rpms/openssl
7
1
Fork 1
Code Issues Pull Requests Releases Activity

Rebasing OpenSSL to 3.5

Browse Source 
Resolves: RHEL-80854
Resolves: RHEL-50208
Resolves: RHEL-50210
Resolves: RHEL-50211
Resolves: RHEL-85954
This commit is contained in:
Dmitry Belyavskiy 2025-04-16 13:28:56 +02:00
parent 5946116ede
commit b0cff60812
99 changed files with 6193 additions and 10379 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -57,3 +57,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.0.7.tar.gz
/openssl-3.2.1.tar.gz
/openssl-3.2.2.tar.gz
/openssl-3.5.0.tar.gz

23
0001-Aarch64-and-ppc64le-use-lib64.patch → 0001-RH-Aarch64-and-ppc64le-use-lib64.patch
View File

@ -1,18 +1,23 @@
From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:01:41 +0200
Subject: Aarch64 and ppc64le use lib64
From fb792883f3ccc55997fdc21a9c1052f778dea1ac Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 01/50] RH: Aarch64 and ppc64le use lib64
(Was openssl-1.1.1-build.patch)
Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch
Patch-id: 1
Patch-status: |
# # Patches exported from source git
# # Aarch64 and ppc64le use lib64
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
Configurations/10-main.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index d7580bf3e1..a7dbfd7f40 100644
index cba57b4127..3e327017ef 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -723,6 +723,7 @@ my %targets = (
@@ -726,6 +726,7 @@ my %targets = (
lib_cppflags => add("-DL_ENDIAN"),
asm_arch => 'ppc64',
perlasm_scheme => "linux64le",
@ -20,7 +25,7 @@ index d7580bf3e1..a7dbfd7f40 100644
},
"linux-armv4" => {
@@ -765,6 +766,7 @@ my %targets = (
@@ -768,6 +769,7 @@ my %targets = (
inherit_from => [ "linux-generic64" ],
asm_arch => 'aarch64',
perlasm_scheme => "linux64",
@ -29,5 +34,5 @@ index d7580bf3e1..a7dbfd7f40 100644
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32" ],
--
2.26.2
2.49.0

456
0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch Normal file
View File

@ -0,0 +1,456 @@
From 193d88dfd8d131d2057fc69b4e2abb66f51924d0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 6 Mar 2025 08:40:29 -0500
Subject: [PATCH 02/50] Add a separate config file to use for rpm installs
In RHEL/Fedora systems we want to use a slightly different set
of defaults, but we do not want to change the standard config file
because there are many assumptions about its configuration in
openssl upstream tests.
So we create a separate one to use to override the default on on
installation.
This config file differs from upstream for:
- CA directory tree paths
- Instructions about legacy provider
- Default certificate digest (set to sha256)
Signed-off-by: Simo Sorce <simo@redhat.com>
---
doc/man5/config.pod | 8 +
rh-openssl.cnf | 403 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 411 insertions(+)
create mode 100644 rh-openssl.cnf
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index e24ea0c595..39fa468320 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -284,6 +284,14 @@ Note this setting defaults to off if not provided
All parameters in the section as well as sub-sections are made
available to the provider.
+=head3 Loading the legacy provider
+
+Uncomment the sections that start with ## in openssl.cnf
+to enable the legacy provider.
+Note: In general it is not recommended to use the above mentioned algorithms for
+security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated.
+
=head3 Default provider and its activation
If no providers are activated explicitly, the default one is activated implicitly.
diff --git a/rh-openssl.cnf b/rh-openssl.cnf
new file mode 100644
index 0000000000..20f5962541
--- /dev/null
+++ b/rh-openssl.cnf
@@ -0,0 +1,403 @@
+#
+# OpenSSL example configuration file.
+# See doc/man5/config.pod for more info.
+#
+# This is mostly being used for generation of certificate requests,
+# but may be used for auto loading of providers
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 0
+
+# Extra OBJECT IDENTIFIER info:
+# oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+[openssl_init]
+providers = provider_sect
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
+# Key Derivation Function (KDF): PBKDF1
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
+
+# Load default TLS policy configuration
+ssl_conf = ssl_module
+alg_section = evp_properties
+
+[ evp_properties ]
+#This section is intentionally added empty here
+#to be tuned on particular systems
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+##legacy = legacy_sect
+##
+[default_sect]
+activate = 1
+
+##[legacy_sect]
+##activate = 1
+
+#Place the third party provider configuration files into this folder
+.include /etc/pki/tls/openssl.d
+
+
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = /etc/pki/CA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem # The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # use SHA-256 by default
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = XX
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName_default = Default Province
+
+localityName = Locality Name (eg, city)
+localityName_default = Default City
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Default Company Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = /etc/pki/CA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha256 # algorithm to compute certificate
+ # identifier (optional, default: sha256)
+
+[insta] # CMP using Insta Demo CA
+# Message transfer
+server = pki.certificate.fi:8700
+# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
+# tls_use = 0
+path = pkix/
+
+# Server authentication
+recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
+ignore_keyusage = 1 # potentially needed quirk
+unprotected_errors = 1 # potentially needed quirk
+extracertsout = insta.extracerts.pem
+
+# Client authentication
+ref = 3078 # user identification
+secret = pass:insta # can be used for both client and server side
+
+# Generic message options
+cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
+
+# Certificate enrollment
+subject = "/CN=openssl-cmp-test"
+newkey = insta.priv.pem
+out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
+certout = insta.cert.pem
+
+[pbm] # Password-based protection for Insta CA
+# Server and client authentication
+ref = $insta::ref # 3078
+secret = $insta::secret # pass:insta
+
+[signature] # Signature-based protection for Insta CA
+# Server authentication
+trusted = $insta::out_trusted # apps/insta.ca.crt
+
+# Client authentication
+secret = # disable PBM
+key = $insta::newkey # insta.priv.pem
+cert = $insta::certout # insta.cert.pem
+
+[ir]
+cmd = ir
+
+[cr]
+cmd = cr
+
+[kur]
+# Certificate update
+cmd = kur
+oldcert = $insta::certout # insta.cert.pem
+
+[rr]
+# Certificate revocation
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
--
2.49.0

68
0002-Use-more-general-default-values-in-openssl.cnf.patch
View File

@ -1,68 +0,0 @@
From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:03:40 +0200
Subject: Use more general default values in openssl.cnf
Also set sha256 as default hash, although that should not be
necessary anymore.
(was openssl-1.1.1-defaults.patch)
---
apps/openssl.cnf | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 97567a67be..eb25a0ac48 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
+default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@@ -136,6 +136,7 @@ emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
+default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
@@ -158,17 +159,18 @@ string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+#stateOrProvinceName_default = Default Province
localityName = Locality Name (eg, city)
+localityName_default = Default City
0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+0.organizationName_default = Default Company Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
-commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
--
2.26.2

20
0003-Do-not-install-html-docs.patch → 0003-RH-Do-not-install-html-docs.patch
View File

@ -1,18 +1,22 @@
From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:05:55 +0200
Subject: Do not install html docs
From 786b3456ad2d3d37e9729b83d0ddce8794060fb1 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 03/50] RH: Do not install html docs
(was openssl-1.1.1-no-html.patch)
Patch-name: 0003-Do-not-install-html-docs.patch
Patch-id: 3
Patch-status: |
# # Do not install html docs
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
Configurations/unix-Makefile.tmpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 342e46d24d..9f369edf0e 100644
index e85763ccf8..8a829be037 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
@@ -658,7 +658,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
@ -22,5 +26,5 @@ index 342e46d24d..9f369edf0e 100644
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
$(RM) -r "$(DESTDIR)$(DOCDIR)"
--
2.26.2
2.49.0

78
0004-Override-default-paths-for-the-CA-directory-tree.patch
View File

@ -1,78 +0,0 @@
From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:17:26 +0200
Subject: Override default paths for the CA directory tree
Also add default section to load crypto-policies configuration
for TLS.
It needs to be reverted before running tests.
(was openssl-1.1.1-conf-paths.patch)
---
apps/CA.pl.in | 2 +-
apps/openssl.cnf | 20 ++++++++++++++++++--
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index c0afb96716..d6a5fabd16 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
my $PKCS12 = "$openssl pkcs12";
# Default values for various configuration settings.
-my $CATOP = "./demoCA";
+my $CATOP = "/etc/pki/CA";
my $CAKEY = "cakey.pem";
my $CAREQ = "careq.pem";
my $CACERT = "cacert.pem";
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+# Load default TLS policy configuration
+ssl_conf = ssl_module
+alg_section = evp_properties
+
+[ evp_properties ]
+#This section is intentionally added empty here
+#to be tuned on particular systems
# List of providers to load
[provider_sect]
@@ -64,6 +66,13 @@ default = default_sect
[default_sect]
# activate = 1
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
####################################################################
[ ca ]
@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
####################################################################
[ CA_default ]
-dir = ./demoCA # Where everything is kept
+dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
[ tsa_config1 ]
# These are used by the TSA reply generation only.
-dir = ./demoCA # TSA root directory
+dir = /etc/pki/CA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate

22
0005-apps-ca-fix-md-option-help-text.patch → 0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
View File

@ -1,20 +1,22 @@
From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:27:18 +0200
Subject: apps/ca: fix md option help text
From 9e410805cbd962214f0c0db785320f5fd594ea75 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 04/50] RH: apps ca fix md option help text.patch - DROP?
upstreamable
(was openssl-1.1.1-apps-dgst.patch)
Patch-name: 0005-apps-ca-fix-md-option-help-text.patch
Patch-id: 5
Patch-status: |
# # apps/ca: fix md option help text
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
apps/ca.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/ca.c b/apps/ca.c
index 0f21b4fa1c..3d4b2c1673 100755
index 6d1d1c0a6e..a7553ba609 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
@@ -216,7 +216,7 @@ const OPTIONS ca_options[] = {
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
OPT_SECTION("Signing"),
@ -24,5 +26,5 @@ index 0f21b4fa1c..3d4b2c1673 100755
{"keyform", OPT_KEYFORM, 'f',
"Private key file format (ENGINE, other values ignored)"},
--
2.26.2
2.49.0

21
0006-Disable-signature-verification-with-totally-unsafe-h.patch → 0005-RH-Disable-signature-verification-with-bad-digests-R.patch
View File

@ -1,18 +1,23 @@
From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:51:34 +0200
Subject: Disable signature verification with totally unsafe hash algorithms
From fc8b2977d0b92f5a2e62131e398857ee431bff6e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 05/50] RH: Disable signature verification with bad digests -
REVIEW
(was openssl-1.1.1-no-weak-verify.patch)
Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
Patch-id: 6
Patch-status: |
# # Disable signature verification with totally unsafe hash algorithms
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/asn1/a_verify.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index b7eed914b0..af62f0ef08 100644
index f6cac80962..fbc6ce6e30 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
@@ -151,6 +151,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
if (ret <= 1)
goto err;
@ -25,5 +30,5 @@ index b7eed914b0..af62f0ef08 100644
const EVP_MD *type = NULL;
--
2.26.2
2.49.0

115
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch → 0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
View File

