TLS1_2_VERSION,
|
||||
+ &sctx, &cctx, cert, privkey)))
|
||||
+ goto end;
|
||||
+
|
||||
+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
|
||||
+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
|
||||
+ NULL)))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (idx == 4) {
|
||||
+ /* We don't allow empty selection of NPN, so this should fail */
|
||||
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+ } else {
|
||||
+ const unsigned char *prot;
|
||||
+ unsigned int protlen;
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+
|
||||
+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
|
||||
+ switch (idx) {
|
||||
+ case 0:
|
||||
+ case 1:
|
||||
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ case 2:
|
||||
+ if (!TEST_uint_eq(protlen, 0))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ case 3:
|
||||
+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ default:
|
||||
+ TEST_error("Should not get here");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ testresult = 1;
|
||||
+ end:
|
||||
+ SSL_free(serverssl);
|
||||
+ SSL_free(clientssl);
|
||||
+ SSL_CTX_free(sctx);
|
||||
+ SSL_CTX_free(cctx);
|
||||
+
|
||||
+ return testresult;
|
||||
+}
|
||||
+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
|
||||
+
|
||||
+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
|
||||
+ unsigned char *outlen, const unsigned char *in,
|
||||
+ unsigned int inlen, void *arg)
|
||||
+{
|
||||
+ int *idx = (int *)arg;
|
||||
+
|
||||
+ switch (*idx) {
|
||||
+ case 0:
|
||||
+ *out = (unsigned char *)(fooprot + 1);
|
||||
+ *outlen = *fooprot;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 2:
|
||||
+ *out = (unsigned char *)(barprot + 1);
|
||||
+ *outlen = *barprot;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 3:
|
||||
+ *outlen = 0;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ default:
|
||||
+ case 1:
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Test the ALPN callbacks
|
||||
+ * Test 0: client = foo, select = foo
|
||||
+ * Test 1: client = <empty>, select = none
|
||||
+ * Test 2: client = foo, select = bar (should fail)
|
||||
+ * Test 3: client = foo, select = <empty> (should fail)
|
||||
+ */
|
||||
+static int test_alpn(int idx)
|
||||
+{
|
||||
+ SSL_CTX *sctx = NULL, *cctx = NULL;
|
||||
+ SSL *serverssl = NULL, *clientssl = NULL;
|
||||
+ int testresult = 0;
|
||||
+ const unsigned char *prots = fooprot;
|
||||
+ unsigned int protslen = sizeof(fooprot);
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
+ TLS_client_method(), 0, 0,
|
||||
+ &sctx, &cctx, cert, privkey)))
|
||||
+ goto end;
|
||||
+
|
||||
+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
|
||||
+ NULL)))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (idx == 1) {
|
||||
+ prots = NULL;
|
||||
+ protslen = 0;
|
||||
+ }
|
||||
+
|
||||
+ /* SSL_set_alpn_protos returns 0 for success! */
|
||||
+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (idx == 2 || idx == 3) {
|
||||
+ /* We don't allow empty selection of NPN, so this should fail */
|
||||
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+ } else {
|
||||
+ const unsigned char *prot;
|
||||
+ unsigned int protlen;
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+
|
||||
+ SSL_get0_alpn_selected(clientssl, &prot, &protlen);
|
||||
+ switch (idx) {
|
||||
+ case 0:
|
||||
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ case 1:
|
||||
+ if (!TEST_uint_eq(protlen, 0))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ default:
|
||||
+ TEST_error("Should not get here");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ testresult = 1;
|
||||
+ end:
|
||||
+ SSL_free(serverssl);
|
||||
+ SSL_free(clientssl);
|
||||
+ SSL_CTX_free(sctx);
|
||||
+ SSL_CTX_free(cctx);
|
||||
+
|
||||
+ return testresult;
|
||||
+}
|
||||
+
|
||||
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
|
||||
|
||||
int setup_tests(void)
|
||||
@@ -12190,6 +12415,10 @@ int setup_tests(void)
|
||||
ADD_TEST(test_data_retry);
|
||||
ADD_ALL_TESTS(test_multi_resume, 5);
|
||||
ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
|
||||
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
||||
+ ADD_ALL_TESTS(test_npn, 5);
|
||||
+#endif
|
||||
+ ADD_ALL_TESTS(test_alpn, 4);
|
||||
return 1;
|
||||
|
||||
err:
|
||||
--
|
||||
2.46.0
|
||||
|
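Review bot: The comment `/* We don't allow empty selection of NPN, so this should fail */` above `if (idx == 2 || idx == 3)` in test_alpn is copied from test_npn and does not describe the ALPN cases: per the block comment, idx 2 is the server selecting `bar` which the client never advertised and idx 3 is an empty selection, so it should read `/* Selecting a protocol we did not advertise (2) or an empty one (3) must fail the handshake */`. The trailing `return 0;` in alpn_select_cb2 is unreachable because every label of the switch, including `default:`, returns; it can be dropped or, if kept to silence a compiler, commented as such. It would also help to note in the test_alpn header that case 2 appears to exercise the client-side ALPN validation added in the preceding patch, since that is the behaviour the test pins down.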
@ -1,86 +0,0 @@
|
||||
diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
|
||||
index 9f86134d923fb..2e601bb9c24be 100755
|
||||
--- a/crypto/poly1305/asm/poly1305-ppc.pl
|
||||
+++ b/crypto/poly1305/asm/poly1305-ppc.pl
|
||||
@@ -744,7 +744,7 @@
|
||||
my $LOCALS= 6*$SIZE_T;
|
||||
my $VSXFRAME = $LOCALS + 6*$SIZE_T;
|
||||
$VSXFRAME += 128; # local variables
|
||||
- $VSXFRAME += 13*16; # v20-v31 offload
|
||||
+ $VSXFRAME += 12*16; # v20-v31 offload
|
||||
|
||||
my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
|
||||
|
||||
@@ -919,12 +919,12 @@
|
||||
addi r11,r11,32
|
||||
stvx v22,r10,$sp
|
||||
addi r10,r10,32
|
||||
- stvx v23,r10,$sp
|
||||
- addi r10,r10,32
|
||||
- stvx v24,r11,$sp
|
||||
+ stvx v23,r11,$sp
|
||||
addi r11,r11,32
|
||||
- stvx v25,r10,$sp
|
||||
+ stvx v24,r10,$sp
|
||||
addi r10,r10,32
|
||||
+ stvx v25,r11,$sp
|
||||
+ addi r11,r11,32
|
||||
stvx v26,r10,$sp
|
||||
addi r10,r10,32
|
||||
stvx v27,r11,$sp
|
||||
@@ -1153,12 +1153,12 @@
|
||||
addi r11,r11,32
|
||||
stvx v22,r10,$sp
|
||||
addi r10,r10,32
|
||||
- stvx v23,r10,$sp
|
||||
- addi r10,r10,32
|
||||
- stvx v24,r11,$sp
|
||||
+ stvx v23,r11,$sp
|
||||
addi r11,r11,32
|
||||
- stvx v25,r10,$sp
|
||||
+ stvx v24,r10,$sp
|
||||
addi r10,r10,32
|
||||
+ stvx v25,r11,$sp
|
||||
+ addi r11,r11,32
|
||||
stvx v26,r10,$sp
|
||||
addi r10,r10,32
|
||||
stvx v27,r11,$sp
|
||||
@@ -1899,26 +1899,26 @@
|
||||
mtspr 256,r12 # restore vrsave
|
||||
lvx v20,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v21,r10,$sp
|
||||
- addi r10,r10,32
|
||||
- lvx v22,r11,$sp
|
||||
+ lvx v21,r11,$sp
|
||||
addi r11,r11,32
|
||||
- lvx v23,r10,$sp
|
||||
+ lvx v22,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v24,r11,$sp
|
||||
+ lvx v23,r11,$sp
|
||||
addi r11,r11,32
|
||||
- lvx v25,r10,$sp
|
||||
+ lvx v24,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v26,r11,$sp
|
||||
+ lvx v25,r11,$sp
|
||||
addi r11,r11,32
|
||||
- lvx v27,r10,$sp
|
||||
+ lvx v26,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v28,r11,$sp
|
||||
+ lvx v27,r11,$sp
|
||||
addi r11,r11,32
|
||||
- lvx v29,r10,$sp
|
||||
+ lvx v28,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v30,r11,$sp
|
||||
- lvx v31,r10,$sp
|
||||
+ lvx v29,r11,$sp
|
||||
+ addi r11,r11,32
|
||||
+ lvx v30,r10,$sp
|
||||
+ lvx v31,r11,$sp
|
||||
$POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
|
||||
$POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
|
||||
$POP r29,`$VSXFRAME-$SIZE_T*3`($sp)
|
199
SOURCES/0133-Add-a-test-for-an-empty-NextProto-message.patch
Normal file
199
SOURCES/0133-Add-a-test-for-an-empty-NextProto-message.patch
Normal file
@ -0,0 +1,199 @@
|
||||
From 301b870546d1c7b2d8f0d66e04a2596142f0399f Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 21 Jun 2024 14:29:26 +0100
|
||||
Subject: [PATCH 10/10] Add a test for an empty NextProto message
|
||||
|
||||
It is valid according to the spec for a NextProto message to have no
|
||||
protocols listed in it. The OpenSSL implementation however does not allow
|
||||
us to create such a message. In order to check that we work as expected
|
||||
when communicating with a client that does generate such messages we have
|
||||
to use a TLSProxy test.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++
|
||||
util/perl/TLSProxy/Message.pm | 9 ++++
|
||||
util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
|
||||
util/perl/TLSProxy/Proxy.pm | 1 +
|
||||
4 files changed, 137 insertions(+)
|
||||
create mode 100644 test/recipes/70-test_npn.t
|
||||
create mode 100644 util/perl/TLSProxy/NextProto.pm
|
||||
|
||||
diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
|
||||
new file mode 100644
|
||||
index 0000000000..f82e71af6a
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/70-test_npn.t
|
||||
@@ -0,0 +1,73 @@
|
||||
+#! /usr/bin/env perl
|
||||
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+#
|
||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+# this file except in compliance with the License. You can obtain a copy
|
||||
+# in the file LICENSE in the source distribution or at
|
||||
+# https://www.openssl.org/source/license.html
|
||||
+
|
||||
+use strict;
|
||||
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
|
||||
+use OpenSSL::Test::Utils;
|
||||
+
|
||||
+use TLSProxy::Proxy;
|
||||
+
|
||||
+my $test_name = "test_npn";
|
||||
+setup($test_name);
|
||||
+
|
||||
+plan skip_all => "TLSProxy isn't usable on $^O"
|
||||
+ if $^O =~ /^(VMS)$/;
|
||||
+
|
||||
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
|
||||
+ if disabled("engine") || disabled("dynamic-engine");
|
||||
+
|
||||
+plan skip_all => "$test_name needs the sock feature enabled"
|
||||
+ if disabled("sock");
|
||||
+
|
||||
+plan skip_all => "$test_name needs NPN enabled"
|
||||
+ if disabled("nextprotoneg");
|
||||
+
|
||||
+plan skip_all => "$test_name needs TLSv1.2 enabled"
|
||||
+ if disabled("tls1_2");
|
||||
+
|
||||
+my $proxy = TLSProxy::Proxy->new(
|
||||
+ undef,
|
||||
+ cmdstr(app(["openssl"]), display => 1),
|
||||
+ srctop_file("apps", "server.pem"),
|
||||
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
|
||||
+);
|
||||
+
|
||||
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
|
||||
+plan tests => 1;
|
||||
+
|
||||
+my $npnseen = 0;
|
||||
+
|
||||
+# Test 1: Check sending an empty NextProto message from the client works. This is
|
||||
+# valid as per the spec, but OpenSSL does not allow you to send it.
|
||||
+# Therefore we must be prepared to receive such a message but we cannot
|
||||
+# generate it except via TLSProxy
|
||||
+$proxy->clear();
|
||||
+$proxy->filter(\&npn_filter);
|
||||
+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
|
||||
+$proxy->serverflags("-nextprotoneg foo");
|
||||
+$proxy->start();
|
||||
+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
|
||||
+
|
||||
+sub npn_filter
|
||||
+{
|
||||
+ my $proxy = shift;
|
||||
+ my $message;
|
||||
+
|
||||
+ # The NextProto message always appears in flight 2
|
||||
+ return if $proxy->flight != 2;
|
||||
+
|
||||
+ foreach my $message (@{$proxy->message_list}) {
|
||||
+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
|
||||
+ # Our TLSproxy NextProto message support doesn't support parsing of
|
||||
+ # the message. If we repack it just creates an empty NextProto
|
||||
+ # message - which is exactly the scenario we want to test here.
|
||||
+ $message->repack();
|
||||
+ $npnseen = 1;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
|
||||
index ce22187569..fb41b2ffc8 100644
|
||||
--- a/util/perl/TLSProxy/Message.pm
|
||||
+++ b/util/perl/TLSProxy/Message.pm
|
||||
@@ -384,6 +384,15 @@ sub create_message
|
||||
[@message_frag_lens]
|
||||
);
|
||||
$message->parse();
|
||||
+ } elsif ($mt == MT_NEXT_PROTO) {
|
||||
+ $message = TLSProxy::NextProto->new(
|
||||
+ $server,
|
||||
+ $data,
|
||||
+ [@message_rec_list],
|
||||
+ $startoffset,
|
||||
+ [@message_frag_lens]
|
||||
+ );
|
||||
+ $message->parse();
|
||||
} else {
|
||||
#Unknown message type
|
||||
$message = TLSProxy::Message->new(
|
||||
diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
|
||||
new file mode 100644
|
||||
index 0000000000..0e18347546
|
||||
--- /dev/null
|
||||
+++ b/util/perl/TLSProxy/NextProto.pm
|
||||
@@ -0,0 +1,54 @@
|
||||
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+#
|
||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+# this file except in compliance with the License. You can obtain a copy
|
||||
+# in the file LICENSE in the source distribution or at
|
||||
+# https://www.openssl.org/source/license.html
|
||||
+
|
||||
+use strict;
|
||||
+
|
||||
+package TLSProxy::NextProto;
|
||||
+
|
||||
+use vars '@ISA';
|
||||
+push @ISA, 'TLSProxy::Message';
|
||||
+
|
||||
+sub new
|
||||
+{
|
||||
+ my $class = shift;
|
||||
+ my ($server,
|
||||
+ $data,
|
||||
+ $records,
|
||||
+ $startoffset,
|
||||
+ $message_frag_lens) = @_;
|
||||
+
|
||||
+ my $self = $class->SUPER::new(
|
||||
+ $server,
|
||||
+ TLSProxy::Message::MT_NEXT_PROTO,
|
||||
+ $data,
|
||||
+ $records,
|
||||
+ $startoffset,
|
||||
+ $message_frag_lens);
|
||||
+
|
||||
+ return $self;
|
||||
+}
|
||||
+
|
||||
+sub parse
|
||||
+{
|
||||
+ # We don't support parsing at the moment
|
||||
+}
|
||||
+
|
||||
+# This is supposed to reconstruct the on-the-wire message data following changes.
|
||||
+# For now though since we don't support parsing we just create an empty NextProto
|
||||
+# message - this capability is used in test_npn
|
||||
+sub set_message_contents
|
||||
+{
|
||||
+ my $self = shift;
|
||||
+ my $data;
|
||||
+
|
||||
+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x00, 0x00, 0x00);
|
||||
+ $self->data($data);
|
||||
+}
|
||||
+1;
|
||||
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
|
||||
index 3de10eccb9..b707722b6b 100644
|
||||
--- a/util/perl/TLSProxy/Proxy.pm
|
||||
+++ b/util/perl/TLSProxy/Proxy.pm
|
||||
@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
|
||||
use TLSProxy::CertificateVerify;
|
||||
use TLSProxy::ServerKeyExchange;
|
||||
use TLSProxy::NewSessionTicket;
|
||||
+use TLSProxy::NextProto;
|
||||
|
||||
my $have_IPv6;
|
||||
my $IP_factory;
|
||||
--
|
||||
2.46.0
|
||||
|
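Review bot: In npn_filter the outer `my $message;` is declared and then immediately shadowed by `foreach my $message (@{$proxy->message_list})`, so the first declaration is dead and should be removed. Both new Perl files enable `use strict;` but not `use warnings;`, which would have flagged exactly this kind of unused lexical; most recipes under test/recipes appear to carry both pragmas. The literal `pack("C32", 0x00, 0x1e, 0x00, ...)` in set_message_contents deserves a comment explaining the bytes, e.g. `# NextProtocol body: selected_protocol length 0, then padding length 0x1e (30) followed by 30 zero bytes - 32 bytes in total`, since the 0x1e is otherwise a magic number.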
@ -1,93 +0,0 @@
|
||||
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
|
||||
index fc8f19b48770b..bcbdd24fb8199 100644
|
||||
--- a/crypto/rsa/rsa_sp800_56b_check.c
|
||||
+++ b/crypto/rsa/rsa_sp800_56b_check.c
|
||||
@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
|
||||
return 0;
|
||||
|
||||
nbits = BN_num_bits(rsa->n);
|
||||
+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
#ifdef FIPS_MODULE
|
||||
/*
|
||||
* (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
|
||||
@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
|
||||
goto err;
|
||||
}
|
||||
|
||||
- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
|
||||
+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
|
||||
+ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
|
||||
#ifdef FIPS_MODULE
|
||||
if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
|
||||
#else
|
||||
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
|
||||
index dc7cc64533af2..f8088df14d36c 100644
|
||||
--- a/test/recipes/91-test_pkey_check.t
|
||||
+++ b/test/recipes/91-test_pkey_check.t
|
||||
@@ -70,7 +70,7 @@ push(@positive_tests, (
|
||||
"dhpkey.pem"
|
||||
)) unless disabled("dh");
|
||||
|
||||
-my @negative_pubtests = ();
|
||||
+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
|
||||
|
||||
push(@negative_pubtests, (
|
||||
"dsapub_noparam.der"
|
||||
diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
|
||||
new file mode 100644
|
||||
index 0000000000000..9a2eaedaf1b22
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
|
||||
@@ -0,0 +1,48 @@
|
||||
+-----BEGIN PUBLIC KEY-----
|
||||
+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
|
||||
+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
|
||||
+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
|
||||
+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
|
||||
+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
|
||||
+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
|
||||
+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
|
||||
+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
|
||||
+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
|
||||
+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
|
||||
+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
|
||||
+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
|
||||
+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
|
||||
+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
|
||||
+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
|
||||
+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
|
||||
+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
|
||||
+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
|
||||
+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
|
||||
+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
|
||||
+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
|
||||
+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
|
||||
+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
|
||||
+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
|
||||
+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
|
||||
+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
|
||||
+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
|
||||
+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
|
||||
+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
|
||||
+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
|
||||
+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
|
||||
+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
|
||||
+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
|
||||
+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
|
||||
+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
|
||||
+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
|
||||
+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
|
||||
+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
|
||||
+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
|
||||
+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
|
||||
+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
|
||||
+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
|
||||
+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
|
||||
+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
|
||||
+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
|
||||
+AQAB
|
||||
+-----END PUBLIC KEY-----
|
@ -1,47 +0,0 @@
|
||||
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
|
||||
index 448a3c3043c1c..9010fa6c4638c 100644
|
||||
--- a/crypto/evp/ctrl_params_translate.c
|
||||
+++ b/crypto/evp/ctrl_params_translate.c
|
||||
@@ -1134,6 +1134,7 @@ static int fix_ec_paramgen_curve_nid(enum state state,
|
||||
const struct translation_st *translation,
|
||||
struct translation_ctx_st *ctx)
|
||||
{
|
||||
+ char *p2 = NULL;
|
||||
int ret;
|
||||
|
||||
if ((ret = default_check(state, translation, ctx)) <= 0)
|
||||
@@ -1146,13 +1147,25 @@ static int fix_ec_paramgen_curve_nid(enum state state,
|
||||
if (state == PRE_CTRL_TO_PARAMS) {
|
||||
ctx->p2 = (char *)OBJ_nid2sn(ctx->p1);
|
||||
ctx->p1 = 0;
|
||||
+ } else if (state == PRE_PARAMS_TO_CTRL) {
|
||||
+ /*
|
||||
+ * We're translating from params to ctrl and setting the curve name.
|
||||
+ * The ctrl function needs it to be a NID, but meanwhile, we need
|
||||
+ * space to get the curve name from the param. |ctx->name_buf| is
|
||||
+ * sufficient for that.
|
||||
+ * The double indirection is necessary for default_fixup_args()'s
|
||||
+ * call of OSSL_PARAM_get_utf8_string() to be done correctly.
|
||||
+ */
|
||||
+ p2 = ctx->name_buf;
|
||||
+ ctx->p2 = &p2;
|
||||
+ ctx->sz = sizeof(ctx->name_buf);
|
||||
}
|
||||
|
||||
if ((ret = default_fixup_args(state, translation, ctx)) <= 0)
|
||||
return ret;
|
||||
|
||||
if (state == PRE_PARAMS_TO_CTRL) {
|
||||
- ctx->p1 = OBJ_sn2nid(ctx->p2);
|
||||
+ ctx->p1 = OBJ_sn2nid(p2);
|
||||
ctx->p2 = NULL;
|
||||
}
|
||||
|
||||
@@ -2789,6 +2802,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
|
||||
if (translation->fixup_args != NULL)
|
||||
fixup = translation->fixup_args;
|
||||
ctx.action_type = translation->action_type;
|
||||
+ ctx.ctrl_cmd = translation->ctrl_num;
|
||||
}
|
||||
ctx.pctx = pctx;
|
||||
ctx.params = params;
|
@ -1,178 +0,0 @@
|
||||
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
|
||||
index 6fd4184af5a52..80ce31b3bca66 100644
|
||||
--- a/crypto/pkcs12/p12_add.c
|
||||
+++ b/crypto/pkcs12/p12_add.c
|
||||
@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
|
||||
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+ if (p7->d.data == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
|
||||
}
|
||||
|
||||
@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
|
||||
{
|
||||
if (!PKCS7_type_is_encrypted(p7))
|
||||
return NULL;
|
||||
+
|
||||
+ if (p7->d.encrypted == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
|
||||
ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
|
||||
pass, passlen,
|
||||
@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
|
||||
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+ if (p12->authsafes->d.data == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
p7s = ASN1_item_unpack(p12->authsafes->d.data,
|
||||
ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
|
||||
if (p7s != NULL) {
|
||||
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
|
||||
index 67a885a45f89e..68ff54d0e90ee 100644
|
||||
--- a/crypto/pkcs12/p12_mutl.c
|
||||
+++ b/crypto/pkcs12/p12_mutl.c
|
||||
@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (p12->authsafes->d.data == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
salt = p12->mac->salt->data;
|
||||
saltlen = p12->mac->salt->length;
|
||||
if (p12->mac->iter == NULL)
|
||||
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
|
||||
index 62230bc6187ff..1e5b5495991a4 100644
|
||||
--- a/crypto/pkcs12/p12_npas.c
|
||||
+++ b/crypto/pkcs12/p12_npas.c
|
||||
@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
|
||||
bags = PKCS12_unpack_p7data(p7);
|
||||
} else if (bagnid == NID_pkcs7_encrypted) {
|
||||
bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
|
||||
- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
|
||||
- &pbe_nid, &pbe_iter, &pbe_saltlen))
|
||||
+ if (p7->d.encrypted == NULL
|
||||
+ || !alg_get(p7->d.encrypted->enc_data->algorithm,
|
||||
+ &pbe_nid, &pbe_iter, &pbe_saltlen))
|
||||
goto err;
|
||||
} else {
|
||||
continue;
|
||||
diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
|
||||
index 49a0da5f819c4..8228315eeaa3a 100644
|
||||
--- a/crypto/pkcs7/pk7_mime.c
|
||||
+++ b/crypto/pkcs7/pk7_mime.c
|
||||
@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
|
||||
int ctype_nid = OBJ_obj2nid(p7->type);
|
||||
const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
|
||||
|
||||
- if (ctype_nid == NID_pkcs7_signed)
|
||||
+ if (ctype_nid == NID_pkcs7_signed) {
|
||||
+ if (p7->d.sign == NULL)
|
||||
+ return 0;
|
||||
mdalgs = p7->d.sign->md_algs;
|
||||
- else
|
||||
+ } else {
|
||||
mdalgs = NULL;
|
||||
+ }
|
||||
|
||||
flags ^= SMIME_OLDMIME;
|
||||
|
||||
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
|
||||
index 1f0cb4d501488..b2c376249646d 100644
|
||||
--- a/test/recipes/80-test_pkcs12.t
|
||||
+++ b/test/recipes/80-test_pkcs12.t
|
||||
@@ -9,7 +9,7 @@
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT srctop_file with/;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
use Encode;
|
||||
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
|
||||
}
|
||||
$ENV{OPENSSL_WIN32_UTF8}=1;
|
||||
|
||||
-plan tests => 13;
|
||||
+plan tests => 17;
|
||||
|
||||
# Test different PKCS#12 formats
|
||||
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
|
||||
@@ -148,4 +148,25 @@ ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
|
||||
# Test that the expected friendly name is present in the output
|
||||
ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
|
||||
|
||||
+# Test some bad pkcs12 files
|
||||
+my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12");
|
||||
+my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12");
|
||||
+my $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12");
|
||||
+
|
||||
+with({ exit_checker => sub { return shift == 1; } },
|
||||
+ sub {
|
||||
+ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])),
|
||||
+ "test bad pkcs12 file 1");
|
||||
+
|
||||
+ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:",
|
||||
+ "-nomacver"])),
|
||||
+ "test bad pkcs12 file 1 (nomacver)");
|
||||
+
|
||||
+ ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])),
|
||||
+ "test bad pkcs12 file 2");
|
||||
+
|
||||
+ ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])),
|
||||
+ "test bad pkcs12 file 3");
|
||||
+ });
|
||||
+
|
||||
SetConsoleOutputCP($savedcp) if (defined($savedcp));
|
||||
diff --git a/test/recipes/80-test_pkcs12_data/bad1.p12 b/test/recipes/80-test_pkcs12_data/bad1.p12
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..8f3387c7e356e4aa374729f3f3939343557b9c09
|
||||
GIT binary patch
|
||||
literal 85
|
||||
zcmV-b0IL5mQvv}4Fbf6=Duzgg_YDCD0Wd)@F)$4V31Egu0c8UO0s#d81R(r{)waiY
|
||||
rfR=Py6XX<mRyon58xHv)BAVy}k(l(hJwF5pk-=q7<yb@T0s;sC$etR(
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
||||
diff --git a/test/recipes/80-test_pkcs12_data/bad2.p12 b/test/recipes/80-test_pkcs12_data/bad2.p12
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..113cb6f1cd523e880db869f518e60142dc875115
|
||||
GIT binary patch
|
||||
literal 104
|
||||
zcmXp=V`5}BkYnT2YV&CO&dbQoxImDF-+<SE8zIDI;AmiIz{|#&(B{FI%FM#V$jZQ?
|
||||
z@Tpc|>#<$m7-wj)xrauuD`}hF=<J_T`^8$QMBK7d>Ng9=0`~S~)@=J%OiUaM0Oze6
|
||||
AD*ylh
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
||||
diff --git a/test/recipes/80-test_pkcs12_data/bad3.p12 b/test/recipes/80-test_pkcs12_data/bad3.p12
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..ef86a1d86fb0bc09471ca2596d82e7d521d973a4
|
||||
GIT binary patch
|
||||
literal 104
|
||||
zcmXp=V`5}BkYnT2YV&CO&dbQoxImDF-+<SE8%fB((ZJAvmyI)_&4V$OnT3gwm4QWp
|
||||
zJ2GXlSm>oA$5$MVJL*60=F*5iN*C_e&wD%dwCM*q{=+OBX|Z+F7XSHN#>B+I003La
|
||||
BAqM~e
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
|
||||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.7
|
||||
Release: 28%{?dist}
|
||||
Version: 3.2.2
|
||||
Release: 6%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -74,8 +74,6 @@ Patch12: 0012-Disable-explicit-ec.patch
|
||||
Patch13: 0013-skipped-tests-EC-curves.patch
|
||||
# Instructions to load legacy provider in openssl.cnf
|
||||
Patch24: 0024-load-legacy-prov.patch
|
||||
# Tmp: test name change
|
||||
Patch31: 0031-tmp-Fix-test-names.patch
|
||||
# We load FIPS provider and set FIPS properties implicitly
|
||||
Patch32: 0032-Force-fips.patch
|
||||
# Embed HMAC into the fips.so
|
||||
@ -94,8 +92,6 @@ Patch47: 0047-FIPS-early-KATS.patch
|
||||
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2049265
|
||||
Patch50: 0050-FIPS-enable-pkcs12-mac.patch
|
||||
# Backport of patch for RHEL for Edge rhbz #2027261
|
||||
Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
|
||||
# Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
|
||||
Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
|
||||
# Originally from https://github.com/openssl/openssl/pull/18103
|
||||
@ -106,21 +102,9 @@ Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
|
||||
Patch56: 0056-strcasecmp.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
||||
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2069235
|
||||
Patch60: 0060-FIPS-KAT-signature-tests.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
|
||||
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
|
||||
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2130708
|
||||
# https://github.com/openssl/openssl/pull/18883
|
||||
Patch67: 0067-ppc64le-Montgomery-multiply.patch
|
||||
# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
|
||||
# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
|
||||
Patch71: 0071-AES-GCM-performance-optimization.patch
|
||||
# https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149
|
||||
# https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa
|
||||
# hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447
|
||||
Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
||||
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
||||
@ -149,72 +133,43 @@ Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
|
||||
Patch85: 0085-FIPS-RSA-disable-shake.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
|
||||
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
|
||||
Patch89: 0089-PSS-salt-length-from-provider.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
|
||||
Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2144561
|
||||
Patch91: 0091-FIPS-RSA-encapsulate.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2142517
|
||||
Patch92: 0092-provider-improvements.patch
|
||||
# FIPS-95
|
||||
Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
|
||||
|
||||
# OpenSSL 3.0.8 CVEs
|
||||
Patch101: 0101-CVE-2022-4203-nc-match.patch
|
||||
Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch
|
||||
Patch103: 0103-CVE-2022-4450-pem-read-bio.patch
|
||||
Patch104: 0104-CVE-2023-0215-UAF-bio.patch
|
||||
Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch
|
||||
Patch106: 0106-CVE-2023-0217-dsa.patch
|
||||
Patch107: 0107-CVE-2023-0286-X400.patch
|
||||
Patch108: 0108-CVE-2023-0401-pkcs7-md.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2169314
|
||||
Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2168289
|
||||
Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2175145
|
||||
Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch
|
||||
Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2179331
|
||||
Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2157951
|
||||
Patch114: 0114-FIPS-enforce-EMS-support.patch
|
||||
# skip quic and pairwise tests temporarily
|
||||
Patch115: 0115-skip-quic-pairwise.patch
|
||||
# Add version aliasing due to
|
||||
# https://github.com/openssl/openssl/issues/23534
|
||||
Patch116: 0116-version-aliasing.patch
|
||||
# https://github.com/openssl/openssl/issues/23050
|
||||
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||
|
||||
# X.509 policies minor CVEs
|
||||
Patch115: 0115-CVE-2023-0464.patch
|
||||
Patch116: 0116-CVE-2023-0465.patch
|
||||
Patch117: 0117-CVE-2023-0466.patch
|
||||
# AES-XTS CVE
|
||||
Patch118: 0118-CVE-2023-1255.patch
|
||||
|
||||
#https://github.com/openssl/openssl/pull/13817
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=2153471
|
||||
Patch120: 0120-RSA-PKCS15-implicit-rejection.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2160797
|
||||
Patch121: 0121-FIPS-cms-defaults.patch
|
||||
Patch122: 0122-CVE-2023-2650.patch
|
||||
# https://github.com/openssl/openssl/pull/19386
|
||||
Patch123: 0123-ibmca-atexit-crash.patch
|
||||
Patch125: 0125-CVE-2023-2975.patch
|
||||
Patch126: 0126-CVE-2023-3446.patch
|
||||
Patch127: 0127-CVE-2023-3817.patch
|
||||
Patch128: 0128-CVE-2023-5363.patch
|
||||
# https://github.com/openssl/openssl/pull/22403
|
||||
Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
|
||||
Patch130: 0130-CVE-2023-5678.patch
|
||||
# https://github.com/openssl/openssl/pull/20317
|
||||
Patch131: 0131-sslgroups-memleak.patch
|
||||
# https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35
|
||||
Patch132: 0132-CVE-2023-6129.patch
|
||||
# https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a
|
||||
Patch133: 0133-CVE-2023-6237.patch
|
||||
# https://github.com/openssl/openssl/pull/20780
|
||||
Patch134: 0134-engine-based-ECDHE-kex.patch
|
||||
# https://github.com/openssl/openssl/pull/23362
|
||||
Patch135: 0135-CVE-2024-0727.patch
|
||||
# https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f
|
||||
# KTLS regression, temporary skip tests
|
||||
Patch122: 0122-TMP-KTLS-test-skip.patch
|
||||
# HKDF regression with older provider implementations
|
||||
Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
|
||||
# https://github.com/openssl/openssl/pull/24717
|
||||
Patch124: 0124-Fix-SSL_select_next_proto.patch
|
||||
Patch125: 0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch
|
||||
Patch126: 0126-Use-correctly-formatted-ALPN-data-in-tserver.patch
|
||||
Patch127: 0127-Clarify-the-SSL_select_next_proto-documentation.patch
|
||||
Patch128: 0128-Add-a-test-for-SSL_select_next_proto.patch
|
||||
Patch129: 0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
|
||||
Patch130: 0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch
|
||||
Patch131: 0131-Add-ALPN-validation-in-the-client.patch
|
||||
Patch132: 0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
|
||||
Patch133: 0133-Add-a-test-for-an-empty-NextProto-message.patch
|
||||
Patch136: 0136-CVE-2024-6119.patch
|
||||
|
||||
License: ASL 2.0
|
||||
@ -555,9 +510,41 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Tue Sep 03 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-28
|
||||
- Patch for CVE-2024-6119
|
||||
Resolves: RHEL-55340
|
||||
* Thu Sep 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-6
|
||||
- rebuilt
|
||||
Related: RHEL-55339
|
||||
|
||||
* Wed Sep 04 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-5
|
||||
- Fix CVE-2024-6119: Possible denial of service in X.509 name checks
|
||||
Resolves: RHEL-55339
|
||||
|
||||
* Wed Aug 21 2024 Clemens Lang <cllang@redhat.com> - 1:3.2.2-4
|
||||
- Fix CVE-2024-5535: SSL_select_next_proto buffer overread
|
||||
Resolves: RHEL-45657
|
||||
|
||||
* Sat Jun 22 2024 Daiki Ueno <dueno@redhat.com> - 1:3.2.2-3
|
||||
- Replace HKDF backward compatibility patch with the official one
|
||||
Related: RHEL-40823
|
||||
|
||||
* Wed Jun 12 2024 Daiki Ueno <dueno@redhat.com> - 1:3.2.2-2
|
||||
- Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
|
||||
Resolves: RHEL-40823
|
||||
|
||||
* Wed Jun 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-1
|
||||
- Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741,
|
||||
and Minerva attack.
|
||||
Resolves: RHEL-32148
|
||||
Resolves: RHEL-36792
|
||||
Resolves: RHEL-38514
|
||||
Resolves: RHEL-39111
|
||||
|
||||
* Thu May 23 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.1-2
|
||||
- Update RNG changing for FIPS purpose
|
||||
Resolves: RHEL-35380
|
||||
|
||||
* Wed Apr 03 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.1-1
|
||||
- Rebasing OpenSSL to 3.2.1
|
||||
Resolves: RHEL-26271
|
||||
|
||||
* Wed Feb 21 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-27
|
||||
- Use certified FIPS module instead of freshly built one in Red Hat distribution
|
||||
|
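Review bot: On the new side the upstream-commit reference `# https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f` now sits directly above `# KTLS regression, temporary skip tests` and `Patch122: 0122-TMP-KTLS-test-skip.patch`, while `Patch136: 0136-CVE-2024-6119.patch` at the end of the list has no reference at all. Its position in the diff, right after the removed `Patch135: 0135-CVE-2024-0727.patch` line and ahead of the added block, suggests it belonged to Patch136 in the 3.0.7 spec, so it should be moved back to the line above `Patch136:` rather than being left to read as documentation for the KTLS skip. The KTLS test-skip and the HKDF compatibility entry are the only patches in this block with no bug or PR link; a workaround that disables tests in particular needs a tracking reference so it is not forgotten once the regression is fixed, e.g. `# KTLS regression, temporary skip tests -- tracked in <RHEL ticket>` with the real ticket filled in. Note also that the `Patch122`/`Patch123` slots are now reused for unrelated patches (they held CVE-2023-2650 and the ibmca atexit fix on the old side), which is fine here but worth a one-line comment so nobody cherry-picks these lines onto the 3.0.7 branch.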