diff --git a/.gitignore b/.gitignore index 7de2940..268b07b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/openssl-3.0.1-hobbled.tar.xz +SOURCES/openssl-3.0.7-hobbled.tar.gz diff --git a/.openssl.metadata b/.openssl.metadata index f4d8930..68776d7 100644 --- a/.openssl.metadata +++ b/.openssl.metadata @@ -1 +1 @@ -1170b5119f0e591f6a2515d099abd06d0184f77c SOURCES/openssl-3.0.1-hobbled.tar.xz +54ab0e36f279f260196ac3274631bee93ab01d81 SOURCES/openssl-3.0.7-hobbled.tar.gz diff --git a/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 9917fcf..7a97dee 100644 --- a/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -272,9 +272,9 @@ index 404a706fab..e81fa9ec3e 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION: - ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: - EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: + OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: +ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: -- 2.26.2 diff --git a/SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch b/SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch index 0fac4eb..2e72999 100644 --- a/SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch +++ b/SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch 
@@ -12,24 +12,12 @@ default context. 3 files changed, 39 insertions(+) create mode 100644 include/openssl/fips.h -diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in -index 1036da9a2b..9d4896fcaf 100644 ---- a/include/openssl/crypto.h.in -+++ b/include/openssl/crypto.h.in -@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack_macros); - # include - # include - # include -+# include - - # ifdef CHARSET_EBCDIC - # include diff --git a/include/openssl/fips.h b/include/openssl/fips.h new file mode 100644 index 0000000000..c64f0f8e8f --- /dev/null +++ b/include/openssl/fips.h -@@ -0,0 +1,25 @@ +@@ -0,0 +1,26 @@ +/* + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * @@ -43,6 +31,7 @@ index 0000000000..c64f0f8e8f +# define OPENSSL_FIPS_H +# pragma once + ++# include +# include + +# ifdef __cplusplus @@ -58,10 +47,11 @@ index 0000000000..c64f0f8e8f diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c --- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200 +++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200 -@@ -488,6 +488,18 @@ static int test_property_list_to_string( +@@ -488,6 +488,19 @@ static int test_property_list_to_string( return ret; } - + ++#include +static int test_downstream_FIPS_mode(void) +{ + int ret = 0; diff --git a/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch b/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch index 01bd840..30ff325 100644 --- a/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch +++ b/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch @@ -2,8 +2,8 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1 --- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100 +++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100 
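Review bot: Dropping the `# include` from `include/openssl/crypto.h.in` means the `FIPS_mode()` compatibility macro is presumably no longer visible through crypto.h alone, which would explain why `test/property_test.c` now needs its own `#include` directly above `test_downstream_FIPS_mode`. Legacy callers and configure-time probes that look for `FIPS_mode` via crypto.h would then stop finding it, and a probe that fails quietly can compile an application's FIPS-mode checks out without any error. If the explicit include is intended, fips.h should carry a short comment saying so, for example `/* Downstream: include this header explicitly; crypto.h no longer pulls it in. */`. The header names on the include lines are not visible in this rendering, so the target of the new include in fips.h needs confirming, and the embedded "3 files changed" diffstat looks stale now that the crypto.h.in section is gone.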
@@ -12,11 +12,46 @@ - #include "internal/bio.h" #include "internal/provider.h" + #include "crypto/ctype.h" +# include +# include diff --git a/SOURCES/0011-Remove-EC-curves.patch b/SOURCES/0011-Remove-EC-curves.patch index 51c9d23..10e200c 100644 --- a/SOURCES/0011-Remove-EC-curves.patch +++ b/SOURCES/0011-Remove-EC-curves.patch @@ -5011,3 +5011,15 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov Title=prime256v1 curve tests PrivateKey=ALICE_cf_prime256v1 +diff -up openssl-3.0.7/test/recipes/15-test_ec.t.skipshort openssl-3.0.7/test/recipes/15-test_ec.t +--- openssl-3.0.7/test/recipes/15-test_ec.t.skipshort 2022-11-23 12:40:55.324395782 +0100 ++++ openssl-3.0.7/test/recipes/15-test_ec.t 2022-11-23 12:42:12.478094387 +0100 +@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key + + subtest 'Check loading of fips and non-fips keys' => sub { + plan skip_all => "FIPS is disabled" +- if $no_fips; ++ if 1; #Red Hat specific, original value is $no_fips; + + plan tests => 2; + diff --git a/SOURCES/0012-Disable-explicit-ec.patch b/SOURCES/0012-Disable-explicit-ec.patch index 9c3ef57..550cdf4 100644 --- a/SOURCES/0012-Disable-explicit-ec.patch +++ b/SOURCES/0012-Disable-explicit-ec.patch @@ -40,17 +40,17 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te static OSSL_PARAM_BLD *bld_tri_nc = NULL; 
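Review bot: The added `if 1; #Red Hat specific, original value is $no_fips;` in `test/recipes/15-test_ec.t` skips the 'Check loading of fips and non-fips keys' subtest on every build, while the skip message still reads "FIPS is disabled". A test log will therefore report a configuration reason for what is actually a downstream decision, and nobody reading it will notice that FIPS key-loading coverage is gone on FIPS-enabled builds too. I would make the reason honest, e.g. `plan skip_all => "Skipped downstream, see 0011-Remove-EC-curves.patch"`, and extend the comment with why the subtest cannot pass here so the skip can be revisited. The subtest body lies outside the hunk, so which keys it loads cannot be confirmed from this page.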
@@ -990,9 +990,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") DOMAIN_KEYS(ECExplicitPrimeNamedCurve); - IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC") + IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1) IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC") -DOMAIN_KEYS(ECExplicitPrime2G); --IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC") +-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0) -IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC") +/*DOMAIN_KEYS(ECExplicitPrime2G);*/ -+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC")*/ ++/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/ +/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/ # ifndef OPENSSL_NO_EC2M DOMAIN_KEYS(ECExplicitTriNamedCurve); - IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC") + IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1) @@ -1318,7 +1318,7 @@ int setup_tests(void) || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc) || !create_ec_explicit_prime_params(bld_prime) diff --git a/SOURCES/0013-FIPS-provider-explicit-ec.patch b/SOURCES/0013-FIPS-provider-explicit-ec.patch deleted file mode 100644 index 8cceeed..0000000 --- a/SOURCES/0013-FIPS-provider-explicit-ec.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c -index 78dc69082fab..8a86c9108d0d 100644 ---- a/providers/implementations/keymgmt/ec_kmgmt.c -+++ b/providers/implementations/keymgmt/ec_kmgmt.c -@@ -470,9 +470,6 @@ int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0 - && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0) - return 0; -- if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0 -- && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) -- return 0; - - tmpl = OSSL_PARAM_BLD_new(); - if (tmpl == NULL) -diff --git a/test/recipes/15-test_ecparam.t b/test/recipes/15-test_ecparam.t -index 766524e8cfa9..80bac6741290 100644 ---- a/test/recipes/15-test_ecparam.t -+++ b/test/recipes/15-test_ecparam.t -@@ -13,7 +13,7 @@ use warnings; - use File::Spec; - use File::Compare qw/compare_text/; - use OpenSSL::Glob; --use OpenSSL::Test qw/:DEFAULT data_file/; -+use OpenSSL::Test qw/:DEFAULT data_file srctop_file bldtop_dir/; - use OpenSSL::Test::Utils; - - setup("test_ecparam"); -@@ -25,7 +25,7 @@ my @valid = glob(data_file("valid", "*.pem")); - my @noncanon = glob(data_file("noncanon", "*.pem")); - my @invalid = glob(data_file("invalid", "*.pem")); - --plan tests => 11; -+plan tests => 12; - - sub checkload { - my $files = shift; # List of files -@@ -59,6 +59,8 @@ sub checkcompare { - } - } - -+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+ - subtest "Check loading valid parameters by ecparam with -check" => sub { - plan tests => scalar(@valid); - checkload(\@valid, 1, "ecparam", "-check"); -@@ -113,3 +115,31 @@ subtest "Check pkeyparam does not change the parameter file on output" => sub { - plan tests => 2 * scalar(@valid); - checkcompare(\@valid, "pkeyparam"); - }; -+ -+subtest "Check loading of fips and non-fips params" => sub { -+ plan skip_all => "FIPS is disabled" -+ if $no_fips; -+ plan tests => 3; -+ -+ 
my $fipsconf = srctop_file("test", "fips-and-base.cnf"); -+ my $defaultconf = srctop_file("test", "default.cnf"); -+ -+ $ENV{OPENSSL_CONF} = $fipsconf; -+ -+ ok(run(app(['openssl', 'ecparam', -+ '-in', data_file('valid', 'secp384r1-explicit.pem'), -+ '-check'])), -+ "Loading explicitly encoded valid curve"); -+ -+ ok(run(app(['openssl', 'ecparam', -+ '-in', data_file('valid', 'secp384r1-named.pem'), -+ '-check'])), -+ "Loading named valid curve"); -+ -+ ok(!run(app(['openssl', 'ecparam', -+ '-in', data_file('valid', 'secp112r1-named.pem'), -+ '-check'])), -+ "Fail loading named non-fips curve"); -+ -+ $ENV{OPENSSL_CONF} = $defaultconf; -+}; diff --git a/SOURCES/0014-FIPS-disable-explicit-ec.patch b/SOURCES/0014-FIPS-disable-explicit-ec.patch deleted file mode 100644 index 7de159e..0000000 --- a/SOURCES/0014-FIPS-disable-explicit-ec.patch +++ /dev/null 
@@ -1,421 +0,0 @@ -diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c -index 9dc143c2ac69..4d6f2a76ad20 100644 ---- a/crypto/ec/ec_err.c -+++ b/crypto/ec/ec_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -35,6 +35,8 @@ static const ERR_STRING_DATA EC_str_reasons[] = { - "discriminant is zero"}, - {ERR_PACK(ERR_LIB_EC, 0, EC_R_EC_GROUP_NEW_BY_NAME_FAILURE), - "ec group new by name failure"}, -+ {ERR_PACK(ERR_LIB_EC, 0, EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED), -+ "explicit params not supported"}, - {ERR_PACK(ERR_LIB_EC, 0, EC_R_FAILED_MAKING_PUBLIC_KEY), - "failed making public key"}, - {ERR_PACK(ERR_LIB_EC, 0, EC_R_FIELD_TOO_LARGE), "field too large"}, -diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c -index 2aeab7e3b6b5..f686e45f899d 100644 ---- a/crypto/ec/ec_lib.c -+++ b/crypto/ec/ec_lib.c -@@ -1387,6 +1387,7 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1, - } - #endif - -+#ifndef FIPS_MODULE - /* - * Check if the explicit parameters group matches any built-in curves. - * -@@ -1424,7 +1425,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group, - * parameters with one created from a named group. 
- */ - --#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 -+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 - /* - * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for - * the same curve, we prefer the SECP nid when matching explicit -@@ -1432,7 +1433,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group, - */ - if (curve_name_nid == NID_wap_wsg_idm_ecid_wtls12) - curve_name_nid = NID_secp224r1; --#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ -+# endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ - - ret_group = EC_GROUP_new_by_curve_name_ex(libctx, propq, curve_name_nid); - if (ret_group == NULL) -@@ -1467,6 +1468,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group, - EC_GROUP_free(ret_group); - return NULL; - } -+#endif /* FIPS_MODULE */ - - static EC_GROUP *group_new_from_name(const OSSL_PARAM *p, - OSSL_LIB_CTX *libctx, const char *propq) -@@ -1536,9 +1538,13 @@ int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]) - EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - OSSL_LIB_CTX *libctx, const char *propq) - { -- const OSSL_PARAM *ptmp, *pa, *pb; -+ const OSSL_PARAM *ptmp; -+ EC_GROUP *group = NULL; -+ -+#ifndef FIPS_MODULE -+ const OSSL_PARAM *pa, *pb; - int ok = 0; -- EC_GROUP *group = NULL, *named_group = NULL; -+ EC_GROUP *named_group = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *order = NULL, *cofactor = NULL; - EC_POINT *point = NULL; - int field_bits = 0; -@@ -1546,6 +1552,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - BN_CTX *bnctx = NULL; - const unsigned char *buf = NULL; - int encoding_flag = -1; -+#endif - - /* This is the simple named group case */ - ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME); -@@ -1559,6 +1566,10 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - } - return group; - } -+#ifdef FIPS_MODULE -+ ERR_raise(ERR_LIB_EC, EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED); -+ return NULL; -+#else - /* If it gets here 
then we are trying explicit parameters */ - bnctx = BN_CTX_new_ex(libctx); - if (bnctx == NULL) { -@@ -1623,10 +1634,10 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - /* create the EC_GROUP structure */ - group = EC_GROUP_new_curve_GFp(p, a, b, bnctx); - } else { --#ifdef OPENSSL_NO_EC2M -+# ifdef OPENSSL_NO_EC2M - ERR_raise(ERR_LIB_EC, EC_R_GF2M_NOT_SUPPORTED); - goto err; --#else -+# else - /* create the EC_GROUP structure */ - group = EC_GROUP_new_curve_GF2m(p, a, b, NULL); - if (group != NULL) { -@@ -1636,7 +1647,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - goto err; - } - } --#endif /* OPENSSL_NO_EC2M */ -+# endif /* OPENSSL_NO_EC2M */ - } - - if (group == NULL) { -@@ -1733,4 +1744,5 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - BN_CTX_free(bnctx); - - return group; -+#endif /* FIPS_MODULE */ - } -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index c4a94f955905..41df7127403c 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -553,6 +553,7 @@ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing - EC_R_DECODE_ERROR:142:decode error - EC_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero - EC_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure -+EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED:127:explicit params not supported - EC_R_FAILED_MAKING_PUBLIC_KEY:166:failed making public key - EC_R_FIELD_TOO_LARGE:143:field too large - EC_R_GF2M_NOT_SUPPORTED:147:gf2m not supported -diff --git a/include/crypto/ecerr.h b/include/crypto/ecerr.h -index 07b6c7aa62dd..4658ae8fb2cd 100644 ---- a/include/crypto/ecerr.h -+++ b/include/crypto/ecerr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). 
You may not use - * this file except in compliance with the License. You can obtain a copy -diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h -index 49088d208b2c..46405ac62d91 100644 ---- a/include/openssl/ecerr.h -+++ b/include/openssl/ecerr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -35,6 +35,7 @@ - # define EC_R_DECODE_ERROR 142 - # define EC_R_DISCRIMINANT_IS_ZERO 118 - # define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 119 -+# define EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED 127 - # define EC_R_FAILED_MAKING_PUBLIC_KEY 166 - # define EC_R_FIELD_TOO_LARGE 143 - # define EC_R_GF2M_NOT_SUPPORTED 147 -diff --git a/test/endecode_test.c b/test/endecode_test.c -index 0c33dff0ee2b..3d78bea50ea3 100644 ---- a/test/endecode_test.c -+++ b/test/endecode_test.c -@@ -147,6 +147,7 @@ typedef int (checker)(const char *file, const int line, - typedef void (dumper)(const char *label, const void *data, size_t data_len); - - #define FLAG_DECODE_WITH_TYPE 0x0001 -+#define FLAG_FAIL_IF_FIPS 0x0002 - - static int test_encode_decode(const char *file, const int line, - const char *type, EVP_PKEY *pkey, -@@ -170,8 +171,19 @@ static int test_encode_decode(const char *file, const int line, - * dumping purposes. 
- */ - if (!TEST_true(encode_cb(file, line, &encoded, &encoded_len, pkey, selection, -- output_type, output_structure, pass, pcipher)) -- || !TEST_true(check_cb(file, line, type, encoded, encoded_len)) -+ output_type, output_structure, pass, pcipher))) -+ goto end; -+ -+ if ((flags & FLAG_FAIL_IF_FIPS) != 0 && is_fips) { -+ if (TEST_false(decode_cb(file, line, (void **)&pkey2, encoded, -+ encoded_len, output_type, output_structure, -+ (flags & FLAG_DECODE_WITH_TYPE ? type : NULL), -+ selection, pass))) -+ ok = 1; -+ goto end; -+ } -+ -+ if (!TEST_true(check_cb(file, line, type, encoded, encoded_len)) - || !TEST_true(decode_cb(file, line, (void **)&pkey2, encoded, encoded_len, - output_type, output_structure, - (flags & FLAG_DECODE_WITH_TYPE ? type : NULL), -@@ -525,7 +537,7 @@ static int check_unprotected_PKCS8_DER(const char *file, const int line, - return ok; - } - --static int test_unprotected_via_DER(const char *type, EVP_PKEY *key) -+static int test_unprotected_via_DER(const char *type, EVP_PKEY *key, int fips) - { - return test_encode_decode(__FILE__, __LINE__, type, key, - OSSL_KEYMGMT_SELECT_KEYPAIR -@@ -533,7 +545,7 @@ static int test_unprotected_via_DER(const char *type, EVP_PKEY *key) - "DER", "PrivateKeyInfo", NULL, NULL, - encode_EVP_PKEY_prov, decode_EVP_PKEY_prov, - test_mem, check_unprotected_PKCS8_DER, -- dump_der, 0); -+ dump_der, fips ? 
0 : FLAG_FAIL_IF_FIPS); - } - - static int check_unprotected_PKCS8_PEM(const char *file, const int line, -@@ -547,7 +559,7 @@ static int check_unprotected_PKCS8_PEM(const char *file, const int line, - sizeof(expected_pem_header) - 1); - } - --static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key) -+static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key, int fips) - { - return test_encode_decode(__FILE__, __LINE__, type, key, - OSSL_KEYMGMT_SELECT_KEYPAIR -@@ -555,7 +567,7 @@ static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key) - "PEM", "PrivateKeyInfo", NULL, NULL, - encode_EVP_PKEY_prov, decode_EVP_PKEY_prov, - test_text, check_unprotected_PKCS8_PEM, -- dump_pem, 0); -+ dump_pem, fips ? 0 : FLAG_FAIL_IF_FIPS); - } - - #ifndef OPENSSL_NO_KEYPARAMS -@@ -702,7 +714,7 @@ static int check_protected_PKCS8_DER(const char *file, const int line, - return ok; - } - --static int test_protected_via_DER(const char *type, EVP_PKEY *key) -+static int test_protected_via_DER(const char *type, EVP_PKEY *key, int fips) - { - return test_encode_decode(__FILE__, __LINE__, type, key, - OSSL_KEYMGMT_SELECT_KEYPAIR -@@ -711,7 +723,7 @@ static int test_protected_via_DER(const char *type, EVP_PKEY *key) - pass, pass_cipher, - encode_EVP_PKEY_prov, decode_EVP_PKEY_prov, - test_mem, check_protected_PKCS8_DER, -- dump_der, 0); -+ dump_der, fips ? 
0 : FLAG_FAIL_IF_FIPS); - } - - static int check_protected_PKCS8_PEM(const char *file, const int line, -@@ -725,7 +737,7 @@ static int check_protected_PKCS8_PEM(const char *file, const int line, - sizeof(expected_pem_header) - 1); - } - --static int test_protected_via_PEM(const char *type, EVP_PKEY *key) -+static int test_protected_via_PEM(const char *type, EVP_PKEY *key, int fips) - { - return test_encode_decode(__FILE__, __LINE__, type, key, - OSSL_KEYMGMT_SELECT_KEYPAIR -@@ -734,7 +746,7 @@ static int test_protected_via_PEM(const char *type, EVP_PKEY *key) - pass, pass_cipher, - encode_EVP_PKEY_prov, decode_EVP_PKEY_prov, - test_text, check_protected_PKCS8_PEM, -- dump_pem, 0); -+ dump_pem, fips ? 0 : FLAG_FAIL_IF_FIPS); - } - - static int check_protected_legacy_PEM(const char *file, const int line, -@@ -795,14 +807,15 @@ static int check_public_DER(const char *file, const int line, - return ok; - } - --static int test_public_via_DER(const char *type, EVP_PKEY *key) -+static int test_public_via_DER(const char *type, EVP_PKEY *key, int fips) - { - return test_encode_decode(__FILE__, __LINE__, type, key, - OSSL_KEYMGMT_SELECT_PUBLIC_KEY - | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS, - "DER", "SubjectPublicKeyInfo", NULL, NULL, - encode_EVP_PKEY_prov, decode_EVP_PKEY_prov, -- test_mem, check_public_DER, dump_der, 0); -+ test_mem, check_public_DER, dump_der, -+ fips ? 
0 : FLAG_FAIL_IF_FIPS); - } - - static int check_public_PEM(const char *file, const int line, -@@ -816,14 +829,15 @@ static int check_public_PEM(const char *file, const int line, - sizeof(expected_pem_header) - 1); - } - --static int test_public_via_PEM(const char *type, EVP_PKEY *key) -+static int test_public_via_PEM(const char *type, EVP_PKEY *key, int fips) - { - return test_encode_decode(__FILE__, __LINE__, type, key, - OSSL_KEYMGMT_SELECT_PUBLIC_KEY - | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS, - "PEM", "SubjectPublicKeyInfo", NULL, NULL, - encode_EVP_PKEY_prov, decode_EVP_PKEY_prov, -- test_text, check_public_PEM, dump_pem, 0); -+ test_text, check_public_PEM, dump_pem, -+ fips ? 0 : FLAG_FAIL_IF_FIPS); - } - - static int check_public_MSBLOB(const char *file, const int line, -@@ -868,30 +882,30 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key) - EVP_PKEY_free(template_##KEYTYPE); \ - EVP_PKEY_free(key_##KEYTYPE) - --#define IMPLEMENT_TEST_SUITE(KEYTYPE, KEYTYPEstr) \ -+#define IMPLEMENT_TEST_SUITE(KEYTYPE, KEYTYPEstr, fips) \ - static int test_unprotected_##KEYTYPE##_via_DER(void) \ - { \ -- return test_unprotected_via_DER(KEYTYPEstr, key_##KEYTYPE); \ -+ return test_unprotected_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \ - } \ - static int test_unprotected_##KEYTYPE##_via_PEM(void) \ - { \ -- return test_unprotected_via_PEM(KEYTYPEstr, key_##KEYTYPE); \ -+ return test_unprotected_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \ - } \ - static int test_protected_##KEYTYPE##_via_DER(void) \ - { \ -- return test_protected_via_DER(KEYTYPEstr, key_##KEYTYPE); \ -+ return test_protected_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \ - } \ - static int test_protected_##KEYTYPE##_via_PEM(void) \ - { \ -- return test_protected_via_PEM(KEYTYPEstr, key_##KEYTYPE); \ -+ return test_protected_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \ - } \ - static int test_public_##KEYTYPE##_via_DER(void) \ - { \ -- return test_public_via_DER(KEYTYPEstr, key_##KEYTYPE); \ -+ 
return test_public_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \ - } \ - static int test_public_##KEYTYPE##_via_PEM(void) \ - { \ -- return test_public_via_PEM(KEYTYPEstr, key_##KEYTYPE); \ -+ return test_public_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \ - } - - #define ADD_TEST_SUITE(KEYTYPE) \ -@@ -965,10 +979,10 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key) - - #ifndef OPENSSL_NO_DH - DOMAIN_KEYS(DH); --IMPLEMENT_TEST_SUITE(DH, "DH") -+IMPLEMENT_TEST_SUITE(DH, "DH", 1) - IMPLEMENT_TEST_SUITE_PARAMS(DH, "DH") - DOMAIN_KEYS(DHX); --IMPLEMENT_TEST_SUITE(DHX, "X9.42 DH") -+IMPLEMENT_TEST_SUITE(DHX, "X9.42 DH", 1) - IMPLEMENT_TEST_SUITE_PARAMS(DHX, "X9.42 DH") - /* - * DH has no support for PEM_write_bio_PrivateKey_traditional(), -@@ -977,7 +991,7 @@ IMPLEMENT_TEST_SUITE_PARAMS(DHX, "X9.42 DH") - #endif - #ifndef OPENSSL_NO_DSA - DOMAIN_KEYS(DSA); --IMPLEMENT_TEST_SUITE(DSA, "DSA") -+IMPLEMENT_TEST_SUITE(DSA, "DSA", 1) - IMPLEMENT_TEST_SUITE_PARAMS(DSA, "DSA") - IMPLEMENT_TEST_SUITE_LEGACY(DSA, "DSA") - IMPLEMENT_TEST_SUITE_MSBLOB(DSA, "DSA") -@@ -988,41 +1002,41 @@ IMPLEMENT_TEST_SUITE_PROTECTED_PVK(DSA, "DSA") - #endif - #ifndef OPENSSL_NO_EC - DOMAIN_KEYS(EC); --IMPLEMENT_TEST_SUITE(EC, "EC") -+IMPLEMENT_TEST_SUITE(EC, "EC", 1) - IMPLEMENT_TEST_SUITE_PARAMS(EC, "EC") - IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") - DOMAIN_KEYS(ECExplicitPrimeNamedCurve); --IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC") -+IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1) - IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC") - /*DOMAIN_KEYS(ECExplicitPrime2G);*/ --/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC")*/ -+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/ - /*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/ - # ifndef OPENSSL_NO_EC2M - DOMAIN_KEYS(ECExplicitTriNamedCurve); --IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC") -+IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1) - 
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve, "EC") - DOMAIN_KEYS(ECExplicitTri2G); --IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC") -+IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC", 0) - IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTri2G, "EC") - # endif - KEYS(ED25519); --IMPLEMENT_TEST_SUITE(ED25519, "ED25519") -+IMPLEMENT_TEST_SUITE(ED25519, "ED25519", 1) - KEYS(ED448); --IMPLEMENT_TEST_SUITE(ED448, "ED448") -+IMPLEMENT_TEST_SUITE(ED448, "ED448", 1) - KEYS(X25519); --IMPLEMENT_TEST_SUITE(X25519, "X25519") -+IMPLEMENT_TEST_SUITE(X25519, "X25519", 1) - KEYS(X448); --IMPLEMENT_TEST_SUITE(X448, "X448") -+IMPLEMENT_TEST_SUITE(X448, "X448", 1) - /* - * ED25519, ED448, X25519 and X448 have no support for - * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. - */ - #endif - KEYS(RSA); --IMPLEMENT_TEST_SUITE(RSA, "RSA") -+IMPLEMENT_TEST_SUITE(RSA, "RSA", 1) - IMPLEMENT_TEST_SUITE_LEGACY(RSA, "RSA") - KEYS(RSA_PSS); --IMPLEMENT_TEST_SUITE(RSA_PSS, "RSA-PSS") -+IMPLEMENT_TEST_SUITE(RSA_PSS, "RSA-PSS", 1) - /* - * RSA-PSS has no support for PEM_write_bio_PrivateKey_traditional(), - * so no legacy tests. diff --git a/SOURCES/0015-FIPS-decoded-from-explicit.patch b/SOURCES/0015-FIPS-decoded-from-explicit.patch deleted file mode 100644 index 19d19a3..0000000 --- a/SOURCES/0015-FIPS-decoded-from-explicit.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c -index bea01fb38f66..48721369ae8f 100644 ---- a/crypto/ec/ec_backend.c -+++ b/crypto/ec/ec_backend.c -@@ -318,6 +318,11 @@ int ossl_ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl, - return 0; - } - -+ if (!ossl_param_build_set_int(tmpl, params, -+ OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, -+ group->decoded_from_explicit_params)) -+ return 0; -+ - curve_nid = EC_GROUP_get_curve_name(group); - - /* -diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c -index 6b0591c6c8c7..b1696d93bd6d 100644 ---- a/crypto/ec/ec_lib.c -+++ b/crypto/ec/ec_lib.c -@@ -1556,13 +1556,23 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - /* This is the simple named group case */ - ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME); - if (ptmp != NULL) { -- group = group_new_from_name(ptmp, libctx, propq); -- if (group != NULL) { -- if (!ossl_ec_group_set_params(group, params)) { -- EC_GROUP_free(group); -- group = NULL; -- } -+ int decoded = 0; -+ -+ if ((group = group_new_from_name(ptmp, libctx, propq)) == NULL) -+ return NULL; -+ if (!ossl_ec_group_set_params(group, params)) { -+ EC_GROUP_free(group); -+ return NULL; -+ } -+ -+ ptmp = OSSL_PARAM_locate_const(params, -+ OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS); -+ if (ptmp != NULL && !OSSL_PARAM_get_int(ptmp, &decoded)) { -+ ERR_raise(ERR_LIB_EC, EC_R_WRONG_CURVE_PARAMETERS); -+ EC_GROUP_free(group); -+ return NULL; - } -+ group->decoded_from_explicit_params = decoded > 0; - return group; - } - #ifdef FIPS_MODULE -@@ -1733,6 +1743,8 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], - EC_GROUP_free(group); - group = named_group; - } -+ /* We've imported the group from explicit parameters, set it so. 
*/ -+ group->decoded_from_explicit_params = 1; - ok = 1; - err: - if (!ok) { -diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod -index eed83237c3b2..ee66a074f889 100644 ---- a/doc/man7/EVP_PKEY-EC.pod -+++ b/doc/man7/EVP_PKEY-EC.pod -@@ -70,8 +70,8 @@ I multiplied by the I gives the number of points on the curve. - - =item "decoded-from-explicit" (B) - --Gets a flag indicating wether the key or parameters were decoded from explicit --curve parameters. Set to 1 if so or 0 if a named curve was used. -+Sets or gets a flag indicating whether the key or parameters were decoded from -+explicit curve parameters. Set to 1 if so or 0 if a named curve was used. - - =item "use-cofactor-flag" (B) - -diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c -index 9260d4bf3635..7aed057cac89 100644 ---- a/providers/implementations/keymgmt/ec_kmgmt.c -+++ b/providers/implementations/keymgmt/ec_kmgmt.c -@@ -525,7 +525,8 @@ int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb, - OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_GENERATOR, NULL, 0), \ - OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_ORDER, NULL, 0), \ - OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_COFACTOR, NULL, 0), \ -- OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_SEED, NULL, 0) -+ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_SEED, NULL, 0), \ -+ OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, NULL) - - # define EC_IMEXPORTABLE_PUBLIC_KEY \ - OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0) -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index 700bbd849c95..ede14864d5ac 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -12,7 +12,7 @@ use warnings; - - use File::Spec::Functions qw/canonpath/; - use File::Copy; --use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips with/; -+use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_dir ok_nofips with/; - use OpenSSL::Test::Utils; - - 
setup("test_verify"); -@@ -29,7 +29,7 @@ sub verify { - run(app([@args])); - } - --plan tests => 160; -+plan tests => 163; - - # Canonical success - ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), -@@ -309,6 +309,29 @@ SKIP: { - ["ca-cert-ec-named"]), - "accept named curve leaf with named curve intermediate"); - } -+# Same as above but with base provider used for decoding -+SKIP: { -+ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+ skip "EC is not supported or FIPS is disabled", 3 -+ if disabled("ec") || $no_fips; -+ -+ my $provconf = srctop_file("test", "fips-and-base.cnf"); -+ my $provpath = bldtop_dir("providers"); -+ my @prov = ("-provider-path", $provpath); -+ $ENV{OPENSSL_CONF} = $provconf; -+ -+ ok(!verify("ee-cert-ec-explicit", "", ["root-cert"], -+ ["ca-cert-ec-named"], @prov), -+ "reject explicit curve leaf with named curve intermediate w/fips"); -+ ok(!verify("ee-cert-ec-named-explicit", "", ["root-cert"], -+ ["ca-cert-ec-explicit"], @prov), -+ "reject named curve leaf with explicit curve intermediate w/fips"); -+ ok(verify("ee-cert-ec-named-named", "", ["root-cert"], -+ ["ca-cert-ec-named"], @prov), -+ "accept named curve leaf with named curve intermediate w/fips"); -+ -+ delete $ENV{OPENSSL_CONF}; -+} - - # Depth tests, note the depth limit bounds the number of CA certificates - # between the trust-anchor and the leaf, so, for example, with a root->ca->leaf diff --git a/SOURCES/0031-tmp-Fix-test-names.patch b/SOURCES/0031-tmp-Fix-test-names.patch index 5c22f24..42b3c0a 100644 --- a/SOURCES/0031-tmp-Fix-test-names.patch +++ b/SOURCES/0031-tmp-Fix-test-names.patch @@ -2,9 +2,9 @@ diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/ --- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit 2021-09-22 11:56:49.452507975 +0200 +++ openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-09-22 11:57:19.371764742 +0200 
@@ -40,7 +40,7 @@ unless ($no_fips) { - srctop_file("test", "recipes", "90-test_sslapi_data", - "passwd.txt"), $tmpfilename, "fips", - srctop_file("test", "fips-and-base.cnf")])), + "recipes", + "90-test_sslapi_data", + "dhparams.pem")])), - "running sslapitest"); + "running sslapitest - FIPS"); } diff --git a/SOURCES/0035-speed-skip-unavailable-dgst.patch b/SOURCES/0035-speed-skip-unavailable-dgst.patch index 6d948dd..9256f7f 100644 --- a/SOURCES/0035-speed-skip-unavailable-dgst.patch +++ b/SOURCES/0035-speed-skip-unavailable-dgst.patch @@ -11,16 +11,3 @@ diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c if (!EVP_MAC_init(mctx, NULL, 0, NULL) || !EVP_MAC_update(mctx, buf, lengths[testnum]) || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac))) -@@ -1922,8 +1925,10 @@ int speed_main(int argc, char **argv) - if (loopargs[i].mctx == NULL) - goto end; - -- if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) -- goto end; -+ if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) { -+ EVP_MAC_CTX_free(loopargs[i].mctx); -+ loopargs[i].mctx = NULL; -+ } - } - for (testnum = 0; testnum < size_num; testnum++) { - print_message(names[D_HMAC], c[D_HMAC][testnum], lengths[testnum], diff --git a/SOURCES/0045-FIPS-services-minimize.patch b/SOURCES/0045-FIPS-services-minimize.patch index 8308990..abb13e0 100644 --- a/SOURCES/0045-FIPS-services-minimize.patch +++ b/SOURCES/0045-FIPS-services-minimize.patch 
@@ -717,35 +717,3 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen if (!ossl_prov_is_running()) return 0; -diff -up openssl-3.0.1/ssl/t1_lib.c.groupnames openssl-3.0.1/ssl/t1_lib.c ---- openssl-3.0.1/ssl/t1_lib.c.groupnames 2022-06-17 09:42:50.866748854 +0200 -+++ openssl-3.0.1/ssl/t1_lib.c 2022-06-17 09:49:07.715973172 +0200 -@@ -345,6 +345,7 @@ static int add_provider_groups(const OSS - * it. - */ - ret = 1; -+ (void)ERR_set_mark(); - keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); - if (keymgmt != NULL) { - /* -@@ -366,6 +367,7 @@ static int add_provider_groups(const OSS - } - EVP_KEYMGMT_free(keymgmt); - } -+ (void)ERR_pop_to_mark(); - err: - if (ginf != NULL) { - OPENSSL_free(ginf->tlsname); -@@ -725,8 +727,11 @@ static int gid_cb(const char *elem, int - etmp[len] = 0; - - gid = tls1_group_name2id(garg->ctx, etmp); -- if (gid == 0) -+ if (gid == 0) { -+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, -+ "group '%s' cannot be set", etmp); - return 0; -+ } - for (i = 0; i < garg->gidcnt; i++) - if (garg->gid_arr[i] == gid) - return 0; diff --git a/SOURCES/0046-FIPS-s390x-hardening.patch b/SOURCES/0046-FIPS-s390x-hardening.patch deleted file mode 100644 index f79abf9..0000000 --- a/SOURCES/0046-FIPS-s390x-hardening.patch +++ /dev/null 
@@ -1,22 +0,0 @@
-diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
-index 5c70b2d67840..c5726c638bdd 100644
---- a/crypto/ec/ecp_s390x_nistp.c
-+++ b/crypto/ec/ecp_s390x_nistp.c
-@@ -116,7 +116,7 @@ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
- /* Otherwise use default. */
- if (rc == -1)
- rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
-- OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
-+ OPENSSL_cleanse(param, sizeof(param));
- BN_CTX_end(ctx);
- BN_CTX_free(new_ctx);
- return rc;
-@@ -212,7 +212,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
-
- ok = 1;
- ret:
-- OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
-+ OPENSSL_cleanse(param, sizeof(param));
- if (ok != 1) {
- ECDSA_SIG_free(sig);
- sig = NULL;
diff --git a/SOURCES/0048-correctly-handle-records.patch b/SOURCES/0048-correctly-handle-records.patch
deleted file mode 100644
index ecbc09c..0000000
--- a/SOURCES/0048-correctly-handle-records.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff -up openssl-3.0.1/apps/s_server.c.handle-records openssl-3.0.1/apps/s_server.c
---- openssl-3.0.1/apps/s_server.c.handle-records 2022-02-03 15:26:16.803434943 +0100
-+++ openssl-3.0.1/apps/s_server.c 2022-02-03 15:34:33.358298697 +0100
-@@ -2982,7 +2982,9 @@ static int www_body(int s, int stype, in
- /* Set width for a select call if needed */
- width = s + 1;
-
-- buf = app_malloc(bufsize, "server www buffer");
-+ /* as we use BIO_gets(), and it always null terminates data, we need
-+ * to allocate 1 byte longer buffer to fit the full 2^14 byte record */
-+ buf = app_malloc(bufsize + 1, "server www buffer");
- io = BIO_new(BIO_f_buffer());
- ssl_bio = BIO_new(BIO_f_ssl());
- if ((io == NULL) || (ssl_bio == NULL))
-@@ -3047,7 +3049,7 @@ static int www_body(int s, int stype, in
- }
-
- for (;;) {
-- i = BIO_gets(io, buf, bufsize - 1);
-+ i = BIO_gets(io, buf, bufsize + 1);
- if (i < 0) { /* error */
- if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) {
- if (!s_quiet)
-@@ -3112,7 +3114,7 @@ static int www_body(int s, int stype, in
- * we're expecting to come from the client. If they haven't
- * sent one there's not much we can do.
- */
-- BIO_gets(io, buf, bufsize - 1);
-+ BIO_gets(io, buf, bufsize + 1);
- }
-
- BIO_puts(io,
-@@ -3401,7 +3403,9 @@ static int rev_body(int s, int stype, in
- SSL *con;
- BIO *io, *ssl_bio, *sbio;
-
-- buf = app_malloc(bufsize, "server rev buffer");
-+ /* as we use BIO_gets(), and it always null terminates data, we need
-+ * to allocate 1 byte longer buffer to fit the full 2^14 byte record */
-+ buf = app_malloc(bufsize + 1, "server rev buffer");
- io = BIO_new(BIO_f_buffer());
- ssl_bio = BIO_new(BIO_f_ssl());
- if ((io == NULL) || (ssl_bio == NULL))
-@@ -3476,7 +3480,7 @@ static int rev_body(int s, int stype, in
- print_ssl_summary(con);
-
- for (;;) {
-- i = BIO_gets(io, buf, bufsize - 1);
-+ i = BIO_gets(io, buf, bufsize + 1);
- if (i < 0) { /* error */
- if (!BIO_should_retry(io)) {
- if (!s_quiet)
diff --git a/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch index 18b0183..f18e099 100644 --- a/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch +++ b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch @@ -479,8 +479,8 @@ index 10b4e57d79..2d3c363bb0 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: - EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: - EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: + OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: diff --git a/SOURCES/0053-CVE-2022-0778.patch b/SOURCES/0053-CVE-2022-0778.patch deleted file mode 100644 index 4f4bcb5..0000000 --- a/SOURCES/0053-CVE-2022-0778.patch +++ /dev/null 
@@ -1,188 +0,0 @@ -From 23f1773ddf92979006d0f438523f3c73320c384f Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 28 Feb 2022 18:26:30 +0100 -Subject: [PATCH] Add documentation of BN_mod_sqrt() - ---- - doc/man3/BN_add.pod | 15 +++++++++++++-- - util/missingcrypto.txt | 1 - - 2 files changed, 13 insertions(+), 3 deletions(-) - -diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod -index 62d3ee7205..cf6c49c0e3 100644 ---- a/doc/man3/BN_add.pod -+++ b/doc/man3/BN_add.pod -@@ -3,7 +3,7 @@ - =head1 NAME - - BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, --BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd - -+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd - - arithmetic operations on BIGNUMs - - =head1 SYNOPSIS -@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs - - int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); - -+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); -+ - int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx); - - int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, -@@ -87,6 +89,12 @@ L. - BN_mod_sqr() takes the square of I modulo B and places the - result in I. - -+BN_mod_sqrt() returns the modular square root of I such that -+C. The modulus I

must be a -+prime, otherwise an error or an incorrect "result" will be returned. -+The result is stored into I which can be NULL. The result will be -+newly allocated in that case. -+ - BN_exp() raises I to the I

-th power and places the result in I - (C). This function is faster than repeated applications of - BN_mul(). -@@ -108,7 +116,10 @@ the arguments. - - =head1 RETURN VALUES - --For all functions, 1 is returned for success, 0 on error. The return -+The BN_mod_sqrt() returns the result (possibly incorrect if I

is -+not a prime), or NULL. -+ -+For all remaining functions, 1 is returned for success, 0 on error. The return - value should always be checked (e.g., C). - The error codes can be obtained by L. - -diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt -index b61bdeb880..4d2fd7f6b7 100644 ---- a/util/missingcrypto.txt -+++ b/util/missingcrypto.txt -@@ -264,7 +264,6 @@ BN_mod_lshift(3) - BN_mod_lshift1(3) - BN_mod_lshift1_quick(3) - BN_mod_lshift_quick(3) --BN_mod_sqrt(3) - BN_mod_sub_quick(3) - BN_nist_mod_192(3) - BN_nist_mod_224(3) - -From 46673310c9a755b2a56f53d115854983d6ada11a Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 28 Feb 2022 18:26:35 +0100 -Subject: [PATCH] Add a negative testcase for BN_mod_sqrt - ---- - test/bntest.c | 11 ++++++++++- - test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++ - 2 files changed, 22 insertions(+), 1 deletion(-) - -diff --git a/test/bntest.c b/test/bntest.c -index efdb3ef963..d49f87373a 100644 ---- a/test/bntest.c -+++ b/test/bntest.c -@@ -1732,8 +1732,17 @@ static int file_modsqrt(STANZA *s) - || !TEST_ptr(ret2 = BN_new())) - goto err; - -+ if (BN_is_negative(mod_sqrt)) { -+ /* A negative testcase */ -+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx))) -+ goto err; -+ -+ st = 1; -+ goto err; -+ } -+ - /* There are two possible answers. 
*/ -- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx)) -+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx)) - || !TEST_true(BN_sub(ret2, p, ret))) - goto err; - -diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt -index e22d656091..bc8a434ea5 100644 ---- a/test/recipes/10-test_bn_data/bnmod.txt -+++ b/test/recipes/10-test_bn_data/bnmod.txt -@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f - ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186 - A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81 - P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f -+ -+# Negative testcases for BN_mod_sqrt() -+ -+# This one triggers an infinite loop with unfixed implementation -+# It should just fail. -+ModSqrt = -1 -+A = 20a7ee -+P = 460201 -+ -+ModSqrt = -1 -+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed -+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f - -From cafcc62d7719dea73f334c9ef763d1e215fcd94d Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 28 Feb 2022 18:26:21 +0100 -Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt() - -The calculation in some cases does not finish for non-prime p. - -This fixes CVE-2022-0778. - -Based on patch by David Benjamin . ---- - crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------ - 1 file changed, 18 insertions(+), 12 deletions(-) - -diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c -index b663ae5ec5..c5ea7ab194 100644 ---- a/crypto/bn/bn_sqrt.c -+++ b/crypto/bn/bn_sqrt.c -@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) - /* - * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks - * algorithm (cf. 
Henri Cohen, "A Course in Algebraic Computational Number -- * Theory", algorithm 1.5.1). 'p' must be prime! -+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or -+ * an incorrect "result" will be returned. - */ - { - BIGNUM *ret = in; -@@ -303,18 +304,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) - goto vrfy; - } - -- /* find smallest i such that b^(2^i) = 1 */ -- i = 1; -- if (!BN_mod_sqr(t, b, p, ctx)) -- goto end; -- while (!BN_is_one(t)) { -- i++; -- if (i == e) { -- ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE); -- goto end; -+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ -+ for (i = 1; i < e; i++) { -+ if (i == 1) { -+ if (!BN_mod_sqr(t, b, p, ctx)) -+ goto end; -+ -+ } else { -+ if (!BN_mod_mul(t, t, t, p, ctx)) -+ goto end; - } -- if (!BN_mod_mul(t, t, t, p, ctx)) -- goto end; -+ if (BN_is_one(t)) -+ break; -+ } -+ /* If not found, a is not a square or p is not prime. */ -+ if (i >= e) { -+ ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE); -+ goto end; - } - - /* t := y^2^(e - i - 1) */ - diff --git a/SOURCES/0054-Replace-size-check-with-more-meaningful-pubkey-check.patch b/SOURCES/0054-Replace-size-check-with-more-meaningful-pubkey-check.patch deleted file mode 100644 index a66968d..0000000 --- a/SOURCES/0054-Replace-size-check-with-more-meaningful-pubkey-check.patch +++ /dev/null 
@@ -1,53 +0,0 @@
-From 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Wed, 2 Feb 2022 17:47:26 +0100
-Subject: [PATCH] Replace size check with more meaningful pubkey check
-
-It does not make sense to check the size because this
-function can be used in other contexts than in TLS-1.3 and
-the value might not be padded to the size of p.
-
-However it makes sense to do the partial pubkey check because
-there is no valid reason having the pubkey value outside the
-1 < pubkey < p-1 bounds.
-
-Fixes #15465
-
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/17630)
----
- crypto/dh/dh_key.c | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 6b8cd550f2..c78ed618bf 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -375,20 +375,17 @@ int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
- int err_reason = DH_R_BN_ERROR;
- BIGNUM *pubkey = NULL;
- const BIGNUM *p;
-- size_t p_size;
-+ int ret;
-
- if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
- goto err;
- DH_get0_pqg(dh, &p, NULL, NULL);
-- if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
-+ if (p == NULL || BN_num_bytes(p) == 0) {
- err_reason = DH_R_NO_PARAMETERS_SET;
- goto err;
- }
-- /*
-- * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
-- * public key is of size not equal to size of p
-- */
-- if (BN_is_zero(pubkey) || p_size != len) {
-+ /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
-+ if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
- err_reason = DH_R_INVALID_PUBKEY;
- goto err;
- }
---
-2.35.1
-
diff --git a/SOURCES/0055-nonlegacy-fetch-null-deref.patch b/SOURCES/0055-nonlegacy-fetch-null-deref.patch
deleted file mode 100644
index c4ca4fe..0000000
--- a/SOURCES/0055-nonlegacy-fetch-null-deref.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c
-index e1da724bd2f4..2bee5ef19447 100644
---- a/crypto/core_namemap.c
-+++ b/crypto/core_namemap.c
-@@ -409,14 +409,16 @@ static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg)
- {
- const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type);
-
-- get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg);
-+ if (cipher != NULL)
-+ get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg);
- }
-
- static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
- {
- const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type);
-
-- get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
-+ if (md != NULL)
-+ get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
- }
-
- static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
diff --git a/SOURCES/0056-strcasecmp.patch b/SOURCES/0056-strcasecmp.patch
index ed30b2e..8a005e6 100644
--- a/SOURCES/0056-strcasecmp.patch
+++ b/SOURCES/0056-strcasecmp.patch
@@ -1,2279 +1,54 @@ -diff --git a/apps/ca.c b/apps/ca.c -index 24883615ed6b..8a2b31579549 100644 ---- a/apps/ca.c -+++ b/apps/ca.c -@@ -2367,7 +2367,7 @@ static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg) - - case REV_CRL_REASON: - for (i = 0; i < 8; i++) { -- if (strcasecmp(rev_arg, crl_reasons[i]) == 0) { -+ if (OPENSSL_strcasecmp(rev_arg, crl_reasons[i]) == 0) { - reason = crl_reasons[i]; - break; - } -@@ -2584,7 +2584,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, - } - if (reason_str) { - for (i = 0; i < NUM_REASONS; i++) { -- if (strcasecmp(reason_str, crl_reasons[i]) == 0) { -+ if (OPENSSL_strcasecmp(reason_str, crl_reasons[i]) == 0) { - reason_code = i; - break; - } -diff --git a/apps/cmp.c b/apps/cmp.c -index 9ea5cee4124d..5c6bcdad0a64 100644 ---- a/apps/cmp.c -+++ b/apps/cmp.c -@@ -1745,7 +1745,7 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx) - valptr[0] = '\0'; - valptr++; - -- if (strncasecmp(valptr, "int:", 4) != 0) { -+ if (OPENSSL_strncasecmp(valptr, "int:", 4) != 0) { - CMP_err("missing 'int:' in -geninfo option"); - return 0; - } -diff --git a/apps/ecparam.c b/apps/ecparam.c -index 12eed703de69..ecce36be71a2 100644 ---- a/apps/ecparam.c -+++ b/apps/ecparam.c -@@ -229,7 +229,7 @@ int ecparam_main(int argc, char **argv) - point_format, 0); - *p = OSSL_PARAM_construct_end(); - -- if (strcasecmp(curve_name, "SM2") == 0) -+ if (OPENSSL_strcasecmp(curve_name, "SM2") == 0) - gctx_params = EVP_PKEY_CTX_new_from_name(NULL, "sm2", NULL); - else - gctx_params = EVP_PKEY_CTX_new_from_name(NULL, "ec", NULL); -diff --git a/apps/lib/apps.c b/apps/lib/apps.c -index 30da6e8a8cb8..227da4982d14 100644 ---- a/apps/lib/apps.c -+++ b/apps/lib/apps.c -@@ -688,8 +688,8 @@ int load_cert_certs(const char *uri, - int ret = 0; - char *pass_string; - -- if (exclude_http && (strncasecmp(uri, "http://", 7) == 0 -- || strncasecmp(uri, "https://", 8) == 0)) { -+ if (exclude_http && (OPENSSL_strncasecmp(uri, "http://", 
7) == 0 -+ || OPENSSL_strncasecmp(uri, "https://", 8) == 0)) { - BIO_printf(bio_err, "error: HTTP retrieval not allowed for %s\n", desc); - return ret; - } -@@ -1182,20 +1182,20 @@ int set_name_ex(unsigned long *flags, const char *arg) - - int set_dateopt(unsigned long *dateopt, const char *arg) - { -- if (strcasecmp(arg, "rfc_822") == 0) -+ if (OPENSSL_strcasecmp(arg, "rfc_822") == 0) - *dateopt = ASN1_DTFLGS_RFC822; -- else if (strcasecmp(arg, "iso_8601") == 0) -+ else if (OPENSSL_strcasecmp(arg, "iso_8601") == 0) - *dateopt = ASN1_DTFLGS_ISO8601; - return 0; - } - - int set_ext_copy(int *copy_type, const char *arg) - { -- if (strcasecmp(arg, "none") == 0) -+ if (OPENSSL_strcasecmp(arg, "none") == 0) - *copy_type = EXT_COPY_NONE; -- else if (strcasecmp(arg, "copy") == 0) -+ else if (OPENSSL_strcasecmp(arg, "copy") == 0) - *copy_type = EXT_COPY_ADD; -- else if (strcasecmp(arg, "copyall") == 0) -+ else if (OPENSSL_strcasecmp(arg, "copyall") == 0) - *copy_type = EXT_COPY_ALL; - else - return 0; -@@ -1275,7 +1275,7 @@ static int set_table_opts(unsigned long *flags, const char *arg, - } - - for (ptbl = in_tbl; ptbl->name; ptbl++) { -- if (strcasecmp(arg, ptbl->name) == 0) { -+ if (OPENSSL_strcasecmp(arg, ptbl->name) == 0) { - *flags &= ~ptbl->mask; - if (c) - *flags |= ptbl->flag; -diff --git a/apps/lib/engine_loader.c b/apps/lib/engine_loader.c -index c093f31e1b39..42775a89f361 100644 ---- a/apps/lib/engine_loader.c -+++ b/apps/lib/engine_loader.c -@@ -71,7 +71,7 @@ static OSSL_STORE_LOADER_CTX *engine_open(const OSSL_STORE_LOADER *loader, - char *keyid = NULL; - OSSL_STORE_LOADER_CTX *ctx = NULL; - -- if (strncasecmp(p, ENGINE_SCHEME_COLON, sizeof(ENGINE_SCHEME_COLON) - 1) -+ if (OPENSSL_strncasecmp(p, ENGINE_SCHEME_COLON, sizeof(ENGINE_SCHEME_COLON) - 1) - != 0) - return NULL; - p += sizeof(ENGINE_SCHEME_COLON) - 1; -diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c -index 03faac7707b7..df9575e2cd21 100644 ---- a/apps/lib/http_server.c -+++ 
b/apps/lib/http_server.c -@@ -453,10 +453,11 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq, - } - *line_end = '\0'; - /* https://tools.ietf.org/html/rfc7230#section-6.3 Persistence */ -- if (found_keep_alive != NULL && strcasecmp(key, "Connection") == 0) { -- if (strcasecmp(value, "keep-alive") == 0) -+ if (found_keep_alive != NULL -+ && OPENSSL_strcasecmp(key, "Connection") == 0) { -+ if (OPENSSL_strcasecmp(value, "keep-alive") == 0) - *found_keep_alive = 1; -- else if (strcasecmp(value, "close") == 0) -+ else if (OPENSSL_strcasecmp(value, "close") == 0) - *found_keep_alive = 0; - } - } -diff --git a/apps/lib/names.c b/apps/lib/names.c -index 5e2e7e147c7f..462703c6462b 100644 ---- a/apps/lib/names.c -+++ b/apps/lib/names.c -@@ -11,14 +11,11 @@ - #include - #include - #include "names.h" -- --#ifdef _WIN32 --# define strcasecmp _stricmp --#endif -+#include "openssl/crypto.h" - - int name_cmp(const char * const *a, const char * const *b) - { -- return strcasecmp(*a, *b); -+ return OPENSSL_strcasecmp(*a, *b); - } - - void collect_names(const char *name, void *vdata) -diff --git a/apps/lib/vms_term_sock.c b/apps/lib/vms_term_sock.c -index 1b27699b9d49..4d9a69b29e03 100644 ---- a/apps/lib/vms_term_sock.c -+++ b/apps/lib/vms_term_sock.c -@@ -132,7 +132,7 @@ int main (int argc, char *argv[], char *envp[]) - len; - - LogMessage ("Enter 'q' or 'Q' to quit ..."); -- while (strcasecmp (TermBuff, "Q")) { -+ while (OPENSSL_strcasecmp (TermBuff, "Q")) { - /* - ** Create the terminal socket - */ -diff --git a/apps/list.c b/apps/list.c -index 9732d6625a05..620ce0083134 100644 ---- a/apps/list.c -+++ b/apps/list.c -@@ -71,7 +71,7 @@ static void legacy_cipher_fn(const EVP_CIPHER *c, - { - if (select_name != NULL - && (c == NULL -- || strcasecmp(select_name, EVP_CIPHER_get0_name(c)) != 0)) -+ || OPENSSL_strcasecmp(select_name, EVP_CIPHER_get0_name(c)) != 0)) - return; - if (c != NULL) { - BIO_printf(arg, " %s\n", EVP_CIPHER_get0_name(c)); -@@ -370,7 +370,7 @@ 
DEFINE_STACK_OF(EVP_RAND) - - static int rand_cmp(const EVP_RAND * const *a, const EVP_RAND * const *b) - { -- int ret = strcasecmp(EVP_RAND_get0_name(*a), EVP_RAND_get0_name(*b)); -+ int ret = OPENSSL_strcasecmp(EVP_RAND_get0_name(*a), EVP_RAND_get0_name(*b)); - - if (ret == 0) - ret = strcmp(OSSL_PROVIDER_get0_name(EVP_RAND_get0_provider(*a)), -@@ -404,7 +404,7 @@ static void list_random_generators(void) - const EVP_RAND *m = sk_EVP_RAND_value(rands, i); - - if (select_name != NULL -- && strcasecmp(EVP_RAND_get0_name(m), select_name) != 0) -+ && OPENSSL_strcasecmp(EVP_RAND_get0_name(m), select_name) != 0) - continue; - BIO_printf(bio_out, " %s", EVP_RAND_get0_name(m)); - BIO_printf(bio_out, " @ %s\n", -@@ -463,7 +463,7 @@ static void display_random(const char *name, EVP_RAND_CTX *drbg) - if (gettables != NULL) - for (; gettables->key != NULL; gettables++) { - /* State has been dealt with already, so ignore */ -- if (strcasecmp(gettables->key, OSSL_RAND_PARAM_STATE) == 0) -+ if (OPENSSL_strcasecmp(gettables->key, OSSL_RAND_PARAM_STATE) == 0) - continue; - /* Outside of verbose mode, we skip non-string values */ - if (gettables->data_type != OSSL_PARAM_UTF8_STRING -diff --git a/apps/rehash.c b/apps/rehash.c -index fb6c08c420ca..e4a4e14fd497 100644 ---- a/apps/rehash.c -+++ b/apps/rehash.c -@@ -214,7 +214,7 @@ static int handle_symlink(const char *filename, const char *fullpath) - return -1; - for (type = OSSL_NELEM(suffixes) - 1; type > 0; type--) { - const char *suffix = suffixes[type]; -- if (strncasecmp(suffix, &filename[i], strlen(suffix)) == 0) -+ if (OPENSSL_strncasecmp(suffix, &filename[i], strlen(suffix)) == 0) - break; - } - i += strlen(suffixes[type]); -@@ -249,7 +249,7 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) - if ((ext = strrchr(filename, '.')) == NULL) - goto end; - for (i = 0; i < OSSL_NELEM(extensions); i++) { -- if (strcasecmp(extensions[i], ext + 1) == 0) -+ if (OPENSSL_strcasecmp(extensions[i], ext + 1) == 0) 
- break; - } - if (i >= OSSL_NELEM(extensions)) -diff --git a/apps/s_server.c b/apps/s_server.c -index ccaec3124bf4..e93cfa1e2c7a 100644 ---- a/apps/s_server.c -+++ b/apps/s_server.c -@@ -432,7 +432,7 @@ static int ssl_servername_cb(SSL *s, int *ad, void *arg) - return SSL_TLSEXT_ERR_NOACK; - - if (servername != NULL) { -- if (strcasecmp(servername, p->servername)) -+ if (OPENSSL_strcasecmp(servername, p->servername)) - return p->extension_error; - if (ctx2 != NULL) { - BIO_printf(p->biodebug, "Switching server context.\n"); -diff --git a/crypto/LPdir_unix.c b/crypto/LPdir_unix.c -index ddf68b576f88..fe9fc0dd43ba 100644 ---- a/crypto/LPdir_unix.c -+++ b/crypto/LPdir_unix.c -@@ -141,7 +141,8 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory) - p--; - if (p > (*ctx)->entry_name && p[-1] == ';') - p[-1] = '\0'; -- if (strcasecmp((*ctx)->entry_name, (*ctx)->previous_entry_name) == 0) -+ if (OPENSSL_strcasecmp((*ctx)->entry_name, -+ (*ctx)->previous_entry_name) == 0) - goto again; - } - #endif -diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c -index 031a6c936ad1..0de5785c2745 100644 ---- a/crypto/asn1/ameth_lib.c -+++ b/crypto/asn1/ameth_lib.c -@@ -10,7 +10,6 @@ - /* We need to use some engine deprecated APIs */ - #define OPENSSL_SUPPRESS_DEPRECATED - --#include "e_os.h" /* for strncasecmp */ - #include "internal/cryptlib.h" - #include - #include -@@ -134,7 +133,7 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe, - if (ameth->pkey_flags & ASN1_PKEY_ALIAS) - continue; - if ((int)strlen(ameth->pem_str) == len -- && strncasecmp(ameth->pem_str, str, len) == 0) -+ && OPENSSL_strncasecmp(ameth->pem_str, str, len) == 0) - return ameth; - } - return NULL; -diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c -index ecff2be02e1f..59d42daf4a1c 100644 ---- a/crypto/asn1/asn1_gen.c -+++ b/crypto/asn1/asn1_gen.c -@@ -10,7 +10,6 @@ - #include "internal/cryptlib.h" - #include - #include --#include "e_os.h" /* strncasecmp() */ - 
- #define ASN1_GEN_FLAG 0x10000 - #define ASN1_GEN_FLAG_IMP (ASN1_GEN_FLAG|1) -@@ -565,7 +564,8 @@ static int asn1_str2tag(const char *tagstr, int len) - - tntmp = tnst; - for (i = 0; i < OSSL_NELEM(tnst); i++, tntmp++) { -- if ((len == tntmp->len) && (strncasecmp(tntmp->strnam, tagstr, len) == 0)) -+ if ((len == tntmp->len) -+ && (OPENSSL_strncasecmp(tntmp->strnam, tagstr, len) == 0)) - return tntmp->tag; - } - -diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c -index c05c3c6b109d..6fe8427dc5e6 100644 ---- a/crypto/conf/conf_def.c -+++ b/crypto/conf/conf_def.c -@@ -11,7 +11,7 @@ - - #include - #include --#include "e_os.h" /* strcasecmp and struct stat */ -+#include "e_os.h" /* struct stat */ - #ifdef __TANDEM - # include /* needed for stat.h */ - # include /* struct stat */ -@@ -192,11 +192,11 @@ static int def_load(CONF *conf, const char *name, long *line) - /* Parse a boolean value and fill in *flag. Return 0 on error. */ - static int parsebool(const char *pval, int *flag) - { -- if (strcasecmp(pval, "on") == 0 -- || strcasecmp(pval, "true") == 0) { -+ if (OPENSSL_strcasecmp(pval, "on") == 0 -+ || OPENSSL_strcasecmp(pval, "true") == 0) { - *flag = 1; -- } else if (strcasecmp(pval, "off") == 0 -- || strcasecmp(pval, "false") == 0) { -+ } else if (OPENSSL_strcasecmp(pval, "off") == 0 -+ || OPENSSL_strcasecmp(pval, "false") == 0) { - *flag = 0; - } else { - ERR_raise(ERR_LIB_CONF, CONF_R_INVALID_PRAGMA); -@@ -839,8 +839,10 @@ static BIO *get_next_file(const char *path, OPENSSL_DIR_CTX **dirctx) - namelen = strlen(filename); - - -- if ((namelen > 5 && strcasecmp(filename + namelen - 5, ".conf") == 0) -- || (namelen > 4 && strcasecmp(filename + namelen - 4, ".cnf") == 0)) { -+ if ((namelen > 5 -+ && OPENSSL_strcasecmp(filename + namelen - 5, ".conf") == 0) -+ || (namelen > 4 -+ && OPENSSL_strcasecmp(filename + namelen - 4, ".cnf") == 0)) { - size_t newlen; - char *newpath; - BIO *bio; -diff --git a/crypto/context.c b/crypto/context.c -index 
3333af4c534e..4fef24cadd5a 100644 ---- a/crypto/context.c -+++ b/crypto/context.c -@@ -14,6 +14,7 @@ - #include "internal/core.h" - #include "internal/bio.h" - #include "internal/provider.h" -+#include "crypto/ctype.h" - - # include - # include -@@ -150,7 +151,8 @@ static CRYPTO_THREAD_LOCAL default_context_thread_local; - { - read_kernel_fips_flag(); - return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL) -- && context_init(&default_context_int); -+ && context_init(&default_context_int) -+ && ossl_init_casecmp(); - } - - void ossl_lib_ctx_default_deinit(void) -diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c -index 55248affc663..7e11ab1c8845 100644 ---- a/crypto/core_namemap.c -+++ b/crypto/core_namemap.c -@@ -7,7 +7,6 @@ - * https://www.openssl.org/source/license.html - */ - --#include "e_os.h" /* strcasecmp */ - #include "internal/namemap.h" - #include - #include "crypto/lhash.h" /* ossl_lh_strcasehash */ -@@ -49,7 +48,7 @@ static unsigned long namenum_hash(const NAMENUM_ENTRY *n) - - static int namenum_cmp(const NAMENUM_ENTRY *a, const NAMENUM_ENTRY *b) - { -- return strcasecmp(a->name, b->name); -+ return OPENSSL_strcasecmp(a->name, b->name); - } - - static void namenum_free(NAMENUM_ENTRY *n) -diff --git a/crypto/ctype.c b/crypto/ctype.c -index 83c24a546f53..321306eb5f50 100644 ---- a/crypto/ctype.c -+++ b/crypto/ctype.c -@@ -12,6 +12,19 @@ - #include "crypto/ctype.h" - #include - -+#include -+#include "internal/core.h" -+#include "internal/thread_once.h" -+ -+#ifndef OPENSSL_SYS_WINDOWS -+#include -+#endif -+#include -+ -+#ifdef OPENSSL_SYS_MACOSX -+#include -+#endif -+ - /* - * Define the character classes for each character in the seven bit ASCII - * character set. This is independent of the host's character set, characters -@@ -278,3 +291,90 @@ int ossl_ascii_isdigit(const char inchar) { - return 1; - return 0; - } -+ -+/* str[n]casecmp_l is defined in POSIX 2008-01. 
Value is taken accordingly -+ * https://www.gnu.org/software/libc/manual/html_node/Feature-Test-Macros.html */ -+ -+#if (defined OPENSSL_SYS_WINDOWS) || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200809L) -+ -+# if defined OPENSSL_SYS_WINDOWS -+# define locale_t _locale_t -+# define freelocale _free_locale -+# define strcasecmp_l _stricmp_l -+# define strncasecmp_l _strnicmp_l -+# endif -+ -+# ifndef FIPS_MODULE -+static locale_t loc; -+ -+static int locale_base_inited = 0; -+static CRYPTO_ONCE locale_base = CRYPTO_ONCE_STATIC_INIT; -+static CRYPTO_ONCE locale_base_deinit = CRYPTO_ONCE_STATIC_INIT; -+ -+void *ossl_c_locale() { -+ return (void *)loc; -+} -+ -+DEFINE_RUN_ONCE_STATIC(ossl_init_locale_base) -+{ -+# ifdef OPENSSL_SYS_WINDOWS -+ loc = _create_locale(LC_COLLATE, "C"); -+# else -+ loc = newlocale(LC_COLLATE_MASK, "C", (locale_t) 0); -+# endif -+ locale_base_inited = 1; -+ return (loc == (locale_t) 0) ? 0 : 1; -+} -+ -+DEFINE_RUN_ONCE_STATIC(ossl_deinit_locale_base) -+{ -+ if (locale_base_inited && loc) { -+ freelocale(loc); -+ loc = NULL; -+ } -+ return 1; -+} -+ -+int ossl_init_casecmp() -+{ -+ return RUN_ONCE(&locale_base, ossl_init_locale_base); -+} -+ -+void ossl_deinit_casecmp() { -+ (void)RUN_ONCE(&locale_base_deinit, ossl_deinit_locale_base); -+} -+# endif -+ -+int OPENSSL_strcasecmp(const char *s1, const char *s2) -+{ -+ return strcasecmp_l(s1, s2, (locale_t)ossl_c_locale()); -+} -+ -+int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) -+{ -+ return strncasecmp_l(s1, s2, n, (locale_t)ossl_c_locale()); -+} -+#else -+# ifndef FIPS_MODULE -+void *ossl_c_locale() { -+ return NULL; -+} -+# endif -+ -+int ossl_init_casecmp() { -+ return 1; -+} -+ -+void ossl_deinit_casecmp() { -+} -+ -+int OPENSSL_strcasecmp(const char *s1, const char *s2) -+{ -+ return strcasecmp(s1, s2); -+} -+ -+int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) -+{ -+ return strncasecmp(s1, s2, n); -+} -+#endif -diff --git 
a/crypto/dh/dh_group_params.c b/crypto/dh/dh_group_params.c -index c71f4053da6c..7608cbae5a28 100644 ---- a/crypto/dh/dh_group_params.c -+++ b/crypto/dh/dh_group_params.c -@@ -23,7 +23,6 @@ - #include - #include "internal/nelem.h" - #include "crypto/dh.h" --#include "e_os.h" /* strcasecmp */ - - static DH *dh_param_init(OSSL_LIB_CTX *libctx, const DH_NAMED_GROUP *group) - { -diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c -index 381da71f33a8..0d84a3332296 100644 ---- a/crypto/ec/ec_backend.c -+++ b/crypto/ec/ec_backend.c -@@ -54,7 +54,7 @@ int ossl_ec_encoding_name2id(const char *name) - return OPENSSL_EC_NAMED_CURVE; - - for (i = 0, sz = OSSL_NELEM(encoding_nameid_map); i < sz; i++) { -- if (strcasecmp(name, encoding_nameid_map[i].ptr) == 0) -+ if (OPENSSL_strcasecmp(name, encoding_nameid_map[i].ptr) == 0) - return encoding_nameid_map[i].id; - } - return -1; -@@ -91,7 +91,7 @@ static int ec_check_group_type_name2id(const char *name) - return 0; - - for (i = 0, sz = OSSL_NELEM(check_group_type_nameid_map); i < sz; i++) { -- if (strcasecmp(name, check_group_type_nameid_map[i].ptr) == 0) -+ if (OPENSSL_strcasecmp(name, check_group_type_nameid_map[i].ptr) == 0) - return check_group_type_nameid_map[i].id; - } - return -1; -@@ -136,7 +136,7 @@ int ossl_ec_pt_format_name2id(const char *name) - return (int)POINT_CONVERSION_UNCOMPRESSED; - - for (i = 0, sz = OSSL_NELEM(format_nameid_map); i < sz; i++) { -- if (strcasecmp(name, format_nameid_map[i].ptr) == 0) -+ if (OPENSSL_strcasecmp(name, format_nameid_map[i].ptr) == 0) - return format_nameid_map[i].id; - } - return -1; -diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c -index 2ee8284eaff3..ecd53fee008a 100644 ---- a/crypto/ec/ec_lib.c -+++ b/crypto/ec/ec_lib.c -@@ -22,7 +22,6 @@ - #include "crypto/ec.h" - #include "internal/nelem.h" - #include "ec_local.h" --#include "e_os.h" /* strcasecmp */ - - /* functions for EC_GROUP objects */ - -@@ -1581,9 +1580,10 @@ EC_GROUP *EC_GROUP_new_from_params(const 
OSSL_PARAM params[], - ERR_raise(ERR_LIB_EC, EC_R_INVALID_FIELD); - goto err; - } -- if (strcasecmp(ptmp->data, SN_X9_62_prime_field) == 0) { -+ if (OPENSSL_strcasecmp(ptmp->data, SN_X9_62_prime_field) == 0) { - is_prime_field = 1; -- } else if (strcasecmp(ptmp->data, SN_X9_62_characteristic_two_field) == 0) { -+ } else if (OPENSSL_strcasecmp(ptmp->data, -+ SN_X9_62_characteristic_two_field) == 0) { - is_prime_field = 0; - } else { - /* Invalid field */ -diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c -index 10a38b6f82a7..de6d3def3101 100644 ---- a/crypto/encode_decode/decoder_lib.c -+++ b/crypto/encode_decode/decoder_lib.c -@@ -789,7 +789,7 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) - */ - trace_data_structure = data_structure; - if (data_type != NULL && data_structure != NULL -- && strcasecmp(data_structure, "type-specific") == 0) -+ && OPENSSL_strcasecmp(data_structure, "type-specific") == 0) - data_structure = NULL; - - OSSL_TRACE_BEGIN(DECODER) { -@@ -850,7 +850,7 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) - * that's the case, we do this extra check. 
- */ - if (decoder == NULL && ctx->start_input_type != NULL -- && strcasecmp(ctx->start_input_type, new_input_type) != 0) { -+ && OPENSSL_strcasecmp(ctx->start_input_type, new_input_type) != 0) { - OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, - "(ctx %p) %s [%u] the start input type '%s' doesn't match the input type of the considered decoder, skipping...\n", -@@ -896,7 +896,8 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) - */ - if (data_structure != NULL - && (new_input_structure == NULL -- || strcasecmp(data_structure, new_input_structure) != 0)) { -+ || OPENSSL_strcasecmp(data_structure, -+ new_input_structure) != 0)) { - OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, - "(ctx %p) %s [%u] the previous decoder's data structure doesn't match the input structure of the considered decoder, skipping...\n", -@@ -915,7 +916,8 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) - && ctx->input_structure != NULL - && new_input_structure != NULL) { - data->flag_input_structure_checked = 1; -- if (strcasecmp(new_input_structure, ctx->input_structure) != 0) { -+ if (OPENSSL_strcasecmp(new_input_structure, -+ ctx->input_structure) != 0) { - OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, - "(ctx %p) %s [%u] the previous decoder's data structure doesn't match the input structure given by the user, skipping...\n", -diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c -index 475117a463af..833061d873ed 100644 ---- a/crypto/encode_decode/decoder_pkey.c -+++ b/crypto/encode_decode/decoder_pkey.c -@@ -18,7 +18,6 @@ - #include "crypto/evp.h" - #include "crypto/decoder.h" - #include "encoder_local.h" --#include "e_os.h" /* strcasecmp on Windows */ - - int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx, - const unsigned char *kstr, -diff --git a/crypto/encode_decode/encoder_lib.c b/crypto/encode_decode/encoder_lib.c -index cfd9275172f5..2a83af825c2d 100644 ---- a/crypto/encode_decode/encoder_lib.c 
-+++ b/crypto/encode_decode/encoder_lib.c -@@ -7,7 +7,6 @@ - * https://www.openssl.org/source/license.html - */ - --#include "e_os.h" /* strcasecmp on Windows */ - #include - #include - #include -@@ -453,8 +452,8 @@ static int encoder_process(struct encoder_process_data_st *data) - */ - if (top) { - if (data->ctx->output_type != NULL -- && strcasecmp(current_output_type, -- data->ctx->output_type) != 0) { -+ && OPENSSL_strcasecmp(current_output_type, -+ data->ctx->output_type) != 0) { - OSSL_TRACE_BEGIN(ENCODER) { - BIO_printf(trc_out, - "[%d] Skipping because current encoder output type (%s) != desired output type (%s)\n", -@@ -482,8 +481,8 @@ static int encoder_process(struct encoder_process_data_st *data) - */ - if (data->ctx->output_structure != NULL - && current_output_structure != NULL) { -- if (strcasecmp(data->ctx->output_structure, -- current_output_structure) != 0) { -+ if (OPENSSL_strcasecmp(data->ctx->output_structure, -+ current_output_structure) != 0) { - OSSL_TRACE_BEGIN(ENCODER) { - BIO_printf(trc_out, - "[%d] Skipping because current encoder output structure (%s) != ctx output structure (%s)\n", -diff --git a/crypto/encode_decode/encoder_pkey.c b/crypto/encode_decode/encoder_pkey.c -index c37edf966d7e..3a24317cf4d6 100644 ---- a/crypto/encode_decode/encoder_pkey.c -+++ b/crypto/encode_decode/encoder_pkey.c -@@ -7,7 +7,6 @@ - * https://www.openssl.org/source/license.html - */ - --#include "e_os.h" /* strcasecmp on Windows */ - #include - #include - #include -diff --git a/crypto/engine/tb_asnmth.c b/crypto/engine/tb_asnmth.c -index e3a5c82e9957..09d0ed9d3aae 100644 ---- a/crypto/engine/tb_asnmth.c -+++ b/crypto/engine/tb_asnmth.c -@@ -152,7 +152,7 @@ const EVP_PKEY_ASN1_METHOD *ENGINE_get_pkey_asn1_meth_str(ENGINE *e, - e->pkey_asn1_meths(e, &ameth, NULL, nids[i]); - if (ameth != NULL - && ((int)strlen(ameth->pem_str) == len) -- && strncasecmp(ameth->pem_str, str, len) == 0) -+ && OPENSSL_strncasecmp(ameth->pem_str, str, len) == 0) - return ameth; - 
} - return NULL; -@@ -177,7 +177,7 @@ static void look_str_cb(int nid, STACK_OF(ENGINE) *sk, ENGINE *def, void *arg) - e->pkey_asn1_meths(e, &ameth, NULL, nid); - if (ameth != NULL - && ((int)strlen(ameth->pem_str) == lk->len) -- && strncasecmp(ameth->pem_str, lk->str, lk->len) == 0) { -+ && OPENSSL_strncasecmp(ameth->pem_str, lk->str, lk->len) == 0) { - lk->e = e; - lk->ameth = ameth; - return; -diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c -index 961ca116b32f..0aa1c23beec7 100644 ---- a/crypto/evp/ctrl_params_translate.c -+++ b/crypto/evp/ctrl_params_translate.c -@@ -37,8 +37,6 @@ - #include "crypto/dh.h" - #include "crypto/ec.h" - --#include "e_os.h" /* strcasecmp() for Windows */ -- - struct translation_ctx_st; /* Forwarding */ - struct translation_st; /* Forwarding */ - -@@ -905,7 +903,7 @@ static int fix_kdf_type(enum state state, - - /* Convert KDF type strings to numbers */ - for (; kdf_type_map->kdf_type_str != NULL; kdf_type_map++) -- if (strcasecmp(ctx->p2, kdf_type_map->kdf_type_str) == 0) { -+ if (OPENSSL_strcasecmp(ctx->p2, kdf_type_map->kdf_type_str) == 0) { - ctx->p1 = kdf_type_map->kdf_type_num; - ret = 1; - break; -@@ -2469,10 +2467,11 @@ lookup_translation(struct translation_st *tmpl, - * cmd name in the template. 
- */ - if (item->ctrl_str != NULL -- && strcasecmp(tmpl->ctrl_str, item->ctrl_str) == 0) -+ && OPENSSL_strcasecmp(tmpl->ctrl_str, item->ctrl_str) == 0) - ctrl_str = tmpl->ctrl_str; - else if (item->ctrl_hexstr != NULL -- && strcasecmp(tmpl->ctrl_hexstr, item->ctrl_hexstr) == 0) -+ && OPENSSL_strcasecmp(tmpl->ctrl_hexstr, -+ item->ctrl_hexstr) == 0) - ctrl_hexstr = tmpl->ctrl_hexstr; - else - continue; -@@ -2500,7 +2499,8 @@ lookup_translation(struct translation_st *tmpl, - if ((item->action_type != NONE - && tmpl->action_type != item->action_type) - || (item->param_key != NULL -- && strcasecmp(tmpl->param_key, item->param_key) != 0)) -+ && OPENSSL_strcasecmp(tmpl->param_key, -+ item->param_key) != 0)) - continue; - } else { - return NULL; -diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c -index 8550be65e785..aa3c7fa4efc7 100644 ---- a/crypto/evp/ec_support.c -+++ b/crypto/evp/ec_support.c -@@ -10,7 +10,7 @@ - #include - #include - #include "crypto/ec.h" --#include "e_os.h" /* strcasecmp required by windows */ -+#include "internal/nelem.h" - - typedef struct ec_name2nid_st { - const char *name; -@@ -139,7 +139,7 @@ int ossl_ec_curve_name2nid(const char *name) - return nid; - - for (i = 0; i < OSSL_NELEM(curve_list); i++) { -- if (strcasecmp(curve_list[i].name, name) == 0) -+ if (OPENSSL_strcasecmp(curve_list[i].name, name) == 0) - return curve_list[i].nid; - } - } -diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c -index 24092cfd5be0..da3ef28b3d18 100644 ---- a/crypto/evp/evp_lib.c -+++ b/crypto/evp/evp_lib.c -@@ -15,7 +15,6 @@ - - #include - #include --#include "e_os.h" /* strcasecmp */ - #include "internal/cryptlib.h" - #include - #include -@@ -1170,17 +1169,17 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, - - va_start(args, type); - -- if (strcasecmp(type, "RSA") == 0) { -+ if (OPENSSL_strcasecmp(type, "RSA") == 0) { - bits = va_arg(args, size_t); - params[0] = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, 
&bits); -- } else if (strcasecmp(type, "EC") == 0) { -+ } else if (OPENSSL_strcasecmp(type, "EC") == 0) { - name = va_arg(args, char *); - params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, - name, 0); -- } else if (strcasecmp(type, "ED25519") != 0 -- && strcasecmp(type, "X25519") != 0 -- && strcasecmp(type, "ED448") != 0 -- && strcasecmp(type, "X448") != 0) { -+ } else if (OPENSSL_strcasecmp(type, "ED25519") != 0 -+ && OPENSSL_strcasecmp(type, "X25519") != 0 -+ && OPENSSL_strcasecmp(type, "ED448") != 0 -+ && OPENSSL_strcasecmp(type, "X448") != 0) { - ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); - goto end; - } -diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c -index 27138af56421..668607a72360 100644 ---- a/crypto/evp/p_lib.c -+++ b/crypto/evp/p_lib.c -@@ -50,8 +50,6 @@ - #include "internal/provider.h" - #include "evp_local.h" - --#include "e_os.h" /* strcasecmp on Windows */ -- - static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str, - int len, EVP_KEYMGMT *keymgmt); - static void evp_pkey_free_it(EVP_PKEY *key); -@@ -1018,7 +1016,7 @@ int evp_pkey_name2type(const char *name) - size_t i; - - for (i = 0; i < OSSL_NELEM(standard_name2type); i++) { -- if (strcasecmp(name, standard_name2type[i].ptr) == 0) -+ if (OPENSSL_strcasecmp(name, standard_name2type[i].ptr) == 0) - return (int)standard_name2type[i].id; - } - -diff --git a/crypto/ffc/ffc_dh.c b/crypto/ffc/ffc_dh.c -index e9f597c46c00..266cb30bc245 100644 ---- a/crypto/ffc/ffc_dh.c -+++ b/crypto/ffc/ffc_dh.c -@@ -10,7 +10,6 @@ - #include "internal/ffc.h" - #include "internal/nelem.h" - #include "crypto/bn_dh.h" --#include "e_os.h" /* strcasecmp */ - - #ifndef OPENSSL_NO_DH - -@@ -84,7 +83,7 @@ const DH_NAMED_GROUP *ossl_ffc_name_to_dh_named_group(const char *name) - size_t i; - - for (i = 0; i < OSSL_NELEM(dh_named_groups); ++i) { -- if (strcasecmp(dh_named_groups[i].name, name) == 0) -+ if (OPENSSL_strcasecmp(dh_named_groups[i].name, name) == 0) - return 
&dh_named_groups[i]; - } - return NULL; -diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c -index 6e025a06be6e..500189e49fc0 100644 ---- a/crypto/ffc/ffc_params.c -+++ b/crypto/ffc/ffc_params.c -@@ -12,7 +12,6 @@ - #include "internal/ffc.h" - #include "internal/param_build_set.h" - #include "internal/nelem.h" --#include "e_os.h" /* strcasecmp */ - - #ifndef FIPS_MODULE - # include /* ossl_ffc_params_print */ -diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c -index 33e7b82b9e8c..8133a04936c5 100644 ---- a/crypto/http/http_client.c -+++ b/crypto/http/http_client.c -@@ -322,7 +322,7 @@ static int add1_headers(OSSL_HTTP_REQ_CTX *rctx, - - for (i = 0; i < sk_CONF_VALUE_num(headers); i++) { - hdr = sk_CONF_VALUE_value(headers, i); -- if (add_host && strcasecmp("host", hdr->name) == 0) -+ if (add_host && OPENSSL_strcasecmp("host", hdr->name) == 0) - add_host = 0; - if (!OSSL_HTTP_REQ_CTX_add1_header(rctx, hdr->name, hdr->value)) - return 0; -@@ -666,13 +666,13 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) - } - if (value != NULL && line_end != NULL) { - if (rctx->state == OHS_REDIRECT -- && strcasecmp(key, "Location") == 0) { -+ && OPENSSL_strcasecmp(key, "Location") == 0) { - rctx->redirection_url = value; - return 0; - } - if (rctx->expected_ct != NULL -- && strcasecmp(key, "Content-Type") == 0) { -- if (strcasecmp(rctx->expected_ct, value) != 0) { -+ && OPENSSL_strcasecmp(key, "Content-Type") == 0) { -+ if (OPENSSL_strcasecmp(rctx->expected_ct, value) != 0) { - ERR_raise_data(ERR_LIB_HTTP, HTTP_R_UNEXPECTED_CONTENT_TYPE, - "expected=%s, actual=%s", - rctx->expected_ct, value); -@@ -682,12 +682,12 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) - } - - /* https://tools.ietf.org/html/rfc7230#section-6.3 Persistence */ -- if (strcasecmp(key, "Connection") == 0) { -- if (strcasecmp(value, "keep-alive") == 0) -+ if (OPENSSL_strcasecmp(key, "Connection") == 0) { -+ if (OPENSSL_strcasecmp(value, "keep-alive") == 0) - 
found_keep_alive = 1; -- else if (strcasecmp(value, "close") == 0) -+ else if (OPENSSL_strcasecmp(value, "close") == 0) - found_keep_alive = 0; -- } else if (strcasecmp(key, "Content-Length") == 0) { -+ } else if (OPENSSL_strcasecmp(key, "Content-Length") == 0) { - resp_len = (size_t)strtoul(value, &line_end, 10); - if (line_end == value || *line_end != '\0') { - ERR_raise_data(ERR_LIB_HTTP, -diff --git a/crypto/init.c b/crypto/init.c -index 6a27d1a8e440..1569c35a6b96 100644 ---- a/crypto/init.c -+++ b/crypto/init.c -@@ -32,6 +32,7 @@ - #include "crypto/store.h" - #include /* for OSSL_CMP_log_close() */ - #include -+#include "crypto/ctype.h" - - static int stopped = 0; - static uint64_t optsdone = 0; -@@ -447,6 +448,9 @@ void OPENSSL_cleanup(void) - OSSL_TRACE(INIT, "OPENSSL_cleanup: ossl_trace_cleanup()\n"); - ossl_trace_cleanup(); - -+ OSSL_TRACE(INIT, "OPENSSL_cleanup: ossl_deinit_casecmp()\n"); -+ ossl_deinit_casecmp(); -+ - base_inited = 0; - } - -@@ -460,6 +464,9 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) - uint64_t tmp; - int aloaddone = 0; - -+ if (!ossl_init_casecmp()) -+ return 0; -+ - /* Applications depend on 0 being returned when cleanup was already done */ - if (stopped) { - if (!(opts & OPENSSL_INIT_BASE_ONLY)) -diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c -index 92152eeb6674..7596d720e964 100644 ---- a/crypto/objects/o_names.c -+++ b/crypto/objects/o_names.c -@@ -21,23 +21,6 @@ - #include "obj_local.h" - #include "e_os.h" - --/* -- * We define this wrapper for two reasons. Firstly, later versions of -- * DEC C add linkage information to certain functions, which makes it -- * tricky to use them as values to regular function pointers. -- * Secondly, in the EDK2 build environment, the strcasecmp function is -- * actually an external function with the Microsoft ABI, so we can't -- * transparently assign function pointers to it. 
-- */ --#if defined(OPENSSL_SYS_VMS_DECC) || defined(OPENSSL_SYS_UEFI) --static int obj_strcasecmp(const char *a, const char *b) --{ -- return strcasecmp(a, b); --} --#else --#define obj_strcasecmp strcasecmp --#endif -- - /* - * I use the ex_data stuff to manage the identifiers for the obj_name_types - * that applications may define. I only really use the free function field. -@@ -111,7 +94,7 @@ int OBJ_NAME_new_index(unsigned long (*hash_func) (const char *), - goto out; - } - name_funcs->hash_func = ossl_lh_strcasehash; -- name_funcs->cmp_func = obj_strcasecmp; -+ name_funcs->cmp_func = OPENSSL_strcasecmp; - push = sk_NAME_FUNCS_push(name_funcs_stack, name_funcs); - - if (!push) { -@@ -145,7 +128,7 @@ static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME *b) - ret = sk_NAME_FUNCS_value(name_funcs_stack, - a->type)->cmp_func(a->name, b->name); - } else -- ret = strcasecmp(a->name, b->name); -+ ret = OPENSSL_strcasecmp(a->name, b->name); - } - return ret; - } -diff --git a/crypto/params_dup.c b/crypto/params_dup.c -index 6a58b52f65cb..d92176da46e5 100644 ---- a/crypto/params_dup.c -+++ b/crypto/params_dup.c -@@ -11,7 +11,6 @@ - #include - #include - #include "internal/param_build_set.h" --#include "e_os.h" /* strcasecmp */ - - #define OSSL_PARAM_ALLOCATED_END 127 - #define OSSL_PARAM_MERGE_LIST_MAX 128 -@@ -142,7 +141,7 @@ static int compare_params(const void *left, const void *right) - const OSSL_PARAM *l = *(const OSSL_PARAM **)left; - const OSSL_PARAM *r = *(const OSSL_PARAM **)right; - -- return strcasecmp(l->key, r->key); -+ return OPENSSL_strcasecmp(l->key, r->key); - } - - OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *p1, const OSSL_PARAM *p2) -@@ -205,7 +204,7 @@ OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *p1, const OSSL_PARAM *p2) - break; - } - /* consume the list element with the smaller key */ -- diff = strcasecmp((*p1cur)->key, (*p2cur)->key); -+ diff = OPENSSL_strcasecmp((*p1cur)->key, (*p2cur)->key); - if (diff == 0) { - /* If the keys are 
the same then throw away the list1 element */ - *dst++ = **p2cur; -diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c -index 8954ec724617..c5691395c424 100644 ---- a/crypto/property/property_parse.c -+++ b/crypto/property/property_parse.c -@@ -45,7 +45,7 @@ static int match(const char *t[], const char m[], size_t m_len) - { - const char *s = *t; - -- if (strncasecmp(s, m, m_len) == 0) { -+ if (OPENSSL_strncasecmp(s, m, m_len) == 0) { - *t = skip_space(s + m_len); - return 1; - } -diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c -index afe3521186ca..c453d3226133 100644 ---- a/crypto/rand/rand_lib.c -+++ b/crypto/rand/rand_lib.c -@@ -768,22 +768,22 @@ static int random_conf_init(CONF_IMODULE *md, const CONF *cnf) - - for (i = 0; i < sk_CONF_VALUE_num(elist); i++) { - cval = sk_CONF_VALUE_value(elist, i); -- if (strcasecmp(cval->name, "random") == 0) { -+ if (OPENSSL_strcasecmp(cval->name, "random") == 0) { - if (!random_set_string(&dgbl->rng_name, cval->value)) - return 0; -- } else if (strcasecmp(cval->name, "cipher") == 0) { -+ } else if (OPENSSL_strcasecmp(cval->name, "cipher") == 0) { - if (!random_set_string(&dgbl->rng_cipher, cval->value)) - return 0; -- } else if (strcasecmp(cval->name, "digest") == 0) { -+ } else if (OPENSSL_strcasecmp(cval->name, "digest") == 0) { - if (!random_set_string(&dgbl->rng_digest, cval->value)) - return 0; -- } else if (strcasecmp(cval->name, "properties") == 0) { -+ } else if (OPENSSL_strcasecmp(cval->name, "properties") == 0) { - if (!random_set_string(&dgbl->rng_propq, cval->value)) - return 0; -- } else if (strcasecmp(cval->name, "seed") == 0) { -+ } else if (OPENSSL_strcasecmp(cval->name, "seed") == 0) { - if (!random_set_string(&dgbl->seed_name, cval->value)) - return 0; -- } else if (strcasecmp(cval->name, "seed_properties") == 0) { -+ } else if (OPENSSL_strcasecmp(cval->name, "seed_properties") == 0) { - if (!random_set_string(&dgbl->seed_propq, cval->value)) - return 0; - } else { 
-diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c -index ad1623dd1444..254ebdb24287 100644 ---- a/crypto/rsa/rsa_backend.c -+++ b/crypto/rsa/rsa_backend.c -@@ -27,8 +27,6 @@ - #include "crypto/rsa.h" - #include "rsa_local.h" - --#include "e_os.h" /* strcasecmp for Windows() */ -- - /* - * The intention with the "backend" source file is to offer backend support - * for legacy backends (EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD) and provider -@@ -275,8 +273,8 @@ int ossl_rsa_pss_params_30_fromdata(RSA_PSS_PARAMS_30 *pss_params, - else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mgfname)) - return 0; - -- if (strcasecmp(param_mgf->data, -- ossl_rsa_mgf_nid2name(default_maskgenalg_nid)) != 0) -+ if (OPENSSL_strcasecmp(param_mgf->data, -+ ossl_rsa_mgf_nid2name(default_maskgenalg_nid)) != 0) - return 0; - } - -diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c -index 7dcb939066f2..42bf9d555a36 100644 ---- a/crypto/store/store_lib.c -+++ b/crypto/store/store_lib.c -@@ -93,7 +93,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, - OPENSSL_strlcpy(scheme_copy, uri, sizeof(scheme_copy)); - if ((p = strchr(scheme_copy, ':')) != NULL) { - *p++ = '\0'; -- if (strcasecmp(scheme_copy, "file") != 0) { -+ if (OPENSSL_strcasecmp(scheme_copy, "file") != 0) { - if (strncmp(p, "//", 2) == 0) - schemes_n--; /* Invalidate the file scheme */ - schemes[schemes_n++] = scheme_copy; -diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c -index 1306b270bbaf..6f83da4beb02 100644 ---- a/crypto/store/store_result.c -+++ b/crypto/store/store_result.c -@@ -457,7 +457,7 @@ static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v, - - /* If we have a data type, it should be a PEM name */ - if (data->data_type != NULL -- && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0)) -+ && (OPENSSL_strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0)) - ignore_trusted = 0; - - if (d2i_X509_AUX(&cert, 
(const unsigned char **)&data->octet_data, -diff --git a/crypto/trace.c b/crypto/trace.c -index 40941990e673..d790409a2d62 100644 ---- a/crypto/trace.c -+++ b/crypto/trace.c -@@ -19,8 +19,6 @@ - #include "internal/refcount.h" - #include "crypto/cryptlib.h" - --#include "e_os.h" /* strcasecmp for Windows */ -- - #ifndef OPENSSL_NO_TRACE - - static CRYPTO_RWLOCK *trace_lock = NULL; -@@ -158,7 +156,7 @@ int OSSL_trace_get_category_num(const char *name) - size_t i; - - for (i = 0; i < OSSL_NELEM(trace_categories); i++) -- if (strcasecmp(name, trace_categories[i].name) == 0) -+ if (OPENSSL_strcasecmp(name, trace_categories[i].name) == 0) - return trace_categories[i].num; - return -1; /* not found */ - } -diff --git a/crypto/x509/v3_tlsf.c b/crypto/x509/v3_tlsf.c -index 6a613d64e6aa..9927c083b115 100644 ---- a/crypto/x509/v3_tlsf.c -+++ b/crypto/x509/v3_tlsf.c -@@ -108,7 +108,7 @@ static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD *method, - extval = val->name; - - for (j = 0; j < OSSL_NELEM(tls_feature_tbl); j++) -- if (strcasecmp(extval, tls_feature_tbl[j].name) == 0) -+ if (OPENSSL_strcasecmp(extval, tls_feature_tbl[j].name) == 0) - break; - if (j < OSSL_NELEM(tls_feature_tbl)) - tlsextid = tls_feature_tbl[j].num; -diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c -index ff049c897bae..6e4ef26ed608 100644 ---- a/crypto/x509/v3_utl.c -+++ b/crypto/x509/v3_utl.c -@@ -715,7 +715,7 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len, - } - /* IDNA labels cannot match partial wildcards */ - if (!allow_idna && -- subject_len >= 4 && strncasecmp((char *)subject, "xn--", 4) == 0) -+ subject_len >= 4 && OPENSSL_strncasecmp((char *)subject, "xn--", 4) == 0) - return 0; - /* The wildcard may match a literal '*' */ - if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*') -@@ -775,7 +775,7 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len, - || ('A' <= p[i] && p[i] <= 'Z') - || ('0' <= p[i] && p[i] <= 
'9')) { - if ((state & LABEL_START) != 0 -- && len - i >= 4 && strncasecmp((char *)&p[i], "xn--", 4) == 0) -+ && len - i >= 4 && OPENSSL_strncasecmp((char *)&p[i], "xn--", 4) == 0) - state |= LABEL_IDNA; - state &= ~(LABEL_HYPHEN | LABEL_START); - } else if (p[i] == '.') { -diff --git a/doc/build.info b/doc/build.info -index c1d98a4ca669..7e86de588aed 100644 ---- a/doc/build.info -+++ b/doc/build.info -@@ -1531,6 +1531,10 @@ DEPEND[html/man3/OPENSSL_secure_malloc.html]=man3/OPENSSL_secure_malloc.pod - GENERATE[html/man3/OPENSSL_secure_malloc.html]=man3/OPENSSL_secure_malloc.pod - DEPEND[man/man3/OPENSSL_secure_malloc.3]=man3/OPENSSL_secure_malloc.pod - GENERATE[man/man3/OPENSSL_secure_malloc.3]=man3/OPENSSL_secure_malloc.pod -+DEPEND[html/man3/OPENSSL_strcasecmp.html]=man3/OPENSSL_strcasecmp.pod -+GENERATE[html/man3/OPENSSL_strcasecmp.html]=man3/OPENSSL_strcasecmp.pod -+DEPEND[man/man3/OPENSSL_strcasecmp.3]=man3/OPENSSL_strcasecmp.pod -+GENERATE[man/man3/OPENSSL_strcasecmp.3]=man3/OPENSSL_strcasecmp.pod - DEPEND[html/man3/OSSL_CMP_CTX_new.html]=man3/OSSL_CMP_CTX_new.pod - GENERATE[html/man3/OSSL_CMP_CTX_new.html]=man3/OSSL_CMP_CTX_new.pod - DEPEND[man/man3/OSSL_CMP_CTX_new.3]=man3/OSSL_CMP_CTX_new.pod -@@ -3110,6 +3114,7 @@ html/man3/OPENSSL_load_builtin_modules.html \ - html/man3/OPENSSL_malloc.html \ - html/man3/OPENSSL_s390xcap.html \ - html/man3/OPENSSL_secure_malloc.html \ -+html/man3/OPENSSL_strcasecmp.html \ - html/man3/OSSL_CMP_CTX_new.html \ - html/man3/OSSL_CMP_HDR_get0_transactionID.html \ - html/man3/OSSL_CMP_ITAV_set0.html \ -@@ -3704,6 +3709,7 @@ man/man3/OPENSSL_load_builtin_modules.3 \ - man/man3/OPENSSL_malloc.3 \ - man/man3/OPENSSL_s390xcap.3 \ - man/man3/OPENSSL_secure_malloc.3 \ -+man/man3/OPENSSL_strcasecmp.3 \ - man/man3/OSSL_CMP_CTX_new.3 \ - man/man3/OSSL_CMP_HDR_get0_transactionID.3 \ - man/man3/OSSL_CMP_ITAV_set0.3 \ -diff --git a/doc/man3/OPENSSL_strcasecmp.pod b/doc/man3/OPENSSL_strcasecmp.pod -new file mode 100644 -index 
000000000000..1bb8b18c5013
---- /dev/null
-+++ b/doc/man3/OPENSSL_strcasecmp.pod
-@@ -0,0 +1,47 @@
-+=pod
-+
-+=head1 NAME
-+
-+OPENSSL_strcasecmp, OPENSSL_strncasecmp - compare two strings ignoring case
-+
-+=head1 SYNOPSIS
-+
-+ #include
-+
-+ int OPENSSL_strcasecmp(const char *s1, const char *s2);
-+ int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n);
-+
-+=head1 DESCRIPTION
-+
-+The OPENSSL_strcasecmp function performs a byte-by-byte comparison of the strings
-+B and B, ignoring the case of the characters.
-+
-+The OPENSSL_strncasecmp function is similar, except that it compares no more than
-+B bytes of B and B.
-+
-+In POSIX-compatible system and on Windows these functions use "C" locale for
-+case insensitive. Otherwise the comparison is done in current locale.
-+
-+=head1 RETURN VALUES
-+
-+Both functions return an integer less than, equal to, or greater than zero if
-+s1 is found, respectively, to be less than, to match, or be greater than s2.
-+
-+=head1 NOTES
-+
-+OpenSSL extensively uses case insensitive comparison of ASCII strings. Though
-+OpenSSL itself is locale-agnostic, the applications using OpenSSL libraries may
-+unpredictably suffer when they use localization (e.g. Turkish locale is
-+well-known with a specific I/i cases). These functions use C locale for string
-+comparison.
-+
-+=head1 COPYRIGHT
-+
-+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-+
-+Licensed under the Apache License 2.0 (the "License"). You may not use
-+this file except in compliance with the License. You can obtain a copy
-+in the file LICENSE in the source distribution or at
-+L.
-+ -+=cut -diff --git a/e_os.h b/e_os.h -index e1608ae55d7d..5490a48fcd48 100644 ---- a/e_os.h -+++ b/e_os.h -@@ -249,8 +249,6 @@ FILE *__iob_func(); - /***********************************************/ - - # if defined(OPENSSL_SYS_WINDOWS) --# define strcasecmp _stricmp --# define strncasecmp _strnicmp - # if (_MSC_VER >= 1310) && !defined(_WIN32_WCE) - # define open _open - # define fdopen _fdopen -diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index fa01317db5eb..a9c10d375a58 100644 ---- a/engines/e_devcrypto.c -+++ b/engines/e_devcrypto.c -@@ -1159,9 +1159,9 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) - case DEVCRYPTO_CMD_CIPHERS: - if (p == NULL) - return 1; -- if (strcasecmp((const char *)p, "ALL") == 0) { -+ if (OPENSSL_strcasecmp((const char *)p, "ALL") == 0) { - devcrypto_select_all_ciphers(selected_ciphers); -- } else if (strcasecmp((const char*)p, "NONE") == 0) { -+ } else if (OPENSSL_strcasecmp((const char*)p, "NONE") == 0) { - memset(selected_ciphers, 0, sizeof(selected_ciphers)); - } else { - new_list=OPENSSL_zalloc(sizeof(selected_ciphers)); -@@ -1179,9 +1179,9 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) - case DEVCRYPTO_CMD_DIGESTS: - if (p == NULL) - return 1; -- if (strcasecmp((const char *)p, "ALL") == 0) { -+ if (OPENSSL_strcasecmp((const char *)p, "ALL") == 0) { - devcrypto_select_all_digests(selected_digests); -- } else if (strcasecmp((const char*)p, "NONE") == 0) { -+ } else if (OPENSSL_strcasecmp((const char*)p, "NONE") == 0) { - memset(selected_digests, 0, sizeof(selected_digests)); - } else { - new_list=OPENSSL_zalloc(sizeof(selected_digests)); -diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c -index 391ed33d5e3a..f6de29c0c33a 100644 ---- a/engines/e_loader_attic.c -+++ b/engines/e_loader_attic.c -@@ -14,7 +14,6 @@ - /* We need to use some engine deprecated APIs */ - #define OPENSSL_SUPPRESS_DEPRECATED - --/* #include "e_os.h" */ - 
#include - #include - #include -@@ -44,7 +43,6 @@ DEFINE_STACK_OF(OSSL_STORE_INFO) - - #ifdef _WIN32 - # define stat _stat --# define strncasecmp _strnicmp - #endif - - #ifndef S_ISDIR -@@ -971,12 +969,12 @@ static OSSL_STORE_LOADER_CTX *file_open_ex - * There's a special case if the URI also contains an authority, then - * the full URI shouldn't be used as a path anywhere. - */ -- if (strncasecmp(uri, "file:", 5) == 0) { -+ if (OPENSSL_strncasecmp(uri, "file:", 5) == 0) { - const char *p = &uri[5]; - - if (strncmp(&uri[5], "//", 2) == 0) { - path_data_n--; /* Invalidate using the full URI */ -- if (strncasecmp(&uri[7], "localhost/", 10) == 0) { -+ if (OPENSSL_strncasecmp(&uri[7], "localhost/", 10) == 0) { - p = &uri[16]; - } else if (uri[7] == '/') { - p = &uri[7]; -@@ -1466,7 +1464,8 @@ static int file_name_check(OSSL_STORE_LOADER_CTX *ctx, const char *name) - /* - * First, check the basename - */ -- if (strncasecmp(name, ctx->_.dir.search_name, len) != 0 || name[len] != '.') -+ if (OPENSSL_strncasecmp(name, ctx->_.dir.search_name, len) != 0 -+ || name[len] != '.') - return 0; - p = &name[len + 1]; - -diff --git a/engines/e_ossltest.c b/engines/e_ossltest.c -index 0506faa6285b..5d31b31c11f1 100644 ---- a/engines/e_ossltest.c -+++ b/engines/e_ossltest.c -@@ -42,10 +42,6 @@ - - #include "e_ossltest_err.c" - --#ifdef _WIN32 --# define strncasecmp _strnicmp --#endif -- - /* Engine Id and Name */ - static const char *engine_ossltest_id = "ossltest"; - static const char *engine_ossltest_name = "OpenSSL Test engine support"; -@@ -383,7 +379,7 @@ static EVP_PKEY *load_key(ENGINE *eng, const char *key_id, int pub, - BIO *in; - EVP_PKEY *key; - -- if (strncasecmp(key_id, "ot:", 3) != 0) -+ if (OPENSSL_strncasecmp(key_id, "ot:", 3) != 0) - return NULL; - key_id += 3; - -diff --git a/include/crypto/ctype.h b/include/crypto/ctype.h -index a35c137e8431..44fa9a8ae930 100644 ---- a/include/crypto/ctype.h -+++ b/include/crypto/ctype.h -@@ -80,4 +80,6 @@ int 
ossl_ascii_isdigit(const char inchar); - # define ossl_isbase64(c) (ossl_ctype_check((c), CTYPE_MASK_base64)) - # define ossl_isasn1print(c) (ossl_ctype_check((c), CTYPE_MASK_asn1print)) - -+int ossl_init_casecmp(void); -+void ossl_deinit_casecmp(void); - #endif -diff --git a/include/internal/core.h b/include/internal/core.h -index d9dc424164c9..b63af84787af 100644 ---- a/include/internal/core.h -+++ b/include/internal/core.h -@@ -63,4 +63,6 @@ __owur int ossl_lib_ctx_read_lock(OSSL_LIB_CTX *ctx); - int ossl_lib_ctx_unlock(OSSL_LIB_CTX *ctx); - int ossl_lib_ctx_is_child(OSSL_LIB_CTX *ctx); - -+void *ossl_c_locale(void); -+ - #endif -diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in -index c56885d2d6ff..7232f647e8a3 100644 ---- a/include/openssl/crypto.h.in -+++ b/include/openssl/crypto.h.in -@@ -133,6 +133,8 @@ int OPENSSL_hexstr2buf_ex(unsigned char *buf, size_t buf_n, size_t *buflen, - const char *str, const char sep); - unsigned char *OPENSSL_hexstr2buf(const char *str, long *buflen); - int OPENSSL_hexchar2int(unsigned char c); -+int OPENSSL_strcasecmp(const char *s1, const char *s2); -+int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n); - - # define OPENSSL_MALLOC_MAX_NELEMS(type) (((1U<<(sizeof(int)*8-1))-1)/sizeof(type)) - -diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c -index f6d95197f07c..e1e1961b2329 100644 ---- a/providers/common/capabilities.c -+++ b/providers/common/capabilities.c -@@ -217,7 +217,7 @@ static int tls_group_capability(OSSL_CALLBACK *cb, void *arg) - int ossl_prov_get_capabilities(void *provctx, const char *capability, - OSSL_CALLBACK *cb, void *arg) - { -- if (strcasecmp(capability, "TLS-GROUP") == 0) -+ if (OPENSSL_strcasecmp(capability, "TLS-GROUP") == 0) - return tls_group_capability(cb, arg); - - /* We don't support this capability */ -diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index f4605dcd6ce5..fc17a958ce26 100644 ---- 
a/providers/fips/fipsprov.c -+++ b/providers/fips/fipsprov.c -@@ -22,6 +22,7 @@ - #include "prov/provider_util.h" - #include "prov/seeding.h" - #include "self_test.h" -+#include "internal/core.h" - - static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; - static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no"; -@@ -35,6 +36,22 @@ static OSSL_FUNC_provider_gettable_params_fn fips_gettable_params; - static OSSL_FUNC_provider_get_params_fn fips_get_params; - static OSSL_FUNC_provider_query_operation_fn fips_query; - -+/* Locale object accessor functions */ -+#ifdef OPENSSL_SYS_MACOSX -+# include -+#else -+# include -+#endif -+ -+#if defined OPENSSL_SYS_WINDOWS -+# define locale_t _locale_t -+# define freelocale _free_locale -+#endif -+static locale_t loc; -+ -+static int fips_init_casecmp(void); -+static void fips_deinit_casecmp(void); -+ - #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK } - #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) - extern OSSL_FUNC_core_thread_start_fn *c_thread_start; -@@ -486,6 +503,23 @@ static const OSSL_ALGORITHM *fips_query(void *provctx, int operation_id, - return NULL; - } - -+void *ossl_c_locale() { -+ return (void *)loc; -+} -+ -+static int fips_init_casecmp(void) { -+# ifdef OPENSSL_SYS_WINDOWS -+ loc = _create_locale(LC_COLLATE, "C"); -+# else -+ loc = newlocale(LC_COLLATE_MASK, "C", (locale_t) 0); -+# endif -+ return (loc == (locale_t) 0) ? 0 : 1; -+} -+ -+static void fips_deinit_casecmp(void) { -+ freelocale(loc); -+} -+ - static void fips_teardown(void *provctx) - { - OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx)); -@@ -498,6 +532,7 @@ static void fips_intern_teardown(void *provctx) - * We know that the library context is the same as for the outer provider, - * so no need to destroy it here. 
- */ -+ fips_deinit_casecmp(); - ossl_prov_ctx_free(provctx); - } - -@@ -547,6 +582,8 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, - - memset(&selftest_params, 0, sizeof(selftest_params)); - -+ if (!fips_init_casecmp()) -+ return 0; - if (!ossl_prov_seeding_from_dispatch(in)) - return 0; - for (; in->function_id != 0; in++) { -diff --git a/providers/implementations/ciphers/cipher_cts.c b/providers/implementations/ciphers/cipher_cts.c -index cb3372c646aa..5c48f37c9527 100644 ---- a/providers/implementations/ciphers/cipher_cts.c -+++ b/providers/implementations/ciphers/cipher_cts.c -@@ -46,7 +46,6 @@ - * Otherwise it is the same as CS2. - */ - --#include "e_os.h" /* strcasecmp */ - #include - #include "prov/ciphercommon.h" - #include "internal/nelem.h" -@@ -92,7 +91,7 @@ int ossl_cipher_cbc_cts_mode_name2id(const char *name) - size_t i; - - for (i = 0; i < OSSL_NELEM(cts_modes); ++i) { -- if (strcasecmp(name, cts_modes[i].name) == 0) -+ if (OPENSSL_strcasecmp(name, cts_modes[i].name) == 0) - return (int)cts_modes[i].id; - } - return -1; -diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c -index 667d5e9619ff..89f304b41816 100644 ---- a/providers/implementations/kdfs/hkdf.c -+++ b/providers/implementations/kdfs/hkdf.c -@@ -199,11 +199,11 @@ static int hkdf_common_set_ctx_params(KDF_HKDF *ctx, const OSSL_PARAM params[]) - - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE)) != NULL) { - if (p->data_type == OSSL_PARAM_UTF8_STRING) { -- if (strcasecmp(p->data, "EXTRACT_AND_EXPAND") == 0) { -+ if (OPENSSL_strcasecmp(p->data, "EXTRACT_AND_EXPAND") == 0) { - ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND; -- } else if (strcasecmp(p->data, "EXTRACT_ONLY") == 0) { -+ } else if (OPENSSL_strcasecmp(p->data, "EXTRACT_ONLY") == 0) { - ctx->mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; -- } else if (strcasecmp(p->data, "EXPAND_ONLY") == 0) { -+ } else if (OPENSSL_strcasecmp(p->data, "EXPAND_ONLY") == 0) { - ctx->mode = 
EVP_KDF_HKDF_MODE_EXPAND_ONLY; - } else { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); -diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c -index 5f30b037d94e..6be7f45fc58a 100644 ---- a/providers/implementations/kdfs/kbkdf.c -+++ b/providers/implementations/kdfs/kbkdf.c -@@ -298,10 +298,11 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - } - - p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); -- if (p != NULL && strncasecmp("counter", p->data, p->data_size) == 0) { -+ if (p != NULL -+ && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { - ctx->mode = COUNTER; - } else if (p != NULL -- && strncasecmp("feedback", p->data, p->data_size) == 0) { -+ && OPENSSL_strncasecmp("feedback", p->data, p->data_size) == 0) { - ctx->mode = FEEDBACK; - } else if (p != NULL) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); -diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c -index 74a0f7e1f3e6..e0b5971a3b7a 100644 ---- a/providers/implementations/kdfs/tls1_prf.c -+++ b/providers/implementations/kdfs/tls1_prf.c -@@ -172,7 +172,7 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - return 1; - - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) { -- if (strcasecmp(p->data, SN_md5_sha1) == 0) { -+ if (OPENSSL_strcasecmp(p->data, SN_md5_sha1) == 0) { - if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params, - OSSL_MAC_NAME_HMAC, - NULL, SN_md5, libctx) -diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c -index 313ab133b33a..bfc3da690875 100644 ---- a/providers/implementations/kem/rsa_kem.c -+++ b/providers/implementations/kem/rsa_kem.c -@@ -12,8 +12,8 @@ - * internal use. 
- */ - #include "internal/deprecated.h" -+#include "internal/nelem.h" - --#include "e_os.h" /* strcasecmp */ - #include - #include - #include -@@ -69,7 +69,7 @@ static int name2id(const char *name, const OSSL_ITEM *map, size_t sz) - return -1; - - for (i = 0; i < sz; ++i) { -- if (strcasecmp(map[i].ptr, name) == 0) -+ if (OPENSSL_strcasecmp(map[i].ptr, name) == 0) - return map[i].id; - } - return -1; -diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c -index 885bd62eeaae..2ab69f5f32f5 100644 ---- a/providers/implementations/keymgmt/dsa_kmgmt.c -+++ b/providers/implementations/keymgmt/dsa_kmgmt.c -@@ -13,7 +13,6 @@ - */ - #include "internal/deprecated.h" - --#include "e_os.h" /* strcasecmp */ - #include - #include - #include -@@ -90,7 +89,7 @@ static int dsa_gen_type_name2id(const char *name) - size_t i; - - for (i = 0; i < OSSL_NELEM(dsatype2id); ++i) { -- if (strcasecmp(dsatype2id[i].name, name) == 0) -+ if (OPENSSL_strcasecmp(dsatype2id[i].name, name) == 0) - return dsatype2id[i].id; - } - return -1; -diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c -index f564a470ac04..68bb35e4cbe1 100644 ---- a/providers/implementations/keymgmt/ec_kmgmt.c -+++ b/providers/implementations/keymgmt/ec_kmgmt.c -@@ -13,7 +13,6 @@ - */ - #include "internal/deprecated.h" - --#include "e_os.h" /* strcasecmp */ - #include - #include - #include -diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c -index 99d685735e2f..2a7f867aa56b 100644 ---- a/providers/implementations/keymgmt/ecx_kmgmt.c -+++ b/providers/implementations/keymgmt/ecx_kmgmt.c -@@ -9,8 +9,6 @@ - - #include - #include --/* For strcasecmp on Windows */ --#include "e_os.h" - #include - #include - #include -@@ -546,7 +544,7 @@ static int ecx_gen_set_params(void *genctx, const OSSL_PARAM params[]) - } - if (p->data_type != OSSL_PARAM_UTF8_STRING - || groupname == 
NULL -- || strcasecmp(p->data, groupname) != 0) { -+ || OPENSSL_strcasecmp(p->data, groupname) != 0) { - ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); - return 0; - } -diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c -index ec34a3ee7131..ecfd2eaaa5c0 100644 ---- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c -+++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c -@@ -26,7 +26,6 @@ - #include "prov/providercommon.h" - #include "prov/provider_ctx.h" - #include "prov/macsignature.h" --#include "e_os.h" /* strcasecmp */ - - static OSSL_FUNC_keymgmt_new_fn mac_new; - static OSSL_FUNC_keymgmt_free_fn mac_free; -diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c -index dbe57b0d2898..c51eb4b4e581 100644 ---- a/providers/implementations/rands/drbg_ctr.c -+++ b/providers/implementations/rands/drbg_ctr.c -@@ -14,7 +14,6 @@ - #include - #include - #include --#include "e_os.h" /* strcasecmp */ - #include "crypto/modes.h" - #include "internal/thread_once.h" - #include "prov/implementations.h" -@@ -690,7 +689,7 @@ static int drbg_ctr_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - if (p->data_type != OSSL_PARAM_UTF8_STRING - || p->data_size < ctr_str_len) - return 0; -- if (strcasecmp("CTR", base + p->data_size - ctr_str_len) != 0) { -+ if (OPENSSL_strcasecmp("CTR", base + p->data_size - ctr_str_len) != 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_REQUIRE_CTR_MODE_CIPHER); - return 0; - } -diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index 325e855333e9..9460136bca0b 100644 ---- a/providers/implementations/signature/rsa_sig.c -+++ b/providers/implementations/signature/rsa_sig.c -@@ -13,7 +13,6 @@ - */ - #include "internal/deprecated.h" - --#include "e_os.h" /* strcasecmp */ - #include - #include - #include -@@ -854,7 +853,7 @@ static int rsa_digest_signverify_init(void 
*vprsactx, const char *mdname, - - if (mdname != NULL - /* was rsa_setup_md already called in rsa_signverify_init()? */ -- && (mdname[0] == '\0' || strcasecmp(prsactx->mdname, mdname) != 0) -+ && (mdname[0] == '\0' || OPENSSL_strcasecmp(prsactx->mdname, mdname) != 0) - && !rsa_setup_md(prsactx, mdname, prsactx->propq)) - return 0; - -diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c -index fef2b1d2900f..fceef73b7c09 100644 ---- a/providers/implementations/storemgmt/file_store.c -+++ b/providers/implementations/storemgmt/file_store.c -@@ -9,8 +9,6 @@ - - /* This file has quite some overlap with engines/e_loader_attic.c */ - --#include "e_os.h" /* To get strncasecmp() on Windows */ -- - #include - #include - #include /* isdigit */ -@@ -220,12 +218,12 @@ static void *file_open(void *provctx, const char *uri) - * There's a special case if the URI also contains an authority, then - * the full URI shouldn't be used as a path anywhere. 
- */ -- if (strncasecmp(uri, "file:", 5) == 0) { -+ if (OPENSSL_strncasecmp(uri, "file:", 5) == 0) { - const char *p = &uri[5]; - - if (strncmp(&uri[5], "//", 2) == 0) { - path_data_n--; /* Invalidate using the full URI */ -- if (strncasecmp(&uri[7], "localhost/", 10) == 0) { -+ if (OPENSSL_strncasecmp(&uri[7], "localhost/", 10) == 0) { - p = &uri[16]; - } else if (uri[7] == '/') { - p = &uri[7]; -@@ -592,7 +590,8 @@ static int file_name_check(struct file_ctx_st *ctx, const char *name) - /* - * First, check the basename - */ -- if (strncasecmp(name, ctx->_.dir.search_name, len) != 0 || name[len] != '.') -+ if (OPENSSL_strncasecmp(name, ctx->_.dir.search_name, len) != 0 -+ || name[len] != '.') - return 0; - p = &name[len + 1]; - -diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c -index deb0c9aaa650..ae97c38b1597 100644 ---- a/ssl/ssl_conf.c -+++ b/ssl/ssl_conf.c -@@ -148,7 +148,8 @@ static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl, - if (namelen == -1) { - if (strcmp(tbl->name, name)) - return 0; -- } else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen)) -+ } else if (tbl->namelen != namelen -+ || OPENSSL_strncasecmp(tbl->name, name, namelen)) - return 0; - ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff); - return 1; -@@ -232,8 +233,8 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) - - /* Ignore values supported by 1.0.2 for the automatic selection */ - if ((cctx->flags & SSL_CONF_FLAG_FILE) -- && (strcasecmp(value, "+automatic") == 0 -- || strcasecmp(value, "automatic") == 0)) -+ && (OPENSSL_strcasecmp(value, "+automatic") == 0 -+ || OPENSSL_strcasecmp(value, "automatic") == 0)) - return 1; - if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && - strcmp(value, "auto") == 0) -@@ -812,7 +813,7 @@ static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) - strncmp(*pcmd, cctx->prefix, cctx->prefixlen)) - return 0; - if (cctx->flags & SSL_CONF_FLAG_FILE && -- strncasecmp(*pcmd, 
cctx->prefix, cctx->prefixlen)) -+ OPENSSL_strncasecmp(*pcmd, cctx->prefix, cctx->prefixlen)) - return 0; - *pcmd += cctx->prefixlen; - } else if (cctx->flags & SSL_CONF_FLAG_CMDLINE) { -@@ -854,7 +855,7 @@ static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, - return t; - } - if (cctx->flags & SSL_CONF_FLAG_FILE) { -- if (t->str_file && strcasecmp(t->str_file, cmd) == 0) -+ if (t->str_file && OPENSSL_strcasecmp(t->str_file, cmd) == 0) - return t; - } - } -diff --git a/test/bntest.c b/test/bntest.c -index 4c1ee0c13b6d..c5894c157b3c 100644 ---- a/test/bntest.c -+++ b/test/bntest.c -@@ -10,9 +10,6 @@ - #include - #include - #include --#ifdef __TANDEM --# include /* strcasecmp */ --#endif - #include - - #include -@@ -23,10 +20,6 @@ - #include "internal/numbers.h" - #include "testutil.h" - --#ifdef OPENSSL_SYS_WINDOWS --# define strcasecmp _stricmp --#endif -- - /* - * Things in boring, not in openssl. - */ -@@ -64,7 +57,7 @@ static const char *findattr(STANZA *s, const char *key) - PAIR *pp = s->pairs; - - for ( ; --i >= 0; pp++) -- if (strcasecmp(pp->key, key) == 0) -+ if (OPENSSL_strcasecmp(pp->key, key) == 0) - return pp->value; - return NULL; - } -diff --git a/test/build.info b/test/build.info -index 0f379e11e222..14a84f00a258 100644 ---- a/test/build.info -+++ b/test/build.info -@@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}] - sanitytest rsa_complex exdatatest bntest \ - ecstresstest gmdifftest pbelutest \ - destest mdc2test sha_test \ -- exptest pbetest \ -+ exptest pbetest localetest \ - evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ - evp_fetch_prov_test evp_libctx_test ossl_store_test \ - v3nametest v3ext \ -@@ -135,6 +135,10 @@ IF[{- !$disabled{tests} -}] - INCLUDE[exptest]=../include ../apps/include - DEPEND[exptest]=../libcrypto libtestutil.a - -+ SOURCE[localetest]=localetest.c -+ INCLUDE[localetest]=../include ../apps/include -+ DEPEND[localetest]=../libcrypto libtestutil.a -+ - SOURCE[pbetest]=pbetest.c - 
INCLUDE[pbetest]=../include ../apps/include - DEPEND[pbetest]=../libcrypto libtestutil.a -diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c -index 826e558cc0cd..3b597617791a 100644 ---- a/test/evp_extra_test.c -+++ b/test/evp_extra_test.c -@@ -35,7 +35,6 @@ - #include "internal/nelem.h" - #include "internal/sizes.h" - #include "crypto/evp.h" --#include "../e_os.h" /* strcasecmp */ - - static OSSL_LIB_CTX *testctx = NULL; - static char *testpropq = NULL; -@@ -1739,7 +1738,7 @@ static int ec_export_get_encoding_cb(const OSSL_PARAM params[], void *arg) - return 0; - - for (i = 0; i < OSSL_NELEM(ec_encodings); i++) { -- if (strcasecmp(enc_name, ec_encodings[i].encoding_name) == 0) { -+ if (OPENSSL_strcasecmp(enc_name, ec_encodings[i].encoding_name) == 0) { - *enc = ec_encodings[i].encoding; - break; - } -diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c -index e2663dc02998..9b2f4a016893 100644 ---- a/test/evp_libctx_test.c -+++ b/test/evp_libctx_test.c -@@ -33,7 +33,6 @@ - #include "testutil.h" - #include "internal/nelem.h" - #include "crypto/bn_dh.h" /* _bignum_ffdhe2048_p */ --#include "../e_os.h" /* strcasecmp */ - - static OSSL_LIB_CTX *libctx = NULL; - static OSSL_PROVIDER *nullprov = NULL; -@@ -478,7 +477,7 @@ static int test_cipher_reinit_partialupdate(int test_id) - - static int name_cmp(const char * const *a, const char * const *b) - { -- return strcasecmp(*a, *b); -+ return OPENSSL_strcasecmp(*a, *b); - } - - static void collect_cipher_names(EVP_CIPHER *cipher, void *cipher_names_list) -diff --git a/test/evp_test.c b/test/evp_test.c -index 7a5b9345e0db..8a0758f857a5 100644 ---- a/test/evp_test.c -+++ b/test/evp_test.c -@@ -12,7 +12,6 @@ - #include - #include - #include --#include "../e_os.h" /* strcasecmp */ - #include - #include - #include -@@ -3886,9 +3885,9 @@ void cleanup_tests(void) - OSSL_LIB_CTX_free(libctx); - } - --#define STR_STARTS_WITH(str, pre) strncasecmp(pre, str, strlen(pre)) == 0 -+#define STR_STARTS_WITH(str, pre) 
OPENSSL_strncasecmp(pre, str, strlen(pre)) == 0 - #define STR_ENDS_WITH(str, pre) \ --strlen(str) < strlen(pre) ? 0 : (strcasecmp(pre, str + strlen(str) - strlen(pre)) == 0) -+strlen(str) < strlen(pre) ? 0 : (OPENSSL_strcasecmp(pre, str + strlen(str) - strlen(pre)) == 0) - - static int is_digest_disabled(const char *name) - { -@@ -3897,31 +3896,31 @@ static int is_digest_disabled(const char *name) - return 1; - #endif - #ifdef OPENSSL_NO_MD2 -- if (strcasecmp(name, "MD2") == 0) -+ if (OPENSSL_strcasecmp(name, "MD2") == 0) - return 1; - #endif - #ifdef OPENSSL_NO_MDC2 -- if (strcasecmp(name, "MDC2") == 0) -+ if (OPENSSL_strcasecmp(name, "MDC2") == 0) - return 1; - #endif - #ifdef OPENSSL_NO_MD4 -- if (strcasecmp(name, "MD4") == 0) -+ if (OPENSSL_strcasecmp(name, "MD4") == 0) - return 1; - #endif - #ifdef OPENSSL_NO_MD5 -- if (strcasecmp(name, "MD5") == 0) -+ if (OPENSSL_strcasecmp(name, "MD5") == 0) - return 1; - #endif - #ifdef OPENSSL_NO_RMD160 -- if (strcasecmp(name, "RIPEMD160") == 0) -+ if (OPENSSL_strcasecmp(name, "RIPEMD160") == 0) - return 1; - #endif - #ifdef OPENSSL_NO_SM3 -- if (strcasecmp(name, "SM3") == 0) -+ if (OPENSSL_strcasecmp(name, "SM3") == 0) - return 1; - #endif - #ifdef OPENSSL_NO_WHIRLPOOL -- if (strcasecmp(name, "WHIRLPOOL") == 0) -+ if (OPENSSL_strcasecmp(name, "WHIRLPOOL") == 0) - return 1; - #endif - return 0; -diff --git a/test/helpers/ssl_test_ctx.c b/test/helpers/ssl_test_ctx.c -index 1374b04cf02f..7236ffd4a6ac 100644 ---- a/test/helpers/ssl_test_ctx.c -+++ b/test/helpers/ssl_test_ctx.c -@@ -16,21 +16,17 @@ - #include "ssl_test_ctx.h" - #include "../testutil.h" - --#ifdef OPENSSL_SYS_WINDOWS --# define strcasecmp _stricmp --#endif -- - static const int default_app_data_size = 256; - /* Default set to be as small as possible to exercise fragmentation. 
*/ - static const int default_max_fragment_size = 512; - - static int parse_boolean(const char *value, int *result) - { -- if (strcasecmp(value, "Yes") == 0) { -+ if (OPENSSL_strcasecmp(value, "Yes") == 0) { - *result = 1; - return 1; - } -- else if (strcasecmp(value, "No") == 0) { -+ else if (OPENSSL_strcasecmp(value, "No") == 0) { - *result = 0; - return 1; - } -diff --git a/test/localetest.c b/test/localetest.c -new file mode 100644 -index 000000000000..3db66b7a9e5f ---- /dev/null -+++ b/test/localetest.c -@@ -0,0 +1,122 @@ -+ -+#include -+#include -+#include -+#include "testutil.h" -+#include "testutil/output.h" -+ -+#include -+#include -+#include -+#ifdef OPENSSL_SYS_WINDOWS -+# define strcasecmp _stricmp -+#else -+# include -+#endif -+ -+int setup_tests(void) -+{ -+ const unsigned char der_bytes[] = { -+ 0x30, 0x82, 0x03, 0x09, 0x30, 0x82, 0x01, 0xf1, 0xa0, 0x03, 0x02, 0x01, -+ 0x02, 0x02, 0x14, 0x08, 0xe0, 0x8c, 0xd3, 0xf3, 0xbf, 0x2c, 0xf2, 0x0d, -+ 0x0a, 0x75, 0xd1, 0xe8, 0xea, 0xbe, 0x70, 0x61, 0xd9, 0x67, 0xf9, 0x30, -+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, -+ 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, -+ 0x03, 0x0c, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, -+ 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x32, 0x30, 0x34, 0x31, 0x31, 0x31, 0x34, -+ 0x31, 0x39, 0x35, 0x37, 0x5a, 0x17, 0x0d, 0x32, 0x32, 0x30, 0x35, 0x31, -+ 0x31, 0x31, 0x34, 0x31, 0x39, 0x35, 0x37, 0x5a, 0x30, 0x14, 0x31, 0x12, -+ 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x6c, 0x6f, 0x63, -+ 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, -+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, -+ 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, -+ 0x01, 0x01, 0x00, 0xc3, 0x1f, 0x5c, 0x56, 0x46, 0x8d, 0x69, 0xb6, 0x48, -+ 0x3c, 0xbf, 0xe2, 0x0f, 0xa7, 0x4a, 0x44, 0x72, 0x74, 0x36, 0xfe, 0xe8, -+ 0x2f, 0x10, 0x4a, 0xe9, 0x46, 0x45, 0x72, 0x5e, 
0x48, 0xdd, 0x75, 0xab, -+ 0xd9, 0x63, 0x91, 0x37, 0x93, 0x46, 0x28, 0x7e, 0x45, 0x94, 0x4b, 0x8a, -+ 0xd5, 0x05, 0x2b, 0x9a, 0x01, 0x96, 0x30, 0xde, 0xcc, 0x14, 0x2d, 0x06, -+ 0x09, 0x1b, 0x7d, 0x50, 0x14, 0x99, 0x36, 0x6b, 0x97, 0x6e, 0xc9, 0xb1, -+ 0x69, 0x70, 0xcd, 0x9b, 0x74, 0x24, 0x9a, 0xe2, 0xd4, 0xc0, 0x1e, 0xbc, -+ 0xec, 0xf6, 0x7a, 0xbb, 0xa0, 0x53, 0x93, 0xf8, 0x68, 0x9a, 0x18, 0xa1, -+ 0xa1, 0x5c, 0x47, 0x93, 0xd1, 0x4c, 0x36, 0x8c, 0x00, 0xb3, 0x66, 0xda, -+ 0xf1, 0x05, 0xb2, 0x3a, 0xad, 0x7e, 0x4b, 0xf3, 0xd3, 0x93, 0xfa, 0x59, -+ 0x09, 0x9c, 0x60, 0x37, 0x69, 0x61, 0xe8, 0x5a, 0x33, 0xc6, 0xb2, 0x1a, -+ 0xba, 0x36, 0xe2, 0xb3, 0x58, 0xe9, 0x73, 0x01, 0x2d, 0x36, 0x48, 0x36, -+ 0x94, 0xe4, 0xb2, 0xa4, 0x5b, 0xdf, 0x3d, 0x5f, 0x62, 0x9f, 0xd9, 0xf3, -+ 0x24, 0x0c, 0xf0, 0x2f, 0x71, 0x44, 0x79, 0x13, 0x70, 0x95, 0xa7, 0xbe, -+ 0xea, 0x0a, 0x08, 0x0a, 0xa6, 0x4b, 0xe9, 0x58, 0x6b, 0xa4, 0xc2, 0xed, -+ 0x74, 0x1e, 0xb0, 0x3b, 0x59, 0xd5, 0xe6, 0xdb, 0x8f, 0x58, 0x6a, 0xa3, -+ 0x7d, 0x52, 0x40, 0xec, 0x72, 0xb7, 0xba, 0x7e, 0x30, 0x9d, 0x12, 0x57, -+ 0xf2, 0x48, 0xae, 0x80, 0x0d, 0x0a, 0xf4, 0xfd, 0x24, 0xed, 0xd8, 0x05, -+ 0xb2, 0x96, 0x44, 0x02, 0x3e, 0x6e, 0x25, 0xb0, 0xc4, 0x93, 0xda, 0xfe, -+ 0x78, 0xd9, 0xbb, 0xd2, 0x71, 0x69, 0x70, 0x7f, 0xba, 0xf7, 0xb0, 0x4f, -+ 0x14, 0xf7, 0x98, 0x71, 0x01, 0x6c, 0xec, 0x6f, 0x76, 0x03, 0x59, 0xff, -+ 0xe2, 0xba, 0x8d, 0xd9, 0x21, 0x08, 0xb3, 0x02, 0x03, 0x01, 0x00, 0x01, -+ 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, -+ 0x16, 0x04, 0x14, 0x59, 0xb8, 0x6e, 0x1a, 0x72, 0xe9, 0x27, 0x1e, 0xbf, -+ 0x80, 0x87, 0x0f, 0xa9, 0xd0, 0x06, 0x6a, 0x11, 0x30, 0x77, 0x8e, 0x30, -+ 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, -+ 0x59, 0xb8, 0x6e, 0x1a, 0x72, 0xe9, 0x27, 0x1e, 0xbf, 0x80, 0x87, 0x0f, -+ 0xa9, 0xd0, 0x06, 0x6a, 0x11, 0x30, 0x77, 0x8e, 0x30, 0x0f, 0x06, 0x03, -+ 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, -+ 0xff, 0x30, 0x0d, 
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, -+ 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x98, 0x76, 0x9e, -+ 0x3c, 0xfc, 0x3f, 0x58, 0xe8, 0xf2, 0x1f, 0x2e, 0x11, 0xa2, 0x59, 0xfa, -+ 0x27, 0xb5, 0xec, 0x9d, 0x97, 0x05, 0x06, 0x2c, 0x95, 0xa5, 0x28, 0x88, -+ 0x86, 0xeb, 0x4e, 0x8a, 0x62, 0xe9, 0x87, 0x78, 0xd8, 0x18, 0x22, 0x4e, -+ 0xb1, 0x8d, 0x46, 0x4a, 0x4c, 0x6e, 0x7c, 0x53, 0x62, 0x2c, 0xf2, 0x7a, -+ 0x95, 0xa0, 0x1a, 0x30, 0x18, 0x6a, 0x31, 0x6f, 0x3f, 0x55, 0x25, 0x9f, -+ 0x67, 0x60, 0x68, 0x99, 0x0f, 0x41, 0x09, 0xc8, 0xe2, 0x04, 0x33, 0x22, -+ 0x1a, 0xe9, 0xf3, 0xae, 0xce, 0xb6, 0x83, 0x64, 0x78, 0x66, 0x14, 0xc9, -+ 0x54, 0xc8, 0x34, 0x70, 0x96, 0xaf, 0x16, 0xcd, 0xb8, 0xdf, 0x81, 0x7e, -+ 0xf0, 0xa6, 0x7d, 0xc1, 0x13, 0xb2, 0x76, 0x3a, 0xd5, 0x7e, 0x68, 0x8c, -+ 0xd5, 0x00, 0x70, 0x82, 0x23, 0x7e, 0x5e, 0xc9, 0x31, 0x2f, 0x33, 0x54, -+ 0xaa, 0xaf, 0xcd, 0xe9, 0x38, 0x9a, 0x23, 0x53, 0xad, 0x4e, 0x72, 0xa7, -+ 0x6f, 0x47, 0x60, 0xc9, 0xd3, 0x06, 0x9b, 0x7a, 0x21, 0xc6, 0xe9, 0xdb, -+ 0x3c, 0xaa, 0xc0, 0x21, 0x29, 0x5f, 0x44, 0x6a, 0x45, 0x90, 0x73, 0x5e, -+ 0x6d, 0x78, 0x82, 0xcb, 0x42, 0xe6, 0xba, 0x67, 0xb2, 0xe6, 0xa2, 0x15, -+ 0x04, 0xea, 0x69, 0xae, 0x3e, 0xc0, 0x0c, 0x10, 0x99, 0xec, 0xa9, 0xb0, -+ 0x7e, 0xe8, 0x94, 0xe2, 0xf3, 0xaf, 0xf7, 0x9f, 0x65, 0xe7, 0xd7, 0xe2, -+ 0x49, 0xfa, 0x52, 0x7d, 0xb5, 0xfd, 0xa0, 0xa5, 0xe0, 0x49, 0xa7, 0x3d, -+ 0x94, 0x20, 0x2d, 0xec, 0x8c, 0x22, 0xa5, 0xa4, 0x43, 0xfa, 0x7e, 0xd0, -+ 0x50, 0x21, 0xb8, 0x67, 0x18, 0x44, 0x69, 0x8f, 0xdd, 0x47, 0x41, 0xc6, -+ 0x35, 0xe0, 0xe9, 0x2e, 0x41, 0xa9, 0x6f, 0x41, 0xee, 0xb9, 0xbd, 0x45, -+ 0xf3, 0x88, 0xc1, 0x23, 0x35, 0x96, 0xba, 0xf8, 0xcd, 0x4b, 0x83, 0x73, -+ 0x5f -+}; -+ -+ char str1[] = "SubjectPublicKeyInfo", str2[] = "subjectpublickeyinfo"; -+ int res; -+ X509 *cert = NULL; -+ X509_PUBKEY *cert_pubkey = NULL; -+ const unsigned char *p = der_bytes; -+ -+ TEST_ptr(setlocale(LC_ALL, "")); -+ -+ res = strcasecmp(str1, str2); -+ 
TEST_note("Case-insensitive comparison via strcasecmp in current locale %s\n", res ? "failed" : "succeeded"); -+ -+ TEST_false(OPENSSL_strcasecmp(str1, str2)); -+ -+ cert = d2i_X509(NULL, &p, sizeof(der_bytes)); -+ if (!TEST_ptr(cert)) -+ return 0; -+ -+ cert_pubkey = X509_get_X509_PUBKEY(cert); -+ if (!TEST_ptr(cert_pubkey)) { -+ X509_free(cert); -+ return 0; -+ } -+ -+ if (!TEST_ptr(X509_PUBKEY_get0(cert_pubkey))) { -+ X509_free(cert); -+ return 0; -+ } -+ -+ X509_free(cert); -+ return 1; -+} -+ -+void cleanup_tests(void) -+{ -+} -diff --git a/test/params_conversion_test.c b/test/params_conversion_test.c -index 9422ef14734a..710c2a9a2e9f 100644 ---- a/test/params_conversion_test.c -+++ b/test/params_conversion_test.c -@@ -15,10 +15,6 @@ - /* On machines that dont support just disable the tests */ - #if !defined(OPENSSL_NO_INTTYPES_H) - --# ifdef OPENSSL_SYS_WINDOWS --# define strcasecmp _stricmp --# endif -- - # ifdef OPENSSL_SYS_VMS - # define strtoumax strtoull - # define strtoimax strtoll -@@ -62,7 +58,7 @@ static int param_conversion_load_stanza(PARAM_CONVERSION *pc, const STANZA *s) - - for (i = 0; i < s->numpairs; i++, pp++) { - p = ""; -- if (strcasecmp(pp->key, "type") == 0) { -+ if (OPENSSL_strcasecmp(pp->key, "type") == 0) { - if (type != NULL) { - TEST_info("Line %d: multiple type lines", s->curr); - return 0; -@@ -72,48 +68,48 @@ static int param_conversion_load_stanza(PARAM_CONVERSION *pc, const STANZA *s) - TEST_info("Line %d: unknown type line", s->curr); - return 0; - } -- } else if (strcasecmp(pp->key, "int32") == 0) { -+ } else if (OPENSSL_strcasecmp(pp->key, "int32") == 0) { - if (def_i32++) { - TEST_info("Line %d: multiple int32 lines", s->curr); - return 0; - } -- if (strcasecmp(pp->value, "invalid") != 0) { -+ if (OPENSSL_strcasecmp(pp->value, "invalid") != 0) { - pc->valid_i32 = 1; - pc->i32 = (int32_t)strtoimax(pp->value, &p, 10); - } -- } else if (strcasecmp(pp->key, "int64") == 0) { -+ } else if (OPENSSL_strcasecmp(pp->key, "int64") == 
0) { - if (def_i64++) { - TEST_info("Line %d: multiple int64 lines", s->curr); - return 0; - } -- if (strcasecmp(pp->value, "invalid") != 0) { -+ if (OPENSSL_strcasecmp(pp->value, "invalid") != 0) { - pc->valid_i64 = 1; - pc->i64 = (int64_t)strtoimax(pp->value, &p, 10); - } -- } else if (strcasecmp(pp->key, "uint32") == 0) { -+ } else if (OPENSSL_strcasecmp(pp->key, "uint32") == 0) { - if (def_u32++) { - TEST_info("Line %d: multiple uint32 lines", s->curr); - return 0; - } -- if (strcasecmp(pp->value, "invalid") != 0) { -+ if (OPENSSL_strcasecmp(pp->value, "invalid") != 0) { - pc->valid_u32 = 1; - pc->u32 = (uint32_t)strtoumax(pp->value, &p, 10); - } -- } else if (strcasecmp(pp->key, "uint64") == 0) { -+ } else if (OPENSSL_strcasecmp(pp->key, "uint64") == 0) { - if (def_u64++) { - TEST_info("Line %d: multiple uint64 lines", s->curr); - return 0; - } -- if (strcasecmp(pp->value, "invalid") != 0) { -+ if (OPENSSL_strcasecmp(pp->value, "invalid") != 0) { - pc->valid_u64 = 1; - pc->u64 = (uint64_t)strtoumax(pp->value, &p, 10); - } -- } else if (strcasecmp(pp->key, "double") == 0) { -+ } else if (OPENSSL_strcasecmp(pp->key, "double") == 0) { - if (def_d++) { - TEST_info("Line %d: multiple double lines", s->curr); - return 0; - } -- if (strcasecmp(pp->value, "invalid") != 0) { -+ if (OPENSSL_strcasecmp(pp->value, "invalid") != 0) { - pc->valid_d = 1; - pc->d = strtod(pp->value, &p); - } -@@ -133,7 +129,7 @@ static int param_conversion_load_stanza(PARAM_CONVERSION *pc, const STANZA *s) - return 0; - } - -- if (strcasecmp(type, "int32") == 0) { -+ if (OPENSSL_strcasecmp(type, "int32") == 0) { - if (!TEST_true(def_i32) || !TEST_true(pc->valid_i32)) { - TEST_note("errant int32 on line %d", s->curr); - return 0; -@@ -142,7 +138,7 @@ static int param_conversion_load_stanza(PARAM_CONVERSION *pc, const STANZA *s) - pc->datum = &datum_i32; - pc->ref = &ref_i32; - pc->size = sizeof(ref_i32); -- } else if (strcasecmp(type, "int64") == 0) { -+ } else if (OPENSSL_strcasecmp(type, 
"int64") == 0) { - if (!TEST_true(def_i64) || !TEST_true(pc->valid_i64)) { - TEST_note("errant int64 on line %d", s->curr); - return 0; -@@ -151,7 +147,7 @@ static int param_conversion_load_stanza(PARAM_CONVERSION *pc, const STANZA *s) - pc->datum = &datum_i64; - pc->ref = &ref_i64; - pc->size = sizeof(ref_i64); -- } else if (strcasecmp(type, "uint32") == 0) { -+ } else if (OPENSSL_strcasecmp(type, "uint32") == 0) { - if (!TEST_true(def_u32) || !TEST_true(pc->valid_u32)) { - TEST_note("errant uint32 on line %d", s->curr); - return 0; -@@ -160,7 +156,7 @@ static int param_conversion_load_stanza(PARAM_CONVERSION *pc, const STANZA *s) - pc->datum = &datum_u32; - pc->ref = &ref_u32; - pc->size = sizeof(ref_u32); -- } else if (strcasecmp(type, "uint64") == 0) { -+ } else if (OPENSSL_strcasecmp(type, "uint64") == 0) { - if (!TEST_true(def_u64) || !TEST_true(pc->valid_u64)) { - TEST_note("errant uint64 on line %d", s->curr); - return 0; -@@ -169,7 +165,7 @@ static int param_conversion_load_stanza(PARAM_CONVERSION *pc, const STANZA *s) - pc->datum = &datum_u64; - pc->ref = &ref_u64; - pc->size = sizeof(ref_u64); -- } else if (strcasecmp(type, "double") == 0) { -+ } else if (OPENSSL_strcasecmp(type, "double") == 0) { - if (!TEST_true(def_d) || !TEST_true(pc->valid_d)) { - TEST_note("errant double on line %d", s->curr); - return 0; -diff --git a/test/recipes/02-test_localetest.t b/test/recipes/02-test_localetest.t -new file mode 100644 -index 000000000000..1bccd57d4c63 ---- /dev/null -+++ b/test/recipes/02-test_localetest.t -@@ -0,0 +1,24 @@ -+#! /usr/bin/env perl -+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. 
You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use OpenSSL::Test; -+use OpenSSL::Test::Utils; -+ -+setup("locale tests"); -+ -+plan skip_all => "Locale tests not available on Windows or VMS" -+ if $^O =~ /^(VMS|MSWin32)$/; -+ -+plan tests => 2; -+ -+$ENV{LANG} = "C"; -+ok(run(test(["localetest"])), "running localetest"); -+ -+$ENV{LANG} = "tr_TR.UTF-8"; -+ok(run(test(["localetest"])), "running localetest with Turkish locale"); -diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c -index b07b98062494..5fb54a3a2eb1 100644 ---- a/test/ssl_old_test.c -+++ b/test/ssl_old_test.c -@@ -216,7 +216,7 @@ static int servername_cb(SSL *s, int *ad, void *arg) - - if (servername) { - if (s_ctx2 != NULL && sn_server2 != NULL && -- !strcasecmp(servername, sn_server2)) { -+ !OPENSSL_strcasecmp(servername, sn_server2)) { - BIO_printf(bio_stdout, "Switching server context.\n"); - SSL_set_SSL_CTX(s, s_ctx2); - } -diff --git a/test/v3nametest.c b/test/v3nametest.c -index 06d713b2feb1..ce1f4949fef2 100644 ---- a/test/v3nametest.c -+++ b/test/v3nametest.c -@@ -15,10 +15,6 @@ - #include "internal/nelem.h" - #include "testutil.h" - --#ifdef OPENSSL_SYS_WINDOWS --# define strcasecmp _stricmp --#endif -- - static const char *const names[] = { - "a", "b", ".", "*", "@", - ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..", -@@ -287,7 +283,7 @@ static int run_cert(X509 *crt, const char *nameincert, - int failed = 0; - - for (; *pname != NULL; ++pname) { -- int samename = strcasecmp(nameincert, *pname) == 0; -+ int samename = OPENSSL_strcasecmp(nameincert, *pname) == 0; - size_t namelen = strlen(*pname); - char *name = OPENSSL_malloc(namelen + 1); - int match, ret; -diff --git a/util/libcrypto.num b/util/libcrypto.num -index 10b4e57d7969..1b9b23878e83 100644 ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5425,3 +5425,5 @@ ASN1_item_d2i_ex 5552 3_0_0 EXIST::FUNCTION: +diff -up 
openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num +--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200 ++++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200 +@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex + EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: + OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: ++OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION: ++OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION: ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: -+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION: -+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION: +diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c +--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100 ++++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100 +@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char + #endif + } + +-int OPENSSL_strcasecmp(const char *s1, const char *s2) ++int ++#ifndef FIPS_MODULE ++__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"), ++ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1"))) ++#endif ++OPENSSL_strcasecmp(const char *s1, const char *s2) + { + int t; + +@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c + return t; + } + +-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) ++int ++#ifndef FIPS_MODULE ++__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"), ++ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1"))) ++#endif ++OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) + { + int t; + size_t i; +diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t +--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100 ++++ 
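Review bot: The `symver` attributes added to `OPENSSL_strcasecmp`, and the same construct on `OPENSSL_strncasecmp` in the next hunk of crypto/o_str.c, carry no comment saying why one definition is exported under two version nodes. The libcrypto.num hunk before it lists both names at `3_0_3` and again at `3_0_1`, so this looks like a compatibility alias for binaries linked against the earlier downstream backport. That should be stated next to the attribute, e.g. `/* downstream: @OPENSSL_3.0.1 is kept as a non-default alias for binaries built against the earlier backport */`. The attribute is guarded only by `#ifndef FIPS_MODULE`, and `symver` needs GCC 10 or later on an ELF target, so the comment should record that build assumption for whoever next rebases the patch. Both function bodies continue outside the hunks.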
openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
+@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
+ s| .*||;
+ # Drop OpenSSL dynamic version information if there is any
+ s|\@\@.+$||;
++ s|\@.+$||;
+ # Return the result
+ $_
+ }
diff --git a/SOURCES/0057-strcasecmp-fix.patch b/SOURCES/0057-strcasecmp-fix.patch
deleted file mode 100644
index f5c59b5..0000000
--- a/SOURCES/0057-strcasecmp-fix.patch
+++ /dev/null
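Review bot: The added `s|\@.+$||;` in test/recipes/01-test_symbol_presence.t matches everything the preceding `s|\@\@.+$||;` matches, so the earlier substitution is now redundant. The comment above it still describes only "dynamic version information" and does not say that non-default single-`@` tags are stripped as well. I would keep one substitution and extend the comment, e.g. `# Drop ELF symbol version tags, default (@@) and non-default (@); the latter come from the downstream symver aliases` followed by `s|\@.+$||;`. A symbol exported under two versions now collapses to the same name twice; whether duplicates matter depends on how the list is compared, which is outside this hunk.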
@@ -1,104 +0,0 @@ -From 68f23e3725d9639f5b27d868fee291cabb516677 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Fri, 22 Apr 2022 18:16:56 +0200 -Subject: [PATCH 1/2] Ensure we initialized the locale before - evp_pkey_name2type - -Fixes #18158 ---- - crypto/evp/pmeth_lib.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 2b9c6c2351da..92d25de44532 100644 ---- a/crypto/evp/pmeth_lib.c -+++ b/crypto/evp/pmeth_lib.c -@@ -27,6 +27,7 @@ - #ifndef FIPS_MODULE - # include "crypto/asn1.h" - #endif -+#include "crypto/ctype.h" - #include "crypto/evp.h" - #include "crypto/dh.h" - #include "crypto/ec.h" -@@ -199,6 +200,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, - } - #ifndef FIPS_MODULE - if (keytype != NULL) { -+ ossl_init_casecmp(); - id = evp_pkey_name2type(keytype); - if (id == NID_undef) - id = -1; - -From 51c7b2d9c30b72aeb7e8eb69799dc039d5b23e58 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Fri, 22 Apr 2022 19:26:08 +0200 -Subject: [PATCH 2/2] Testing the EVP_PKEY_CTX_new_from_name without - preliminary init - ---- - test/build.info | 6 +++++- - test/evp_pkey_ctx_new_from_name.c | 14 ++++++++++++++ - test/recipes/02-test_localetest.t | 4 +++- - 3 files changed, 22 insertions(+), 2 deletions(-) - create mode 100644 test/evp_pkey_ctx_new_from_name.c - -diff --git a/test/build.info b/test/build.info -index 14a84f00a258..ee059973d31a 100644 ---- a/test/build.info -+++ b/test/build.info -@@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}] - sanitytest rsa_complex exdatatest bntest \ - ecstresstest gmdifftest pbelutest \ - destest mdc2test sha_test \ -- exptest pbetest localetest \ -+ exptest pbetest localetest evp_pkey_ctx_new_from_name\ - evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ - evp_fetch_prov_test evp_libctx_test ossl_store_test \ - v3nametest v3ext \ -@@ -139,6 +139,10 @@ IF[{- !$disabled{tests} -}] - INCLUDE[localetest]=../include ../apps/include - 
DEPEND[localetest]=../libcrypto libtestutil.a - -+ SOURCE[evp_pkey_ctx_new_from_name]=evp_pkey_ctx_new_from_name.c -+ INCLUDE[evp_pkey_ctx_new_from_name]=../include ../apps/include -+ DEPEND[evp_pkey_ctx_new_from_name]=../libcrypto -+ - SOURCE[pbetest]=pbetest.c - INCLUDE[pbetest]=../include ../apps/include - DEPEND[pbetest]=../libcrypto libtestutil.a -diff --git a/test/evp_pkey_ctx_new_from_name.c b/test/evp_pkey_ctx_new_from_name.c -new file mode 100644 -index 000000000000..24063ea05ea5 ---- /dev/null -+++ b/test/evp_pkey_ctx_new_from_name.c -@@ -0,0 +1,14 @@ -+#include -+#include -+#include -+#include -+ -+int main(int argc, char *argv[]) -+{ -+ EVP_PKEY_CTX *pctx = NULL; -+ -+ pctx = EVP_PKEY_CTX_new_from_name(NULL, "NO_SUCH_ALGORITHM", NULL); -+ EVP_PKEY_CTX_free(pctx); -+ -+ return 0; -+} -diff --git a/test/recipes/02-test_localetest.t b/test/recipes/02-test_localetest.t -index 1bccd57d4c63..77fba7d819ab 100644 ---- a/test/recipes/02-test_localetest.t -+++ b/test/recipes/02-test_localetest.t -@@ -15,7 +15,9 @@ setup("locale tests"); - plan skip_all => "Locale tests not available on Windows or VMS" - if $^O =~ /^(VMS|MSWin32)$/; - --plan tests => 2; -+plan tests => 3; -+ -+ok(run(test(["evp_pkey_ctx_new_from_name"])), "running evp_pkey_ctx_new_from_name without explicit context init"); - - $ENV{LANG} = "C"; - ok(run(test(["localetest"])), "running localetest"); diff --git a/SOURCES/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch b/SOURCES/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch index a4ea757..9991c5c 100644 --- a/SOURCES/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch +++ b/SOURCES/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch 
@@ -567,554 +567,4 @@ index 8c52b637fc..ff75c5b6ec 100644 + } SKIP: { - skip "No IPv4 available on this machine", 1 -diff --git a/test/smime-certs/smdh.pem b/test/smime-certs/smdh.pem -index 7d66a6b421..894461f6da 100644 ---- a/test/smime-certs/smdh.pem -+++ b/test/smime-certs/smdh.pem -@@ -14,10 +14,10 @@ ta+9S7L4zNsvbg8RtJyH8i4CHQCY12PTXj6Ipxbqq4d1Q+AoUqnN/H9lAS46teXv - BB8CHQCGE6pxpX5lWcH6+TGLDoLo3T5L2/5KTd0tRNdj - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIFljCCBH6gAwIBAgIUYmx57362u3KsYCqtKby2mYi+pLMwDQYJKoZIhvcNAQEL -+MIIFljCCBH6gAwIBAgIUMNF4DNf+H6AXGApe99UrJWFcAnwwDQYJKoZIhvcNAQEL - BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV --BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIxMDExNTEwMDk1MloXDTMwMTEy --NDEwMDk1MlowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MzM0NloXDTMyMDMz -+MTE0MzM0NlowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx - HTAbBgNVBAMMFFRlc3QgUy9NSU1FIEVFIERIICMxMIIDQjCCAjUGByqGSM4+AgEw - ggIoAoIBAQCCyx9ZhD6HY5xgusGDrJZJ+FdTe9OxD/p9DQNKqoLyJ10TAUXuycoz - VqDAD4v1wsOAPH0TDOX9Ns87PXgTbd6DpSJtF1ZLW+1pklZs2m0cLl4raOe8CZGH -@@ -38,10 +38,10 @@ Ixe06fY0eA9sfxx7+4lm2Jhw7XaIfguo8mgrfWjBzkkT2mcAHss/fdKcXNYrg+A+ - xgApPiyuy7S4YkQSsdV5Ns8UFttBCuojzEuWQ49fMZcv/rIHSHSxpbg2Sdka+d6h - wOQHK6NgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYE - FLG7SOccVVRWmPw87GRrYH/NCegTMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaI --qSTm5bZsMA0GCSqGSIb3DQEBCwUAA4IBAQA5r5k39ghJIgQKjOXSffhtAaBPT0Um --WtLjijp/iBUAowFpncDRIp+Ng7n/feJHDdnh59H0ZHGljWqZ3rgG3HjjArvG+iUm --6aaS4KdM6OwK60JTUXBQ/InISXzrZof2oZ5BjO6L6yV6cpaYOLlLo3QjU8HE54G9 --7UyR48NSvhwPw+vS1Abjib+K1En/ctnlm0CurHgP56LrJxguFZZP6+UjCnEy0wxm --VRr+y4+IgWikdOumMelJ+x9O9R7EPVfwQ9TYBtpo5hZQiGhSJ3Di9LZO5i0h2xjj --AhtR8zmzusFX2Ruh2dXQWeNx/dMEcYRJLU1P+IxUq2g1GUiCgq2Xc7ZY -+qSTm5bZsMA0GCSqGSIb3DQEBCwUAA4IBAQB9J2dIIbIAiB8ToXJcyO7HRPhdWC/Y -+TE8cqeL+JiWNvIMB9fl2gOx6gj2h+yEr3lCpK/XDoWOs576UScS/vvs6fOjFHfkb 
-+L4i9nHXD2KizXkM2hr9FzTRXd9c3XXLyB9t1z38qcpOMxoxAbnH8hWLQDPjFdArC -+KWIqK/Vqxz4ZcIveM9GcVf78FU2DbQF4pwHjO9TsG7AbXiV4PXyJK75W5okAbZmQ -+EmMmVXEJdXSOS4prP8DCW/LYJ5UddsVZba2BCHD3c1c2YTA4GsP3ZMoXvQoyj0L2 -+/xazs/AS373Of6H0s00itRTFABxve1I7kE5dQdc3oZjn6A/DbfjYUmr5 - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smdsa1.pem b/test/smime-certs/smdsa1.pem -index b424f6704e..597d98f827 100644 ---- a/test/smime-certs/smdsa1.pem -+++ b/test/smime-certs/smdsa1.pem -@@ -14,34 +14,34 @@ Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ - TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0= - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 --uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS --7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS --wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 --+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 --Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D --AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb --0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu --g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 --0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv --yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf --7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P --aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x --EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV --86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE 
--DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp --O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit --1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg --MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO --xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs --MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx --d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3 --MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z --Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt --17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf --0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO -+MIIFmzCCBIOgAwIBAgIUWGMqmBZZ1ykguVDk2Whn+2uKMA0wDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjA0OFoXDTMyMDMz -+MTE0MjA0OFowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIERTQSAjMTCCA0YwggI5BgcqhkjOOAQB -+MIICLAKCAQEAkHy5TXXoT506xiDIcOK5NLrmupNZwht83Mn15YtewXQdpNBwT2kw -+N2t2R3zrdQMMtFLtMGd4HT6/c9COuIZyVyBqLsyGp2e52ESJh7V+STBW13ssaNTs -+HdmbN6BJPZ0FKFLDMb5mAv4ITy+WcdaT8XBwjsM1saBuMmTI4plznNf1u87yv+P4 -+Pws/XyLQ983XMnX4DP4StPwnmENtcX4an+Joyr/aZZwnFoE6BiPux/FSvNDBW5Dt -+kCkc97z9f04yuj0ZvbBHgeW9dPkrxr9o9sPggtH1y+LOp+z7QZZv28MPMS9fwM/J -+MHo1HCCNQ3PLjcMCEsBm8Ghgb5eyB6ZttQIhAK6HWYvpwimXUy/CIAo1959A7oT0 -+ZFUD48/welcHi1vTAoIBAH4ppFDcJ7Bhae5ijMySoR6EJDAdaic8iB4w80PydcY3 -+6Beotu2n8Nf1im6DQ+XrHmYZYQNkzuWSQepxsQzhPZVUMWFZpfvnEI+n6B4dU1SQ -+IBpeJlrr3lv0c/jRIaSuM1XhLHzK25AcqTwcsscxdWePbeevMXSKPnvIyyPBYxHV -+ziFIOHoQdzWOki/K+KCePY/7CVnx3A6Fh/yyvWWgRfDaX5SXtxeNEvEQ7zPI9hwv -+stkOEMipNQ1xoh/u8kCxls69zO95At1AZ5x9IR8W+yEgwk+3QsP5R9Zwm1RQTjNA -+EiNukkrBUl0K7w9pK8kXE2dCpMsoYaDzg1qVPk0DLMUDggEFAAKCAQAZdJAANu5E -+hkGOJDo2KTBmX7EQMR98gTRFZu/B/W19bHDhm9qc792PLPkV487QAgkMEItSOv0P -+faeSYgbUe7d1aBXzqSdCwzq4WIxLNj2eQkZk6UffDg0csTvymTvnFHWyDUwRmvjH 
-++35r95r1jgBeSUQMJxoe2kwZ4DHdkCpIp5z7NA44DvclY/X+BgcZ1jJNClC3BFOy -+HQaLmY452mgnS+k7zfFhsUJn5lkpfVFY6Ml7Y5AFG3Dvf2rWdGBrVUwsBP8sVJCx -+ITcg6nyGJZuOeK3VITqrcgjZr9odkf/Hg7OzN+a1B+Z6u3Ld5BKrduBqN/EKxxyd -+GNJst42JrNFIo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNV -+HQ4EFgQU0dBhM47Fpn83rw6nGqMcq5q3DqwwHwYDVR0jBBgwFoAUyZFTCmN7FluL -+vUTwdoipJObltmwwDQYJKoZIhvcNAQELBQADggEBAC3W5L4plRWiaX03PncMHnaL -+sp48+2jJen4avzNpRZF/bTQ621x/KLWelbMzBTMxU6jtU1LwCvsiOTSenUZ6W5vq -+TGy6nwkMUrBN0nHmymVz5v40VBLtc2/5xF9UBZ1GMnmYko+d7VHBD6qu4hpi6OD1 -+3Z2kxCRaZ87y3IbVnl6zqdqxDxKCj4Ca+TT6AApm/MYVwpuvCVmuXrBBvJYTFFeZ -+2J90jHlQep2rAaZu41oiIlmQUEf9flV0iPYjj+Pqdzr9ovWVbqt7l1WKOBDYdzJW -+fQ8TvFSExkDQsDc0nkkLIfJBFUFuOpNmODvq+Ac8AGUBnl/Z3pAV4KVnnobIXHw= - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smdsa2.pem b/test/smime-certs/smdsa2.pem -index 648447fc89..a995f665bb 100644 ---- a/test/smime-certs/smdsa2.pem -+++ b/test/smime-certs/smdsa2.pem -@@ -14,34 +14,34 @@ Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ - TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA== - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 --uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS --7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS --wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 --+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 --Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D --AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb --0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu 
--g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 --0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv --yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf --7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P --aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E --h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt --tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa --LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn --3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0 --KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg --MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k --qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs --MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp --VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb --uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV --6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD --2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96 --GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I -+MIIFmzCCBIOgAwIBAgIUXgHGnvOCmrOH9biRq3yTCcDsliUwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjIyNloXDTMyMDMz -+MTE0MjIyNlowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIERTQSAjMjCCA0YwggI5BgcqhkjOOAQB -+MIICLAKCAQEAkHy5TXXoT506xiDIcOK5NLrmupNZwht83Mn15YtewXQdpNBwT2kw -+N2t2R3zrdQMMtFLtMGd4HT6/c9COuIZyVyBqLsyGp2e52ESJh7V+STBW13ssaNTs -+HdmbN6BJPZ0FKFLDMb5mAv4ITy+WcdaT8XBwjsM1saBuMmTI4plznNf1u87yv+P4 -+Pws/XyLQ983XMnX4DP4StPwnmENtcX4an+Joyr/aZZwnFoE6BiPux/FSvNDBW5Dt -+kCkc97z9f04yuj0ZvbBHgeW9dPkrxr9o9sPggtH1y+LOp+z7QZZv28MPMS9fwM/J -+MHo1HCCNQ3PLjcMCEsBm8Ghgb5eyB6ZttQIhAK6HWYvpwimXUy/CIAo1959A7oT0 -+ZFUD48/welcHi1vTAoIBAH4ppFDcJ7Bhae5ijMySoR6EJDAdaic8iB4w80PydcY3 
-+6Beotu2n8Nf1im6DQ+XrHmYZYQNkzuWSQepxsQzhPZVUMWFZpfvnEI+n6B4dU1SQ -+IBpeJlrr3lv0c/jRIaSuM1XhLHzK25AcqTwcsscxdWePbeevMXSKPnvIyyPBYxHV -+ziFIOHoQdzWOki/K+KCePY/7CVnx3A6Fh/yyvWWgRfDaX5SXtxeNEvEQ7zPI9hwv -+stkOEMipNQ1xoh/u8kCxls69zO95At1AZ5x9IR8W+yEgwk+3QsP5R9Zwm1RQTjNA -+EiNukkrBUl0K7w9pK8kXE2dCpMsoYaDzg1qVPk0DLMUDggEFAAKCAQAi1CUW7S3s -+zDUcdE667AotL4SHZY01k/3owtBPKA5WWqBolj7WYkvO+X/nUssfph7NfS3z1nYO -+b/dI4kR02t1sgS21u7mvPKZfEWFzy5ohhkWFJPfyhDAk6MzzAWK0BARJ7r/0dmOR -+7EypKrH+vloQpNosGKeoDUElEjvZKjX/V2/w/30Vq88AN2PxXt8BxxF4oRAqd+fA -+DuaucP46UioUoWffAIaTxLDu1In2DqOAIj7MXCsqfbD7D6Ki386DGX3IwC0qYB3r -+z0gBmvkY8+9XbLQo6iAKJRiBJNJrBmGv6uPIVq98jl0FbMyri0rH/MCLown7qEYm -+MnyMehP0kA+Zo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNV -+HQ4EFgQUZrHDTiSqm594ZkL5NMGrygydfKswHwYDVR0jBBgwFoAUyZFTCmN7FluL -+vUTwdoipJObltmwwDQYJKoZIhvcNAQELBQADggEBADhpm4d9pgdWTiX1ci4qxOat -+MK+eAc3y8dwjacwiTD94fFy+MFzItAI2msF+ILXDCYDUpFZpBjlCNRzMu/ETghJx -+53g4Hg6ioYmtLcYIAFQVIz4skdgV8npztK3ZQMSN3dcateZBf8KaEdP+cRtQs4IW -+Y+EAZ6Fve2j/kz1x/cmhSFQdWhhS+WzYUCY+FLWDXMuNLh7rDWy1t8VaRHLBU4TU -+q6W/qDaN2e6dKrzjEkqUstdGZ+JAkAZ+6CIABEnHeco1dEQUU5Atry7djeRhY68r -+us++ajRd6DLWXrD4KePyTYSPc7rAcbBBYSwe48cTxlPfKItTCrRXmWJHCCZ0UBA= - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smdsa3.pem b/test/smime-certs/smdsa3.pem -index 77acc5e46f..9f703e52f0 100644 ---- a/test/smime-certs/smdsa3.pem -+++ b/test/smime-certs/smdsa3.pem -@@ -14,34 +14,34 @@ Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+ - TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY= - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8 
--uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS --7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS --wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1 --+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9 --Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D --AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb --0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu --g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4 --0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv --yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf --7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P --aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9 --msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf --zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7 --cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp --N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS --2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg --MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE --FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs --MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask --pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK --YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM --khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i --Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv --4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660 -+MIIFmzCCBIOgAwIBAgIUMMzeluWS9FTgzFM2PCI6rSt0++QwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjI0MloXDTMyMDMz -+MTE0MjI0MlowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIERTQSAjMzCCA0YwggI5BgcqhkjOOAQB 
-+MIICLAKCAQEAkHy5TXXoT506xiDIcOK5NLrmupNZwht83Mn15YtewXQdpNBwT2kw -+N2t2R3zrdQMMtFLtMGd4HT6/c9COuIZyVyBqLsyGp2e52ESJh7V+STBW13ssaNTs -+HdmbN6BJPZ0FKFLDMb5mAv4ITy+WcdaT8XBwjsM1saBuMmTI4plznNf1u87yv+P4 -+Pws/XyLQ983XMnX4DP4StPwnmENtcX4an+Joyr/aZZwnFoE6BiPux/FSvNDBW5Dt -+kCkc97z9f04yuj0ZvbBHgeW9dPkrxr9o9sPggtH1y+LOp+z7QZZv28MPMS9fwM/J -+MHo1HCCNQ3PLjcMCEsBm8Ghgb5eyB6ZttQIhAK6HWYvpwimXUy/CIAo1959A7oT0 -+ZFUD48/welcHi1vTAoIBAH4ppFDcJ7Bhae5ijMySoR6EJDAdaic8iB4w80PydcY3 -+6Beotu2n8Nf1im6DQ+XrHmYZYQNkzuWSQepxsQzhPZVUMWFZpfvnEI+n6B4dU1SQ -+IBpeJlrr3lv0c/jRIaSuM1XhLHzK25AcqTwcsscxdWePbeevMXSKPnvIyyPBYxHV -+ziFIOHoQdzWOki/K+KCePY/7CVnx3A6Fh/yyvWWgRfDaX5SXtxeNEvEQ7zPI9hwv -+stkOEMipNQ1xoh/u8kCxls69zO95At1AZ5x9IR8W+yEgwk+3QsP5R9Zwm1RQTjNA -+EiNukkrBUl0K7w9pK8kXE2dCpMsoYaDzg1qVPk0DLMUDggEFAAKCAQBxe+1+Il8h -+nTCAak3vZl4asn2axRc7GjDvDd8Ns/yvyd9WQE1t+FryvHR5jp9REVVnMg53wQcY -+rKlwfWBLp5k25x/OCwfWDmvlxFqExmaAZcEQGxauHYhoMbtVIq372CHPbsQqCMBA -+LPIdAvkUImBHanty/RXhJGqCIAZiUnX3WTZa0s6xV3yRf/+OPWXxNSATtOqm5ISl -+pLJDifMlE6llZmk3VHAWYJRFF7KQAFT83OKf/6tme9munxahdJcSrF4HiZKFFJof -+nvEWckKlHAonipLa6EBPMloofu+7reTcON+1tIFWH7fZhfC0dz4EaOzxLZoO0Jbc -+W0MDtnonwEjFo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNV -+HQ4EFgQUwnFq0MQUIQUaXi6iJBDXTnQm71EwHwYDVR0jBBgwFoAUyZFTCmN7FluL -+vUTwdoipJObltmwwDQYJKoZIhvcNAQELBQADggEBAJNW/oEmpz6jZ7EjUkHhxDXR -+egsZVjBO+E2hPCciEoZaM6jIDYphrCVbdOOyy1RvLBv3SRblaECmInsRpCNwf5B5 -+OaGN3hdsvx23IKnLJ7EKDauIOGhkzCMWjO8tez48UL0Wgta0+TpuiOT+UBoKb9fw -+f0f4ab9wD9pED7ghMKlwI6/oppS4PrhwYS2nwYwGXpmgu6QZDln/cgoU7cQV7r3J -+deMCpKGPyS429B9mUxlggZYvvJOm35ZiI7UAcGhJWIUrdXBxqx3DQ3CSf75vGP87 -+2vn6ZoXRXSLfE48GpUtQzP6/gZti68vZrHdzKWTyZxMs4+PGoHrW5hbNDsghKDs= - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smec1.pem b/test/smime-certs/smec1.pem -index 75a862666b..05754f3963 100644 ---- a/test/smime-certs/smec1.pem -+++ b/test/smime-certs/smec1.pem -@@ -4,19 +4,19 @@ DMlYvkj0SmLmYvWULe2LfyXRmpWhRANCAAS+SIj2FY2DouPRuNDp9WVpsqef58tV - 
3gIwV0EOV/xyYTzZhufZi/aBcXugWR1x758x4nHus2uEuEFi3Mr3K3+x - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIICoDCCAYigAwIBAgIJANk5lu6mSyBGMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU --ZXN0IFMvTUlNRSBFRSBFQyAjMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL5I --iPYVjYOi49G40On1ZWmyp5/ny1XeAjBXQQ5X/HJhPNmG59mL9oFxe6BZHXHvnzHi --ce6za4S4QWLcyvcrf7GjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg --MB0GA1UdDgQWBBR/ybxC2DI+Jydhx1FMgPbMTmLzRzAfBgNVHSMEGDAWgBTJkVMK --Y3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEAdk9si83JjtgHHHGy --WcgWDfM0jzlWBsgFNQ9DwAuB7gJd/LG+5Ocajg5XdA5FXAdKkfwI6be3PdcVs3Bt --7f/fdKfBxfr9/SvFHnK7PVAX2x1wwS4HglX1lfoyq1boSvsiJOnAX3jsqXJ9TJiV --FlgRVnhnrw6zz3Xs/9ZDMTENUrqDHPNsDkKEi+9SqIsqDXpMCrGHP4ic+S8Rov1y --S+0XioMxVyXDp6XcL4PQ/NgHbw5/+UcS0me0atZ6pW68C0vi6xeU5vxojyuZxMI1 --DXXwMhOXWaKff7KNhXDUN0g58iWlnyaCz4XQwFsbbFs88TQ1+e/aj3bbwTxUeyN7 --qtcHJA== -+MIICqzCCAZOgAwIBAgIUZsuXIOmILju0nz1jVSgag5GrPyMwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjUyNFoXDTMyMDMz -+MTE0MjUyNFowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+HTAbBgNVBAMMFFRlc3QgUy9NSU1FIEVFIEVDICMxMFkwEwYHKoZIzj0CAQYIKoZI -+zj0DAQcDQgAEvkiI9hWNg6Lj0bjQ6fVlabKnn+fLVd4CMFdBDlf8cmE82Ybn2Yv2 -+gXF7oFkdce+fMeJx7rNrhLhBYtzK9yt/saNgMF4wDAYDVR0TAQH/BAIwADAOBgNV -+HQ8BAf8EBAMCBeAwHQYDVR0OBBYEFH/JvELYMj4nJ2HHUUyA9sxOYvNHMB8GA1Ud -+IwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBCwUAA4IBAQCp -+sSEupiqT7S6oPS/5qtRF6POyxmhkH/Eh+RJitOODutxneJh+NdDqAQAOCexqcsF9 -+1BH9hB/H6b3mS4CbcRG6R/EwzqMPUgy8OYXTrqWI9jzMKGyrBo59QFfGrwP1h8hj -+weVOVQU1iOloWPOfvMHehjX1Wt79/6BMMBvw+2qXXLAw2xpLFa4lU6HSoTiwoS5R -+mimrHnZ9tQZb54bsvdrW84kV3u1FIQ5G7jAduu97Wfr3eZGaJhW1MZLeoL7Z4Usy 
-+hRd2TJ6bZanb+wUJBcHOeW5ETj9MPtPsGIp8vETmY5XDm4UlX6tp4gAe4oeoIXFQ -+V5ASvNRiGWIJK5XF+zRY - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smec2.pem b/test/smime-certs/smec2.pem -index 457297a760..7c502d8799 100644 ---- a/test/smime-certs/smec2.pem -+++ b/test/smime-certs/smec2.pem -@@ -5,19 +5,19 @@ uCzLYF/8j1Scn/spczoC9vNzVhNw+Lg7dnjNL4EDIyYZLl7E0v69luzbvy+q44/8 - 6bQ= - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIICpTCCAY2gAwIBAgIJANk5lu6mSyBHMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU --ZXN0IFMvTUlNRSBFRSBFQyAjMjBeMBAGByqGSM49AgEGBSuBBAAQA0oABAXbOzq+ --huahP4z4/b70tntqy8UE2Lu4LMtgX/yPVJyf+ylzOgL283NWE3D4uDt2eM0vgQMj --JhkuXsTS/r2W7Nu/L6rjj/zptKNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E --BAMCBeAwHQYDVR0OBBYEFGf+QSQlkN20PsNN7x+jmQIJBDcXMB8GA1UdIwQYMBaA --FMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBBQUAA4IBAQBaBBryl2Ez --ftBrGENXMKQP3bBEw4n9ely6HvYQi9IC7HyK0ktz7B2FcJ4z96q38JN3cLxV0DhK --xT/72pFmQwZVJngvRaol0k1B+bdmM03llxCw/uNNZejixDjHUI9gEfbigehd7QY0 --uYDu4k4O35/z/XPQ6O5Kzw+J2vdzU8GXlMBbWeZWAmEfLGbk3Ux0ouITnSz0ty5P --rkHTo0uprlFcZAsrsNY5v5iuomYT7ZXAR3sqGZL1zPOKBnyfXeNFUfnKsZW7Fnlq --IlYBQIjqR1HGxxgCSy66f1oplhxSch4PUpk5tqrs6LeOqc2+xROy1T5YrB3yjVs0 --4ZdCllHZkhop -+MIICsDCCAZigAwIBAgIUWJSICrM9ZdmN6/jF/PoKng63XR0wDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjgxOVoXDTMyMDMz -+MTE0MjgxOVowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+HTAbBgNVBAMMFFRlc3QgUy9NSU1FIEVFIEVDICMyMF4wEAYHKoZIzj0CAQYFK4EE -+ABADSgAEBds7Or6G5qE/jPj9vvS2e2rLxQTYu7gsy2Bf/I9UnJ/7KXM6Avbzc1YT -+cPi4O3Z4zS+BAyMmGS5exNL+vZbs278vquOP/Om0o2AwXjAMBgNVHRMBAf8EAjAA -+MA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUZ/5BJCWQ3bQ+w03vH6OZAgkENxcw -+HwYDVR0jBBgwFoAUyZFTCmN7FluLvUTwdoipJObltmwwDQYJKoZIhvcNAQELBQAD 
-+ggEBACMGL6tuV/1lfrnx7TN/CnWdLEp55AlmzJ3MT9dXSOO1/df/fO3uAiiBNMyQ -+Rcf4vOeBZEk/Xq6GIaAbuuT5ECg50uopEGjUDR9sRWC5yiw2CRQ5ZWTcqMapv+E5 -+7/1/tpaVHy+ZkJpbTV6O9gogEPy6uoft+tsel6NFoAj9ulkjuX9TortkVGPTfedd -+oevI32G3z4L4Gv1PCZvFMwEIiAuFDZBbD86gw7rH4BNihRujJRhpnxeRu8zJYB60 -+cNeR2N7humdUy5uZnj6YHy3g2j0EDKOITHydIvL1KkSlihQrxEX5kMRr9RWRyFXJ -+/UfNk+5Y3g5Mm642MLvjBEUqurw= - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smec3.pem b/test/smime-certs/smec3.pem -index 90eac867d0..5110e2984b 100644 ---- a/test/smime-certs/smec3.pem -+++ b/test/smime-certs/smec3.pem -@@ -4,19 +4,19 @@ zSy+knGorGWZBGG5p//ke0WUSbqhRANCAARH8uHBHkuOfuyXgJj7V3lNqUEPiQNo - xG8ntGjVmKRHfywdUoQJ1PgfbkCEsBk334rRFmja1r+MYyqn/A9ARiGB - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIICoDCCAYigAwIBAgIJAPaEOllWs/pjMA0GCSqGSIb3DQEBCwUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xNzA4MTAxNTQyMDhaFw0yNzA2MTkxNTQyMDhaMEQx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU --ZXN0IFMvTUlNRSBFRSBFQyAjMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEfy --4cEeS45+7JeAmPtXeU2pQQ+JA2jEbye0aNWYpEd/LB1ShAnU+B9uQISwGTffitEW --aNrWv4xjKqf8D0BGIYGjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg --MB0GA1UdDgQWBBQLR+H9CmAY/KDyXWdVUM9FP766WzAfBgNVHSMEGDAWgBT3YQTy --KJTdSIrnOcPj3pm5oVNtazANBgkqhkiG9w0BAQsFAAOCAQEAmMRuf8Iz5fr9f0GA --HaNiOM5S7AIfZ6W7zzdeF63EF1j9HqP1DJsUW4y5b9azWmpp62kKuNaM4CGPUVvm --diLKJVlrDcc+6lW9oROpnBsskhjqFMTjTANPQSAKZeKiG2W3U8Q103VQpuYvE4Nj --OU9JT+5e4RZS7wxYk/IsvnyF/DkoF1FTMHo9/3Wiw4V4KRhpJIPnqojWNcfipmhM --UDpbw0Oyj5fE7x6wvaoOUr8GNJE5NudtV/5QDh9REkjyKUdVYsuUrWwKqn3NT8EI --OLl8wx3RqA8htRg/W+SoESx87rvW1saPGvfypBp4cl18B1IzTlC+FMbHFJvZqQn8 --Ci1l4Q== -+MIICqzCCAZOgAwIBAgIUSG5MT0bOz48OfBayRWfoQwUcA50wDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0Mjg1MloXDTMyMDMz -+MTE0Mjg1MlowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx 
-+HTAbBgNVBAMMFFRlc3QgUy9NSU1FIEVFIEVDICMzMFkwEwYHKoZIzj0CAQYIKoZI -+zj0DAQcDQgAER/LhwR5Ljn7sl4CY+1d5TalBD4kDaMRvJ7Ro1ZikR38sHVKECdT4 -+H25AhLAZN9+K0RZo2ta/jGMqp/wPQEYhgaNgMF4wDAYDVR0TAQH/BAIwADAOBgNV -+HQ8BAf8EBAMCBeAwHQYDVR0OBBYEFAtH4f0KYBj8oPJdZ1VQz0U/vrpbMB8GA1Ud -+IwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBCwUAA4IBAQBY -+xXTNWQz38q37bRjyl6FWMdIaVRkle1Qzjo0bAVHsrYNwY36PBnJpfZE8aJS6WwD2 -+PUHWVLc0zd50pXbAa41FlquOdP5FNa8wOc+jHIiyWaE8SEdt0jsxPRTJ9kElXuJ5 -+wFx7icmRde7DWLG32SWwR1pFi4R/aDOOxpTzUuYvKuawfAUVQtQyCz8sahbmI8EW -+H0KDuiyuncq1YjvHfaUR7QKijMJ0eBRsjUls0HeMjkehBkTrz78u7TJBWKE/BCiB -+HzuZeMqHpSXtK6ZCRtQXTLv0HyenFmbdVSDiOFSnvdL5lyLT3aFQ19DVtGFCAUwZ -+HQdD3KNn4i073Z7Ia2Xa - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smroot.pem b/test/smime-certs/smroot.pem -index d1a253f409..f62a54e2a3 100644 ---- a/test/smime-certs/smroot.pem -+++ b/test/smime-certs/smroot.pem -@@ -27,23 +27,23 @@ vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ - KfvPCYimQwBjVrEnSntLPR0= - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU --ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC --ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT --JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+ --LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E --J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/ --MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe --untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb --i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G --A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB 
--AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb --Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl --zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt --9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C --7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt --Emsny2ah6fU2z7PztrUy/A80 -+MIIDeTCCAmGgAwIBAgIUF/2lFo3fH3uYuFalQVSIFqcYtd4wDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MDE1MloXDTMyMDUy -+MDE0MDE1MlowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+HTAbBgNVBAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MIIBIjANBgkqhkiG9w0BAQEF -+AAOCAQ8AMIIBCgKCAQEAsskFxA+R8lVsKp18s5mN9e8jFCayH7Cr0RBtguvdXSTR -+4DYPqKubI7f385MkvOAL3ToonALGqOHGCw7pbYWi6Wwu5rBAYb8AIpdBTW+YNxEb -+qXtSrk3VFdVLg/4uktlaGjV1AQZ9aw/VnAQXNJZ8f+FrfdnkEyOvduabe2Rz0MNj -+pae00AxJcouaj8QnpuLk9IN822bFqpprCDF27vit3RKa86gNbnCl28VJmTZDMFbN -+lwppS8a0VI/At/8xDbR9ex1gs54UfyFXFZICLpJZHog7BIW1r1ELplV0e6D4fwj2 -+QG4xqquZlbnh0h66e26wVWSh2b6FJGtvEC1oratVuQIDAQABo2MwYTAdBgNVHQ4E -+FgQUyZFTCmN7FluLvUTwdoipJObltmwwHwYDVR0jBBgwFoAUyZFTCmN7FluLvUTw -+doipJObltmwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZI -+hvcNAQELBQADggEBAFUbNCqSA5JTIk4wkLiDxs6sGVgSGS/XyFurT5WtyLwR6eiN -+r1Osq3DrF1805xzOjFfk3yYk2ctMMMXVEfXZavfNWgGSyUi6GrS+X1+y5snMpP7Z -+tFlb7iXxiSn5lUE1IS3y9bAlWUwTnOwdX2RuALVAzQ6oAvGIIOhb7FTkMqwsQBDx -+kBA9sgdCKv4d7zgFGdDMh1PGuia7+ZPWS9Nt3+WfRKzy4cf2p8+FTWkv1z7PtCSo -+bZySoXgav6WYGdA0VZY29HzVWC5d/LwSkeJr7pw09UjXBPnrDHbJRa+4JpwwsMT2 -+b1E+cp36aagmQW97e8dCf3VzZWcD2bNJ9QM59d8= - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smrsa1.pem b/test/smime-certs/smrsa1.pem -index d0d0b9e66b..7eb331e2c9 100644 ---- a/test/smime-certs/smrsa1.pem -+++ b/test/smime-certs/smrsa1.pem -@@ -27,23 +27,23 @@ iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST - zQpuMJliRlrq/5JkIbH6SA== - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- 
--MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK --AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK --2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt --+W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF --Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe --bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM --kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD --VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV --HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA --dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o --E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK --WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp --lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT --GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu --9Hjq6s316fk4Ne0EUF3PbA== -+MIIDdzCCAl+gAwIBAgIUNrEw2I4NEV0Nbo7AVOF9z4mPBiYwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MDczN1oXDTMyMDMz -+MTE0MDczN1owRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIFJTQSAjMTCCASIwDQYJKoZIhvcNAQEB -+BQADggEPADCCAQoCggEBANev27MH/bRBcoLGGR82cm+XbGXWHN05ytCYCqj4AABw -+D8Pj0ia4kNVBForZtyPnhcHbqLWRe46vEgPf961RvzK51/Hw4BXCHwbTFUDjOGvy -+5dbzlba0Gvi/Qu35bqVJ3oeZ+uTgaYT0tNT+/OX0dQ9bpJlKE3UbSdjqh5Re8uLS -+9qwRQq/drnVPokViDhzuq3lEKT/DyTCtDQOitDAJ2Q48QiILhv6c9K0XXZJWblvH -+yttjOKjG5j891J5u+3QA96qBHFKkLGpicewKg14fNKsZdw/QI7MV5Q7Pa12uGYfT -+0ktsZmziduiM/EySOklK/f96QMbYIdjFdIdfGkmy3FkCAwEAAaNgMF4wDAYDVR0T 
-+AQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFOaNz6WtNC5jH9UE4EaM -+y+59qO+EMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3 -+DQEBCwUAA4IBAQBMz3Ef3U0blTGhfP9HIBq09fWCgUN3aDDLZ/B6biFfWM87wlAm -+CdIuy2jhiEt8Ld8U9y8dbO7c2gzHBGc9FhScBkfQInrbhSctXL/r/wOc0divK9rq -+oXL2cL/CFfzcYPWNN3w6JAJyOhkhWnqF+/0T8+NdiRLE3a9NfX3a83GpfBVccYKQ -+kKKeVIw2K1dYbtlSo1HwOckxqUzN00IPs3xC8U9KNXKy7o0kdetKhk70DzXQ64j0 -+EcmXxqPaCkgo3fl9z9nzKlWhg/qIi/1Bd1bpMP8IXAPEURDqhi0KI0w9GPCQRjfY -+7NwXrLEayBoL8TNxcJ3FwdI20+bmhhILBZgO - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smrsa2.pem b/test/smime-certs/smrsa2.pem -index 2f17cb2978..4262742176 100644 ---- a/test/smime-certs/smrsa2.pem -+++ b/test/smime-certs/smrsa2.pem -@@ -27,23 +27,23 @@ hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n - yrLyf+8hjm6H6zkjqiOkHAl+ - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx --CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK --AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF --AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp --cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS --0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1 --NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0 --EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD --VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV --HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA --I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47 --Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv --/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c 
--XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv --6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i --NzYzLAPBkHCMY0Is3KKIBw== -+MIIDdzCCAl+gAwIBAgIUdWyHziJTdWjooy8SanPMwLxNsPEwDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MDkyNVoXDTMyMDMz -+MTE0MDkyNVowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIFJTQSAjMjCCASIwDQYJKoZIhvcNAQEB -+BQADggEPADCCAQoCggEBANxgLi1LZS+fVnaIOC1+QkDm0CqBs3pfjIrTZG1UfnF6 -+RX37r55O3/1L6IUDMCfCpH9QHVHrsROuxapXy73EuDl8cjAiSa73/o/fVRT1yCE7 -+snWVyuEe+igdoWlxd6k9ZBpym4GrZW9wpEOUN9WZ0znPp5Ld1Jk9M4ww//GTieFk -+HyZzDbuqJxw+J5LQ9n0RkHrdPWCbBorVF3lT3g+XT7OkOqFWK5eYF+IgNaOPPQHM -+ecdLPlGDhLehcXU1yiOGm0hbIjSvt2Cfknc3ELiSAp2PPKzGjqJZ3ScuDPuHSNR2 -+Pv0Q6Kzh+D0bh/QQVbJB/uIPEZoD3dj148Em/mIVlVkCAwEAAaNgMF4wDAYDVR0T -+AQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFPRqunJgwdcM9Uvsy/MT -+6XHvUvuyMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3 -+DQEBCwUAA4IBAQBz02v4hd+EjW5NaMubkqPbgUTDRKdRq1RZM+C6m1MTMKy+8zTD -+QSKRCFf0UmSPMsdTArry9x15fmHIJW21F3bw4ISeVXRyzBhOnrGKXUt2Lg9c2MLa -+9C394ex0vw4ZGSNkrIARbM3084Chegs4PLMWLFam1H5J6wpvH8iXXYvhESW98luv -+i3HVQzqLXw7/9XHxf8RnrRcy/WhAA+KegAQMGHTo5KPLliXtypYdCxBHNcmOwJlR -+pSOp6fxhiRKN5DzcBPHOE/brZc4aNGgBHZgGg1g1Wb2lAylopgJrbyNkhEEwHVNM -+1uLCnXKV1nX+EiMKkhSV761ozdhMGljYb+GE - -----END CERTIFICATE----- -diff --git a/test/smime-certs/smrsa3.pem b/test/smime-certs/smrsa3.pem -index 14c27f64aa..f7dca3a004 100644 ---- a/test/smime-certs/smrsa3.pem -+++ b/test/smime-certs/smrsa3.pem -@@ -27,23 +27,23 @@ yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF - RvOAi5wVkYylDxV4238MAZIq - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- --MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV --BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv --TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx 
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU --ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK --AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC --FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF --STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW --m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha --v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p --1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD --VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV --HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA --JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp --sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa --VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr --O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7 --tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY --CscFo2Z2pYROGtZDmYqhRw== -+MIIDdzCCAl+gAwIBAgIUAKvI4FWjFLx8iBGifOW3mG/xkT0wDQYJKoZIhvcNAQEL -+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV -+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MTEwNloXDTMyMDMz -+MTE0MTEwNlowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx -+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIFJTQSAjMzCCASIwDQYJKoZIhvcNAQEB -+BQADggEPADCCAQoCggEBALIr4FMA4komOOI6FjrQ15mPMYZnEQF8KbrafSbCTO6x -+b9X97re7CPq45UIWhUHPl2gx/czpAhLaMvcDDpCzn69y4sDSAeuojCNhDPVRnkRM -+sosptDDpg4hV+wVJPHK1RWl9wHKu5taIspfre2F4bX8hWiQMr/3+TnYrK37BwKO5 -+FvsAlAWPY4sNG5ab+Bq+jOQrXTeBD51SrgddqZky1OrUSFA59zQhR4I4QvrHPiPO -+Ucd/Mt2S9vsSeFq/axcN86Zmn8Nh/0ipLuW8WSQg09VtgUFN7Fo9mUXCakZGOSaj -+If/D4mVynOz7DqnV2JZGlpKfrZtuRE3j2PovZ1Vv4N8CAwEAAaNgMF4wDAYDVR0T -+AQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFDoKRbmxroesGxa+4868 -+yPIvkCewMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3 -+DQEBCwUAA4IBAQBfCCzWyZzIvq/ci6E74ovJ8mMel5Z9MU9EcvY0k7pJSUbpCg3c 
-+P48CiAzt8r8Em4AymADfK1pYvvpTNVpU/USbdKR1hyxZjqWrYdsY7tlVuvZ92oFs -+s3komuKHCx2SQAe5b+LWjC1Bf8JUFx+XTjYb/BBg7nQRwi3TkYVVmW7hXLYvf4Jn -+Uyu0x02pDzUu+62jeYbNIVJnYwSU0gLHEo81QmNs06RLjnAhbneUZ6P6YuJOdDo7 -+xMw/ywijZM0FxsWxRSsCBwavhabg1Kb1lO//pbgcSa9T0D7ax1XoMni3RJnHj6gu -+r0Mi3QjgZaxghR3TPh83dQLilECYDuD0uTzf - -----END CERTIFICATE----- --- -2.35.3 - + skip "No IPv4 available on this machine", 4 diff --git a/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch b/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch index 6d368d8..d2e9b0a 100644 --- a/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch +++ b/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch @@ -325,7 +325,7 @@ index de391ce067..1cfd71c5cf 100644 { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions }, { NULL, NULL, NULL } @@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) { - freelocale(loc); + return NULL; } +const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) { diff --git a/SOURCES/0063-CVE-2022-1473.patch b/SOURCES/0063-CVE-2022-1473.patch deleted file mode 100644 index b4b12dc..0000000 --- a/SOURCES/0063-CVE-2022-1473.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c -index 2a574fbfe6aa..16f482db68a9 100644 ---- a/crypto/lhash/lhash.c -+++ b/crypto/lhash/lhash.c -@@ -100,6 +100,8 @@ void OPENSSL_LH_flush(OPENSSL_LHASH *lh) - } - lh->b[i] = NULL; - } -+ -+ lh->num_items = 0; - } - - void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data) diff --git a/SOURCES/0064-CVE-2022-1343.diff b/SOURCES/0064-CVE-2022-1343.diff deleted file mode 100644 index d473597..0000000 --- a/SOURCES/0064-CVE-2022-1343.diff +++ /dev/null 
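Review bot: The context refresh in the 0062 hunk (`freelocale(loc);` replaced by `return NULL;`) looks hand-edited, because the embedded header still reads `@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void)` and so no longer describes the code the hunk attaches to. `return NULL;` followed by `}` is a very common sequence in C, so the embedded hunk presumably lands by offset search rather than at its stated position; only part of its context is visible here. I would regenerate 0062 from the rebased 3.0.7 tree instead of editing its context, and check in the build log that it applies with no offset or fuzz, since it decides where `redhat_ossl_query_fipsindicator` is inserted. The embedded hunk itself continues outside this outer hunk.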
@@ -1,263 +0,0 @@ -diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c -index 7a4a45d537..3c5f48ec0a 100644 ---- a/crypto/ocsp/ocsp_vfy.c -+++ b/crypto/ocsp/ocsp_vfy.c -@@ -59,9 +59,10 @@ static int ocsp_verify_signer(X509 *signer, int response, - - ret = X509_verify_cert(ctx); - if (ret <= 0) { -- ret = X509_STORE_CTX_get_error(ctx); -+ int err = X509_STORE_CTX_get_error(ctx); -+ - ERR_raise_data(ERR_LIB_OCSP, OCSP_R_CERTIFICATE_VERIFY_ERROR, -- "Verify error: %s", X509_verify_cert_error_string(ret)); -+ "Verify error: %s", X509_verify_cert_error_string(err)); - goto end; - } - if (chain != NULL) -diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t -index d42030cb89..34fdfcbccc 100644 ---- a/test/recipes/80-test_ocsp.t -+++ b/test/recipes/80-test_ocsp.t -@@ -35,6 +35,7 @@ sub test_ocsp { - $untrusted = $CAfile; - } - my $expected_exit = shift; -+ my $nochecks = shift; - my $outputfile = basename($inputfile, '.ors') . '.dat'; - - run(app(["openssl", "base64", "-d", -@@ -45,7 +46,8 @@ sub test_ocsp { - "-partial_chain", @check_time, - "-CAfile", catfile($ocspdir, $CAfile), - "-verify_other", catfile($ocspdir, $untrusted), -- "-no-CApath", "-no-CAstore"])), -+ "-no-CApath", "-no-CAstore", -+ $nochecks ? 
"-no_cert_checks" : ()])), - $title); }); - } - -@@ -55,143 +57,149 @@ subtest "=== VALID OCSP RESPONSES ===" => sub { - plan tests => 7; - - test_ocsp("NON-DELEGATED; Intermediate CA -> EE", -- "ND1.ors", "ND1_Issuer_ICA.pem", "", 0); -+ "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0); - test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", -- "ND2.ors", "ND2_Issuer_Root.pem", "", 0); -+ "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0); - test_ocsp("NON-DELEGATED; Root CA -> EE", -- "ND3.ors", "ND3_Issuer_Root.pem", "", 0); -+ "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0); - test_ocsp("NON-DELEGATED; 3-level CA hierarchy", -- "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0); -+ "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0); - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "D1.ors", "D1_Issuer_ICA.pem", "", 0); -+ "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "D2.ors", "D2_Issuer_Root.pem", "", 0); -+ "D2.ors", "D2_Issuer_Root.pem", "", 0, 0); - test_ocsp("DELEGATED; Root CA -> EE", -- "D3.ors", "D3_Issuer_Root.pem", "", 0); -+ "D3.ors", "D3_Issuer_Root.pem", "", 0, 0); - }; - - subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub { - plan tests => 6; - - test_ocsp("NON-DELEGATED; Intermediate CA -> EE", -- "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1); -+ "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", -- "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1); -+ "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> EE", -- "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1); -+ "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1); -+ "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1); -+ "ISOP_D2.ors", 
"D2_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> EE", -- "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1); -+ "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); - }; - - subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub { - plan tests => 6; - - test_ocsp("NON-DELEGATED; Intermediate CA -> EE", -- "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1); -+ "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", -- "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1); -+ "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> EE", -- "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1); -+ "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1); -+ "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1); -+ "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> EE", -- "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1); -+ "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); - }; - - subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub { - plan tests => 6; - - test_ocsp("NON-DELEGATED; Intermediate CA -> EE", -- "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1); -+ "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", -- "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1); -+ "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> EE", -- "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1); -+ "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1); -+ "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1); -+ "WINH_D2.ors", 
"D2_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> EE", -- "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1); -+ "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); - }; - - subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub { - plan tests => 6; - - test_ocsp("NON-DELEGATED; Intermediate CA -> EE", -- "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1); -+ "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", -- "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1); -+ "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> EE", -- "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1); -+ "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1); -+ "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1); -+ "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> EE", -- "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1); -+ "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); - }; - - subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub { - plan tests => 3; - - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1); -+ "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1); -+ "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> EE", -- "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1); -+ "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); - }; - - subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub { -- plan tests => 3; -+ plan tests => 6; - - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1); -+ "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", 
"", 1, 0); -+ test_ocsp("DELEGATED; Root CA -> Intermediate CA", -+ "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0); -+ test_ocsp("DELEGATED; Root CA -> EE", -+ "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0); -+ test_ocsp("DELEGATED; Intermediate CA -> EE", -+ "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1); -+ "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1); - test_ocsp("DELEGATED; Root CA -> EE", -- "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1); -+ "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1); - }; - - subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub { - plan tests => 6; - - test_ocsp("NON-DELEGATED; Intermediate CA -> EE", -- "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1); -+ "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", -- "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1); -+ "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> EE", -- "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1); -+ "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1); -+ "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1); -+ "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> EE", -- "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1); -+ "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0); - }; - - subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub { - plan tests => 6; - - test_ocsp("NON-DELEGATED; Intermediate CA -> EE", -- "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1); -+ "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", -- "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1); -+ "ND2.ors", 
"WKIC_ND2_Issuer_Root.pem", "", 1, 0); - test_ocsp("NON-DELEGATED; Root CA -> EE", -- "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1); -+ "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1); -+ "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1); -+ "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0); - test_ocsp("DELEGATED; Root CA -> EE", -- "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1); -+ "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0); - }; - - subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub { -@@ -199,17 +207,17 @@ subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub { - - # Expect success, because we're explicitly trusting the issuer certificate. - test_ocsp("NON-DELEGATED; Intermediate CA -> EE", -- "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0); -+ "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0); - test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", -- "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0); -+ "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0); - test_ocsp("NON-DELEGATED; Root CA -> EE", -- "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0); -+ "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0); - test_ocsp("DELEGATED; Intermediate CA -> EE", -- "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0); -+ "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0); - test_ocsp("DELEGATED; Root CA -> Intermediate CA", -- "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0); -+ "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0); - test_ocsp("DELEGATED; Root CA -> EE", -- "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0); -+ "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0); - }; - - subtest "=== OCSP API TESTS===" => sub { diff --git a/SOURCES/0065-CVE-2022-1292.patch b/SOURCES/0065-CVE-2022-1292.patch deleted file mode 100644 index 5531fb3..0000000 
--- a/SOURCES/0065-CVE-2022-1292.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index d51d8856d7..a630773a02 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -152,6 +152,23 @@ sub check_file {
- return ($is_cert, $is_crl);
- }
- 
-+sub compute_hash {
-+ my $fh;
-+ if ( $^O eq "VMS" ) {
-+ # VMS uses the open through shell
-+ # The file names are safe there and list form is unsupported
-+ if (!open($fh, "-|", join(' ', @_))) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ } else {
-+ if (!open($fh, "-|", @_)) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ }
-+ return (<$fh>, <$fh>);
-+}
- 
- # Link a certificate to its subject name hash value, each hash is of
- # the form . where n is an integer. If the hash value already exists
-@@ -161,10 +178,12 @@ sub check_file {
- 
- sub link_hash_cert {
- my $fname = $_[0];
-- $fname =~ s/\"/\\\"/g;
-- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
-+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
-@@ -202,10 +221,12 @@ sub link_hash_cert {
- 
- sub link_hash_crl {
- my $fname = $_[0];
-- $fname =~ s/'/'\\''/g;
-- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
-+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
diff --git a/SOURCES/0066-replace-expired-certs.patch b/SOURCES/0066-replace-expired-certs.patch
deleted file mode 100644
index adc9460..0000000
--- a/SOURCES/0066-replace-expired-certs.patch
+++ /dev/null
@@ -1,212 +0,0 @@ -diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem -index 1fa449d5a098..6aa9455f09ed 100644 ---- a/test/certs/embeddedSCTs1_issuer.pem -+++ b/test/certs/embeddedSCTs1_issuer.pem -@@ -1,18 +1,18 @@ - -----BEGIN CERTIFICATE----- --MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk -+MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk - MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX --YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw --MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu --c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf --MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7 --jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP --KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL --svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk --tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG --A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO --MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB --/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt --OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy --f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP --OwqULg== -+YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw -+ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy -+YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w -+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG -+0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4 -+SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG -+acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw -+wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw -+CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB 
-+MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD -+AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq -++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo -+2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c -+Doud4XrO - -----END CERTIFICATE----- -diff --git a/test/certs/sm2-ca-cert.pem b/test/certs/sm2-ca-cert.pem -index 5677ac6c9f6a..70ce71e43091 100644 ---- a/test/certs/sm2-ca-cert.pem -+++ b/test/certs/sm2-ca-cert.pem -@@ -1,14 +1,14 @@ - -----BEGIN CERTIFICATE----- --MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT -+MIICJzCCAcygAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT - AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl --c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe --Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw --CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn --MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG --SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU --5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW --BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU --5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI --ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X --YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3 -+c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAg -+Fw0yMjA2MDIxNTQ5MzlaGA8yMTIyMDUwOTE1NDkzOVowaDELMAkGA1UEBhMCQ04x -+CzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzERMA8GA1UECgwIVGVzdCBP -+cmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rlc3QgU00yIENBMFkwEwYH -+KoZIzj0CAQYIKoEcz1UBgi0DQgAEdFieoSuh8F1c+m2+87v4FJUnFyke5Madn5Q+ -+ttTmRURQxpSc054wlmX+9EaKZkKb8CRF4mZF+dvXkRIdH6yynqNdMFswHQYDVR0O -+BBYEFMWNxa7/MmBJnlIpSVTlXHj/Rbl0MB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIp -+SVTlXHj/Rbl0MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqBHM9VAYN1 -+A0kAMEYCIQC3c2TkO6Lyxt5GNZqoZNuMEphjL9K7W1TsX6mHzlhHDwIhAICXy2XC 
-+WsTzdrMZUXLtrDDFOq+3FaD4pe1HP2LZFNpu - -----END CERTIFICATE----- -diff --git a/test/certs/sm2-root.crt b/test/certs/sm2-root.crt -index 5677ac6c9f6a..70ce71e43091 100644 ---- a/test/certs/sm2-root.crt -+++ b/test/certs/sm2-root.crt -@@ -1,14 +1,14 @@ - -----BEGIN CERTIFICATE----- --MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT -+MIICJzCCAcygAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT - AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl --c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe --Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw --CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn --MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG --SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU --5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW --BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU --5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI --ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X --YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3 -+c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAg -+Fw0yMjA2MDIxNTQ5MzlaGA8yMTIyMDUwOTE1NDkzOVowaDELMAkGA1UEBhMCQ04x -+CzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzERMA8GA1UECgwIVGVzdCBP -+cmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rlc3QgU00yIENBMFkwEwYH -+KoZIzj0CAQYIKoEcz1UBgi0DQgAEdFieoSuh8F1c+m2+87v4FJUnFyke5Madn5Q+ -+ttTmRURQxpSc054wlmX+9EaKZkKb8CRF4mZF+dvXkRIdH6yynqNdMFswHQYDVR0O -+BBYEFMWNxa7/MmBJnlIpSVTlXHj/Rbl0MB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIp -+SVTlXHj/Rbl0MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqBHM9VAYN1 -+A0kAMEYCIQC3c2TkO6Lyxt5GNZqoZNuMEphjL9K7W1TsX6mHzlhHDwIhAICXy2XC -+WsTzdrMZUXLtrDDFOq+3FaD4pe1HP2LZFNpu - -----END CERTIFICATE----- -diff --git a/test/certs/sm2.pem b/test/certs/sm2.pem -index 189abb137625..daf12926aff9 100644 ---- a/test/certs/sm2.pem -+++ b/test/certs/sm2.pem -@@ -1,13 +1,14 @@ - -----BEGIN CERTIFICATE----- 
--MIIB6DCCAY6gAwIBAgIJAKH2BR6ITHZeMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT --AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl --c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe --Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMG8xCzAJBgNVBAYTAkNOMQsw --CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn --MRAwDgYDVQQLDAdUZXN0IE9VMRswGQYDVQQDDBJUZXN0IFNNMiBTaWduIENlcnQw --WTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAQwqeNkWp7fiu1KZnuDkAucpM8piEzE --TL1ymrcrOBvv8mhNNkeb20asbWgFQI2zOrSM99/sXGn9rM2/usM/MlcaoxowGDAJ --BgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEA9edBnAqT --TNuGIUIvXsj6/nP+AzXA9HGtAIY4nrqW8LkCIHyZzhRTlxYtgfqkDl0OK5QQRCZH --OZOfmtx613VyzXwc -+MIICNDCCAdugAwIBAgIUOMbsiFLCy2BCPtfHQSdG4R1+3BowCgYIKoEcz1UBg3Uw -+aDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzER -+MA8GA1UECgwIVGVzdCBPcmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rl -+c3QgU00yIENBMCAXDTIyMDYwMjE1NTU0OFoYDzIxMjIwNTA5MTU1NTQ4WjBvMQsw -+CQYDVQQGEwJDTjELMAkGA1UECAwCTE4xETAPBgNVBAcMCFNoZW55YW5nMREwDwYD -+VQQKDAhUZXN0IE9yZzEQMA4GA1UECwwHVGVzdCBPVTEbMBkGA1UEAwwSVGVzdCBT -+TTIgU2lnbiBDZXJ0MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEMKnjZFqe34rt -+SmZ7g5ALnKTPKYhMxEy9cpq3Kzgb7/JoTTZHm9tGrG1oBUCNszq0jPff7Fxp/azN -+v7rDPzJXGqNaMFgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBsAwHQYDVR0OBBYEFNPl -+u8JjXkhQPiJ5bYrrq+voqBUlMB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIpSVTlXHj/ -+Rbl0MAoGCCqBHM9VAYN1A0cAMEQCIG3gG1D7T7ltn6Gz1UksBZahgBE6jmkQ9Sp9 -+/3aY5trlAiB5adxiK0avV0LEKfbzTdff9skoZpd7vje1QTW0l0HaGg== - -----END CERTIFICATE----- -diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh -index 12e8a7305402..109b9c4abc28 100644 ---- a/test/smime-certs/mksmime-certs.sh -+++ b/test/smime-certs/mksmime-certs.sh -@@ -15,23 +15,23 @@ export OPENSSL_CONF - - # Root CA: create certificate directly - CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \ -- -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650 -+ -keyout smroot.pem -out smroot.pem -newkey rsa:2048 
-days 36501 - - # EE RSA certificates: create request first - CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -noenc \ - -keyout smrsa1.pem -out req.pem -newkey rsa:2048 - # Sign request: end entity extensions --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem - - CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -noenc \ - -keyout smrsa2.pem -out req.pem -newkey rsa:2048 --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem - - CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -noenc \ - -keyout smrsa3.pem -out req.pem -newkey rsa:2048 --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem - - # Create DSA parameters -@@ -40,15 +40,15 @@ $OPENSSL dsaparam -out dsap.pem 2048 - - CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -noenc \ - -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem - CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -noenc \ - -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem - CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -noenc \ - -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile 
ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem - - # Create EC parameters -@@ -58,16 +58,17 @@ $OPENSSL ecparam -out ecp2.pem -name K-283 - - CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -noenc \ - -keyout smec1.pem -out req.pem -newkey ec:ecp.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem - CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -noenc \ - -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem --CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \ -- -keyout smec3.pem -out req.pem -newkey ec:ecp.pem --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -- -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem -+# Do not renew this cert as it is used for legacy data decrypt test -+#CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \ -+# -keyout smec3.pem -out req.pem -newkey ec:ecp.pem -+#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -+# -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem - # Create X9.42 DH parameters. - $OPENSSL genpkey -genparam -algorithm DHX -out dhp.pem - # Generate X9.42 DH key. -@@ -77,7 +78,7 @@ $OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem - CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \ - -keyout smtmp.pem -out req.pem -newkey rsa:2048 - # Sign request but force public key to DH --$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ - -force_pubkey dhpub.pem \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem - # Remove temp files. 
diff --git a/SOURCES/0067-fix-ppc64-montgomery.patch b/SOURCES/0067-fix-ppc64-montgomery.patch
deleted file mode 100644
index a572ef8..0000000
--- a/SOURCES/0067-fix-ppc64-montgomery.patch
+++ /dev/null
@@ -1,662 +0,0 @@ -diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl -index 56df89dc27da..e69de29bb2d1 100755 ---- a/crypto/bn/asm/ppc64-mont-fixed.pl -+++ b/crypto/bn/asm/ppc64-mont-fixed.pl -@@ -1,581 +0,0 @@ --#! /usr/bin/env perl --# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. --# --# Licensed under the Apache License 2.0 (the "License"). You may not use --# this file except in compliance with the License. You can obtain a copy --# in the file LICENSE in the source distribution or at --# https://www.openssl.org/source/license.html -- --# ==================================================================== --# Written by Amitay Isaacs , Martin Schwenke --# & Alastair D'Silva for --# the OpenSSL project. --# ==================================================================== -- --# --# Fixed length (n=6), unrolled PPC Montgomery Multiplication --# -- --# 2021 --# --# Although this is a generic implementation for unrolling Montgomery --# Multiplication for arbitrary values of n, this is currently only --# used for n = 6 to improve the performance of ECC p384. --# --# Unrolling allows intermediate results to be stored in registers, --# rather than on the stack, improving performance by ~7% compared to --# the existing PPC assembly code. --# --# The ISA 3.0 implementation uses combination multiply/add --# instructions (maddld, maddhdu) to improve performance by an --# additional ~10% on Power 9. --# --# Finally, saving non-volatile registers into volatile vector --# registers instead of onto the stack saves a little more. --# --# On a Power 9 machine we see an overall improvement of ~18%. --# -- --use strict; --use warnings; -- --my ($flavour, $output, $dir, $xlate); -- --# $output is the last argument if it looks like a file (it has an extension) --# $flavour is the first argument if it doesn't look like a file --$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? 
pop : undef; --$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -- --$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; --( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or --( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or --die "can't locate ppc-xlate.pl"; -- --open STDOUT,"| $^X $xlate $flavour \"$output\"" -- or die "can't call $xlate: $!"; -- --if ($flavour !~ /64/) { -- die "bad flavour ($flavour) - only ppc64 permitted"; --} -- --my $SIZE_T= 8; -- --# Registers are global so the code is remotely readable -- --# Parameters for Montgomery multiplication --my $sp = "r1"; --my $toc = "r2"; --my $rp = "r3"; --my $ap = "r4"; --my $bp = "r5"; --my $np = "r6"; --my $n0 = "r7"; --my $num = "r8"; -- --my $i = "r9"; --my $c0 = "r10"; --my $bp0 = "r11"; --my $bpi = "r11"; --my $bpj = "r11"; --my $tj = "r12"; --my $apj = "r12"; --my $npj = "r12"; --my $lo = "r14"; --my $c1 = "r14"; -- --# Non-volatile registers used for tp[i] --# --# 12 registers are available but the limit on unrolling is 10, --# since registers from $tp[0] to $tp[$n+1] are used. --my @tp = ("r20" .. "r31"); -- --# volatile VSRs for saving non-volatile GPRs - faster than stack --my @vsrs = ("v32" .. "v46"); -- --package Mont; -- --sub new($$) --{ -- my ($class, $n) = @_; -- -- if ($n > 10) { -- die "Can't unroll for BN length ${n} (maximum 10)" -- } -- -- my $self = { -- code => "", -- n => $n, -- }; -- bless $self, $class; -- -- return $self; --} -- --sub add_code($$) --{ -- my ($self, $c) = @_; -- -- $self->{code} .= $c; --} -- --sub get_code($) --{ -- my ($self) = @_; -- -- return $self->{code}; --} -- --sub get_function_name($) --{ -- my ($self) = @_; -- -- return "bn_mul_mont_fixed_n" . $self->{n}; --} -- --sub get_label($$) --{ -- my ($self, $l) = @_; -- -- return "L" . $l . "_" . 
$self->{n}; --} -- --sub get_labels($@) --{ -- my ($self, @labels) = @_; -- -- my %out = (); -- -- foreach my $l (@labels) { -- $out{"$l"} = $self->get_label("$l"); -- } -- -- return \%out; --} -- --sub nl($) --{ -- my ($self) = @_; -- -- $self->add_code("\n"); --} -- --sub copy_result($) --{ -- my ($self) = @_; -- -- my ($n) = $self->{n}; -- -- for (my $j = 0; $j < $n; $j++) { -- $self->add_code(<<___); -- std $tp[$j],`$j*$SIZE_T`($rp) --___ -- } -- --} -- --sub mul_mont_fixed($) --{ -- my ($self) = @_; -- -- my ($n) = $self->{n}; -- my $fname = $self->get_function_name(); -- my $label = $self->get_labels("outer", "enter", "sub", "copy", "end"); -- -- $self->add_code(<<___); -- --.globl .${fname} --.align 5 --.${fname}: -- --___ -- -- $self->save_registers(); -- -- $self->add_code(<<___); -- ld $n0,0($n0) -- -- ld $bp0,0($bp) -- -- ld $apj,0($ap) --___ -- -- $self->mul_c_0($tp[0], $apj, $bp0, $c0); -- -- for (my $j = 1; $j < $n - 1; $j++) { -- $self->add_code(<<___); -- ld $apj,`$j*$SIZE_T`($ap) --___ -- $self->mul($tp[$j], $apj, $bp0, $c0); -- } -- -- $self->add_code(<<___); -- ld $apj,`($n-1)*$SIZE_T`($ap) --___ -- -- $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0); -- -- $self->add_code(<<___); -- li $tp[$n+1],0 -- --___ -- -- $self->add_code(<<___); -- li $i,0 -- mtctr $num -- b $label->{"enter"} -- --.align 4 --$label->{"outer"}: -- ldx $bpi,$bp,$i -- -- ld $apj,0($ap) --___ -- -- $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0); -- -- for (my $j = 1; $j < $n; $j++) { -- $self->add_code(<<___); -- ld $apj,`$j*$SIZE_T`($ap) --___ -- $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0); -- } -- -- $self->add_code(<<___); -- addc $tp[$n],$tp[$n],$c0 -- addze $tp[$n+1],$tp[$n+1] --___ -- -- $self->add_code(<<___); --.align 4 --$label->{"enter"}: -- mulld $bpi,$tp[0],$n0 -- -- ld $npj,0($np) --___ -- -- $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0); -- -- for (my $j = 1; $j < $n; $j++) { -- $self->add_code(<<___); -- ld $npj,`$j*$SIZE_T`($np) --___ -- 
$self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0); -- } -- -- $self->add_code(<<___); -- addc $tp[$n-1],$tp[$n],$c0 -- addze $tp[$n],$tp[$n+1] -- -- addi $i,$i,$SIZE_T -- bdnz $label->{"outer"} -- -- and. $tp[$n],$tp[$n],$tp[$n] -- bne $label->{"sub"} -- -- cmpld $tp[$n-1],$npj -- blt $label->{"copy"} -- --$label->{"sub"}: --___ -- -- # -- # Reduction -- # -- -- $self->add_code(<<___); -- ld $bpj,`0*$SIZE_T`($np) -- subfc $c1,$bpj,$tp[0] -- std $c1,`0*$SIZE_T`($rp) -- --___ -- for (my $j = 1; $j < $n - 1; $j++) { -- $self->add_code(<<___); -- ld $bpj,`$j*$SIZE_T`($np) -- subfe $c1,$bpj,$tp[$j] -- std $c1,`$j*$SIZE_T`($rp) -- --___ -- } -- -- $self->add_code(<<___); -- subfe $c1,$npj,$tp[$n-1] -- std $c1,`($n-1)*$SIZE_T`($rp) -- --___ -- -- $self->add_code(<<___); -- addme. $tp[$n],$tp[$n] -- beq $label->{"end"} -- --$label->{"copy"}: --___ -- -- $self->copy_result(); -- -- $self->add_code(<<___); -- --$label->{"end"}: --___ -- -- $self->restore_registers(); -- -- $self->add_code(<<___); -- li r3,1 -- blr --.size .${fname},.-.${fname} --___ -- --} -- --package Mont::GPR; -- --our @ISA = ('Mont'); -- --sub new($$) --{ -- my ($class, $n) = @_; -- -- return $class->SUPER::new($n); --} -- --sub save_registers($) --{ -- my ($self) = @_; -- -- my $n = $self->{n}; -- -- $self->add_code(<<___); -- std $lo,-8($sp) --___ -- -- for (my $j = 0; $j <= $n+1; $j++) { -- $self->{code}.=<<___; -- std $tp[$j],-`($j+2)*8`($sp) --___ -- } -- -- $self->add_code(<<___); -- --___ --} -- --sub restore_registers($) --{ -- my ($self) = @_; -- -- my $n = $self->{n}; -- -- $self->add_code(<<___); -- ld $lo,-8($sp) --___ -- -- for (my $j = 0; $j <= $n+1; $j++) { -- $self->{code}.=<<___; -- ld $tp[$j],-`($j+2)*8`($sp) --___ -- } -- -- $self->{code} .=<<___; -- --___ --} -- --# Direct translation of C mul() --sub mul($$$$$) --{ -- my ($self, $r, $a, $w, $c) = @_; -- -- $self->add_code(<<___); -- mulld $lo,$a,$w -- addc $r,$lo,$c -- mulhdu $c,$a,$w -- addze $c,$c -- --___ --} -- --# Like mul() 
but $c is ignored as an input - an optimisation to save a --# preliminary instruction that would set input $c to 0 --sub mul_c_0($$$$$) --{ -- my ($self, $r, $a, $w, $c) = @_; -- -- $self->add_code(<<___); -- mulld $r,$a,$w -- mulhdu $c,$a,$w -- --___ --} -- --# Like mul() but does not to the final addition of CA into $c - an --# optimisation to save an instruction --sub mul_last($$$$$$) --{ -- my ($self, $r1, $r2, $a, $w, $c) = @_; -- -- $self->add_code(<<___); -- mulld $lo,$a,$w -- addc $r1,$lo,$c -- mulhdu $c,$a,$w -- -- addze $r2,$c --___ --} -- --# Like C mul_add() but allow $r_out and $r_in to be different --sub mul_add($$$$$$) --{ -- my ($self, $r_out, $r_in, $a, $w, $c) = @_; -- -- $self->add_code(<<___); -- mulld $lo,$a,$w -- addc $lo,$lo,$c -- mulhdu $c,$a,$w -- addze $c,$c -- addc $r_out,$r_in,$lo -- addze $c,$c -- --___ --} -- --# Like mul_add() but $c is ignored as an input - an optimisation to save a --# preliminary instruction that would set input $c to 0 --sub mul_add_c_0($$$$$$) --{ -- my ($self, $r_out, $r_in, $a, $w, $c) = @_; -- -- $self->add_code(<<___); -- mulld $lo,$a,$w -- addc $r_out,$r_in,$lo -- mulhdu $c,$a,$w -- addze $c,$c -- --___ --} -- --package Mont::GPR_300; -- --our @ISA = ('Mont::GPR'); -- --sub new($$) --{ -- my ($class, $n) = @_; -- -- my $mont = $class->SUPER::new($n); -- -- return $mont; --} -- --sub get_function_name($) --{ -- my ($self) = @_; -- -- return "bn_mul_mont_300_fixed_n" . $self->{n}; --} -- --sub get_label($$) --{ -- my ($self, $l) = @_; -- -- return "L" . $l . "_300_" . 
$self->{n}; --} -- --# Direct translation of C mul() --sub mul($$$$$) --{ -- my ($self, $r, $a, $w, $c, $last) = @_; -- -- $self->add_code(<<___); -- maddld $r,$a,$w,$c -- maddhdu $c,$a,$w,$c -- --___ --} -- --# Save the last carry as the final entry --sub mul_last($$$$$) --{ -- my ($self, $r1, $r2, $a, $w, $c) = @_; -- -- $self->add_code(<<___); -- maddld $r1,$a,$w,$c -- maddhdu $r2,$a,$w,$c -- --___ --} -- --# Like mul() but $c is ignored as an input - an optimisation to save a --# preliminary instruction that would set input $c to 0 --sub mul_c_0($$$$$) --{ -- my ($self, $r, $a, $w, $c) = @_; -- -- $self->add_code(<<___); -- mulld $r,$a,$w -- mulhdu $c,$a,$w -- --___ --} -- --# Like C mul_add() but allow $r_out and $r_in to be different --sub mul_add($$$$$$) --{ -- my ($self, $r_out, $r_in, $a, $w, $c) = @_; -- -- $self->add_code(<<___); -- maddld $lo,$a,$w,$c -- maddhdu $c,$a,$w,$c -- addc $r_out,$r_in,$lo -- addze $c,$c -- --___ --} -- --# Like mul_add() but $c is ignored as an input - an optimisation to save a --# preliminary instruction that would set input $c to 0 --sub mul_add_c_0($$$$$$) --{ -- my ($self, $r_out, $r_in, $a, $w, $c) = @_; -- -- $self->add_code(<<___); -- maddld $lo,$a,$w,$r_in -- maddhdu $c,$a,$w,$r_in --___ -- -- if ($r_out ne $lo) { -- $self->add_code(<<___); -- mr $r_out,$lo --___ -- } -- -- $self->nl(); --} -- -- --package main; -- --my $code; -- --$code.=<<___; --.machine "any" --.text --___ -- --my $mont; -- --$mont = new Mont::GPR(6); --$mont->mul_mont_fixed(); --$code .= $mont->get_code(); -- --$mont = new Mont::GPR_300(6); --$mont->mul_mont_fixed(); --$code .= $mont->get_code(); -- --$code =~ s/\`([^\`]*)\`/eval $1/gem; -- --$code.=<<___; --.asciz "Montgomery Multiplication for PPC by , " --___ -- --print $code; --close STDOUT or die "error closing STDOUT: $!"; -diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c -index 1e9421bee213..3ee76ea96574 100644 ---- a/crypto/bn/bn_ppc.c -+++ b/crypto/bn/bn_ppc.c -@@ -19,12 +19,6 @@ int 
bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); - int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); -- int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, -- const BN_ULONG *bp, const BN_ULONG *np, -- const BN_ULONG *n0, int num); -- int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, -- const BN_ULONG *bp, const BN_ULONG *np, -- const BN_ULONG *n0, int num); - - if (num < 4) - return 0; -@@ -40,14 +34,5 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - * no opportunity to figure it out... - */ - --#if defined(_ARCH_PPC64) -- if (num == 6) { -- if (OPENSSL_ppccap_P & PPC_MADD300) -- return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); -- else -- return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num); -- } --#endif -- - return bn_mul_mont_int(rp, ap, bp, np, n0, num); - } -diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index 987a70ae263b..4f8d0689b5ea 100644 ---- a/crypto/bn/build.info -+++ b/crypto/bn/build.info -@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}] - - $BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s - $BNDEF_ppc32=OPENSSL_BN_ASM_MONT -- $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s -+ $BNASM_ppc64=$BNASM_ppc32 - $BNDEF_ppc64=$BNDEF_ppc32 - - $BNASM_c64xplus=asm/bn-c64xplus.asm -@@ -173,7 +173,6 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl - GENERATE[bn-ppc.s]=asm/ppc.pl - GENERATE[ppc-mont.s]=asm/ppc-mont.pl - GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl --GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl - - GENERATE[alpha-mont.S]=asm/alpha-mont.pl - -diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt -index f36982845db4..1543ed9f7534 100644 ---- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt -+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt -@@ -97,6 +97,18 @@ Key = P-256-PUBLIC - Input = 
"Hello World" - Output = 3046022100e7515177ec3817b77a4a94066ab3070817b7aa9d44a8a09f040da250116e8972022100ba59b0f631258e59a9026be5d84f60685f4cf22b9165a0c2736d5c21c8ec1862 - -+PublicKey=P-384-PUBLIC -+-----BEGIN PUBLIC KEY----- -+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAES/TlL5WEJ+u1kV+4yVlVUbTTo/2rZ7rd -+nWwwk/QlukNjDfcfQvDrfOqpTZ9kSKhd0wMxWIJJ/S/cCzCex+2EgbwW8ngAwT19 -+twD8guGxyFRaoMDTtW47/nifwYqRaIfC -+-----END PUBLIC KEY----- -+ -+DigestVerify = SHA384 -+Key = P-384-PUBLIC -+Input = "123400" -+Output = 304d0218389cb27e0bc8d21fa7e5f24cb74f58851313e696333ad68b023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52970 -+ - # Oneshot tests - OneShotDigestVerify = SHA256 - Key = P-256-PUBLIC diff --git a/SOURCES/0067-ppc64le-Montgomery-multiply.patch b/SOURCES/0067-ppc64le-Montgomery-multiply.patch new file mode 100644 index 0000000..36c0222 --- /dev/null +++ b/SOURCES/0067-ppc64le-Montgomery-multiply.patch 
@@ -0,0 +1,703 @@ +From 33ffd36afa7594aeb958a925f521cb287ca850c8 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Mon, 27 Jun 2022 12:14:55 +1000 +Subject: [PATCH 1/2] Revert "Revert "bn: Add fixed length (n=6), unrolled PPC + Montgomery Multiplication"" + +This reverts commit 712d9cc90e355b2c98a959d4e9398610d2269c9e. +--- + crypto/bn/asm/ppc64-mont-fixed.pl | 581 ++++++++++++++++++++++++++++++ + crypto/bn/bn_ppc.c | 15 + + crypto/bn/build.info | 3 +- + 3 files changed, 598 insertions(+), 1 deletion(-) + +diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl +index e69de29bb2d1..0fb397bc5f12 100755 +--- a/crypto/bn/asm/ppc64-mont-fixed.pl ++++ b/crypto/bn/asm/ppc64-mont-fixed.pl +@@ -0,0 +1,581 @@ ++#! /usr/bin/env perl ++# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++# ==================================================================== ++# Written by Amitay Isaacs , Martin Schwenke ++# & Alastair D'Silva for ++# the OpenSSL project. ++# ==================================================================== ++ ++# ++# Fixed length (n=6), unrolled PPC Montgomery Multiplication ++# ++ ++# 2021 ++# ++# Although this is a generic implementation for unrolling Montgomery ++# Multiplication for arbitrary values of n, this is currently only ++# used for n = 6 to improve the performance of ECC p384. ++# ++# Unrolling allows intermediate results to be stored in registers, ++# rather than on the stack, improving performance by ~7% compared to ++# the existing PPC assembly code. ++# ++# The ISA 3.0 implementation uses combination multiply/add ++# instructions (maddld, maddhdu) to improve performance by an ++# additional ~10% on Power 9. 
++# ++# Finally, saving non-volatile registers into volatile vector ++# registers instead of onto the stack saves a little more. ++# ++# On a Power 9 machine we see an overall improvement of ~18%. ++# ++ ++use strict; ++use warnings; ++ ++my ($flavour, $output, $dir, $xlate); ++ ++# $output is the last argument if it looks like a file (it has an extension) ++# $flavour is the first argument if it doesn't look like a file ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open STDOUT,"| $^X $xlate $flavour \"$output\"" ++ or die "can't call $xlate: $!"; ++ ++if ($flavour !~ /64/) { ++ die "bad flavour ($flavour) - only ppc64 permitted"; ++} ++ ++my $SIZE_T= 8; ++ ++# Registers are global so the code is remotely readable ++ ++# Parameters for Montgomery multiplication ++my $sp = "r1"; ++my $toc = "r2"; ++my $rp = "r3"; ++my $ap = "r4"; ++my $bp = "r5"; ++my $np = "r6"; ++my $n0 = "r7"; ++my $num = "r8"; ++ ++my $i = "r9"; ++my $c0 = "r10"; ++my $bp0 = "r11"; ++my $bpi = "r11"; ++my $bpj = "r11"; ++my $tj = "r12"; ++my $apj = "r12"; ++my $npj = "r12"; ++my $lo = "r14"; ++my $c1 = "r14"; ++ ++# Non-volatile registers used for tp[i] ++# ++# 12 registers are available but the limit on unrolling is 10, ++# since registers from $tp[0] to $tp[$n+1] are used. ++my @tp = ("r20" .. "r31"); ++ ++# volatile VSRs for saving non-volatile GPRs - faster than stack ++my @vsrs = ("v32" .. 
"v46"); ++ ++package Mont; ++ ++sub new($$) ++{ ++ my ($class, $n) = @_; ++ ++ if ($n > 10) { ++ die "Can't unroll for BN length ${n} (maximum 10)" ++ } ++ ++ my $self = { ++ code => "", ++ n => $n, ++ }; ++ bless $self, $class; ++ ++ return $self; ++} ++ ++sub add_code($$) ++{ ++ my ($self, $c) = @_; ++ ++ $self->{code} .= $c; ++} ++ ++sub get_code($) ++{ ++ my ($self) = @_; ++ ++ return $self->{code}; ++} ++ ++sub get_function_name($) ++{ ++ my ($self) = @_; ++ ++ return "bn_mul_mont_fixed_n" . $self->{n}; ++} ++ ++sub get_label($$) ++{ ++ my ($self, $l) = @_; ++ ++ return "L" . $l . "_" . $self->{n}; ++} ++ ++sub get_labels($@) ++{ ++ my ($self, @labels) = @_; ++ ++ my %out = (); ++ ++ foreach my $l (@labels) { ++ $out{"$l"} = $self->get_label("$l"); ++ } ++ ++ return \%out; ++} ++ ++sub nl($) ++{ ++ my ($self) = @_; ++ ++ $self->add_code("\n"); ++} ++ ++sub copy_result($) ++{ ++ my ($self) = @_; ++ ++ my ($n) = $self->{n}; ++ ++ for (my $j = 0; $j < $n; $j++) { ++ $self->add_code(<<___); ++ std $tp[$j],`$j*$SIZE_T`($rp) ++___ ++ } ++ ++} ++ ++sub mul_mont_fixed($) ++{ ++ my ($self) = @_; ++ ++ my ($n) = $self->{n}; ++ my $fname = $self->get_function_name(); ++ my $label = $self->get_labels("outer", "enter", "sub", "copy", "end"); ++ ++ $self->add_code(<<___); ++ ++.globl .${fname} ++.align 5 ++.${fname}: ++ ++___ ++ ++ $self->save_registers(); ++ ++ $self->add_code(<<___); ++ ld $n0,0($n0) ++ ++ ld $bp0,0($bp) ++ ++ ld $apj,0($ap) ++___ ++ ++ $self->mul_c_0($tp[0], $apj, $bp0, $c0); ++ ++ for (my $j = 1; $j < $n - 1; $j++) { ++ $self->add_code(<<___); ++ ld $apj,`$j*$SIZE_T`($ap) ++___ ++ $self->mul($tp[$j], $apj, $bp0, $c0); ++ } ++ ++ $self->add_code(<<___); ++ ld $apj,`($n-1)*$SIZE_T`($ap) ++___ ++ ++ $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0); ++ ++ $self->add_code(<<___); ++ li $tp[$n+1],0 ++ ++___ ++ ++ $self->add_code(<<___); ++ li $i,0 ++ mtctr $num ++ b $label->{"enter"} ++ ++.align 4 ++$label->{"outer"}: ++ ldx $bpi,$bp,$i ++ ++ ld 
$apj,0($ap) ++___ ++ ++ $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0); ++ ++ for (my $j = 1; $j < $n; $j++) { ++ $self->add_code(<<___); ++ ld $apj,`$j*$SIZE_T`($ap) ++___ ++ $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0); ++ } ++ ++ $self->add_code(<<___); ++ addc $tp[$n],$tp[$n],$c0 ++ addze $tp[$n+1],$tp[$n+1] ++___ ++ ++ $self->add_code(<<___); ++.align 4 ++$label->{"enter"}: ++ mulld $bpi,$tp[0],$n0 ++ ++ ld $npj,0($np) ++___ ++ ++ $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0); ++ ++ for (my $j = 1; $j < $n; $j++) { ++ $self->add_code(<<___); ++ ld $npj,`$j*$SIZE_T`($np) ++___ ++ $self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0); ++ } ++ ++ $self->add_code(<<___); ++ addc $tp[$n-1],$tp[$n],$c0 ++ addze $tp[$n],$tp[$n+1] ++ ++ addi $i,$i,$SIZE_T ++ bdnz $label->{"outer"} ++ ++ and. $tp[$n],$tp[$n],$tp[$n] ++ bne $label->{"sub"} ++ ++ cmpld $tp[$n-1],$npj ++ blt $label->{"copy"} ++ ++$label->{"sub"}: ++___ ++ ++ # ++ # Reduction ++ # ++ ++ $self->add_code(<<___); ++ ld $bpj,`0*$SIZE_T`($np) ++ subfc $c1,$bpj,$tp[0] ++ std $c1,`0*$SIZE_T`($rp) ++ ++___ ++ for (my $j = 1; $j < $n - 1; $j++) { ++ $self->add_code(<<___); ++ ld $bpj,`$j*$SIZE_T`($np) ++ subfe $c1,$bpj,$tp[$j] ++ std $c1,`$j*$SIZE_T`($rp) ++ ++___ ++ } ++ ++ $self->add_code(<<___); ++ subfe $c1,$npj,$tp[$n-1] ++ std $c1,`($n-1)*$SIZE_T`($rp) ++ ++___ ++ ++ $self->add_code(<<___); ++ addme. 
$tp[$n],$tp[$n] ++ beq $label->{"end"} ++ ++$label->{"copy"}: ++___ ++ ++ $self->copy_result(); ++ ++ $self->add_code(<<___); ++ ++$label->{"end"}: ++___ ++ ++ $self->restore_registers(); ++ ++ $self->add_code(<<___); ++ li r3,1 ++ blr ++.size .${fname},.-.${fname} ++___ ++ ++} ++ ++package Mont::GPR; ++ ++our @ISA = ('Mont'); ++ ++sub new($$) ++{ ++ my ($class, $n) = @_; ++ ++ return $class->SUPER::new($n); ++} ++ ++sub save_registers($) ++{ ++ my ($self) = @_; ++ ++ my $n = $self->{n}; ++ ++ $self->add_code(<<___); ++ std $lo,-8($sp) ++___ ++ ++ for (my $j = 0; $j <= $n+1; $j++) { ++ $self->{code}.=<<___; ++ std $tp[$j],-`($j+2)*8`($sp) ++___ ++ } ++ ++ $self->add_code(<<___); ++ ++___ ++} ++ ++sub restore_registers($) ++{ ++ my ($self) = @_; ++ ++ my $n = $self->{n}; ++ ++ $self->add_code(<<___); ++ ld $lo,-8($sp) ++___ ++ ++ for (my $j = 0; $j <= $n+1; $j++) { ++ $self->{code}.=<<___; ++ ld $tp[$j],-`($j+2)*8`($sp) ++___ ++ } ++ ++ $self->{code} .=<<___; ++ ++___ ++} ++ ++# Direct translation of C mul() ++sub mul($$$$$) ++{ ++ my ($self, $r, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $r,$lo,$c ++ mulhdu $c,$a,$w ++ addze $c,$c ++ ++___ ++} ++ ++# Like mul() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_c_0($$$$$) ++{ ++ my ($self, $r, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $r,$a,$w ++ mulhdu $c,$a,$w ++ ++___ ++} ++ ++# Like mul() but does not to the final addition of CA into $c - an ++# optimisation to save an instruction ++sub mul_last($$$$$$) ++{ ++ my ($self, $r1, $r2, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $r1,$lo,$c ++ mulhdu $c,$a,$w ++ ++ addze $r2,$c ++___ ++} ++ ++# Like C mul_add() but allow $r_out and $r_in to be different ++sub mul_add($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $lo,$lo,$c ++ mulhdu $c,$a,$w ++ 
addze $c,$c ++ addc $r_out,$r_in,$lo ++ addze $c,$c ++ ++___ ++} ++ ++# Like mul_add() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_add_c_0($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $r_out,$r_in,$lo ++ mulhdu $c,$a,$w ++ addze $c,$c ++ ++___ ++} ++ ++package Mont::GPR_300; ++ ++our @ISA = ('Mont::GPR'); ++ ++sub new($$) ++{ ++ my ($class, $n) = @_; ++ ++ my $mont = $class->SUPER::new($n); ++ ++ return $mont; ++} ++ ++sub get_function_name($) ++{ ++ my ($self) = @_; ++ ++ return "bn_mul_mont_300_fixed_n" . $self->{n}; ++} ++ ++sub get_label($$) ++{ ++ my ($self, $l) = @_; ++ ++ return "L" . $l . "_300_" . $self->{n}; ++} ++ ++# Direct translation of C mul() ++sub mul($$$$$) ++{ ++ my ($self, $r, $a, $w, $c, $last) = @_; ++ ++ $self->add_code(<<___); ++ maddld $r,$a,$w,$c ++ maddhdu $c,$a,$w,$c ++ ++___ ++} ++ ++# Save the last carry as the final entry ++sub mul_last($$$$$) ++{ ++ my ($self, $r1, $r2, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ maddld $r1,$a,$w,$c ++ maddhdu $r2,$a,$w,$c ++ ++___ ++} ++ ++# Like mul() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_c_0($$$$$) ++{ ++ my ($self, $r, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $r,$a,$w ++ mulhdu $c,$a,$w ++ ++___ ++} ++ ++# Like C mul_add() but allow $r_out and $r_in to be different ++sub mul_add($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ maddld $lo,$a,$w,$c ++ maddhdu $c,$a,$w,$c ++ addc $r_out,$r_in,$lo ++ addze $c,$c ++ ++___ ++} ++ ++# Like mul_add() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_add_c_0($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ maddld $lo,$a,$w,$r_in ++ maddhdu 
$c,$a,$w,$r_in ++___ ++ ++ if ($r_out ne $lo) { ++ $self->add_code(<<___); ++ mr $r_out,$lo ++___ ++ } ++ ++ $self->nl(); ++} ++ ++ ++package main; ++ ++my $code; ++ ++$code.=<<___; ++.machine "any" ++.text ++___ ++ ++my $mont; ++ ++$mont = new Mont::GPR(6); ++$mont->mul_mont_fixed(); ++$code .= $mont->get_code(); ++ ++$mont = new Mont::GPR_300(6); ++$mont->mul_mont_fixed(); ++$code .= $mont->get_code(); ++ ++$code =~ s/\`([^\`]*)\`/eval $1/gem; ++ ++$code.=<<___; ++.asciz "Montgomery Multiplication for PPC by , " ++___ ++ ++print $code; ++close STDOUT or die "error closing STDOUT: $!"; +diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c +index 3ee76ea96574..1e9421bee213 100644 +--- a/crypto/bn/bn_ppc.c ++++ b/crypto/bn/bn_ppc.c +@@ -19,6 +19,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num); + int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num); ++ int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, ++ const BN_ULONG *bp, const BN_ULONG *np, ++ const BN_ULONG *n0, int num); ++ int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, ++ const BN_ULONG *bp, const BN_ULONG *np, ++ const BN_ULONG *n0, int num); + + if (num < 4) + return 0; +@@ -34,5 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + * no opportunity to figure it out... 
+ */ + ++#if defined(_ARCH_PPC64) && !defined(__ILP32__) ++ if (num == 6) { ++ if (OPENSSL_ppccap_P & PPC_MADD300) ++ return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); ++ else ++ return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num); ++ } ++#endif ++ + return bn_mul_mont_int(rp, ap, bp, np, n0, num); + } +diff --git a/crypto/bn/build.info b/crypto/bn/build.info +index 4f8d0689b5ea..987a70ae263b 100644 +--- a/crypto/bn/build.info ++++ b/crypto/bn/build.info +@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}] + + $BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s + $BNDEF_ppc32=OPENSSL_BN_ASM_MONT +- $BNASM_ppc64=$BNASM_ppc32 ++ $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s + $BNDEF_ppc64=$BNDEF_ppc32 + + $BNASM_c64xplus=asm/bn-c64xplus.asm +@@ -173,6 +173,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl + GENERATE[bn-ppc.s]=asm/ppc.pl + GENERATE[ppc-mont.s]=asm/ppc-mont.pl + GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl ++GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl + + GENERATE[alpha-mont.S]=asm/alpha-mont.pl + + +From 01ebad0d6e3a09bc9e32350b402901471610a3dc Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Thu, 30 Jun 2022 16:21:06 +1000 +Subject: [PATCH 2/2] Fix unrolled montgomery multiplication for POWER9 + +In the reference C implementation in bn_asm.c, tp[num + 1] contains the +carry bit for accumulations into tp[num]. tp[num + 1] is only ever +assigned, never itself incremented. 
+--- + crypto/bn/asm/ppc64-mont-fixed.pl | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl +index 0fb397bc5f12..e27d0ad93d85 100755 +--- a/crypto/bn/asm/ppc64-mont-fixed.pl ++++ b/crypto/bn/asm/ppc64-mont-fixed.pl +@@ -63,6 +63,7 @@ + # Registers are global so the code is remotely readable + + # Parameters for Montgomery multiplication ++my $ze = "r0"; + my $sp = "r1"; + my $toc = "r2"; + my $rp = "r3"; +@@ -192,6 +193,7 @@ ($) + $self->save_registers(); + + $self->add_code(<<___); ++ li $ze,0 + ld $n0,0($n0) + + ld $bp0,0($bp) +@@ -242,7 +244,7 @@ ($) + + $self->add_code(<<___); + addc $tp[$n],$tp[$n],$c0 +- addze $tp[$n+1],$tp[$n+1] ++ addze $tp[$n+1],$ze + ___ + + $self->add_code(<<___); +@@ -272,7 +274,7 @@ ($) + and. $tp[$n],$tp[$n],$tp[$n] + bne $label->{"sub"} + +- cmpld $tp[$n-1],$npj ++ cmpld $tp[$n-1],$npj + blt $label->{"copy"} + + $label->{"sub"}: diff --git a/SOURCES/0068-CVE-2022-2068.patch b/SOURCES/0068-CVE-2022-2068.patch deleted file mode 100644 index c4dd7f2..0000000 --- a/SOURCES/0068-CVE-2022-2068.patch +++ /dev/null 
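Review bot: The final reduction in `mul_mont_fixed` is decided by data-dependent branches (`bne` to the `sub` label on `$tp[$n]`, `blt` to `copy` after `cmpld $tp[$n-1],$npj`, and `beq` to `end` after `addme.`), so the instruction path of the n=6 routine varies with the intermediate product. The file header says this path exists for ECC p384, where operands can be secret, so I would at least record that next to the `# Reduction` comment, e.g. `# NOTE: conditional subtract branches on tp[n]/tp[n-1]; not constant-time`, and track a branch-free select as a follow-up. Separately, the header comment and `my @vsrs = ("v32" .. "v46");` describe saving non-volatile GPRs in vector registers, but the visible `save_registers`/`restore_registers` in `Mont::GPR` use `std`/`ld` at negative offsets from `$sp` and `@vsrs` is never referenced, so the comment should be corrected or the array dropped. The deleted 0067-fix-ppc64-montgomery.patch also carried a P-384 `DigestVerify` vector for `evppkey_ecdsa.txt`; whether the rebased tree still contains it is not visible here and is worth confirming, since it is the regression test for the carry fix in PATCH 2/2.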
@@ -1,174 +0,0 @@ -diff -up openssl-3.0.1/tools/c_rehash.in.cve20222068 openssl-3.0.1/tools/c_rehash.in ---- openssl-3.0.1/tools/c_rehash.in.cve20222068 2022-06-22 13:15:57.347421765 +0200 -+++ openssl-3.0.1/tools/c_rehash.in 2022-06-22 13:16:14.797576250 +0200 -@@ -104,18 +104,41 @@ foreach (@dirlist) { - } - exit($errorcount); - -+sub copy_file { -+ my ($src_fname, $dst_fname) = @_; -+ -+ if (open(my $in, "<", $src_fname)) { -+ if (open(my $out, ">", $dst_fname)) { -+ print $out $_ while (<$in>); -+ close $out; -+ } else { -+ warn "Cannot open $dst_fname for write, $!"; -+ } -+ close $in; -+ } else { -+ warn "Cannot open $src_fname for read, $!"; -+ } -+} -+ - sub hash_dir { -+ my $dir = shift; - my %hashlist; -- print "Doing $_[0]\n"; -- chdir $_[0]; -- opendir(DIR, "."); -+ -+ print "Doing $dir\n"; -+ -+ if (!chdir $dir) { -+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; -+ return; -+ } -+ -+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; - my @flist = sort readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if (-l $_) { -- print "unlink $_" if $verbose; -+ print "unlink $_\n" if $verbose; - unlink $_ || warn "Can't unlink $_, $!\n"; - } - } -@@ -130,13 +153,16 @@ sub hash_dir { - link_hash_cert($fname) if ($cert); - link_hash_crl($fname) if ($crl); - } -+ -+ chdir $pwd; - } - - sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; -- open IN, $fname; -- while() { -+ -+ open(my $in, "<", $fname); -+ while(<$in>) { - if (/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { -@@ -148,7 +174,7 @@ sub check_file { - } - } - } -- close IN; -+ close $in; - return ($is_cert, $is_crl); - } - -@@ -177,76 +203,49 @@ sub compute_hash { - # certificate fingerprints - - sub link_hash_cert { -- my $fname = $_[0]; -- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, -- 
"-fingerprint", "-noout", -- "-in", $fname); -- chomp $hash; -- chomp $fprint; -- return if !$hash; -- $fprint =~ s/^.*=//; -- $fprint =~ tr/://d; -- my $suffix = 0; -- # Search for an unused hash filename -- while(exists $hashlist{"$hash.$suffix"}) { -- # Hash matches: if fingerprint matches its a duplicate cert -- if ($hashlist{"$hash.$suffix"} eq $fprint) { -- print STDERR "WARNING: Skipping duplicate certificate $fname\n"; -- return; -- } -- $suffix++; -- } -- $hash .= ".$suffix"; -- if ($symlink_exists) { -- print "link $fname -> $hash\n" if $verbose; -- symlink $fname, $hash || warn "Can't symlink, $!"; -- } else { -- print "copy $fname -> $hash\n" if $verbose; -- if (open($in, "<", $fname)) { -- if (open($out,">", $hash)) { -- print $out $_ while (<$in>); -- close $out; -- } else { -- warn "can't open $hash for write, $!"; -- } -- close $in; -- } else { -- warn "can't open $fname for read, $!"; -- } -- } -- $hashlist{$hash} = $fprint; -+ link_hash($_[0], 'cert'); - } - - # Same as above except for a CRL. CRL links are of the form .r - - sub link_hash_crl { -- my $fname = $_[0]; -- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, -+ link_hash($_[0], 'crl'); -+} -+ -+sub link_hash { -+ my ($fname, $type) = @_; -+ my $is_cert = $type eq 'cert'; -+ -+ my ($hash, $fprint) = compute_hash($openssl, -+ $is_cert ? "x509" : "crl", -+ $is_cert ? $x509hash : $crlhash, - "-fingerprint", "-noout", - "-in", $fname); - chomp $hash; -+ $hash =~ s/^.*=// if !$is_cert; - chomp $fprint; - return if !$hash; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename -- while(exists $hashlist{"$hash.r$suffix"}) { -+ my $crlmark = $is_cert ? 
"" : "r"; -+ while(exists $hashlist{"$hash.$crlmark$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert -- if ($hashlist{"$hash.r$suffix"} eq $fprint) { -- print STDERR "WARNING: Skipping duplicate CRL $fname\n"; -+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { -+ my $what = $is_cert ? 'certificate' : 'CRL'; -+ print STDERR "WARNING: Skipping duplicate $what $fname\n"; - return; - } - $suffix++; - } -- $hash .= ".r$suffix"; -+ $hash .= ".$crlmark$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { -- print "cp $fname -> $hash\n" if $verbose; -- system ("cp", $fname, $hash); -- warn "Can't copy, $!" if ($? >> 8) != 0; -+ print "copy $fname -> $hash\n" if $verbose; -+ copy_file($fname, $hash); - } - $hashlist{$hash} = $fprint; - } diff --git a/SOURCES/0069-CVE-2022-2097.patch b/SOURCES/0069-CVE-2022-2097.patch deleted file mode 100644 index 47fcaa5..0000000 --- a/SOURCES/0069-CVE-2022-2097.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -From a98f339ddd7e8f487d6e0088d4a9a42324885a93 Mon Sep 17 00:00:00 2001 -From: Alex Chernyakhovsky -Date: Thu, 16 Jun 2022 12:00:22 +1000 -Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path -that performs operations on 6 16-byte blocks concurrently (the -"grandloop") and then proceeds to handle the "short" tail (which can -be anywhere from 0 to 5 blocks) that remain. - -As part of initialization, the assembly initializes $len to the true -length, less 96 bytes and converts it to a pointer so that the $inp -can be compared to it. Each iteration of "grandloop" checks to see if -there's a full 96-byte chunk to process, and if so, continues. Once -this has been exhausted, it falls through to "short", which handles -the remaining zero to five blocks. - -Unfortunately, the jump at the end of "grandloop" had a fencepost -error, doing a `jb` ("jump below") rather than `jbe` (jump below or -equal). This should be `jbe`, as $inp is pointing to the *end* of the -chunk currently being handled. If $inp == $len, that means that -there's a whole 96-byte chunk waiting to be handled. If $inp > $len, -then there's 5 or fewer 16-byte blocks left to be handled, and the -fall-through is intended. - -The net effect of `jb` instead of `jbe` is that the last 16-byte block -of the last 96-byte chunk was completely omitted. The contents of -`out` in this position were never written to. Additionally, since -those bytes were never processed, the authentication tag generated is -also incorrect. - -The same fencepost error, and identical logic, exists in both -aesni_ocb_encrypt and aesni_ocb_decrypt. - -This addresses CVE-2022-2097. 
- -Co-authored-by: Alejandro Sedeño -Co-authored-by: David Benjamin - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(cherry picked from commit 6ebf6d51596f51d23ccbc17930778d104a57d99c) -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93] ---- - crypto/aes/asm/aesni-x86.pl | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl -index 4245fe34e17e..7cf838db170b 100644 ---- a/crypto/aes/asm/aesni-x86.pl -+++ b/crypto/aes/asm/aesni-x86.pl -@@ -2025,7 +2025,7 @@ sub aesni_generate6 - &movdqu (&QWP(-16*2,$out,$inp),$inout4); - &movdqu (&QWP(-16*1,$out,$inp),$inout5); - &cmp ($inp,$len); # done yet? -- &jb (&label("grandloop")); -+ &jbe (&label("grandloop")); - - &set_label("short"); - &add ($len,16*6); -@@ -2451,7 +2451,7 @@ sub aesni_generate6 - &pxor ($rndkey1,$inout5); - &movdqu (&QWP(-16*1,$out,$inp),$inout5); - &cmp ($inp,$len); # done yet? -- &jb (&label("grandloop")); -+ &jbe (&label("grandloop")); - - &set_label("short"); - &add ($len,16*6); -From 52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 Mon Sep 17 00:00:00 2001 -From: Alex Chernyakhovsky -Date: Thu, 16 Jun 2022 12:02:37 +1000 -Subject: [PATCH] AES OCB test vectors -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue. 
- -Co-authored-by: Alejandro Sedeño -Co-authored-by: David Benjamin - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(cherry picked from commit 2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be) -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8] ---- - .../30-test_evp_data/evpciph_aes_ocb.txt | 50 +++++++++++++++++++ - 1 file changed, 50 insertions(+) - -diff --git a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt -index e58ee34b6b3f..de098905230b 100644 ---- a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt -+++ b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt -@@ -207,3 +207,53 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021 - Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F77C528A1DE6406B519BCEE8FCB829417001E54E15A7576C4DF32366E0F439C7051CB4824B8114E9A720CBC1CE0185B156B486 - Operation = DECRYPT - Result = CIPHERFINAL_ERROR -+ -+#Test vectors generated to validate aesni_ocb_encrypt on x86 -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = C14DFF7D62A13C4A3422456207453190 -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333 -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8 -+Plaintext = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204 -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = 41970D13737B7BD1B5FBF49ED4412CA5 -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91 -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = BE0228651ED4E48A11BDED68D953F3A0 -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag 
= 17BC6E10B16E5FDC52836E7D589518C7 -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = E84AAC18666116990A3A37B3A5FC55BD -+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED -+ -+Cipher = aes-128-ocb -+Key = 000102030405060708090A0B0C0D0E0F -+IV = 000000000001020304050607 -+Tag = 3E5EA7EE064FE83B313E28D411E91EAD -+Plaintext = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D -+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C diff --git a/SOURCES/0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch b/SOURCES/0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch deleted file mode 100644 index 5a16ae7..0000000 --- a/SOURCES/0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From edceec7fe0c9a5534ae155c8398c63dd7dd95483 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 5 May 2022 08:11:24 +0200 -Subject: [PATCH] EVP_PKEY_Q_keygen: Call OPENSSL_init_crypto to init - strcasecmp - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/18247) - -(cherry picked from commit b807c2fbab2128cf3746bb2ebd51cbe3bb6914a9) - -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483] ---- - crypto/evp/evp_lib.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c -index 3fe4743761..d9b8c0af41 100644 ---- a/crypto/evp/evp_lib.c -+++ b/crypto/evp/evp_lib.c -@@ -24,6 +24,7 @@ - #include - #include - #include "crypto/evp.h" -+#include "crypto/cryptlib.h" - #include "internal/provider.h" - #include "evp_local.h" - -@@ -1094,6 +1095,8 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags) - return (ctx->flags & flags); - } - -+#if !defined(FIPS_MODULE) -+ - int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name) - { - OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END }; -@@ -1169,6 +1172,8 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, - - va_start(args, type); - -+ OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL); -+ - if (OPENSSL_strcasecmp(type, "RSA") == 0) { - bits = va_arg(args, size_t); - params[0] = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits); -@@ -1189,3 +1194,5 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq, - va_end(args); - return ret; - } -+ -+#endif /* !defined(FIPS_MODULE) */ --- -2.35.3 - diff --git a/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch b/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch index 527b901..e5e7f9b 100644 --- a/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch 
+++ b/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch @@ -1311,7 +1311,7 @@ index c12cb9c..2a819b2 100644 $CHACHAASM_c64xplus=chacha-c64xplus.s @@ -29,6 +29,7 @@ SOURCE[../../libcrypto]=$CHACHAASM - GENERATE[chacha-x86.s]=asm/chacha-x86.pl + GENERATE[chacha-x86.S]=asm/chacha-x86.pl GENERATE[chacha-x86_64.s]=asm/chacha-x86_64.pl GENERATE[chacha-ppc.s]=asm/chacha-ppc.pl +GENERATE[chachap10-ppc.s]=asm/chachap10-ppc.pl diff --git a/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch index 27f86f5..eeafbfa 100644 --- a/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +++ b/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch @@ -136,10 +136,17 @@ diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.i index 4e30ec56dd..0103c87528 100644 --- a/providers/fips/self_test_data.inc +++ b/providers/fips/self_test_data.inc -@@ -1294,9 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = { +@@ -1294,15 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = { ST_KAT_PARAM_END() }; +-/*- +- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the +- * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient +- * HP/UX PA-RISC compilers. +- */ +-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; +- +/*- + * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the + * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient @@ -153,8 +160,7 @@ index 4e30ec56dd..0103c87528 100644 +}; + static const ST_KAT_PARAM rsa_enc_params[] = { -- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, -- OSSL_PKEY_RSA_PAD_MODE_NONE), +- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), + ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep), + ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, + oaep_fixed_seed), 
diff --git a/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch index c7e4731..0b6a9fb 100644 --- a/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +++ b/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch @@ -149,14 +149,14 @@ index db1a1d7bc3..c94c3c53bd 100644 if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen, - (siglen == NULL) ? 0 : *siglen); + sigret == NULL ? 0 : *siglen); +#ifndef FIPS_MODULE dctx = EVP_PKEY_CTX_dup(pctx); if (dctx == NULL) return 0; @@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, sigret, siglen, - (siglen == NULL) ? 0 : *siglen); + *siglen); EVP_PKEY_CTX_free(dctx); +#endif /* defined(FIPS_MODULE) */ return r; diff --git a/SOURCES/0076-FIPS-140-3-DRBG.patch b/SOURCES/0076-FIPS-140-3-DRBG.patch index 0d91598..8f97a6a 100644 --- a/SOURCES/0076-FIPS-140-3-DRBG.patch +++ b/SOURCES/0076-FIPS-140-3-DRBG.patch 
@@ -92,6 +92,22 @@ diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3 /* Reseed using our sources in addition */ entropylen = get_entropy(drbg, &entropy, drbg->strength, drbg->min_entropylen, drbg->max_entropylen, +@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d + reseed_required = 1; + } + if (drbg->parent != NULL +- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) ++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { ++#ifdef FIPS_MODULE ++ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ ++ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); ++#else + reseed_required = 1; ++#endif ++ } + + if (reseed_required || prediction_resistance) { + if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0, diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c --- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 +++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 diff --git a/SOURCES/0079-CVE-2022-3602.patch b/SOURCES/0079-CVE-2022-3602.patch deleted file mode 100644 index 4f935e4..0000000 --- a/SOURCES/0079-CVE-2022-3602.patch +++ /dev/null 
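Review bot: In the added `#ifdef FIPS_MODULE` branch of the inner `ossl_prov_drbg_generate` hunk, a mismatch between `get_parent_reseed_count(drbg)` and `drbg->parent_reseed_counter` no longer sets `reseed_required`; it only copies the parent's counter, so, as far as this hunk shows, a FIPS-provider child DRBG would keep generating from its existing state after the parent has reseeded. The comment justifies this by chain reseeding done elsewhere in the Red Hat patches, which is not visible here; it should name the code that does the reseeding so the invariant can be re-checked on each rebase, e.g. `/* Parent reseed is propagated by <function name>; only sync the counter here. */`. The branch also calls `get_parent_reseed_count(drbg)` a second time, so the stored value can differ from the one that was compared if the parent reseeds in between; reading it once into a local and using that for both the comparison and the assignment would keep them consistent. The body of `ossl_prov_drbg_generate` continues outside the hunk.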
@@ -1,399 +0,0 @@ -diff --git a/crypto/punycode.c b/crypto/punycode.c -index 385b4b1df4..b9b4e3d785 100644 ---- a/crypto/punycode.c -+++ b/crypto/punycode.c -@@ -123,7 +123,6 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len, - unsigned int bias = initial_bias; - size_t processed_in = 0, written_out = 0; - unsigned int max_out = *pout_length; -- - unsigned int basic_count = 0; - unsigned int loop; - -@@ -181,11 +180,11 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len, - n = n + i / (written_out + 1); - i %= (written_out + 1); - -- if (written_out > max_out) -+ if (written_out >= max_out) - return 0; - - memmove(pDecoded + i + 1, pDecoded + i, -- (written_out - i) * sizeof *pDecoded); -+ (written_out - i) * sizeof(*pDecoded)); - pDecoded[i] = n; - i++; - written_out++; -@@ -255,30 +254,35 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - */ - char *outptr = out; - const char *inptr = in; -- size_t size = 0; -+ size_t size = 0, maxsize; - int result = 1; -- -+ unsigned int i, j; - unsigned int buf[LABEL_BUF_SIZE]; /* It's a hostname */ -- if (out == NULL) -+ -+ if (out == NULL) { - result = 0; -+ maxsize = 0; -+ } else { -+ maxsize = *outlen; -+ } -+ -+#define PUSHC(c) \ -+ do \ -+ if (size++ < maxsize) \ -+ *outptr++ = c; \ -+ else \ -+ result = 0; \ -+ while (0) - - while (1) { - char *tmpptr = strchr(inptr, '.'); -- size_t delta = (tmpptr) ? (size_t)(tmpptr - inptr) : strlen(inptr); -+ size_t delta = tmpptr != NULL ? 
(size_t)(tmpptr - inptr) : strlen(inptr); - - if (strncmp(inptr, "xn--", 4) != 0) { -- size += delta + 1; -- -- if (size >= *outlen - 1) -- result = 0; -- -- if (result > 0) { -- memcpy(outptr, inptr, delta + 1); -- outptr += delta + 1; -- } -+ for (i = 0; i < delta + 1; i++) -+ PUSHC(inptr[i]); - } else { - unsigned int bufsize = LABEL_BUF_SIZE; -- unsigned int i; - - if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0) - return -1; -@@ -286,26 +290,15 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - for (i = 0; i < bufsize; i++) { - unsigned char seed[6]; - size_t utfsize = codepoint2utf8(seed, buf[i]); -+ - if (utfsize == 0) - return -1; - -- size += utfsize; -- if (size >= *outlen - 1) -- result = 0; -- -- if (result > 0) { -- memcpy(outptr, seed, utfsize); -- outptr += utfsize; -- } -+ for (j = 0; j < utfsize; j++) -+ PUSHC(seed[j]); - } - -- if (tmpptr != NULL) { -- *outptr = '.'; -- outptr++; -- size++; -- if (size >= *outlen - 1) -- result = 0; -- } -+ PUSHC(tmpptr != NULL ? '.' : '\0'); - } - - if (tmpptr == NULL) -@@ -313,7 +306,9 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - - inptr = tmpptr + 1; - } -+#undef PUSHC - -+ *outlen = size; - return result; - } - -@@ -327,12 +322,11 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - - int ossl_a2ucompare(const char *a, const char *u) - { -- char a_ulabel[LABEL_BUF_SIZE]; -+ char a_ulabel[LABEL_BUF_SIZE + 1]; - size_t a_size = sizeof(a_ulabel); - -- if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) { -+ if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) - return -1; -- } - -- return (strcmp(a_ulabel, u) == 0) ? 
0 : 1; -+ return strcmp(a_ulabel, u) != 0; - } -diff --git a/test/build.info b/test/build.info -index 9d2d41e417..638f215da6 100644 ---- a/test/build.info -+++ b/test/build.info -@@ -40,7 +40,7 @@ IF[{- !$disabled{tests} -}] - exptest pbetest localetest evp_pkey_ctx_new_from_name\ - evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ - evp_fetch_prov_test evp_libctx_test ossl_store_test \ -- v3nametest v3ext \ -+ v3nametest v3ext punycode_test \ - evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ - evp_fetch_prov_test v3nametest v3ext \ - crltest danetest bad_dtls_test lhash_test sparse_array_test \ -@@ -290,6 +290,10 @@ IF[{- !$disabled{tests} -}] - INCLUDE[pkcs7_test]=../include ../apps/include - DEPEND[pkcs7_test]=../libcrypto libtestutil.a - -+ SOURCE[punycode_test]=punycode_test.c -+ INCLUDE[punycode_test]=../include ../apps/include -+ DEPEND[punycode_test]=../libcrypto.a libtestutil.a -+ - SOURCE[stack_test]=stack_test.c - INCLUDE[stack_test]=../include ../apps/include - DEPEND[stack_test]=../libcrypto libtestutil.a -diff --git a/test/punycode_test.c b/test/punycode_test.c -new file mode 100644 -index 0000000000..285ead6966 ---- /dev/null -+++ b/test/punycode_test.c -@@ -0,0 +1,219 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+ -+#include "crypto/punycode.h" -+#include "internal/nelem.h" -+#include "testutil.h" -+ -+ -+static const struct puny_test { -+ unsigned int raw[50]; -+ const char *encoded; -+} puny_cases[] = { -+ /* Test cases from RFC 3492 */ -+ { /* Arabic (Egyptian) */ -+ { 0x0644, 0x064A, 0x0647, 0x0645, 0x0627, 0x0628, 0x062A, 0x0643, 0x0644, -+ 0x0645, 0x0648, 0x0634, 0x0639, 0x0631, 0x0628, 0x064A, 0x061F -+ }, -+ "egbpdaj6bu4bxfgehfvwxn" -+ }, -+ { /* Chinese (simplified) */ -+ { 0x4ED6, 0x4EEC, 0x4E3A, 0x4EC0, 0x4E48, 0x4E0D, 0x8BF4, 0x4E2D, 0x6587 -+ }, -+ "ihqwcrb4cv8a8dqg056pqjye" -+ }, -+ { /* Chinese (traditional) */ -+ { 0x4ED6, 0x5011, 0x7232, 0x4EC0, 0x9EBD, 0x4E0D, 0x8AAA, 0x4E2D, 0x6587 -+ }, -+ "ihqwctvzc91f659drss3x8bo0yb" -+ }, -+ { /* Czech: Proprostnemluvesky */ -+ { 0x0050, 0x0072, 0x006F, 0x010D, 0x0070, 0x0072, 0x006F, 0x0073, 0x0074, -+ 0x011B, 0x006E, 0x0065, 0x006D, 0x006C, 0x0075, 0x0076, 0x00ED, 0x010D, -+ 0x0065, 0x0073, 0x006B, 0x0079 -+ }, -+ "Proprostnemluvesky-uyb24dma41a" -+ }, -+ { /* Hebrew */ -+ { 0x05DC, 0x05DE, 0x05D4, 0x05D4, 0x05DD, 0x05E4, 0x05E9, 0x05D5, 0x05D8, -+ 0x05DC, 0x05D0, 0x05DE, 0x05D3, 0x05D1, 0x05E8, 0x05D9, 0x05DD, 0x05E2, -+ 0x05D1, 0x05E8, 0x05D9, 0x05EA -+ }, -+ "4dbcagdahymbxekheh6e0a7fei0b" -+ }, -+ { /* Hindi (Devanagari) */ -+ { 0x092F, 0x0939, 0x0932, 0x094B, 0x0917, 0x0939, 0x093F, 0x0928, 0x094D, -+ 0x0926, 0x0940, 0x0915, 0x094D, 0x092F, 0x094B, 0x0902, 0x0928, 0x0939, -+ 0x0940, 0x0902, 0x092C, 0x094B, 0x0932, 0x0938, 0x0915, 0x0924, 0x0947, -+ 0x0939, 0x0948, 0x0902 -+ }, -+ "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd" -+ }, -+ { /* Japanese (kanji and hiragana) */ -+ { 0x306A, 0x305C, 0x307F, 0x3093, 0x306A, 0x65E5, 0x672C, 0x8A9E, 0x3092, -+ 0x8A71, 0x3057, 0x3066, 0x304F, 0x308C, 0x306A, 0x3044, 0x306E, 0x304B -+ }, -+ 
"n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa" -+ }, -+ { /* Korean (Hangul syllables) */ -+ { 0xC138, 0xACC4, 0xC758, 0xBAA8, 0xB4E0, 0xC0AC, 0xB78C, 0xB4E4, 0xC774, -+ 0xD55C, 0xAD6D, 0xC5B4, 0xB97C, 0xC774, 0xD574, 0xD55C, 0xB2E4, 0xBA74, -+ 0xC5BC, 0xB9C8, 0xB098, 0xC88B, 0xC744, 0xAE4C -+ }, -+ "989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c" -+ }, -+ { /* Russian (Cyrillic) */ -+ { 0x043F, 0x043E, 0x0447, 0x0435, 0x043C, 0x0443, 0x0436, 0x0435, 0x043E, -+ 0x043D, 0x0438, 0x043D, 0x0435, 0x0433, 0x043E, 0x0432, 0x043E, 0x0440, -+ 0x044F, 0x0442, 0x043F, 0x043E, 0x0440, 0x0443, 0x0441, 0x0441, 0x043A, -+ 0x0438 -+ }, -+ "b1abfaaepdrnnbgefbaDotcwatmq2g4l" -+ }, -+ { /* Spanish */ -+ { 0x0050, 0x006F, 0x0072, 0x0071, 0x0075, 0x00E9, 0x006E, 0x006F, 0x0070, -+ 0x0075, 0x0065, 0x0064, 0x0065, 0x006E, 0x0073, 0x0069, 0x006D, 0x0070, -+ 0x006C, 0x0065, 0x006D, 0x0065, 0x006E, 0x0074, 0x0065, 0x0068, 0x0061, -+ 0x0062, 0x006C, 0x0061, 0x0072, 0x0065, 0x006E, 0x0045, 0x0073, 0x0070, -+ 0x0061, 0x00F1, 0x006F, 0x006C -+ }, -+ "PorqunopuedensimplementehablarenEspaol-fmd56a" -+ }, -+ { /* Vietnamese */ -+ { 0x0054, 0x1EA1, 0x0069, 0x0073, 0x0061, 0x006F, 0x0068, 0x1ECD, 0x006B, -+ 0x0068, 0x00F4, 0x006E, 0x0067, 0x0074, 0x0068, 0x1EC3, 0x0063, 0x0068, -+ 0x1EC9, 0x006E, 0x00F3, 0x0069, 0x0074, 0x0069, 0x1EBF, 0x006E, 0x0067, -+ 0x0056, 0x0069, 0x1EC7, 0x0074 -+ }, -+ "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g" -+ }, -+ { /* Japanese: 3B */ -+ { 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F -+ }, -+ "3B-ww4c5e180e575a65lsy2b" -+ }, -+ { /* Japanese: -with-SUPER-MONKEYS */ -+ { 0x5B89, 0x5BA4, 0x5948, 0x7F8E, 0x6075, 0x002D, 0x0077, 0x0069, 0x0074, -+ 0x0068, 0x002D, 0x0053, 0x0055, 0x0050, 0x0045, 0x0052, 0x002D, 0x004D, -+ 0x004F, 0x004E, 0x004B, 0x0045, 0x0059, 0x0053 -+ }, -+ "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n" -+ }, -+ { /* Japanese: Hello-Another-Way- */ -+ { 0x0048, 0x0065, 0x006C, 0x006C, 0x006F, 0x002D, 0x0041, 0x006E, 
0x006F, -+ 0x0074, 0x0068, 0x0065, 0x0072, 0x002D, 0x0057, 0x0061, 0x0079, 0x002D, -+ 0x305D, 0x308C, 0x305E, 0x308C, 0x306E, 0x5834, 0x6240 -+ }, -+ "Hello-Another-Way--fc4qua05auwb3674vfr0b" -+ }, -+ { /* Japanese: 2 */ -+ { 0x3072, 0x3068, 0x3064, 0x5C4B, 0x6839, 0x306E, 0x4E0B, 0x0032 -+ }, -+ "2-u9tlzr9756bt3uc0v" -+ }, -+ { /* Japanese: MajiKoi5 */ -+ { 0x004D, 0x0061, 0x006A, 0x0069, 0x3067, 0x004B, 0x006F, 0x0069, 0x3059, -+ 0x308B, 0x0035, 0x79D2, 0x524D -+ }, -+ "MajiKoi5-783gue6qz075azm5e" -+ }, -+ { /* Japanese: de */ -+ { 0x30D1, 0x30D5, 0x30A3, 0x30FC, 0x0064, 0x0065, 0x30EB, 0x30F3, 0x30D0 -+ }, -+ "de-jg4avhby1noc0d" -+ }, -+ { /* Japanese: */ -+ { 0x305D, 0x306E, 0x30B9, 0x30D4, 0x30FC, 0x30C9, 0x3067 -+ }, -+ "d9juau41awczczp" -+ }, -+ { /* -> $1.00 <- */ -+ { 0x002D, 0x003E, 0x0020, 0x0024, 0x0031, 0x002E, 0x0030, 0x0030, 0x0020, -+ 0x003C, 0x002D -+ }, -+ "-> $1.00 <--" -+ } -+}; -+ -+static int test_punycode(int n) -+{ -+ const struct puny_test *tc = puny_cases + n; -+ unsigned int buffer[50]; -+ unsigned int bsize = OSSL_NELEM(buffer); -+ size_t i; -+ -+ if (!TEST_true(ossl_punycode_decode(tc->encoded, strlen(tc->encoded), -+ buffer, &bsize))) -+ return 0; -+ for (i = 0; i < sizeof(tc->raw); i++) -+ if (tc->raw[i] == 0) -+ break; -+ if (!TEST_mem_eq(buffer, bsize * sizeof(*buffer), -+ tc->raw, i * sizeof(*tc->raw))) -+ return 0; -+ return 1; -+} -+ -+static int test_a2ulabel(void) -+{ -+ char out[50]; -+ size_t outlen; -+ -+ /* -+ * Test that no buffer correctly returns the true length. -+ * The punycode being passed in and parsed is malformed but we're not -+ * verifying that behaviour here. 
-+ */ -+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", NULL, &outlen), 0) -+ || !TEST_size_t_eq(outlen, 7) -+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)) -+ return 0; -+ /* Test that a short input length returns the true length */ -+ outlen = 1; -+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) -+ || !TEST_size_t_eq(outlen, 7) -+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) -+ || !TEST_str_eq(out,"\xc2\x80.b.c")) -+ return 0; -+ /* Test for an off by one on the buffer size works */ -+ outlen = 6; -+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) -+ || !TEST_size_t_eq(outlen, 7) -+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) -+ || !TEST_str_eq(out,"\xc2\x80.b.c")) -+ return 0; -+ return 1; -+} -+ -+static int test_puny_overrun(void) -+{ -+ static const unsigned int out[] = { -+ 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F -+ }; -+ static const char *in = "3B-ww4c5e180e575a65lsy2b"; -+ unsigned int buf[OSSL_NELEM(out)]; -+ unsigned int bsize = OSSL_NELEM(buf) - 1; -+ -+ if (!TEST_false(ossl_punycode_decode(in, strlen(in), buf, &bsize))) { -+ if (TEST_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out))) -+ TEST_error("CRITICAL: buffer overrun detected!"); -+ return 0; -+ } -+ return 1; -+} -+ -+int setup_tests(void) -+{ -+ ADD_ALL_TESTS(test_punycode, OSSL_NELEM(puny_cases)); -+ ADD_TEST(test_a2ulabel); -+ ADD_TEST(test_puny_overrun); -+ return 1; -+} -diff --git a/test/recipes/04-test_punycode.t b/test/recipes/04-test_punycode.t -new file mode 100644 -index 0000000000..de213c7e15 ---- /dev/null -+++ b/test/recipes/04-test_punycode.t -@@ -0,0 +1,11 @@ -+#! /usr/bin/env perl -+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. 
You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use OpenSSL::Test::Simple; -+ -+simple_test("test_punycode", "punycode_test"); diff --git a/SOURCES/0086-avoid-bio-memleak.patch b/SOURCES/0086-avoid-bio-memleak.patch deleted file mode 100644 index 865cd98..0000000 --- a/SOURCES/0086-avoid-bio-memleak.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 3d046c4d047a55123beeceffe9f8bae09159445e Mon Sep 17 00:00:00 2001 -From: yangyangtiantianlonglong -Date: Wed, 19 Jan 2022 11:19:52 +0800 -Subject: [PATCH] Fix the same BIO_FLAGS macro definition - -Also add comment to the public header to avoid -making another conflict in future. - -Fixes #17545 - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/17546) - -(cherry picked from commit e278f18563dd3dd67c00200ee30402f48023c6ef) ---- - include/internal/bio.h | 2 +- - include/openssl/bio.h.in | 2 ++ - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/include/internal/bio.h b/include/internal/bio.h -index 2d36a7b980f2..02f7222ab4f1 100644 ---- a/include/internal/bio.h -+++ b/include/internal/bio.h -@@ -48,9 +48,9 @@ int bread_conv(BIO *bio, char *data, size_t datal, size_t *read); - * BIO_FLAGS_KTLS_TX_CTRL_MSG means we are about to send a ctrl message next. - * BIO_FLAGS_KTLS_RX means we are using ktls with this BIO for receiving. - */ --# define BIO_FLAGS_KTLS_TX 0x800 - # define BIO_FLAGS_KTLS_TX_CTRL_MSG 0x1000 - # define BIO_FLAGS_KTLS_RX 0x2000 -+# define BIO_FLAGS_KTLS_TX 0x4000 - - /* KTLS related controls and flags */ - # define BIO_set_ktls_flag(b, is_tx) \ -diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in -index 2c65b7e1a79b..686dad3099b7 100644 ---- a/include/openssl/bio.h.in -+++ b/include/openssl/bio.h.in -@@ -209,6 +209,8 @@ extern "C" { - # define BIO_FLAGS_NONCLEAR_RST 0x400 - # define BIO_FLAGS_IN_EOF 0x800 - -+/* the BIO FLAGS values 0x1000 to 0x4000 are reserved for internal KTLS flags */ -+ - typedef union bio_addr_st BIO_ADDR; - typedef struct bio_addrinfo_st BIO_ADDRINFO; - diff --git a/SOURCES/0087-FIPS-RSA-selftest-params.patch b/SOURCES/0087-FIPS-RSA-selftest-params.patch deleted file mode 100644 index 6d47742..0000000 --- a/SOURCES/0087-FIPS-RSA-selftest-params.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 34e3cbf99f2113ca01b460cf37b56460262979af Mon Sep 17 00:00:00 2001 -From: slontis -Date: Wed, 26 Oct 2022 11:10:50 +1000 -Subject: [PATCH] Use RSA CRT parameters in FIPS self tests. - -Fixes #19488 - -Use the correct OSSL_PKEY_PARAM_RSA CRT names fior the self tests. -The invalid names cause CRT parameters to be silently ignored. - -Reviewed-by: Tim Hudson -Reviewed-by: Richard Levitte -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19501) - -(cherry picked from commit c7424fe68c65aa2187a8e4028d7dea742b95d81a) -(cherry picked from commit 4215d649e92bc4c42997ec4a1e65beba1055bbe1) ---- - providers/fips/self_test_data.inc | 10 +++++----- - -diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index 5f057d5679f1..8ae8cd6f4a5a 100644 ---- a/providers/fips/self_test_data.inc -+++ b/providers/fips/self_test_data.inc -@@ -1270,11 +1270,11 @@ static const ST_KAT_PARAM rsa_crt_key[] = { - ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_N, rsa_n), - ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_E, rsa_e), - ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_D, rsa_d), -- ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_FACTOR, rsa_p), -- ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_FACTOR, rsa_q), -- ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_EXPONENT, rsa_dp), -- ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_EXPONENT, rsa_dq), -- ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_COEFFICIENT, rsa_qInv), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_FACTOR1, rsa_p), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_FACTOR2, rsa_q), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_EXPONENT1, rsa_dp), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_EXPONENT2, rsa_dq), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, rsa_qInv), - ST_KAT_PARAM_END() - }; - diff --git a/SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch b/SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch index 0021d88..efe7751 100644 
--- a/SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch +++ b/SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch @@ -48,7 +48,7 @@ index 61ec53d424..e69a98d116 100644 return NULL; @@ -457,14 +458,27 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) return NULL; - if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) + if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0) return NULL; - if (saltlen == -1) { + if (saltlen == RSA_PSS_SALTLEN_DIGEST) { diff --git a/SOURCES/0092-provider-improvements.patch b/SOURCES/0092-provider-improvements.patch new file mode 100644 index 0000000..b850fc3 --- /dev/null +++ b/SOURCES/0092-provider-improvements.patch 
@@ -0,0 +1,705 @@ +From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 10 Nov 2022 10:46:32 -0500 +Subject: [PATCH 1/3] Propagate selection all the way on key export + +EVP_PKEY_eq() is used to check, among other things, if a certificate +public key corresponds to a private key. When the private key belongs to +a provider that does not allow to export private keys this currently +fails as the internal functions used to import/export keys ignored the +selection given (which specifies that only the public key needs to be +considered) and instead tries to export everything. + +This patch allows to propagate the selection all the way down including +adding it in the cache so that a following operation actually looking +for other selection parameters does not mistakenly pick up an export +containing only partial information. + +Signed-off-by: Simo Sorce + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19648) + +diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c +index b06730dc7a..2d0238ee27 100644 +--- a/crypto/evp/keymgmt_lib.c ++++ b/crypto/evp/keymgmt_lib.c +@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, + export_cb, export_cbarg); + } + +-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) ++void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ int selection) + { + struct evp_keymgmt_util_try_import_data_st import_data; + OP_CACHE_ELEM *op; +@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) + */ + if (pk->dirty_cnt == pk->dirty_cnt_copy) { + /* If this key is already exported to |keymgmt|, no more to do */ +- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); ++ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); + if (op != NULL && op->keymgmt != NULL) { + void *ret = op->keydata; + +@@ 
-157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) + /* Setup for the export callback */ + import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */ + import_data.keymgmt = keymgmt; +- import_data.selection = OSSL_KEYMGMT_SELECT_ALL; ++ import_data.selection = selection; + + /* + * The export function calls the callback (evp_keymgmt_util_try_import), + * which does the import for us. If successful, we're done. + */ +- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL, ++ if (!evp_keymgmt_util_export(pk, selection, + &evp_keymgmt_util_try_import, &import_data)) + /* If there was an error, bail out */ + return NULL; +@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) + return NULL; + } + /* Check to make sure some other thread didn't get there first */ +- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); ++ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); + if (op != NULL && op->keydata != NULL) { + void *ret = op->keydata; + +@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) + evp_keymgmt_util_clear_operation_cache(pk, 0); + + /* Add the new export to the operation cache */ +- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) { ++ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata, ++ selection)) { + CRYPTO_THREAD_unlock(pk->lock); + evp_keymgmt_freedata(keymgmt, import_data.keydata); + return NULL; +@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking) + } + + OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt) ++ EVP_KEYMGMT *keymgmt, ++ int selection) + { + int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache); + OP_CACHE_ELEM *p; +@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, + */ + for (i = 0; i < end; i++) { + p = 
sk_OP_CACHE_ELEM_value(pk->operation_cache, i); +- if (keymgmt == p->keymgmt) ++ if (keymgmt == p->keymgmt && (p->selection & selection) == selection) + return p; + } + return NULL; + } + +-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt, void *keydata) ++int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ void *keydata, int selection) + { + OP_CACHE_ELEM *p = NULL; + +@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, + return 0; + p->keydata = keydata; + p->keymgmt = keymgmt; ++ p->selection = selection; + + if (!EVP_KEYMGMT_up_ref(keymgmt)) { + OPENSSL_free(p); +@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) + ok = 1; + if (keydata1 != NULL) { + tmp_keydata = +- evp_keymgmt_util_export_to_provider(pk1, keymgmt2); ++ evp_keymgmt_util_export_to_provider(pk1, keymgmt2, ++ selection); + ok = (tmp_keydata != NULL); + } + if (ok) { +@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) + ok = 1; + if (keydata2 != NULL) { + tmp_keydata = +- evp_keymgmt_util_export_to_provider(pk2, keymgmt1); ++ evp_keymgmt_util_export_to_provider(pk2, keymgmt1, ++ selection); + ok = (tmp_keydata != NULL); + } + if (ok) { +diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c +index 70d17ec37e..905e9c9ce4 100644 +--- a/crypto/evp/p_lib.c ++++ b/crypto/evp/p_lib.c +@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + { + EVP_KEYMGMT *allocated_keymgmt = NULL; + EVP_KEYMGMT *tmp_keymgmt = NULL; ++ int selection = OSSL_KEYMGMT_SELECT_ALL; + void *keydata = NULL; + int check; + +@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) { + if (!CRYPTO_THREAD_read_lock(pk->lock)) + goto end; +- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); ++ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, ++ 
selection); + + /* + * If |tmp_keymgmt| is present in the operation cache, it means +@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */ + + /* Check to make sure some other thread didn't get there first */ +- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); ++ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection); + if (op != NULL && op->keymgmt != NULL) { + void *tmp_keydata = op->keydata; + +@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + } + + /* Add the new export to the operation cache */ +- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) { ++ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata, ++ selection)) { + CRYPTO_THREAD_unlock(pk->lock); + evp_keymgmt_freedata(tmp_keymgmt, keydata); + keydata = NULL; +@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, + } + #endif /* FIPS_MODULE */ + +- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt); ++ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection); + + end: + /* +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index f601b72807..dbbdcccbda 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type, + typedef struct { + EVP_KEYMGMT *keymgmt; + void *keydata; ++ int selection; + } OP_CACHE_ELEM; + + DEFINE_STACK_OF(OP_CACHE_ELEM) +@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata); + + int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, + OSSL_CALLBACK *export_cb, void *export_cbarg); +-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); ++void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ int selection); + OP_CACHE_ELEM 
*evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt); ++ EVP_KEYMGMT *keymgmt, ++ int selection); + int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); +-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt, void *keydata); ++int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ void *keydata, int selection); + void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); + void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, + int selection, const OSSL_PARAM params[]); +-- +2.38.1 + +From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 10 Nov 2022 16:58:28 -0500 +Subject: [PATCH 2/3] Update documentation for keymgmt export utils + +Change function prototypes and explain how to use the selection +argument. + +Signed-off-by: Simo Sorce + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19648) + +diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod +index 1fee9f6ff9..7099e44964 100644 +--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod ++++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod +@@ -20,12 +20,14 @@ OP_CACHE_ELEM + + int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, + OSSL_CALLBACK *export_cb, void *export_cbarg); +- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); ++ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, ++ int selection); + OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt); ++ EVP_KEYMGMT *keymgmt, ++ int selection); + int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); +- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, +- EVP_KEYMGMT *keymgmt, void *keydata); ++ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, 
EVP_KEYMGMT *keymgmt, ++ void *keydata, int selection); + void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); + void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, + int selection, const OSSL_PARAM params[]); +@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a + given key I via a B interface. This is used as a + helper for L. + ++In all functions that take a I argument, the selection is used to ++constraint the information requested on export. It is also used in the cache ++so that key data is guaranteed to contain all the information requested in ++the selection. ++ + =head1 RETURN VALUES + + evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata() +-- +2.38.1 + +From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 11 Nov 2022 12:18:26 -0500 +Subject: [PATCH 3/3] Add test for EVP_PKEY_eq + +This tests that the comparison work even if a provider can only return +a public key. + +Signed-off-by: Simo Sorce + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19648) + +diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c +index d556551bb6..5e92e72d4b 100644 +--- a/test/fake_rsaprov.c ++++ b/test/fake_rsaprov.c +@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has; + static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query; + static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import; + static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes; ++static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export; ++static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes; + static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load; + + static int has_selection; + static int imptypes_selection; ++static int exptypes_selection; + static int query_id; + ++struct fake_rsa_keydata { ++ int selection; ++ int status; ++}; ++ + static void 
*fake_rsa_keymgmt_new(void *provctx) + { +- unsigned char *keydata = OPENSSL_zalloc(1); ++ struct fake_rsa_keydata *key; + +- TEST_ptr(keydata); ++ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata)))) ++ return NULL; + + /* clear test globals */ + has_selection = 0; + imptypes_selection = 0; ++ exptypes_selection = 0; + query_id = 0; + +- return keydata; ++ return key; + } + + static void fake_rsa_keymgmt_free(void *keydata) +@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id) + static int fake_rsa_keymgmt_import(void *keydata, int selection, + const OSSL_PARAM *p) + { +- unsigned char *fake_rsa_key = keydata; ++ struct fake_rsa_keydata *fake_rsa_key = keydata; + + /* key was imported */ +- *fake_rsa_key = 1; ++ fake_rsa_key->status = 1; + + return 1; + } + ++static unsigned char fake_rsa_n[] = ++ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" ++ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" ++ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93" ++ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1" ++ "\xF5"; ++ ++static unsigned char fake_rsa_e[] = "\x11"; ++ ++static unsigned char fake_rsa_d[] = ++ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44" ++ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" ++ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" ++ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"; ++ ++static unsigned char fake_rsa_p[] = ++ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" ++ "\x0D"; ++ ++static unsigned char fake_rsa_q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x89"; ++ ++static unsigned char fake_rsa_dmp1[] = ++ 
"\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" ++ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"; ++ ++static unsigned char fake_rsa_dmq1[] = ++ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" ++ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" ++ "\x51"; ++ ++static unsigned char fake_rsa_iqmp[] = ++ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" ++ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26"; ++ ++OSSL_PARAM *fake_rsa_key_params(int priv) ++{ ++ if (priv) { ++ OSSL_PARAM params[] = { ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, ++ sizeof(fake_rsa_n) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, ++ sizeof(fake_rsa_e) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d, ++ sizeof(fake_rsa_d) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p, ++ sizeof(fake_rsa_p) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q, ++ sizeof(fake_rsa_q) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1, ++ sizeof(fake_rsa_dmp1) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1, ++ sizeof(fake_rsa_dmq1) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp, ++ sizeof(fake_rsa_iqmp) -1), ++ OSSL_PARAM_END ++ }; ++ return OSSL_PARAM_dup(params); ++ } else { ++ OSSL_PARAM params[] = { ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, ++ sizeof(fake_rsa_n) -1), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, ++ sizeof(fake_rsa_e) -1), ++ OSSL_PARAM_END ++ }; ++ return OSSL_PARAM_dup(params); ++ } ++} ++ ++static int fake_rsa_keymgmt_export(void *keydata, int selection, ++ OSSL_CALLBACK *param_callback, void *cbarg) ++{ ++ OSSL_PARAM *params = NULL; ++ int ret; ++ ++ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) ++ return 0; ++ ++ if (!TEST_ptr(params = fake_rsa_key_params(0))) ++ return 0; ++ ++ ret = param_callback(params, cbarg); ++ OSSL_PARAM_free(params); ++ 
return ret; ++} ++ + static const OSSL_PARAM fake_rsa_import_key_types[] = { + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), + OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), +@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection) + return fake_rsa_import_key_types; + } + ++static const OSSL_PARAM fake_rsa_export_key_types[] = { ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), ++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), ++ OSSL_PARAM_END ++}; ++ ++static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection) ++{ ++ /* record global for checking */ ++ exptypes_selection = selection; ++ ++ return fake_rsa_export_key_types; ++} ++ + static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz) + { +- unsigned char *key = NULL; ++ struct fake_rsa_keydata *key = NULL; + +- if (reference_sz != sizeof(key)) ++ if (reference_sz != sizeof(*key)) + return NULL; + +- key = *(unsigned char **)reference; +- if (*key != 1) ++ key = *(struct fake_rsa_keydata **)reference; ++ if (key->status != 1) + return NULL; + + /* detach the reference */ +- *(unsigned char **)reference = NULL; ++ *(struct fake_rsa_keydata **)reference = NULL; + + return key; + } +@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + { + unsigned char *gctx = genctx; + static const unsigned char inited[] = { 1 }; +- unsigned char *keydata; ++ struct fake_rsa_keydata *keydata; + + if (!TEST_ptr(gctx) + || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited))) +@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL))) + return NULL; + +- *keydata = 2; ++ keydata->status = 2; + return keydata; + } + +@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = { + { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import }, + { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, + (void 
(*)(void))fake_rsa_keymgmt_imptypes }, ++ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export }, ++ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, ++ (void (*)(void))fake_rsa_keymgmt_exptypes }, + { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load }, + { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init }, + { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen }, +@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey, + const OSSL_PARAM params[]) + { + unsigned char *sigctx = ctx; +- unsigned char *keydata = provkey; ++ struct fake_rsa_keydata *keydata = provkey; + + /* we must have a ctx */ + if (!TEST_ptr(sigctx)) + return 0; + + /* we must have some initialized key */ +- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0)) ++ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0)) + return 0; + + /* record that sign init was called */ +@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx, + unsigned char *storectx = loaderctx; + OSSL_PARAM params[4]; + int object_type = OSSL_OBJECT_PKEY; +- void *key = NULL; ++ struct fake_rsa_keydata *key = NULL; + int rv = 0; + + switch (*storectx) { +@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx, + /* The address of the key becomes the octet string */ + params[2] = + OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, +- &key, sizeof(key)); ++ &key, sizeof(*key)); + params[3] = OSSL_PARAM_construct_end(); + rv = object_cb(params, object_cbarg); + *storectx = 1; +diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h +index 57de1ecf8d..190c46a285 100644 +--- a/test/fake_rsaprov.h ++++ b/test/fake_rsaprov.h +@@ -12,3 +12,4 @@ + /* Fake RSA provider implementation */ + OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx); + void fake_rsa_finish(OSSL_PROVIDER *p); ++OSSL_PARAM *fake_rsa_key_params(int priv); +diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c +index 5c398398f4..3b190baa5e 100644 +--- 
a/test/provider_pkey_test.c ++++ b/test/provider_pkey_test.c +@@ -176,6 +176,67 @@ end: + return ret; + } + ++static int test_pkey_eq(void) ++{ ++ OSSL_PROVIDER *deflt = NULL; ++ OSSL_PROVIDER *fake_rsa = NULL; ++ EVP_PKEY *pkey_fake = NULL; ++ EVP_PKEY *pkey_dflt = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ OSSL_PARAM *params = NULL; ++ int ret = 0; ++ ++ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx))) ++ return 0; ++ ++ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default"))) ++ goto end; ++ ++ /* Construct a public key for fake-rsa */ ++ if (!TEST_ptr(params = fake_rsa_key_params(0)) ++ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", ++ "provider=fake-rsa")) ++ || !TEST_true(EVP_PKEY_fromdata_init(ctx)) ++ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY, ++ params)) ++ || !TEST_ptr(pkey_fake)) ++ goto end; ++ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = NULL; ++ OSSL_PARAM_free(params); ++ params = NULL; ++ ++ /* Construct a public key for default */ ++ if (!TEST_ptr(params = fake_rsa_key_params(0)) ++ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", ++ "provider=default")) ++ || !TEST_true(EVP_PKEY_fromdata_init(ctx)) ++ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY, ++ params)) ++ || !TEST_ptr(pkey_dflt)) ++ goto end; ++ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = NULL; ++ OSSL_PARAM_free(params); ++ params = NULL; ++ ++ /* now test for equality */ ++ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1)) ++ goto end; ++ ++ ret = 1; ++end: ++ fake_rsa_finish(fake_rsa); ++ OSSL_PROVIDER_unload(deflt); ++ EVP_PKEY_CTX_free(ctx); ++ EVP_PKEY_free(pkey_fake); ++ EVP_PKEY_free(pkey_dflt); ++ OSSL_PARAM_free(params); ++ return ret; ++} ++ + static int test_pkey_store(int idx) + { + OSSL_PROVIDER *deflt = NULL; +@@ -235,6 +296,7 @@ int setup_tests(void) + + ADD_TEST(test_pkey_sig); + ADD_TEST(test_alternative_keygen_init); ++ ADD_TEST(test_pkey_eq); + ADD_ALL_TESTS(test_pkey_store, 2); + + return 1; +-- +2.38.1 + 
+From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 14 Nov 2022 10:25:15 -0500 +Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay + +The providers indication should always indicate that this is not a +legacy request. +This makes a check for engines redundant as the default return is that +legacy is ok if there are no explicit providers. + +Fixes #19662 + +Signed-off-by: Simo Sorce + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19671) +--- + apps/lib/apps.c | 8 -------- + test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 8 deletions(-) + create mode 100755 test/recipes/20-test_legacy_okay.t + +diff --git a/apps/lib/apps.c b/apps/lib/apps.c +index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644 +--- a/apps/lib/apps.c ++++ b/apps/lib/apps.c +@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void) + { + int provider_options = opt_provider_option_given(); + int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL; +-#ifndef OPENSSL_NO_ENGINE +- ENGINE *e = ENGINE_get_first(); +- +- if (e != NULL) { +- ENGINE_free(e); +- return 1; +- } +-#endif + /* + * Having a provider option specified or a custom library context or + * property query, is a sure sign we're not using legacy. +diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t +new file mode 100755 +index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56 +--- /dev/null ++++ b/test/recipes/20-test_legacy_okay.t +@@ -0,0 +1,23 @@ ++#! /usr/bin/env perl ++# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. 
You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++use warnings; ++ ++use OpenSSL::Test; ++ ++setup("test_legacy"); ++ ++plan tests => 3; ++ ++ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file"); ++ ++ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest"); ++ ++ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1', ++ 'rand.txt'])), "Fail to generate a digest"); +-- +2.38.1 + diff --git a/SOURCES/0094-ibmca-engine-compat.patch b/SOURCES/0094-ibmca-engine-compat.patch deleted file mode 100644 index 8f82ae1..0000000 --- a/SOURCES/0094-ibmca-engine-compat.patch +++ /dev/null 
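Review bot: In the `test/fake_rsaprov.c` part of the new 0092 patch, the key reference is a pointer but its length is declared as the size of the struct: `fake_rsa_st_load` passes `&key, sizeof(*key)` to `OSSL_PARAM_construct_octet_string`, and `fake_rsa_keymgmt_load` checks `reference_sz != sizeof(*key)` before reading `*(struct fake_rsa_keydata **)reference`. The two sizes match only where a pointer is as wide as the two `int` members. On a target with 4-byte pointers the declared length would be 8, so a consumer that copies the octet string would presumably read past the local `key` variable. Both sites should use the pointer size, `&key, sizeof(key));` and `if (reference_sz != sizeof(key))`. Separately, the `selection` member of `struct fake_rsa_keydata` is never assigned in the hunks shown, so it should either get a one-line comment such as `/* reserved: selection the key was created with */` or be dropped.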
@@ -1,82 +0,0 @@ -From b00f2cab6b8dfc4ffb23fd50b049b4a443910946 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Wed, 5 Oct 2022 13:57:21 +0200 -Subject: [PATCH] Add translation for ECX group parameter - -Legacy EVP_PKEY_CTX objects did not support the "group" parameter for X25519 -and X448. The translation of this parameter resulted in an error. This -caused errors for legacy keys and engines. - -Fix this situation by adding a translation that simply checks that the correct -parameter is to be set, but does not actually set anything. This is correct -since the group name is anyway optional for these two curves. - -Fixes #19313 - -Signed-off-by: Juergen Christ ---- - crypto/evp/ctrl_params_translate.c | 37 +++++++++++++++++++++++++++++- - 1 file changed, 36 insertions(+), 1 deletion(-) - -diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c -index ffea7b108b6f..47a935ce9cca 100644 ---- a/crypto/evp/ctrl_params_translate.c -+++ b/crypto/evp/ctrl_params_translate.c -@@ -1955,6 +1955,32 @@ IMPL_GET_RSA_PAYLOAD_COEFFICIENT(7) - IMPL_GET_RSA_PAYLOAD_COEFFICIENT(8) - IMPL_GET_RSA_PAYLOAD_COEFFICIENT(9) - -+static int fix_group_ecx(enum state state, -+ const struct translation_st *translation, -+ struct translation_ctx_st *ctx) -+{ -+ const char *value = NULL; -+ -+ switch (state) { -+ case PRE_PARAMS_TO_CTRL: -+ if (!EVP_PKEY_CTX_IS_GEN_OP(ctx->pctx)) -+ return 0; -+ ctx->action_type = NONE; -+ return 1; -+ case POST_PARAMS_TO_CTRL: -+ if (OSSL_PARAM_get_utf8_string_ptr(ctx->params, &value) == 0 || -+ OPENSSL_strcasecmp(ctx->pctx->keytype, value) != 0) { -+ ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); -+ ctx->p1 = 0; -+ return 0; -+ } -+ ctx->p1 = 1; -+ return 1; -+ default: -+ return 0; -+ } -+} -+ - /*- - * The translation table itself - * ============================ -@@ -2274,6 +2300,15 @@ static const struct translation_st evp_pkey_ctx_translations[] = { - { GET, -1, -1, EVP_PKEY_OP_TYPE_SIG, - EVP_PKEY_CTRL_GET_MD, 
NULL, NULL, - OSSL_SIGNATURE_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, -+ -+ /*- -+ * ECX -+ * === -+ */ -+ { SET, EVP_PKEY_X25519, EVP_PKEY_X25519, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL, -+ OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, -+ { SET, EVP_PKEY_X448, EVP_PKEY_X448, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL, -+ OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx }, - }; - - static const struct translation_st evp_pkey_translations[] = { -@@ -2692,7 +2727,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx, - - ret = fixup(PRE_PARAMS_TO_CTRL, translation, &ctx); - -- if (ret > 0 && action_type != NONE) -+ if (ret > 0 && ctx.action_type != NONE) - ret = EVP_PKEY_CTX_ctrl(pctx, keytype, optype, - ctx.ctrl_cmd, ctx.p1, ctx.p2); - diff --git a/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch b/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch index 6b6fa25..7d86395 100644 --- a/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch +++ b/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch @@ -27,15 +27,15 @@ index f9ff80162a..85c47fb627 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, - *data = pem_malloc(len, flags); - if (*header == NULL || *data == NULL) { - pem_free(*header, flags, 0); -+ *header = NULL; - pem_free(*data, flags, 0); -+ *data = NULL; - goto end; - } - BIO_read(headerB, *header, headerlen); + + out_free: + pem_free(*header, flags, 0); ++ *header = NULL; + pem_free(*data, flags, 0); ++ *data = NULL; + end: + EVP_ENCODE_CTX_free(ctx); + pem_free(name, flags, 0); -- 2.39.1 diff --git a/SOURCES/0106-CVE-2023-0217-dsa.patch b/SOURCES/0106-CVE-2023-0217-dsa.patch index 47b09ee..d2db996 100644 --- a/SOURCES/0106-CVE-2023-0217-dsa.patch +++ b/SOURCES/0106-CVE-2023-0217-dsa.patch 
@@ -138,8 +138,8 @@ index 58a5fd009f..c2d87b4a7f 100644 + /* a key without parameters is meaningless */ + ok = ok && ossl_dh_params_fromdata(dh, params); - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && ossl_dh_key_fromdata(dh, params); + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c index 100e917167..881680c085 100644 --- a/providers/implementations/keymgmt/dsa_kmgmt.c @@ -153,9 +153,9 @@ index 100e917167..881680c085 100644 + /* a key without parameters is meaningless */ + ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params); + - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) - ok = ok && ossl_dsa_key_fromdata(dsa, params); - + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { + int include_private = + selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; -- 2.39.1 @@ -252,16 +252,11 @@ Reviewed-by: Paul Dale create mode 100644 test/recipes/91-test_pkey_check_data/dsapub.pem create mode 100644 test/recipes/91-test_pkey_check_data/dsapub_noparam.der ---- openssl-3.0.1/test/recipes/91-test_pkey_check.t 2023-02-08 13:43:56.228487948 +0100 -+++ openssl-3.0.7/test/recipes/91-test_pkey_check.t 2023-02-08 12:47:13.531027540 +0100 -@@ -1,5 +1,5 @@ - #! /usr/bin/env perl --# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. - # - # Licensed under the Apache License 2.0 (the "License"). You may not use - # this file except in compliance with the License. You can obtain a copy -@@ -11,24 +11,37 @@ +diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t +index 612a3e3d6c..015d7805db 100644 +--- a/test/recipes/91-test_pkey_check.t ++++ b/test/recipes/91-test_pkey_check.t +@@ -11,19 +11,24 @@ use strict; use warnings; use File::Spec; 
@@ -269,35 +264,34 @@ Reviewed-by: Paul Dale +use OpenSSL::Test qw/:DEFAULT data_file with/; use OpenSSL::Test::Utils; --sub check_key { -+sub pkey_check { + sub pkey_check { my $f = shift; + my $pubcheck = shift; + my @checkopt = ('-check'); -+ -+ @checkopt = ('-pubcheck', '-pubin') if $pubcheck; - return run(app(['openssl', 'pkey', '-check', '-text', ++ @checkopt = ('-pubcheck', '-pubin') if $pubcheck; ++ + return run(app(['openssl', 'pkey', @checkopt, '-text', '-in', $f])); } --sub check_key_notok { -+sub check_key { + sub check_key { my $f = shift; -- my $str = "$f should fail validation"; -+ my $should_fail = shift; + my $should_fail = shift; + my $pubcheck = shift; -+ my $str; -+ -+ -+ $str = "$f should fail validation" if $should_fail; -+ $str = "$f should pass validation" unless $should_fail; + my $str; + +@@ -33,11 +38,10 @@ sub check_key { $f = data_file($f); if ( -s $f ) { -- ok(!check_key($f), $str); +- if ($should_fail) { +- ok(!pkey_check($f), $str); +- } else { +- ok(pkey_check($f), $str); +- } + with({ exit_checker => sub { return shift == $should_fail; } }, + sub { + ok(pkey_check($f, $pubcheck), $str); 
@@ -305,30 +299,10 @@ Reviewed-by: Paul Dale } else { fail("Missing file $f"); } -@@ -36,26 +49,54 @@ +@@ -66,15 +70,37 @@ push(@positive_tests, ( + "dhpkey.pem" + )) unless disabled("dh"); - setup("test_pkey_check"); - --my @tests = (); -+my @negative_tests = (); - --push(@tests, ( -+push(@negative_tests, ( - # For EC keys the range for the secret scalar `k` is `1 <= k <= n-1` - "ec_p256_bad_0.pem", # `k` set to `n` (equivalent to `0 mod n`, invalid) - "ec_p256_bad_1.pem", # `k` set to `n+1` (equivalent to `1 mod n`, invalid) - )) unless disabled("ec"); - --push(@tests, ( -+push(@negative_tests, ( - # For SM2 keys the range for the secret scalar `k` is `1 <= k < n-1` - "sm2_bad_neg1.pem", # `k` set to `n-1` (invalid, because SM2 range) - "sm2_bad_0.pem", # `k` set to `n` (equivalent to `0 mod n`, invalid) - "sm2_bad_1.pem", # `k` set to `n+1` (equivalent to `1 mod n`, invalid) - )) unless disabled("sm2"); - -+my @positive_tests = (); -+ +my @negative_pubtests = (); + +push(@negative_pubtests, ( @@ -342,28 +316,28 @@ Reviewed-by: Paul Dale + )) unless disabled("dsa"); + plan skip_all => "No tests within the current enabled feature set" -- unless @tests; +- unless @negative_tests && @positive_tests; + unless @negative_tests && @positive_tests + && @negative_pubtests && @positive_pubtests; -+ + +-plan tests => scalar(@negative_tests) + scalar(@positive_tests); +plan tests => scalar(@negative_tests) + scalar(@positive_tests) + + scalar(@negative_pubtests) + scalar(@positive_pubtests); -+ -+foreach my $t (@negative_tests) { + + foreach my $t (@negative_tests) { +- check_key($t, 1); + check_key($t, 1, 0); -+} -+ -+foreach my $t (@positive_tests) { + } + + foreach my $t (@positive_tests) { +- check_key($t, 0); + check_key($t, 0, 0); +} - --plan tests => scalar(@tests); ++ +foreach my $t (@negative_pubtests) { + check_key($t, 1, 1); +} - --foreach my $t (@tests) { -- check_key_notok($t); ++ +foreach my $t (@positive_pubtests) { + check_key($t, 0, 1); } 
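Review bot: The `plan skip_all` guard in the last hunk of 91-test_pkey_check.t requires all four lists to be non-empty (`@negative_tests && @positive_tests && @negative_pubtests && @positive_pubtests`), so one empty list skips the whole recipe. From the visible lines, `dhpkey.pem` is pushed only `unless disabled("dh")` and a pubtest list only `unless disabled("dsa")`, so a build without either algorithm would apparently also skip the EC private-scalar range checks, which depend on neither. Since `plan tests` already sums the four sizes, the guard could skip only when nothing is left to run: `unless @negative_tests || @positive_tests || @negative_pubtests || @positive_pubtests;`. The list definitions are only partly inside the hunk, and this is a carried copy of an upstream test, so the change may be better raised upstream than applied in the downstream patch.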
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index 07fe0e4..6499d56 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -28,13 +28,13 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.0.1 -Release: 47%{?dist} +Version: 3.0.7 +Release: 6%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. -Source: openssl-%{version}-hobbled.tar.xz +Source: openssl-%{version}-hobbled.tar.gz Source1: hobble-openssl Source2: Makefile.certificate Source3: genpatches @@ -70,12 +70,6 @@ Patch11: 0011-Remove-EC-curves.patch # Disable explicit EC curves # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 Patch12: 0012-Disable-explicit-ec.patch -# https://github.com/openssl/openssl/pull/17981 -Patch13: 0013-FIPS-provider-explicit-ec.patch -# https://github.com/openssl/openssl/pull/17998 -Patch14: 0014-FIPS-disable-explicit-ec.patch -# https://github.com/openssl/openssl/pull/18609 -Patch15: 0015-FIPS-decoded-from-explicit.patch # Instructions to load legacy provider in openssl.cnf Patch24: 0024-load-legacy-prov.patch # Tmp: test name change @@ -92,12 +86,8 @@ Patch35: 0035-speed-skip-unavailable-dgst.patch Patch44: 0044-FIPS-140-3-keychecks.patch # Minimize fips services Patch45: 0045-FIPS-services-minimize.patch -# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486 -Patch46: 0046-FIPS-s390x-hardening.patch # Execute KATS before HMAC verification Patch47: 0047-FIPS-early-KATS.patch -# Backport of correctly handle 2^14 byte long records #17538 -Patch48: 0048-correctly-handle-records.patch # Selectively disallow SHA1 signatures Patch49: 0049-Selectively-disallow-SHA1-signatures.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2049265 
@@ -106,16 +96,12 @@ Patch50: 0050-FIPS-enable-pkcs12-mac.patch Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch # Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch -# CVE 2022-0778 -Patch53: 0053-CVE-2022-0778.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2004915, backport of 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62 -Patch54: 0054-Replace-size-check-with-more-meaningful-pubkey-check.patch -# https://github.com/openssl/openssl/pull/17324 -Patch55: 0055-nonlegacy-fetch-null-deref.patch -# https://github.com/openssl/openssl/pull/18103 +# Originally from https://github.com/openssl/openssl/pull/18103 +# As we rebased to 3.0.7 and used the version of the function +# not matching the upstream one, we have to use aliasing. +# When we eliminate this patch, the `-Wl,--allow-multiple-definition` +# should also be removed Patch56: 0056-strcasecmp.patch -# https://github.com/openssl/openssl/pull/18175 -Patch57: 0057-strcasecmp-fix.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 Patch58: 0058-FIPS-limit-rsa-encrypt.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2069235 
@@ -123,25 +109,9 @@ Patch60: 0060-FIPS-KAT-signature-tests.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2087147 Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch Patch62: 0062-fips-Expose-a-FIPS-indicator.patch -# https://github.com/openssl/openssl/pull/18141 -Patch63: 0063-CVE-2022-1473.patch -# upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a -Patch64: 0064-CVE-2022-1343.diff -# upstream commit 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2 -Patch65: 0065-CVE-2022-1292.patch -# https://github.com/openssl/openssl/pull/18444 -# https://github.com/openssl/openssl/pull/18467 -Patch66: 0066-replace-expired-certs.patch -# https://github.com/openssl/openssl/pull/18512 -Patch67: 0067-fix-ppc64-montgomery.patch -#https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa -#https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739 -Patch68: 0068-CVE-2022-2068.patch -# https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93 -# https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 -Patch69: 0069-CVE-2022-2097.patch -# https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483 -Patch70: 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2130708 +# https://github.com/openssl/openssl/pull/18883 +Patch67: 0067-ppc64le-Montgomery-multiply.patch # https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c # https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd Patch71: 0071-AES-GCM-performance-optimization.patch 
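Review bot: This hunk drops `Patch63` through `Patch70`, including the CVE-2022-1473, CVE-2022-1343, CVE-2022-1292, CVE-2022-2068 and CVE-2022-2097 fixes, and leaves no record in the spec that the new tarball covers them. The neighbouring hunks do the same for `Patch53` (CVE-2022-0778) and `Patch79` (CVE-2022-3602). Presumably all of these are contained in upstream 3.0.7, but the changelog entry for the rebase only says "Rebasing to OpenSSL 3.0.7". A line near the patch list such as `# CVE-2022-0778/1292/1343/1473/2068/2097/3602: fixed in upstream 3.0.7, downstream patches dropped`, or the same list in the changelog entry, would let an auditor confirm that no fix was lost in the rebase.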
@@ -162,8 +132,6 @@ Patch76: 0076-FIPS-140-3-DRBG.patch Patch77: 0077-FIPS-140-3-zeroization.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch -#https://bugzilla.redhat.com/show_bug.cgi?id=2137723 -Patch79: 0079-CVE-2022-3602.patch #https://bugzilla.redhat.com/show_bug.cgi?id=2141748 Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142131 @@ -176,10 +144,6 @@ Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch #https://bugzilla.redhat.com/show_bug.cgi?id=2142121 Patch85: 0085-FIPS-RSA-disable-shake.patch -#https://github.com/openssl/openssl/pull/17546 -Patch86: 0086-avoid-bio-memleak.patch -#https://github.com/openssl/openssl/pull/19501 -Patch87: 0087-FIPS-RSA-selftest-params.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142087 Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142087 @@ -188,9 +152,8 @@ Patch89: 0089-PSS-salt-length-from-provider.patch Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2144561 Patch91: 0091-FIPS-RSA-encapsulate.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2149010 -#https://github.com/openssl/openssl/pull/19348 -Patch94: 0094-ibmca-engine-compat.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2142517 +Patch92: 0092-provider-improvements.patch # OpenSSL 3.0.8 CVEs Patch101: 0101-CVE-2022-4203-nc-match.patch @@ -228,7 +191,6 @@ protocols. Summary: A general purpose cryptography library with TLS implementation Requires: ca-certificates >= 2008-5 Requires: crypto-policies >= 20180730 -Recommends: openssl-pkcs11%{?_isa} %description libs OpenSSL is a toolkit for supporting cryptography. The openssl-libs 
@@ -344,7 +306,8 @@ export HASHBANGPERL=/usr/bin/perl zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\ no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\ - shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' + shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\ + -Wl,--allow-multiple-definition # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update @@ -531,7 +494,11 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog -* Wed Feb 08 2023 Dmitry Belyavskiy - 1:3.0.1-47 +* Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 +- Fixes RNG slowdown in FIPS mode + Resolves: rhbz#2168224 + +* Wed Feb 08 2023 Dmitry Belyavskiy - 1:3.0.7-5 - Fixed X.509 Name Constraints Read Buffer Overflow Resolves: CVE-2022-4203 - Fixed Timing Oracle in RSA Decryption 
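Review bot: `-Wl,--allow-multiple-definition` is appended to the Configure arguments with no comment beside it, and it applies to everything linked in this build, not only to the two symbols it is meant for. With the flag set, an unintended duplicate symbol anywhere in the libraries links silently with the first definition winning, instead of failing the build. The only explanation sits at the `Patch56` declaration much earlier in the spec. I would put `# --allow-multiple-definition is needed only for the OPENSSL_str[n]casecmp aliasing in Patch56; remove it together with that patch` directly above the Configure call, which starts outside this hunk.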
@@ -549,20 +516,34 @@ install -m644 %{SOURCE9} \ - Fixed NULL dereference during PKCS7 data verification Resolves: CVE-2023-0401 -* Thu Jan 05 2023 Dmitry Belyavskiy - 1:3.0.1-46 -- Refactor OpenSSL fips module MAC verification - Resolves: rhbz#2158412 +* Wed Jan 11 2023 Clemens Lang - 1:3.0.7-4 - Disallow SHAKE in RSA-OAEP decryption in FIPS mode - Resolves: rhbz#2144010 + Resolves: rhbz#2142121 -* Mon Nov 28 2022 Dmitry Belyavskiy - 1:3.0.1-45 -- Add support of X25519 and X448 "group" parameter in EVP_PKEY_CTX objects - Resolves: rhbz#2149010 +* Thu Jan 05 2023 Dmitry Belyavskiy - 1:3.0.7-3 +- Refactor OpenSSL fips module MAC verification + Resolves: rhbz#2157965 + +* Thu Nov 24 2022 Dmitry Belyavskiy - 1:3.0.7-2 +- Various provider-related imrovements necessary for PKCS#11 provider correct operations + Resolves: rhbz#2142517 +- We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream + Resolves: rhbz#2133809 +- Removed recommended package for openssl-libs + Resolves: rhbz#2093804 +- Adjusting include for the FIPS_mode macro + Resolves: rhbz#2083879 +- Backport of ppc64le Montgomery multiply enhancement + Resolves: rhbz#2130708 - Fix explicit indicator for PSS salt length in FIPS mode when used with negative magic values - Resolves: rhbz#2144012 + Resolves: rhbz#2142087 - Update change to default PSS salt length with patch state from upstream - Related: rhbz#2144012 + Related: rhbz#2142087 + +* Tue Nov 22 2022 Dmitry Belyavskiy - 1:3.0.7-1 +- Rebasing to OpenSSL 3.0.7 + Resolves: rhbz#2129063 * Mon Nov 14 2022 Dmitry Belyavskiy - 1:3.0.1-44 - SHAKE-128/256 are not allowed with RSA in FIPS mode