@ -1,24 +1,29 @@
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 10:16:46 +0200
Subject: Add support for PROFILE=SYSTEM system default cipherlist
From e4f78101181c2a16343c0f281d218fde34b84637 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 06/50] RH: Add support for PROFILE SYSTEM system default
cipher
(was openssl-1.1.1-system-cipherlist.patch)
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch-id: 7
Patch-status: |
# # Add support for PROFILE=SYSTEM system default cipherlist
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
Configurations/unix-Makefile.tmpl | 5 ++
Configure | 11 +++-
doc/man1/openssl-ciphers.pod.in | 9 ++++
include/openssl/ssl.h.in | 5 ++
ssl/ssl_ciph.c | 86 +++++++++++++++++++++++++++----
ssl/ssl_ciph.c | 83 +++++++++++++++++++++++++++----
ssl/ssl_lib.c | 4 +-
test/cipherlist_test.c | 2 +
7 files changed, 109 insertions(+), 13 deletions(-)
7 files changed, 105 insertions(+), 14 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 9f369edf0e..c52389f831 100644
index 8a829be037..ba1266659a 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man
@@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@ -29,7 +34,7 @@ index 9f369edf0e..c52389f831 100644
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
@@ -367,6 +371,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
CPPFLAGS={- our $cppflags1 = join(" ",
(map { "-D".$_} @{$config{CPPDEFINES}}),
@ -38,7 +43,7 @@ index 9f369edf0e..c52389f831 100644
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
diff --git a/Configure b/Configure
index cca1ac8d16..2ae1cd0bc2 100755
index 15054f9403..7945d6b750 100755
--- a/Configure
+++ b/Configure
@@ -27,7 +27,7 @@ use OpenSSL::config;
@ -61,7 +66,7 @@ index cca1ac8d16..2ae1cd0bc2 100755
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
@@ -394,6 +398,7 @@ $config{prefix}="";
@@ -408,6 +412,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
@ -69,7 +74,7 @@ index cca1ac8d16..2ae1cd0bc2 100755
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
@@ -1047,6 +1052,10 @@ while (@argvcopy)
@@ -1104,6 +1109,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
@ -81,10 +86,10 @@ index cca1ac8d16..2ae1cd0bc2 100755
{
$banner = $1 . "\n";
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
index b4ed3e51d5..2122e6bdfd 100644
index 69195bcdcb..a6e0ede570 100644
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
@@ -189,6 +189,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@ -101,7 +106,7 @@ index b4ed3e51d5..2122e6bdfd 100644
"High" encryption cipher suites. This currently means those with key lengths
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index f9a61609e4..c6f95fed3f 100644
index b342079968..0b2232b01c 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -209,6 +209,11 @@ extern "C" {
@ -117,17 +122,24 @@ index f9a61609e4..c6f95fed3f 100644
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b1d3f7919e..f7cc7fed48 100644
index 6127cb7a4b..19420d6c6a 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -9,6 +9,7 @@
* https://www.openssl.org/source/license.html
*/
+#define _GNU_SOURCE
#include <stdio.h>
#include <ctype.h>
#include <openssl/objects.h>
@@ -1421,6 +1422,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
return ret;
}
+#ifdef SYSTEM_CIPHERS_FILE
+static char *load_system_str(const char *suffix)
+{
+ FILE *fp;
+ char buf[1024];
+ char *new_rules;
+ const char *ciphers_path;
@ -135,29 +147,26 @@ index b1d3f7919e..f7cc7fed48 100644
+
+ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
+ ciphers_path = SYSTEM_CIPHERS_FILE;
+ fp = fopen(ciphers_path, "r");
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
+ /* cannot open or file is empty */
+ ERR_set_mark();
+ if (access(ciphers_path, R_OK) == 0) {
+ CONF *conf = NCONF_new_ex(NULL, NCONF_default());
+ char *value = NULL;
+
+ if (NCONF_load(conf, ciphers_path, NULL) > 0)
+ value = NCONF_get_string(conf, "global", "CipherString");
+
+ snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST);
+
+ NCONF_free(conf);
+ } else {
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
+ }
+
+ if (fp)
+ fclose(fp);
+
+ ERR_pop_to_mark();
+ slen = strlen(suffix);
+ len = strlen(buf);
+
+ if (buf[len - 1] == '\n') {
+ len--;
+ buf[len] = 0;
+ }
+ if (buf[len - 1] == '\r') {
+ len--;
+ buf[len] = 0;
+ }
+
+ new_rules = OPENSSL_malloc(len + slen + 1);
+ if (new_rules == 0)
+ new_rules = OPENSSL_zalloc(len + slen + 1);
+ if (new_rules == NULL)
+ return NULL;
+
+ memcpy(new_rules, buf, len);
@ -174,7 +183,7 @@ index b1d3f7919e..f7cc7fed48 100644
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1425,15 +1472,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1435,15 +1479,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
@ -182,7 +191,7 @@ index b1d3f7919e..f7cc7fed48 100644
+ char *new_rules = NULL;
+
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
+ char *p = rule_str + 14;
+ const char *p = rule_str + 14;
+
+ new_rules = load_system_str(p);
+ rule_str = new_rules;
@ -202,7 +211,7 @@ index b1d3f7919e..f7cc7fed48 100644
/*
* To reduce the work to do we only want to process the compiled
@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1465,7 +1519,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
if (num_of_ciphers > 0) {
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL)
@ -211,7 +220,7 @@ index b1d3f7919e..f7cc7fed48 100644
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1522,8 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1531,8 +1585,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -221,16 +230,17 @@ index b1d3f7919e..f7cc7fed48 100644
}
/*
@@ -1611,7 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1576,8 +1629,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
OPENSSL_free(co_list);
- OPENSSL_free(co_list);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1596,8 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1603,8 +1655,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
@ -240,7 +250,7 @@ index b1d3f7919e..f7cc7fed48 100644
}
/*
@@ -1605,10 +1659,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1612,10 +1663,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -256,7 +266,7 @@ index b1d3f7919e..f7cc7fed48 100644
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1667,6 +1721,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
*cipher_list = cipherstack;
return cipherstack;
@ -267,15 +277,14 @@ index b1d3f7919e..f7cc7fed48 100644
+ OPENSSL_free(new_rules);
+#endif
+ return NULL;
+
}
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d14d5819ba..48d491219a 100644
index 4c7b62e142..7af3f29cd8 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
@@ -679,7 +679,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
@ -284,7 +293,7 @@ index d14d5819ba..48d491219a 100644
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
@@ -3193,7 +3193,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
@@ -4099,7 +4099,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@ -294,10 +303,10 @@ index d14d5819ba..48d491219a 100644
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err;
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
index 380f0727fc..6922a87c30 100644
index c46e431b00..19d05e860b 100644
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -244,7 +244,9 @@ end:
@@ -261,7 +261,9 @@ end:
int setup_tests(void)
{
@ -308,5 +317,5 @@ index 380f0727fc..6922a87c30 100644
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
--
2.26.2
2.49.0

40
0008-Add-FIPS_mode-compatibility-macro.patch → 0007-RH-Add-FIPS_mode-compatibility-macro.patch
View File

@ -1,20 +1,22 @@
From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 26 Nov 2020 14:00:16 +0100
Subject: Add FIPS_mode() compatibility macro
From 6778626185fb566b9b89f548ff18f481c10ce808 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 07/50] RH: Add FIPS_mode compatibility macro
The macro calls EVP_default_properties_is_fips_enabled() on the
default context.
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
Patch-status: |
# # Add FIPS_mode() compatibility macro
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
include/openssl/crypto.h.in | 1 +
include/openssl/fips.h | 25 +++++++++++++++++++++++++
test/property_test.c | 13 +++++++++++++
3 files changed, 39 insertions(+)
include/openssl/fips.h | 26 ++++++++++++++++++++++++++
test/property_test.c | 14 ++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 include/openssl/fips.h
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
new file mode 100644
index 0000000000..c64f0f8e8f
index 0000000000..4162cbf88e
--- /dev/null
+++ b/include/openssl/fips.h
@@ -0,0 +1,26 @@
@ -44,13 +46,14 @@ index 0000000000..c64f0f8e8f
+}
+# endif
+#endif
diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200
+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200
@@ -488,6 +488,19 @@ static int test_property_list_to_string(
diff --git a/test/property_test.c b/test/property_test.c
index 18f8cc8740..6864b1a3c1 100644
--- a/test/property_test.c
+++ b/test/property_test.c
@@ -687,6 +687,19 @@ static int test_property_list_to_string(int i)
return ret;
}
+#include <openssl/fips.h>
+static int test_downstream_FIPS_mode(void)
+{
@ -67,7 +70,7 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1
int setup_tests(void)
{
ADD_TEST(test_property_string);
@@ -500,6 +512,7 @@ int setup_tests(void)
@@ -700,6 +713,7 @@ int setup_tests(void)
ADD_TEST(test_property);
ADD_TEST(test_query_cache_stochastic);
ADD_TEST(test_fips_mode);
@ -75,3 +78,6 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
return 1;
}
--
2.49.0

92
0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch Normal file
View File

@ -0,0 +1,92 @@
From 9df43c7443d85c5685f87c132de448a7c4e652b5 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 08/50] RH: Add Kernel FIPS mode flag support - FIXSTYLE
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
Patch-status: |
# # Add check to see if fips flag is enabled in kernel
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/context.c | 35 +++++++++++++++++++++++++++++++++++
include/internal/provider.h | 3 +++
2 files changed, 38 insertions(+)
diff --git a/crypto/context.c b/crypto/context.c
index f15bc3d755..614c8a2c88 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -7,6 +7,7 @@
* https://www.openssl.org/source/license.html
*/
+#define _GNU_SOURCE /* needed for secure_getenv */
#include "crypto/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/trace.h>
@@ -19,6 +20,38 @@
#include "crypto/decoder.h"
#include "crypto/context.h"
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <fcntl.h>
+# include <unistd.h>
+# include <openssl/evp.h>
+
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static int kernel_fips_flag;
+
+static void read_kernel_fips_flag(void)
+{
+ char buf[2] = "0";
+ int fd;
+
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
+
+ if (buf[0] == '1') {
+ kernel_fips_flag = 1;
+ }
+}
+
+int ossl_get_kernel_fips_flag()
+{
+ return kernel_fips_flag;
+}
+
struct ossl_lib_ctx_st {
CRYPTO_RWLOCK *lock;
OSSL_EX_DATA_GLOBAL global;
@@ -393,6 +426,8 @@ static int default_context_inited = 0;
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
{
+ read_kernel_fips_flag();
+
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
goto err;
diff --git a/include/internal/provider.h b/include/internal/provider.h
index 6909a1919c..9d2e355251 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -111,6 +111,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
const OSSL_DISPATCH *in);
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
+/* FIPS flag access */
+int ossl_get_kernel_fips_flag(void);
+
# ifdef __cplusplus
}
# endif
--
2.49.0

86
0009-Add-Kernel-FIPS-mode-flag-support.patch
View File

@ -1,86 +0,0 @@
From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
Patch-status: |
# Add check to see if fips flag is enabled in kernel
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++
include/internal/provider.h | 3 +++
2 files changed, 39 insertions(+)
diff --git a/crypto/context.c b/crypto/context.c
index e294ea1512..51002ba79a 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -16,6 +16,41 @@
#include "crypto/decoder.h"
#include "crypto/context.h"
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <fcntl.h>
+# include <unistd.h>
+# include <openssl/evp.h>
+
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static int kernel_fips_flag;
+
+static void read_kernel_fips_flag(void)
+{
+ char buf[2] = "0";
+ int fd;
+
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
+
+ if (buf[0] == '1') {
+ kernel_fips_flag = 1;
+ }
+
+ return;
+}
+
+int ossl_get_kernel_fips_flag()
+{
+ return kernel_fips_flag;
+}
+
+
struct ossl_lib_ctx_st {
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
OSSL_EX_DATA_GLOBAL global;
@@ -336,6 +371,7 @@ static int default_context_inited = 0;
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
{
+ read_kernel_fips_flag();
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
goto err;
diff --git a/include/internal/provider.h b/include/internal/provider.h
index 18937f84c7..1446bf7afb 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
const OSSL_DISPATCH *in);
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
+/* FIPS flag access */
+int ossl_get_kernel_fips_flag(void);
+
# ifdef __cplusplus
}
# endif
--
2.41.0

327
0010-Add-changes-to-ectest-and-eccurve.patch → 0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
View File

@ -1,21 +1,74 @@
From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001
From f9d74e58291461804defa0e2de9635aad76e5d57 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 09/50] RH: Drop weak curve definitions - RENAMED/SQUASHED
Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch
Patch-id: 10
Patch-status: |
# Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
# that new modifications made to these files by upstream are not lost.
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/ec/ec_curve.c | 844 -------------------------------------------
test/ectest.c | 174 +--------
2 files changed, 8 insertions(+), 1010 deletions(-)
# # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
# # that new modifications made to these files by upstream are not lost.
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
commit #2:
Patch-name: 0011-Remove-EC-curves.patch
Patch-id: 11
Patch-status: |
# # remove unsupported EC curves
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
apps/speed.c | 8 +-
crypto/ec/ec_curve.c | 844 ------------------
crypto/evp/ec_support.c | 87 --
test/acvp_test.inc | 9 -
test/ecdsatest.h | 17 -
test/ectest.c | 174 +---
test/recipes/15-test_genec.t | 27 -
test/recipes/30-test_evp_data/evppkey_ecc.txt | 1 +
8 files changed, 10 insertions(+), 1157 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index f52f2c839d..1edf9b8485 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -405,7 +405,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
#endif /* OPENSSL_NO_DH */
enum ec_curves_t {
- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
#ifndef OPENSSL_NO_EC2M
R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
@@ -415,8 +415,6 @@ enum ec_curves_t {
};
/* list of ecdsa curves */
static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
- {"ecdsap160", R_EC_P160},
- {"ecdsap192", R_EC_P192},
{"ecdsap224", R_EC_P224},
{"ecdsap256", R_EC_P256},
{"ecdsap384", R_EC_P384},
@@ -449,8 +447,6 @@ enum {
};
/* list of ecdh curves, extension of |ecdsa_choices| list above */
static const OPT_PAIR ecdh_choices[EC_NUM] = {
- {"ecdhp160", R_EC_P160},
- {"ecdhp192", R_EC_P192},
{"ecdhp224", R_EC_P224},
{"ecdhp256", R_EC_P256},
{"ecdhp384", R_EC_P384},
@@ -1966,8 +1962,6 @@ int speed_main(int argc, char **argv)
*/
static const EC_CURVE ec_curves[EC_NUM] = {
/* Prime Curves */
- {"secp160r1", NID_secp160r1, 160},
- {"nistp192", NID_X9_62_prime192v1, 192},
{"nistp224", NID_secp224r1, 224},
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
index b5b2f3342d..d32a768fe6 100644
index f46aac5d33..8c5ba5b839 100644
--- a/crypto/ec/ec_curve.c
+++ b/crypto/ec/ec_curve.c
@@ -30,38 +30,6 @@ typedef struct {
@ -244,8 +297,8 @@ index b5b2f3342d..d32a768fe6 100644
-
static const struct {
EC_CURVE_DATA h;
unsigned char data[20 + 32 * 6];
@@ -421,294 +208,6 @@ static const struct {
unsigned char data[20 + 32 * 8];
@@ -429,294 +216,6 @@ static const struct {
#ifndef FIPS_MODULE
/* the secg prime curves (minus the nist and x9.62 prime curves) */
@ -540,7 +593,7 @@ index b5b2f3342d..d32a768fe6 100644
static const struct {
EC_CURVE_DATA h;
unsigned char data[0 + 32 * 6];
@@ -745,102 +244,6 @@ static const struct {
@@ -753,102 +252,6 @@ static const struct {
}
};
@ -643,7 +696,7 @@ index b5b2f3342d..d32a768fe6 100644
#endif /* FIPS_MODULE */
#ifndef OPENSSL_NO_EC2M
@@ -2236,198 +1639,6 @@ static const struct {
@@ -2244,198 +1647,6 @@ static const struct {
*/
#ifndef FIPS_MODULE
@ -842,7 +895,7 @@ index b5b2f3342d..d32a768fe6 100644
static const struct {
EC_CURVE_DATA h;
unsigned char data[0 + 32 * 6];
@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[] = {
@@ -2864,8 +2075,6 @@ static const ec_list_element curve_list[] = {
"NIST/SECG curve over a 521 bit prime field"},
/* X9.62 curves */
@ -851,7 +904,7 @@ index b5b2f3342d..d32a768fe6 100644
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
# if defined(ECP_NISTZ256_ASM)
EC_GFp_nistz256_method,
@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[] = {
@@ -2909,25 +2118,6 @@ static const ec_list_element curve_list[] = {
static const ec_list_element curve_list[] = {
/* prime field curves */
/* secg curves */
@ -877,7 +930,7 @@ index b5b2f3342d..d32a768fe6 100644
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
{NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
"NIST/SECG curve over a 224 bit prime field"},
@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[] = {
@@ -2957,18 +2147,6 @@ static const ec_list_element curve_list[] = {
# endif
"NIST/SECG curve over a 521 bit prime field"},
/* X9.62 curves */
@ -896,7 +949,7 @@ index b5b2f3342d..d32a768fe6 100644
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
# if defined(ECP_NISTZ256_ASM)
EC_GFp_nistz256_method,
@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[] = {
@@ -3065,22 +2243,12 @@ static const ec_list_element curve_list[] = {
{NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0,
"X9.62 curve over a 163 bit binary field"},
# endif
@ -919,7 +972,7 @@ index b5b2f3342d..d32a768fe6 100644
# ifndef OPENSSL_NO_EC2M
/* IPSec curves */
{NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0,
@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[] = {
@@ -3091,18 +2259,6 @@ static const ec_list_element curve_list[] = {
"\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
# endif
/* brainpool curves */
@ -938,8 +991,177 @@ index b5b2f3342d..d32a768fe6 100644
{NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0,
"RFC 5639 curve over a 256 bit prime field"},
{NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0,
diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
index 1ec10143d2..82b95294b4 100644
--- a/crypto/evp/ec_support.c
+++ b/crypto/evp/ec_support.c
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
static const EC_NAME2NID curve_list[] = {
/* prime field curves */
/* secg curves */
- {"secp112r1", NID_secp112r1 },
- {"secp112r2", NID_secp112r2 },
- {"secp128r1", NID_secp128r1 },
- {"secp128r2", NID_secp128r2 },
- {"secp160k1", NID_secp160k1 },
- {"secp160r1", NID_secp160r1 },
- {"secp160r2", NID_secp160r2 },
- {"secp192k1", NID_secp192k1 },
- {"secp224k1", NID_secp224k1 },
{"secp224r1", NID_secp224r1 },
{"secp256k1", NID_secp256k1 },
{"secp384r1", NID_secp384r1 },
{"secp521r1", NID_secp521r1 },
/* X9.62 curves */
- {"prime192v1", NID_X9_62_prime192v1 },
- {"prime192v2", NID_X9_62_prime192v2 },
- {"prime192v3", NID_X9_62_prime192v3 },
- {"prime239v1", NID_X9_62_prime239v1 },
- {"prime239v2", NID_X9_62_prime239v2 },
- {"prime239v3", NID_X9_62_prime239v3 },
{"prime256v1", NID_X9_62_prime256v1 },
/* characteristic two field curves */
/* NIST/SECG curves */
- {"sect113r1", NID_sect113r1 },
- {"sect113r2", NID_sect113r2 },
- {"sect131r1", NID_sect131r1 },
- {"sect131r2", NID_sect131r2 },
- {"sect163k1", NID_sect163k1 },
- {"sect163r1", NID_sect163r1 },
- {"sect163r2", NID_sect163r2 },
- {"sect193r1", NID_sect193r1 },
- {"sect193r2", NID_sect193r2 },
- {"sect233k1", NID_sect233k1 },
- {"sect233r1", NID_sect233r1 },
- {"sect239k1", NID_sect239k1 },
- {"sect283k1", NID_sect283k1 },
- {"sect283r1", NID_sect283r1 },
- {"sect409k1", NID_sect409k1 },
- {"sect409r1", NID_sect409r1 },
- {"sect571k1", NID_sect571k1 },
- {"sect571r1", NID_sect571r1 },
- /* X9.62 curves */
- {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
- {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
- {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
- {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
- {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
- {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
- {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
- {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
- {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
- {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
- {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
- {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
- {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
- {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
- {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
- {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
- /*
- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
- * from X9.62]
- */
- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
- /* IPSec curves */
- {"Oakley-EC2N-3", NID_ipsec3 },
- {"Oakley-EC2N-4", NID_ipsec4 },
/* brainpool curves */
- {"brainpoolP160r1", NID_brainpoolP160r1 },
- {"brainpoolP160t1", NID_brainpoolP160t1 },
- {"brainpoolP192r1", NID_brainpoolP192r1 },
- {"brainpoolP192t1", NID_brainpoolP192t1 },
- {"brainpoolP224r1", NID_brainpoolP224r1 },
- {"brainpoolP224t1", NID_brainpoolP224t1 },
{"brainpoolP256r1", NID_brainpoolP256r1 },
{"brainpoolP256t1", NID_brainpoolP256t1 },
{"brainpoolP320r1", NID_brainpoolP320r1 },
@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = {
{"brainpoolP384t1", NID_brainpoolP384t1 },
{"brainpoolP512r1", NID_brainpoolP512r1 },
{"brainpoolP512t1", NID_brainpoolP512t1 },
- /* SM2 curve */
- {"SM2", NID_sm2 },
};
const char *OSSL_EC_curve_nid2name(int nid)
@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
/* Functions to translate between common NIST curve names and NIDs */
static const EC_NAME2NID nist_curves[] = {
- {"B-163", NID_sect163r2},
- {"B-233", NID_sect233r1},
- {"B-283", NID_sect283r1},
- {"B-409", NID_sect409r1},
- {"B-571", NID_sect571r1},
- {"K-163", NID_sect163k1},
- {"K-233", NID_sect233k1},
- {"K-283", NID_sect283k1},
- {"K-409", NID_sect409k1},
- {"K-571", NID_sect571k1},
- {"P-192", NID_X9_62_prime192v1},
{"P-224", NID_secp224r1},
{"P-256", NID_X9_62_prime256v1},
{"P-384", NID_secp384r1},
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
index 67787f3740..97ec1ff3e5 100644
--- a/test/acvp_test.inc
+++ b/test/acvp_test.inc
@@ -217,15 +217,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
0xB1, 0xAC,
};
static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
- {
- "SHA-1",
- "P-192",
- ITM(ecdsa_sigver_msg0),
- ITM(ecdsa_sigver_pub0),
- ITM(ecdsa_sigver_r0),
- ITM(ecdsa_sigver_s0),
- PASS,
- },
{
"SHA2-512",
"P-521",
diff --git a/test/ecdsatest.h b/test/ecdsatest.h
index 63fe319025..06b5c0aac5 100644
--- a/test/ecdsatest.h
+++ b/test/ecdsatest.h
@@ -32,23 +32,6 @@ typedef struct {
} ecdsa_cavs_kat_t;
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
- /* prime KATs from X9.62 */
- {NID_X9_62_prime192v1, NID_sha1,
- "616263", /* "abc" */
- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
- "5ca5c0d69716dfcb3474373902",
- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
- {NID_X9_62_prime239v1, NID_sha1,
- "616263", /* "abc" */
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
/* prime KATs from NIST CAVP */
{NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
diff --git a/test/ectest.c b/test/ectest.c
index afef85b0e6..4890b0555e 100644
index 70df89ee2f..0ddbba3b98 100644
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -175,184 +175,26 @@ static int prime_field_tests(void)
@ -1134,7 +1356,7 @@ index afef85b0e6..4890b0555e 100644
"FFFFFFFF000000000000000000000001"))
|| !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
@@ -3015,7 +2857,7 @@ int setup_tests(void)
@@ -3128,7 +2970,7 @@ int setup_tests(void)
ADD_TEST(parameter_test);
ADD_TEST(ossl_parameter_test);
@ -1143,6 +1365,65 @@ index afef85b0e6..4890b0555e 100644
ADD_ALL_TESTS(cardinality_test, crv_len);
ADD_TEST(prime_field_tests);
#ifndef OPENSSL_NO_EC2M
diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
index 4d5090fa39..0a90a602d8 100644
--- a/test/recipes/15-test_genec.t
+++ b/test/recipes/15-test_genec.t
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
if disabled("ec");
my @prime_curves = qw(
- secp112r1
- secp112r2
- secp128r1
- secp128r2
- secp160k1
- secp160r1
- secp160r2
- secp192k1
- secp224k1
secp224r1
secp256k1
secp384r1
secp521r1
- prime192v1
- prime192v2
- prime192v3
- prime239v1
- prime239v2
- prime239v3
prime256v1
- wap-wsg-idm-ecid-wtls6
- wap-wsg-idm-ecid-wtls7
- wap-wsg-idm-ecid-wtls8
- wap-wsg-idm-ecid-wtls9
- wap-wsg-idm-ecid-wtls12
- brainpoolP160r1
- brainpoolP160t1
- brainpoolP192r1
- brainpoolP192t1
- brainpoolP224r1
- brainpoolP224t1
brainpoolP256r1
brainpoolP256t1
brainpoolP320r1
@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
if !disabled("sm2");
my @curve_aliases = qw(
- P-192
P-224
P-256
P-384
diff --git a/test/recipes/30-test_evp_data/evppkey_ecc.txt b/test/recipes/30-test_evp_data/evppkey_ecc.txt
index e6a2c9eb59..861c01e177 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecc.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecc.txt
@@ -4561,3 +4561,4 @@ KeyName = ec3
Ctrl = group:P-192
Unapproved = 1
Ctrl = key-check:0
+Result = KEYGEN_GENERATE_ERROR
--
2.41.0
2.49.0

79
0012-Disable-explicit-ec.patch → 0010-RH-Disable-explicit-ec-curves.patch
View File

@ -1,7 +1,27 @@
diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_asn1.c
--- openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec 2022-03-22 13:10:45.718077845 +0100
+++ openssl-3.0.1/crypto/ec/ec_asn1.c 2022-03-22 13:12:46.626599016 +0100
@@ -895,6 +895,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **
From 325f426bdeb49dd36868e009e99abb641300af96 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 10/50] RH: Disable explicit ec curves
Patch-name: 0012-Disable-explicit-ec.patch
Patch-id: 12
Patch-status: |
# # Disable explicit EC curves
# # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/ec/ec_asn1.c | 11 ++++++++++
crypto/ec/ec_lib.c | 6 +++++
test/ectest.c | 22 ++++++++++---------
test/endecode_test.c | 20 ++++++++---------
.../30-test_evp_data/evppkey_ecdsa.txt | 12 ----------
5 files changed, 39 insertions(+), 32 deletions(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 643d2d8d7b..5895606176 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -901,6 +901,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
group->decoded_from_explicit_params = 1;
@ -14,7 +34,7 @@ diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/cry
if (a) {
EC_GROUP_free(*a);
*a = group;
@@ -954,6 +959,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
@@ -960,6 +966,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
goto err;
}
@ -27,10 +47,10 @@ diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/cry
if (priv_key->privateKey) {
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index a84e088c19..6c37bf78ae 100644
index b55677fb1f..dcfdef408e 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
if (named_group == group) {
@ -42,7 +62,7 @@ index a84e088c19..6c37bf78ae 100644
/*
* If we did not find a named group then the encoding should be explicit
* if it was specified
@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
@@ -1743,6 +1748,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
@ -51,10 +71,10 @@ index a84e088c19..6c37bf78ae 100644
EC_GROUP_free(group);
group = named_group;
diff --git a/test/ectest.c b/test/ectest.c
index 4890b0555e..e11aec5b3b 100644
index 0ddbba3b98..f736d13feb 100644
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
@@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
|| !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
|| !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
@ -68,7 +88,7 @@ index 4890b0555e..e11aec5b3b 100644
/*- Check that all the set values are retrievable -*/
/* There should be no match to a group name since the generator changed */
@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
@@ -2545,6 +2546,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
#endif
)
goto err;
@ -76,7 +96,7 @@ index 4890b0555e..e11aec5b3b 100644
ret = 1;
err:
BN_free(order_out);
@@ -2714,21 +2716,21 @@ static int custom_params_test(int id)
@@ -2826,21 +2828,21 @@ static int custom_params_test(int id)
/* Compute keyexchange in both directions */
if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
@ -105,7 +125,7 @@ index 4890b0555e..e11aec5b3b 100644
/* Both sides should expect the same shared secret */
if (!TEST_mem_eq(buf1, sslen, buf2, t))
goto err;
@@ -2780,7 +2782,7 @@ static int custom_params_test(int id)
@@ -2892,7 +2894,7 @@ static int custom_params_test(int id)
/* compare with previous result */
|| !TEST_mem_eq(buf1, t, buf2, sslen))
goto err;
@ -114,10 +134,11 @@ index 4890b0555e..e11aec5b3b 100644
ret = 1;
err:
diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c
--- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec 2022-03-21 16:55:46.005558779 +0100
+++ openssl-3.0.1/test/endecode_test.c 2022-03-21 16:56:12.636792762 +0100
@@ -57,7 +57,7 @@ static BN_CTX *bnctx = NULL;
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 028deb4ed1..85c84f6592 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -63,7 +63,7 @@ static BN_CTX *bnctx = NULL;
static OSSL_PARAM_BLD *bld_prime_nc = NULL;
static OSSL_PARAM_BLD *bld_prime = NULL;
static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
@ -126,7 +147,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
static OSSL_PARAM_BLD *bld_tri_nc = NULL;
@@ -990,9 +990,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
@@ -1027,9 +1027,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
@ -139,7 +160,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
DOMAIN_KEYS(ECExplicitTriNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
@@ -1318,7 +1318,7 @@ int setup_tests(void)
@@ -1445,7 +1445,7 @@ int setup_tests(void)
|| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
|| !create_ec_explicit_prime_params(bld_prime)
|| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
@ -148,7 +169,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
|| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
|| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
@@ -1346,7 +1346,7 @@ int setup_tests(void)
@@ -1473,7 +1473,7 @@ int setup_tests(void)
TEST_info("Generating EC keys...");
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
@ -157,7 +178,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
@@ -1389,8 +1389,8 @@ int setup_tests(void)
@@ -1553,8 +1553,8 @@ int setup_tests(void)
ADD_TEST_SUITE_LEGACY(EC);
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
@ -168,7 +189,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
@@ -1427,7 +1427,7 @@ void cleanup_tests(void)
@@ -1631,7 +1631,7 @@ void cleanup_tests(void)
{
#ifndef OPENSSL_NO_EC
OSSL_PARAM_free(ec_explicit_prime_params_nc);
@ -177,7 +198,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
OSSL_PARAM_BLD_free(bld_prime_nc);
OSSL_PARAM_BLD_free(bld_prime);
# ifndef OPENSSL_NO_EC2M
@@ -1449,7 +1449,7 @@ void cleanup_tests(void)
@@ -1653,7 +1653,7 @@ void cleanup_tests(void)
#ifndef OPENSSL_NO_EC
FREE_DOMAIN_KEYS(EC);
FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
@ -186,10 +207,11 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
FREE_DOMAIN_KEYS(ECExplicitTri2G);
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec 2022-03-25 11:20:50.920949208 +0100
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2022-03-25 11:21:13.177147598 +0100
@@ -121,18 +121,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index 54b143bead..06ec905be0 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
-----END PRIVATE KEY-----
@ -208,3 +230,6 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_e
PrivateKey = B-163
-----BEGIN PRIVATE KEY-----
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
--
2.49.0

82
0011-RH-skipped-tests-EC-curves.patch Normal file
View File

@ -0,0 +1,82 @@
From ec22400267e5accaacb24eec8fd6be5e73f1833d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 11/50] RH: skipped tests EC curves
Patch-name: 0013-skipped-tests-EC-curves.patch
Patch-id: 13
Patch-status: |
# # Skipped tests from former 0011-Remove-EC-curves.patch
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
test/recipes/15-test_ec.t | 2 +-
.../30-test_evp_data/evppkey_ecdsa_sigalg.txt | 12 ------------
test/recipes/65-test_cmp_protect.t | 2 +-
test/recipes/65-test_cmp_vfy.t | 2 +-
4 files changed, 3 insertions(+), 15 deletions(-)
diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
index c953fad9f1..906769a12e 100644
--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
@@ -94,7 +94,7 @@ SKIP: {
subtest 'Check loading of fips and non-fips keys' => sub {
plan skip_all => "FIPS is disabled"
- if $no_fips;
+ if 1; #Red Hat specific, original value is $no_fips;
plan tests => 2;
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
index 7c339c272b..0ff482e4e8 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
@@ -132,18 +132,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
-----END PRIVATE KEY-----
-PrivateKey = EC_EXPLICIT
------BEGIN PRIVATE KEY-----
-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
------END PRIVATE KEY-----
-
PrivateKey = B-163
-----BEGIN PRIVATE KEY-----
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t
index 92c91d8b88..294491fff4 100644
--- a/test/recipes/65-test_cmp_protect.t
+++ b/test/recipes/65-test_cmp_protect.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
plan skip_all => "This test is not supported in a shared library build on Windows"
if $^O eq 'MSWin32' && !disabled("shared");
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
my @basic_cmd = ("cmp_protect_test",
data_file("prot_RSA.pem"),
diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
index f722800e27..26a01786bb 100644
--- a/test/recipes/65-test_cmp_vfy.t
+++ b/test/recipes/65-test_cmp_vfy.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
plan skip_all => "This test is not supported in a no-ec build"
if disabled("ec");
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),
--
2.49.0

279
0011-Remove-EC-curves.patch
View File

@ -1,279 +0,0 @@
From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 11:46:40 +0200
Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
Patch-name: 0011-Remove-EC-curves.patch
Patch-id: 11
Patch-status: |
# remove unsupported EC curves
---
apps/speed.c | 8 +---
crypto/evp/ec_support.c | 87 ------------------------------------
test/acvp_test.inc | 9 ----
test/ecdsatest.h | 17 -------
test/recipes/15-test_genec.t | 27 -----------
5 files changed, 1 insertion(+), 147 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index cace25eda1..d527f12f18 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
#endif /* OPENSSL_NO_DH */
enum ec_curves_t {
- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
#ifndef OPENSSL_NO_EC2M
R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
@@ -395,8 +395,6 @@ enum ec_curves_t {
};
/* list of ecdsa curves */
static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
- {"ecdsap160", R_EC_P160},
- {"ecdsap192", R_EC_P192},
{"ecdsap224", R_EC_P224},
{"ecdsap256", R_EC_P256},
{"ecdsap384", R_EC_P384},
@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
};
/* list of ecdh curves, extension of |ecdsa_choices| list above */
static const OPT_PAIR ecdh_choices[EC_NUM] = {
- {"ecdhp160", R_EC_P160},
- {"ecdhp192", R_EC_P192},
{"ecdhp224", R_EC_P224},
{"ecdhp256", R_EC_P256},
{"ecdhp384", R_EC_P384},
@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv)
*/
static const EC_CURVE ec_curves[EC_NUM] = {
/* Prime Curves */
- {"secp160r1", NID_secp160r1, 160},
- {"nistp192", NID_X9_62_prime192v1, 192},
{"nistp224", NID_secp224r1, 224},
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
index 1ec10143d2..82b95294b4 100644
--- a/crypto/evp/ec_support.c
+++ b/crypto/evp/ec_support.c
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
static const EC_NAME2NID curve_list[] = {
/* prime field curves */
/* secg curves */
- {"secp112r1", NID_secp112r1 },
- {"secp112r2", NID_secp112r2 },
- {"secp128r1", NID_secp128r1 },
- {"secp128r2", NID_secp128r2 },
- {"secp160k1", NID_secp160k1 },
- {"secp160r1", NID_secp160r1 },
- {"secp160r2", NID_secp160r2 },
- {"secp192k1", NID_secp192k1 },
- {"secp224k1", NID_secp224k1 },
{"secp224r1", NID_secp224r1 },
{"secp256k1", NID_secp256k1 },
{"secp384r1", NID_secp384r1 },
{"secp521r1", NID_secp521r1 },
/* X9.62 curves */
- {"prime192v1", NID_X9_62_prime192v1 },
- {"prime192v2", NID_X9_62_prime192v2 },
- {"prime192v3", NID_X9_62_prime192v3 },
- {"prime239v1", NID_X9_62_prime239v1 },
- {"prime239v2", NID_X9_62_prime239v2 },
- {"prime239v3", NID_X9_62_prime239v3 },
{"prime256v1", NID_X9_62_prime256v1 },
/* characteristic two field curves */
/* NIST/SECG curves */
- {"sect113r1", NID_sect113r1 },
- {"sect113r2", NID_sect113r2 },
- {"sect131r1", NID_sect131r1 },
- {"sect131r2", NID_sect131r2 },
- {"sect163k1", NID_sect163k1 },
- {"sect163r1", NID_sect163r1 },
- {"sect163r2", NID_sect163r2 },
- {"sect193r1", NID_sect193r1 },
- {"sect193r2", NID_sect193r2 },
- {"sect233k1", NID_sect233k1 },
- {"sect233r1", NID_sect233r1 },
- {"sect239k1", NID_sect239k1 },
- {"sect283k1", NID_sect283k1 },
- {"sect283r1", NID_sect283r1 },
- {"sect409k1", NID_sect409k1 },
- {"sect409r1", NID_sect409r1 },
- {"sect571k1", NID_sect571k1 },
- {"sect571r1", NID_sect571r1 },
- /* X9.62 curves */
- {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
- {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
- {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
- {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
- {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
- {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
- {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
- {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
- {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
- {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
- {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
- {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
- {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
- {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
- {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
- {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
- /*
- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
- * from X9.62]
- */
- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
- /* IPSec curves */
- {"Oakley-EC2N-3", NID_ipsec3 },
- {"Oakley-EC2N-4", NID_ipsec4 },
/* brainpool curves */
- {"brainpoolP160r1", NID_brainpoolP160r1 },
- {"brainpoolP160t1", NID_brainpoolP160t1 },
- {"brainpoolP192r1", NID_brainpoolP192r1 },
- {"brainpoolP192t1", NID_brainpoolP192t1 },
- {"brainpoolP224r1", NID_brainpoolP224r1 },
- {"brainpoolP224t1", NID_brainpoolP224t1 },
{"brainpoolP256r1", NID_brainpoolP256r1 },
{"brainpoolP256t1", NID_brainpoolP256t1 },
{"brainpoolP320r1", NID_brainpoolP320r1 },
@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = {
{"brainpoolP384t1", NID_brainpoolP384t1 },
{"brainpoolP512r1", NID_brainpoolP512r1 },
{"brainpoolP512t1", NID_brainpoolP512t1 },
- /* SM2 curve */
- {"SM2", NID_sm2 },
};
const char *OSSL_EC_curve_nid2name(int nid)
@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
/* Functions to translate between common NIST curve names and NIDs */
static const EC_NAME2NID nist_curves[] = {
- {"B-163", NID_sect163r2},
- {"B-233", NID_sect233r1},
- {"B-283", NID_sect283r1},
- {"B-409", NID_sect409r1},
- {"B-571", NID_sect571r1},
- {"K-163", NID_sect163k1},
- {"K-233", NID_sect233k1},
- {"K-283", NID_sect283k1},
- {"K-409", NID_sect409k1},
- {"K-571", NID_sect571k1},
- {"P-192", NID_X9_62_prime192v1},
{"P-224", NID_secp224r1},
{"P-256", NID_X9_62_prime256v1},
{"P-384", NID_secp384r1},
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
index ad11d3ae1e..894a0bff9d 100644
--- a/test/acvp_test.inc
+++ b/test/acvp_test.inc
@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
0xB1, 0xAC,
};
static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
- {
- "SHA-1",
- "P-192",
- ITM(ecdsa_sigver_msg0),
- ITM(ecdsa_sigver_pub0),
- ITM(ecdsa_sigver_r0),
- ITM(ecdsa_sigver_s0),
- PASS,
- },
{
"SHA2-512",
"P-521",
diff --git a/test/ecdsatest.h b/test/ecdsatest.h
index 63fe319025..06b5c0aac5 100644
--- a/test/ecdsatest.h
+++ b/test/ecdsatest.h
@@ -32,23 +32,6 @@ typedef struct {
} ecdsa_cavs_kat_t;
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
- /* prime KATs from X9.62 */
- {NID_X9_62_prime192v1, NID_sha1,
- "616263", /* "abc" */
- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
- "5ca5c0d69716dfcb3474373902",
- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
- {NID_X9_62_prime239v1, NID_sha1,
- "616263", /* "abc" */
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
/* prime KATs from NIST CAVP */
{NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
index 2dfed387ca..c733b68f83 100644
--- a/test/recipes/15-test_genec.t
+++ b/test/recipes/15-test_genec.t
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
if disabled("ec");
my @prime_curves = qw(
- secp112r1
- secp112r2
- secp128r1
- secp128r2
- secp160k1
- secp160r1
- secp160r2
- secp192k1
- secp224k1
secp224r1
secp256k1
secp384r1
secp521r1
- prime192v1
- prime192v2
- prime192v3
- prime239v1
- prime239v2
- prime239v3
prime256v1
- wap-wsg-idm-ecid-wtls6
- wap-wsg-idm-ecid-wtls7
- wap-wsg-idm-ecid-wtls8
- wap-wsg-idm-ecid-wtls9
- wap-wsg-idm-ecid-wtls12
- brainpoolP160r1
- brainpoolP160t1
- brainpoolP192r1
- brainpoolP192t1
- brainpoolP224r1
- brainpoolP224t1
brainpoolP256r1
brainpoolP256t1
brainpoolP320r1
@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
if !disabled("sm2");
my @curve_aliases = qw(
- P-192
P-224
P-256
P-384
--
2.41.0

37
0115-skip-quic-pairwise.patch → 0012-RH-skip-quic-pairwise.patch
View File

@ -1,7 +1,7 @@
From ec8e4e25cc5e5c67313c5fd6af94fa248685c3d1 Mon Sep 17 00:00:00 2001
From 2f327785a69b62eac55a94d49441994cbaf941d5 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 7 Mar 2024 17:37:09 +0100
Subject: [PATCH 45/49] 0115-skip-quic-pairwise.patch
Subject: [PATCH 12/50] RH: skip quic pairwise
Patch-name: 0115-skip-quic-pairwise.patch
Patch-id: 115
@ -14,10 +14,10 @@ Patch-status: |
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/test/quicapitest.c b/test/quicapitest.c
index 41cf0fc7a8..0fb7492700 100644
index 38dd42c184..b2e18522ab 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -2139,7 +2139,9 @@ int setup_tests(void)
@@ -2761,7 +2761,9 @@ int setup_tests(void)
ADD_TEST(test_cipher_find);
ADD_TEST(test_version);
#if defined(DO_SSL_TRACE_TEST)
@ -28,8 +28,20 @@ index 41cf0fc7a8..0fb7492700 100644
#endif
ADD_TEST(test_quic_forbidden_apis_ctx);
ADD_TEST(test_quic_forbidden_apis);
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
index 222b1886ae..7e2f65cccb 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -185,6 +185,7 @@ foreach (sort keys %stlibname) {
}
}
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
+@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
if (@duplicates) {
note "Duplicates:";
note join('\n', @duplicates);
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
index c837d48fb4..6291c08c49 100644
index a101a26fb1..43e5396766 100644
--- a/test/recipes/30-test_pairwise_fail.t
+++ b/test/recipes/30-test_pairwise_fail.t
@@ -9,7 +9,7 @@
@ -41,18 +53,7 @@ index c837d48fb4..6291c08c49 100644
use OpenSSL::Test::Utils;
BEGIN {
@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config"
SKIP: {
skip "Skip RSA test because of no rsa in this build", 1
if disabled("rsa");
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
+ sub {
ok(run(test(["pairwise_fail_test", "-config", $provconf,
"-pairwise", "rsa"])),
"fips provider rsa keygen pairwise failure test");
+ });
}
@@ -39,20 +39,26 @@ SKIP: {
SKIP: {
skip "Skip EC test because of no ec in this build", 2
if disabled("ec");
@ -81,5 +82,5 @@ index c837d48fb4..6291c08c49 100644
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
"fips provider dsa keygen pairwise failure test");
--
2.44.0
2.49.0

37
0116-version-aliasing.patch → 0013-RH-version-aliasing.patch
View File

@ -1,7 +1,7 @@
From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001
From dcea5128f4a6ff30eedca8442b8e3cdc18bac216 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 46/49] 0116-version-aliasing.patch
Subject: [PATCH 13/50] RH: version aliasing
Patch-name: 0116-version-aliasing.patch
Patch-id: 116
@ -17,11 +17,11 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 42331703da..3a280acc0e 100644
index 6fc201bcfe..3c80b9dfe1 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -553,7 +553,12 @@ legacy:
return ret;
@@ -572,7 +572,12 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
return ctx->digest->dsqueeze(ctx->algctx, md, &size, size);
}
-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in)
@ -35,10 +35,10 @@ index 42331703da..3a280acc0e 100644
EVP_MD_CTX *out = EVP_MD_CTX_new();
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index e9faf31057..5a29b8dbb7 100644
index eee00a0780..7c51786515 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
@@ -1762,7 +1762,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
#endif /* FIPS_MODULE */
}
@ -53,20 +53,19 @@ index e9faf31057..5a29b8dbb7 100644
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
index 222b1886ae..7e2f65cccb 100644
index 7e2f65cccb..cc947d4821 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) {
}
}
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
+@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
+@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates;
if (@duplicates) {
note "Duplicates:";
note join('\n', @duplicates);
@@ -131,6 +131,7 @@ foreach (sort keys %stlibname) {
s| .*||;
# Drop OpenSSL dynamic version information if there is any
s|\@\@.+$||;
+ s|\@.+$||;
# Return the result
$_
}
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 8046454025..068e9904e2 100644
index ceb4948839..eab3987a6b 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION:
@ -80,5 +79,5 @@ index 8046454025..068e9904e2 100644
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
--
2.44.0
2.49.0

37
0013-skipped-tests-EC-curves.patch
View File

@ -1,37 +0,0 @@
diff -up ./test/recipes/15-test_ec.t.skip-tests ./test/recipes/15-test_ec.t
--- ./test/recipes/15-test_ec.t.skip-tests 2023-03-14 13:42:38.865508269 +0100
+++ ./test/recipes/15-test_ec.t 2023-03-14 13:43:36.237021635 +0100
@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key
subtest 'Check loading of fips and non-fips keys' => sub {
plan skip_all => "FIPS is disabled"
- if $no_fips;
+ if 1; #Red Hat specific, original value is $no_fips;
plan tests => 2;
diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_cmp_protect.t
--- ./test/recipes/65-test_cmp_protect.t.skip-tests 2023-03-14 10:13:11.342056559 +0100
+++ ./test/recipes/65-test_cmp_protect.t 2023-03-14 10:14:42.643873496 +0100
@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo
plan skip_all => "This test is not supported in a shared library build on Windows"
if $^O eq 'MSWin32' && !disabled("shared");
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
my @basic_cmd = ("cmp_protect_test",
data_file("prot_RSA.pem"),
diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
index f722800e27..26a01786bb 100644
--- a/test/recipes/65-test_cmp_vfy.t
+++ b/test/recipes/65-test_cmp_vfy.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
plan skip_all => "This test is not supported in a no-ec build"
if disabled("ec");
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),

80
0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch Normal file
View File

@ -0,0 +1,80 @@
From 1c440ca60081777e618eaecb31ef92b692cc2444 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 16:09:09 -0500
Subject: [PATCH 14/50] RH: Export two symbols for OPENSSL_str[n]casecmp
We accidentally exported the symbols with the incorrect verison number
in an early version of RHEL-9 so we need to keep the wrong symbols for
ABI backwards compatibility and the correct symbols to be compatible
with upstream.
---
crypto/o_str.c | 14 ++++++++++++--
test/recipes/01-test_symbol_presence.t | 2 +-
util/libcrypto.num | 2 ++
3 files changed, 15 insertions(+), 3 deletions(-)
mode change 100644 => 100755 test/recipes/01-test_symbol_presence.t
diff --git a/crypto/o_str.c b/crypto/o_str.c
index 93af73561f..86442a939e 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -403,7 +403,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
#endif
}
-int OPENSSL_strcasecmp(const char *s1, const char *s2)
+int
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
+ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
+#endif
+OPENSSL_strcasecmp(const char *s1, const char *s2)
{
int t;
@@ -413,7 +418,12 @@ int OPENSSL_strcasecmp(const char *s1, const char *s2)
return t;
}
-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
+int
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
+#endif
+OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
{
int t;
size_t i;
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
old mode 100644
new mode 100755
index cc947d4821..de2dcd90c2
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -186,7 +186,7 @@ foreach (sort keys %stlibname) {
}
}
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
-@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
+@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") && ($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp")} @duplicates;
if (@duplicates) {
note "Duplicates:";
note join('\n', @duplicates);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index eab3987a6b..d377d542db 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5426,7 +5426,9 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
EVP_RAND_CTX_up_ref 5558 3_1_0 EXIST::FUNCTION:
RAND_set0_public 5559 3_1_0 EXIST::FUNCTION:
RAND_set0_private 5560 3_1_0 EXIST::FUNCTION:
--
2.49.0

30
0015-RH-TMP-KTLS-test-skip.patch Normal file
View File

@ -0,0 +1,30 @@
From 73574d1847777d0c93d9ebe353d235ebb165eeae Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:11:19 -0500
Subject: [PATCH 15/50] RH: TMP KTLS test skip
From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
---
test/sslapitest.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 38d58e9387..39118a9162 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1023,9 +1023,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
/* sock must be connected */
static int ktls_chk_platform(int sock)
{
- if (!ktls_enable(sock))
+/* if (!ktls_enable(sock))
return 0;
- return 1;
+ return 1; */
+ return 0;
}
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
--
2.49.0

450
0049-Selectively-disallow-SHA1-signatures.patch → 0016-RH-Allow-disabling-of-SHA1-signatures.patch
View File

@ -1,45 +1,72 @@
From 4f9167db05cade673f98f1a00efd57136e97b460 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 22/49] 0049-Allow-disabling-of-SHA1-signatures.patch
From 81b507715dded07f61f6d2bd7d498cc16ae04e38 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 13:07:07 +0200
Subject: [PATCH 16/50] RH: Allow disabling of SHA1 signatures
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-id: 49
Patch-status: |
# # Selectively disallow SHA1 signatures rhbz#2070977
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
# Selectively disallow SHA1 signatures rhbz#2070977
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/context.c | 14 ++++
crypto/evp/evp_cnf.c | 13 +++
crypto/evp/m_sigver.c | 79 +++++++++++++++++++
crypto/context.c | 76 +++++++++++++++++++
crypto/evp/evp_cnf.c | 13 ++++
crypto/evp/m_sigver.c | 13 ++++
crypto/evp/pmeth_lib.c | 15 ++++
doc/man5/config.pod | 13 +++
include/crypto/context.h | 3 +
doc/man5/config.pod | 13 ++++
include/crypto/context.h | 8 ++
include/internal/cryptlib.h | 3 +-
include/internal/sslconf.h | 4 +
providers/common/securitycheck.c | 20 +++++
providers/common/securitycheck_default.c | 9 ++-
providers/implementations/signature/dsa_sig.c | 11 ++-
.../implementations/signature/ecdsa_sig.c | 4 +
providers/implementations/signature/rsa_sig.c | 20 ++++-
providers/common/include/prov/securitycheck.h | 2 +
providers/common/securitycheck.c | 14 ++++
providers/common/securitycheck_default.c | 1 +
providers/implementations/signature/dsa_sig.c | 1 +
.../implementations/signature/ecdsa_sig.c | 5 +-
providers/implementations/signature/rsa_sig.c | 17 ++++-
ssl/t1_lib.c | 8 ++
util/libcrypto.num | 2 +
15 files changed, 209 insertions(+), 9 deletions(-)
16 files changed, 189 insertions(+), 6 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
index fb4816d89b..c04920fe14 100644
index 614c8a2c88..6859146510 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -83,6 +83,8 @@ struct ossl_lib_ctx_st {
void *fips_prov;
@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st {
#endif
STACK_OF(SSL_COMP) *comp_methods;
+ void *legacy_digest_signatures;
+
unsigned int ischild:1;
int ischild;
int conf_diagnostics;
};
@@ -119,6 +121,25 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *ctx)
return ctx->ischild;
}
@@ -223,6 +225,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
+static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
+
+ if (ldsigs != NULL) {
+ OPENSSL_free(ldsigs);
+ }
+}
+
+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+ * because the default on Fedora is to allow SHA-1 and support disabling
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
+ ldsigs->allowed = 0;
+ return ldsigs;
+}
+
static void context_deinit_objs(OSSL_LIB_CTX *ctx);
static int context_init(OSSL_LIB_CTX *ctx)
@@ -235,6 +256,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
goto err;
#endif
@ -50,7 +77,7 @@ index fb4816d89b..c04920fe14 100644
/* Low priority. */
#ifndef FIPS_MODULE
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
@@ -366,6 +372,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
@@ -382,6 +407,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
}
#endif
@ -62,9 +89,9 @@ index fb4816d89b..c04920fe14 100644
/* Low priority. */
#ifndef FIPS_MODULE
if (ctx->child_provider != NULL) {
@@ -663,6 +674,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
return ctx->fips_prov;
#endif
@@ -660,6 +690,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
case OSSL_LIB_CTX_COMP_METHODS:
return (void *)&ctx->comp_methods;
+ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
+ return ctx->legacy_digest_signatures;
@ -72,69 +99,10 @@ index fb4816d89b..c04920fe14 100644
default:
return NULL;
}
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 0e7fe64cf9..b9d3b6d226 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <openssl/crypto.h>
#include "internal/cryptlib.h"
+#include "internal/sslconf.h"
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
return 0;
}
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
+ int m;
+
+ /* Detailed error already reported. */
+ if (!X509V3_get_value_bool(oval, &m))
+ return 0;
+
+ if (!ossl_ctx_legacy_digest_signatures_allowed_set(
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+ return 0;
+ }
} else {
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 3a979f4bd4..fd3a4b79df 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -15,6 +15,73 @@
#include "internal/provider.h"
#include "internal/numbers.h" /* includes SIZE_MAX */
#include "evp_local.h"
+#include "crypto/context.h"
+
+typedef struct ossl_legacy_digest_signatures_st {
+ int allowed;
+} OSSL_LEGACY_DIGEST_SIGNATURES;
+
+void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
+
+ if (ldsigs != NULL) {
+ OPENSSL_free(ldsigs);
+ }
+}
+
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+ * because the default on Fedora is to allow SHA-1 and support disabling
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
+ ldsigs->allowed = 0;
+ return ldsigs;
+}
@@ -714,3 +747,46 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, int value)
return;
libctx->conf_diagnostics = value;
}
+
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
+ OSSL_LIB_CTX *libctx, int loadconfig)
@ -178,10 +146,50 @@ index 3a979f4bd4..fd3a4b79df 100644
+ ldsigs->allowed = allow;
+ return 1;
+}
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 0e7fe64cf9..b9d3b6d226 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <openssl/crypto.h>
#include "internal/cryptlib.h"
+#include "internal/sslconf.h"
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
return 0;
}
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
+ int m;
+
+ /* Detailed error already reported. */
+ if (!X509V3_get_value_bool(oval, &m))
+ return 0;
+
+ if (!ossl_ctx_legacy_digest_signatures_allowed_set(
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+ return 0;
+ }
} else {
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 2d1839fedb..6e4685ecc0 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -15,6 +15,7 @@
#include "internal/provider.h"
#include "internal/numbers.h" /* includes SIZE_MAX */
#include "evp_local.h"
+#include "internal/sslconf.h"
#ifndef FIPS_MODULE
@@ -253,6 +320,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
{
@@ -251,6 +252,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
}
}
@ -201,7 +209,7 @@ index 3a979f4bd4..fd3a4b79df 100644
if (signature->digest_verify_init == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 268b1617e3..248f655d0f 100644
index 665cafbc21..84fb95d4ca 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
@ -212,7 +220,7 @@ index 268b1617e3..248f655d0f 100644
#include "evp_local.h"
#ifndef FIPS_MODULE
@@ -951,6 +952,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
@@ -954,6 +955,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
return -2;
}
@ -234,49 +242,56 @@ index 268b1617e3..248f655d0f 100644
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index bd05736220..ed34ff4b9c 100644
index 39fa468320..b994081924 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
@@ -315,6 +315,19 @@ Within the algorithm properties section, the following names have meaning:
The value may be anything that is acceptable as a property query
string for EVP_set_default_properties().
+=item B<rh-allow-sha1-signatures>
+
+The value is a boolean that can be B<yes> or B<no>. If the value is not set,
+it behaves as if it was set to B<no>.
+it behaves as if it was set to B<yes>.
+
+When set to B<no>, any attempt to create or verify a signature with a SHA1
+digest will fail. For compatibility with older versions of OpenSSL, set this
+option to B<yes>. This setting also affects TLS, where signature algorithms
+that use SHA1 as digest will no longer be supported if this option is set to
+B<no>.
+digest will fail. To test whether your software will work with future versions
+of OpenSSL, set this option to B<no>. This setting also affects TLS, where
+signature algorithms that use SHA1 as digest will no longer be supported if
+this option is set to B<no>. Because TLS 1.1 or lower use MD5-SHA1 as
+pseudorandom function (PRF) to derive key material, disabling
+B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
+
=item B<fips_mode> (deprecated)
The value is a boolean that can be B<yes> or B<no>. If the value is
diff --git a/include/crypto/context.h b/include/crypto/context.h
index 7369a730fb..55b74238c8 100644
index 1c181933e0..35bdfdb52d 100644
--- a/include/crypto/context.h
+++ b/include/crypto/context.h
@@ -46,3 +46,6 @@ void ossl_release_default_drbg_ctx(void);
@@ -48,3 +48,11 @@ void ossl_release_default_drbg_ctx(void);
#if defined(OPENSSL_THREADS)
void ossl_threads_ctx_free(void *);
#endif
+
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *);
+void ossl_ctx_legacy_digest_signatures_free(void *);
+#ifndef OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT
+#define OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT
+typedef struct ossl_legacy_digest_signatures_st {
+ int allowed;
+} OSSL_LEGACY_DIGEST_SIGNATURES;
+#endif
+
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index 64851fd8ed..8e01a77ddc 100644
index da442f8a86..44a5e8a99a 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -117,7 +117,8 @@ typedef struct ossl_ex_data_global_st {
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
# define OSSL_LIB_CTX_THREAD_INDEX 19
@@ -120,7 +120,8 @@ typedef struct ossl_ex_data_global_st {
# define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
-# define OSSL_LIB_CTX_MAX_INDEXES 20
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21
+# define OSSL_LIB_CTX_MAX_INDEXES 21
# define OSSL_LIB_CTX_COMP_METHODS 21
# define OSSL_LIB_CTX_INDICATOR_CB_INDEX 22
-# define OSSL_LIB_CTX_MAX_INDEXES 22
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23
+# define OSSL_LIB_CTX_MAX_INDEXES 23
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
@ -293,8 +308,18 @@ index fd7f7e3331..05464b0655 100644
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
+ int loadconfig);
#endif
diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h
index 29a2b7fbf8..a48cbb03d2 100644
--- a/providers/common/include/prov/securitycheck.h
+++ b/providers/common/include/prov/securitycheck.h
@@ -37,3 +37,5 @@ int ossl_digest_get_approved_nid(const EVP_MD *md);
/* Functions that have different implementations for the FIPS_MODULE */
int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md);
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx);
+
+int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid);
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 0d3acdbe56..fe694c4e96 100644
index 8ef8dc2a81..79a9c48ce2 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -19,6 +19,7 @@
@ -303,26 +328,27 @@ index 0d3acdbe56..fe694c4e96 100644
#include "prov/securitycheck.h"
+#include "internal/sslconf.h"
/*
* FIPS requires a minimum security strength of 112 bits (for encryption or
@@ -243,6 +244,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
mdnid = -1; /* disallowed by security checks */
}
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
#define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112
@@ -219,3 +220,16 @@ int ossl_dh_check_key(const DH *dh)
return (L == 2048 && (N == 224 || N == 256));
}
#endif /* OPENSSL_NO_DH */
+
+int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid)
+{
+#ifndef FIPS_MODULE
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+ if (!ossl_ctx_legacy_digest_signatures_allowed(libctx, 0))
+ /* SHA1 is globally disabled, check whether we want to locally allow
+ * it. */
+ if (mdnid == NID_sha1 && !sha1_allowed)
+ mdnid = -1;
+#endif
+ if (mdnid == NID_sha1)
+ mdnid = -1;
+
return mdnid;
}
+ return mdnid;
+}
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index 246323493e..2ca7a59f39 100644
index dd71fd91eb..9019fd2a80 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
@ -332,78 +358,46 @@ index 246323493e..2ca7a59f39 100644
+#include "internal/sslconf.h"
/* Disable the security checks in the default provider */
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
}
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
- ossl_unused int sha1_allowed)
+ int sha1_allowed)
{
int mdnid;
+ int ldsigs_allowed;
static const OSSL_ITEM name_to_nid[] = {
{ NID_md5, OSSL_DIGEST_NAME_MD5 },
@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
};
- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
if (mdnid == NID_undef)
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
+ mdnid = -1;
return mdnid;
}
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index b89a0f6836..e0c26a13e4 100644
index c5adbf8002..52ed52482d 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -125,12 +125,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
mdprops = ctx->propq;
@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
if (mdname != NULL) {
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
WPACKET pkt;
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
- sha1_allowed);
+ int md_nid;
size_t mdname_len = strlen(mdname);
+#ifdef FIPS_MODULE
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+#else
+ int sha1_allowed = 0;
+#endif
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+ sha1_allowed);
md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
md_nid = ossl_digest_get_approved_nid(md);
+ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
if (md == NULL || md_nid < 0) {
if (md == NULL)
if (md == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index f158105e71..62355b89fe 100644
index 4018a772ff..80e4115b69 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -247,7 +247,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
"%s could not be fetched", mdname);
return 0;
@@ -197,13 +197,16 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
goto err;
}
+#ifdef FIPS_MODULE
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+#else
+ sha1_allowed = 0;
+#endif
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
if (md_nid < 0) {
md_nid = ossl_digest_get_approved_nid(md);
+
#ifdef FIPS_MODULE
- if (md_nid == NID_undef) {
+ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
+ if (md_nid <= 0) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
goto err;
}
#endif
+
/* XOF digests don't work */
if (EVP_MD_xof(md)) {
ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index c1405f47ea..aeda1a7758 100644
index e75b90840b..c4740128ce 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -25,6 +25,7 @@
@@ -26,6 +26,7 @@
#include "internal/cryptlib.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
@ -411,54 +405,56 @@ index c1405f47ea..aeda1a7758 100644
#include "crypto/rsa.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
@@ -33,6 +34,7 @@
@@ -34,6 +35,7 @@
#include "prov/securitycheck.h"
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
OSSL_FUNC_signature_newctx_fn rsa_newctx;
static OSSL_FUNC_signature_newctx_fn rsa_newctx;
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
@@ -301,10 +303,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
if (mdname != NULL) {
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+ int md_nid;
+ size_t mdname_len = strlen(mdname);
+#ifdef FIPS_MODULE
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
+#else
+ int sha1_allowed = 0;
+#endif
+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
sha1_allowed);
- size_t mdname_len = strlen(mdname);
if (md == NULL
|| md_nid <= 0
@@ -1392,8 +1399,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
@@ -387,7 +389,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
goto err;
}
md_nid = ossl_digest_rsa_sign_get_md_nid(md);
- if (md_nid == NID_undef) {
+ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
+ if (md_nid <= 0) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
goto err;
@@ -475,8 +478,9 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
"%s could not be fetched", mdname);
return 0;
}
- /* The default for mgf1 is SHA1 - so allow SHA1 */
+ /* The default for mgf1 is SHA1 - so check if we allow SHA1 */
if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0
+ || (mdnid = rh_digest_signatures_allowed(ctx->libctx, mdnid)) <= 0
|| !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
if (mdnid <= 0)
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
@@ -1765,8 +1769,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->pad_mode = pad_mode;
if (prsactx->md == NULL && pmdname == NULL
- && pad_mode == RSA_PKCS1_PSS_PADDING)
- pmdname = RSA_DEFAULT_DIGEST_NAME;
+ && pad_mode == RSA_PKCS1_PSS_PADDING) {
pmdname = RSA_DEFAULT_DIGEST_NAME;
+#ifndef FIPS_MODULE
+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+ if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+ pmdname = RSA_DEFAULT_DIGEST_NAME;
+ } else {
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+ }
+#endif
+ }
+
if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 631e1fdef9..05dd7c5595 100644
index 8d0c2647b7..f6117a1fc5 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -20,6 +20,7 @@
@@ -21,6 +21,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
@ -466,15 +462,15 @@ index 631e1fdef9..05dd7c5595 100644
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
@@ -1506,6 +1507,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
uint16_t *tls12_sigalgs_list = NULL;
@@ -2176,6 +2177,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
EVP_PKEY *tmpkey = EVP_PKEY_new();
int istls;
int ret = 0;
+ int ldsigs_allowed;
if (ctx == NULL)
goto err;
@@ -1521,6 +1523,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
@@ -2193,6 +2195,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
goto err;
ERR_set_mark();
@ -482,28 +478,28 @@ index 631e1fdef9..05dd7c5595 100644
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
for (i = 0, lu = sigalg_lookup_tbl;
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
@@ -1542,6 +1545,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
cache[i].enabled = 0;
@@ -2213,6 +2216,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
cache[i].available = 0;
continue;
}
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && !ldsigs_allowed) {
+ cache[i].enabled = 0;
+ cache[i].available = 0;
+ continue;
+ }
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
cache[i].enabled = 0;
cache[i].available = 0;
diff --git a/util/libcrypto.num b/util/libcrypto.num
index ef97803327..8046454025 100644
index d377d542db..c2c55129ae 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5536,3 +5536,5 @@ X509_STORE_CTX_set_get_crl 5663 3_2_0 EXIST::FUNCTION:
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
@@ -5928,3 +5928,5 @@ OSSL_AA_DIST_POINT_free 6051 3_5_0 EXIST::FUNCTION:
OSSL_AA_DIST_POINT_new 6052 3_5_0 EXIST::FUNCTION:
OSSL_AA_DIST_POINT_it 6053 3_5_0 EXIST::FUNCTION:
PEM_ASN1_write_bio_ctx 6054 3_5_0 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
--
2.44.0
2.49.0

34
0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch Normal file
View File

@ -0,0 +1,34 @@
From 3e20d4430b34488a06102c30634e7d25d2699290 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:12:33 -0500
Subject: [PATCH 17/50] FIPS: Red Hat's FIPS module name and version
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/fipsprov.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 373cd1c2e4..aa1ab85470 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, FIPS_VENDOR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VENDOR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
--
2.49.0

477
0034.fipsinstall_disable.patch → 0018-FIPS-disable-fipsinstall.patch
View File

@ -1,27 +1,33 @@
From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001
From 50de3f0a5f2023549aaa9caa2184795e692741b0 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 18/50] FIPS: disable fipsinstall
Patch-name: 0034.fipsinstall_disable.patch
Patch-id: 34
Patch-status: |
# Comment out fipsinstall command-line utility
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
# # Comment out fipsinstall command-line utility
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
apps/fipsinstall.c | 3 +
doc/man1/openssl-fipsinstall.pod.in | 272 +---------------------------
doc/man1/openssl.pod | 4 -
doc/man5/config.pod | 1 -
doc/man5/fips_config.pod | 104 +----------
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
6 files changed, 10 insertions(+), 375 deletions(-)
apps/fipsinstall.c | 3 +
doc/man1/openssl-fipsinstall.pod.in | 485 +-------------------------
doc/man1/openssl.pod | 4 -
doc/man5/config.pod | 1 -
doc/man5/fips_config.pod | 228 +-----------
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
test/recipes/00-prep_fipsmodule_cnf.t | 10 +-
test/recipes/01-test_fipsmodule_cnf.t | 7 +-
test/recipes/03-test_fipsinstall.t | 2 +
9 files changed, 22 insertions(+), 719 deletions(-)
mode change 100644 => 100755 test/recipes/00-prep_fipsmodule_cnf.t
mode change 100644 => 100755 test/recipes/01-test_fipsmodule_cnf.t
mode change 100644 => 100755 test/recipes/03-test_fipsinstall.t
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index e1ef645b60..db92cb5fb2 100644
index 0daa55a1b8..b4e29ac301 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv)
@@ -590,6 +590,9 @@ int fipsinstall_main(int argc, char **argv)
EVP_MAC *mac = NULL;
CONF *conf = NULL;
@ -32,10 +38,10 @@ index e1ef645b60..db92cb5fb2 100644
goto end;
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index b1768b7f91..b6b00e27d8 100644
index 9dd4f5a49f..9a063022a9 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
@@ -8,488 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
=head1 SYNOPSIS
B<openssl fipsinstall>
@ -53,8 +59,33 @@ index b1768b7f91..b6b00e27d8 100644
-[B<-pedantic>]
-[B<-no_conditional_errors>]
-[B<-no_security_checks>]
-[B<-hmac_key_check>]
-[B<-kmac_key_check>]
-[B<-ems_check>]
-[B<-no_drbg_truncated_digests>]
-[B<-signature_digest_check>]
-[B<-hkdf_digest_check>]
-[B<-tls13_kdf_digest_check>]
-[B<-tls1_prf_digest_check>]
-[B<-sshkdf_digest_check>]
-[B<-sskdf_digest_check>]
-[B<-x963kdf_digest_check>]
-[B<-dsa_sign_disabled>]
-[B<-no_pbkdf2_lower_bound_check>]
-[B<-no_short_mac>]
-[B<-tdes_encrypt_disabled>]
-[B<-rsa_pkcs15_padding_disabled>]
-[B<-rsa_pss_saltlen_check>]
-[B<-rsa_sign_x931_disabled>]
-[B<-hkdf_key_check>]
-[B<-kbkdf_key_check>]
-[B<-tls13_kdf_key_check>]
-[B<-tls1_prf_key_check>]
-[B<-sshkdf_key_check>]
-[B<-sskdf_key_check>]
-[B<-x963kdf_key_check>]
-[B<-x942kdf_key_check>]
-[B<-ecdh_cofactor_check>]
-[B<-self_test_onload>]
-[B<-self_test_oninstall>]
-[B<-corrupt_desc> I<selftest_description>]
@ -216,11 +247,154 @@ index b1768b7f91..b6b00e27d8 100644
-when using the TLS1_PRF KDF algorithm. This check is disabled by default.
-See RFC 7627 for information related to EMS.
-
-=item B<-no_short_mac>
-
-Configure the module to not allow short MAC outputs.
-See SP 800-185 8.4.2 and FIPS 140-3 ID C.D for details.
-
-=item B<-hmac_key_check>
-
-Configure the module to not allow small keys sizes when using HMAC.
-See SP 800-131Ar2 for details.
-
-=item B<-kmac_key_check>
-
-Configure the module to not allow small keys sizes when using KMAC.
-See SP 800-131Ar2 for details.
-
-=item B<-no_drbg_truncated_digests>
-
-Configure the module to not allow truncated digests to be used with Hash and
-HMAC DRBGs. See FIPS 140-3 IG D.R for details.
-
-=item B<-signature_digest_check>
-
-Configure the module to enforce signature algorithms to use digests that are
-explicitly permitted by the various standards.
-
-=item B<-hkdf_digest_check>
-
-Configure the module to enable a run-time digest check when deriving a key by
-HKDF.
-See NIST SP 800-56Cr2 for details.
-
-=item B<-tls13_kdf_digest_check>
-
-Configure the module to enable a run-time digest check when deriving a key by
-TLS13 KDF.
-See RFC 8446 for details.
-
-=item B<-tls1_prf_digest_check>
-
-Configure the module to enable a run-time digest check when deriving a key by
-TLS_PRF.
-See NIST SP 800-135r1 for details.
-
-=item B<-sshkdf_digest_check>
-
-Configure the module to enable a run-time digest check when deriving a key by
-SSHKDF.
-See NIST SP 800-135r1 for details.
-
-=item B<-sskdf_digest_check>
-
-Configure the module to enable a run-time digest check when deriving a key by
-SSKDF.
-See NIST SP 800-56Cr2 for details.
-
-=item B<-x963kdf_digest_check>
-
-Configure the module to enable a run-time digest check when deriving a key by
-X963KDF.
-See NIST SP 800-131Ar2 for details.
-
-=item B<-dsa_sign_disabled>
-
-Configure the module to not allow DSA signing (DSA signature verification is
-still allowed). See FIPS 140-3 IG C.K for details.
-
-=item B<-tdes_encrypt_disabled>
-
-Configure the module to not allow Triple-DES encryption.
-Triple-DES decryption is still allowed for legacy purposes.
-See SP800-131Ar2 for details.
-
-=item B<-rsa_pkcs15_padding_disabled>
-
-Configure the module to not allow PKCS#1 version 1.5 padding to be used with
-RSA for key transport and key agreement. See NIST's SP 800-131A Revision 2
-for details.
-
-=item B<-rsa_pss_saltlen_check>
-
-Configure the module to enable a run-time salt length check when generating or
-verifying a RSA-PSS signature.
-See FIPS 186-5 5.4 (g) for details.
-
-=item B<-rsa_sign_x931_disabled>
-
-Configure the module to not allow X9.31 padding to be used when signing with
-RSA. See FIPS 140-3 IG C.K for details.
-
-=item B<-hkdf_key_check>
-
-Configure the module to enable a run-time short key-derivation key check when
-deriving a key by HKDF.
-See NIST SP 800-131Ar2 for details.
-
-=item B<-kbkdf_key_check>
-
-Configure the module to enable a run-time short key-derivation key check when
-deriving a key by KBKDF.
-See NIST SP 800-131Ar2 for details.
-
-=item B<-tls13_kdf_key_check>
-
-Configure the module to enable a run-time short key-derivation key check when
-deriving a key by TLS13 KDF.
-See NIST SP 800-131Ar2 for details.
-
-=item B<-tls1_prf_key_check>
-
-Configure the module to enable a run-time short key-derivation key check when
-deriving a key by TLS_PRF.
-See NIST SP 800-131Ar2 for details.
-
-=item B<-sshkdf_key_check>
-
-Configure the module to enable a run-time short key-derivation key check when
-deriving a key by SSHKDF.
-See NIST SP 800-131Ar2 for details.
-
-=item B<-sskdf_key_check>
-
-Configure the module to enable a run-time short key-derivation key check when
-deriving a key by SSKDF.
-See NIST SP 800-131Ar2 for details.
-
-=item B<-x963kdf_key_check>
-
-Configure the module to enable a run-time short key-derivation key check when
-deriving a key by X963KDF.
-See NIST SP 800-131Ar2 for details.
-
-=item B<-x942kdf_key_check>
-
-Configure the module to enable a run-time short key-derivation key check when
-deriving a key by X942KDF.
-See NIST SP 800-131Ar2 for details.
-
-=item B<-no_pbkdf2_lower_bound_check>
-
-Configure the module to not perform run-time lower bound check for PBKDF2.
-See NIST SP 800-132 for details.
-
-=item B<-ecdh_cofactor_check>
-
-Configure the module to enable a run-time check that ECDH uses the EC curves
-cofactor value when deriving a key. This only affects the 'B' and 'K' curves.
-See SP 800-56A r3 Section 5.7.1.2 for details.
-
-=item B<-self_test_onload>
-
-Do not write the two fields related to the "test status indicator" and
@ -230,14 +404,17 @@ index b1768b7f91..b6b00e27d8 100644
-target machine. Once the self tests have run on the target machine the user
-could possibly then add the 2 fields into the configuration using some other
-mechanism.
-
-This is the default.
-This option defaults to 0 for any OpenSSL FIPS 140-2 provider (OpenSSL 3.0.X).
-and is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
-longer allowed.
-
-=item B<-self_test_oninstall>
-
-The converse of B<-self_test_oninstall>. The two fields related to the
-"test status indicator" and "MAC status indicator" are written to the
-output configuration file.
-This field is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
-longer allowed.
-
-=item B<-quiet>
-
@ -308,6 +485,48 @@ index b1768b7f91..b6b00e27d8 100644
-L<fips_config(5)>,
-L<OSSL_PROVIDER-FIPS(7)>,
-L<EVP_MAC(3)>
-
-=head1 HISTORY
-
-The B<openssl-fipsinstall> application was added in OpenSSL 3.0.
-
-The following options were added in OpenSSL 3.1:
-
-B<-ems_check>,
-B<-self_test_oninstall>
-
-The following options were added in OpenSSL 3.2:
-
-B<-pedantic>,
-B<-no_drbg_truncated_digests>
-
-The following options were added in OpenSSL 3.4:
-
-B<-hmac_key_check>,
-B<-kmac_key_check>,
-B<-signature_digest_check>,
-B<-hkdf_digest_check>,
-B<-tls13_kdf_digest_check>,
-B<-tls1_prf_digest_check>,
-B<-sshkdf_digest_check>,
-B<-sskdf_digest_check>,
-B<-x963kdf_digest_check>,
-B<-dsa_sign_disabled>,
-B<-no_pbkdf2_lower_bound_check>,
-B<-no_short_mac>,
-B<-tdes_encrypt_disabled>,
-B<-rsa_pkcs15_padding_disabled>,
-B<-rsa_pss_saltlen_check>,
-B<-rsa_sign_x931_disabled>,
-B<-hkdf_key_check>,
-B<-kbkdf_key_check>,
-B<-tls13_kdf_key_check>,
-B<-tls1_prf_key_check>,
-B<-sshkdf_key_check>,
-B<-sskdf_key_check>,
-B<-x963kdf_key_check>,
-B<-x942kdf_key_check>,
-B<-ecdh_cofactor_check>
+This command is disabled.
+Please consult Red Hat Enterprise Linux documentation to learn how to correctly
+enable FIPS mode on Red Hat Enterprise
@ -315,10 +534,10 @@ index b1768b7f91..b6b00e27d8 100644
=head1 COPYRIGHT
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index d9c22a580f..d5ec3b9a6a 100644
index edef2ff598..0762a00d74 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation.
@@ -139,10 +139,6 @@ Engine (loadable module) information and manipulation.
Error Number to Error String Conversion.
@ -330,10 +549,10 @@ index d9c22a580f..d5ec3b9a6a 100644
Generation of DSA Private Key from Parameters. Superseded by
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 714a10437b..bd05736220 100644
index b994081924..7a6d7fab4a 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified.
@@ -603,7 +603,6 @@ configuration files using that syntax will have to be modified.
=head1 SEE ALSO
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
@ -342,10 +561,10 @@ index 714a10437b..bd05736220 100644
L<EVP_set_default_properties(3)>,
L<CONF_modules_load(3)>,
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
index 2255464304..1c15e32a5c 100644
index a25ced3383..15748c5756 100644
--- a/doc/man5/fips_config.pod
+++ b/doc/man5/fips_config.pod
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
@@ -6,230 +6,10 @@ fips_config - OpenSSL FIPS configuration
=head1 DESCRIPTION
@ -382,10 +601,6 @@ index 2255464304..1c15e32a5c 100644
-If present, the module is activated. The value assigned to this name is not
-significant.
-
-=item B<install-version>
-
-A version number for the fips install process. Should be 1.
-
-=item B<conditional-errors>
-
-The FIPS module normally enters an internal error mode if any self test fails.
@ -399,18 +614,14 @@ index 2255464304..1c15e32a5c 100644
-continuous test will return an error code if its continuous test fails. The
-operation may then be retried if the error mode has not been triggered.
-
-=item B<security-checks>
-
-This indicates if run-time checks related to enforcement of security parameters
-such as minimum security strength of keys and approved curve names are used.
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
-are not performed and FIPS compliance must be done by procedures documented in
-the relevant Security Policy.
-
-=item B<module-mac>
-
-The calculated MAC of the FIPS provider file.
-
-=item B<install-version>
-
-A version number for the fips install process. Should be 1.
-
-=item B<install-status>
-
-An indicator that the self-tests were successfully run.
@ -427,6 +638,134 @@ index 2255464304..1c15e32a5c 100644
-
-=back
-
-=head2 FIPS indicator options
-
-The following FIPS configuration options indicate if run-time checks related to
-enforcement of FIPS security parameters such as minimum security strength of
-keys and approved curve names are used.
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
-are not performed and FIPS compliance must be done by procedures documented in
-the relevant Security Policy.
-
-See L<openssl-fipsinstall(1)/OPTIONS> for further information related to these
-options.
-
-=over 4
-
-=item B<security-checks>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-no_security_checks>
-
-=item B<tls1-prf-ems-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-ems_check>
-
-=item B<no-short-mac>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-no_short_mac>
-
-=item B<drbg-no-trunc-md>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-no_drbg_truncated_digests>
-
-=item B<signature-digest-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-signature_digest_check>
-
-=item B<hkdf-digest-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_digest_check>
-
-=item B<tls13-kdf-digest-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-tls13_kdf_digest_check>
-
-=item B<tls1-prf-digest-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-tls1_prf_digest_check>
-
-=item B<sshkdf-digest-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-sshkdf_digest_check>
-
-=item B<sskdf-digest-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_digest_check>
-
-=item B<x963kdf-digest-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-x963kdf_digest_check>
-
-=item B<dsa-sign-disabled>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-dsa_sign_disabled>
-
-=item B<tdes-encrypt-disabled>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-tdes_encrypt_disabled>
-
-=item B<rsa-pkcs15-pad-disabled>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_pkcs15_pad_disabled>
-
-=item B<rsa-pss-saltlen-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_pss_saltlen_check>
-
-=item B<rsa-sign-x931-pad-disabled>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_sign_x931_disabled>
-
-=item B<hkdf-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_key_check>
-
-=item B<kbkdf-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-kbkdf_key_check>
-
-=item B<tls13-kdf-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-tls13_kdf_key_check>
-
-=item B<tls1-prf-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-tls1_prf_key_check>
-
-=item B<sshkdf-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-sshkdf_key_check>
-
-=item B<sskdf-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_key_check>
-
-=item B<x963kdf-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-x963kdf_key_check>
-
-=item B<x942kdf-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-x942kdf_key_check>
-
-=item B<pbkdf2-lower-bound-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-no_pbkdf2_lower_bound_check>
-
-=item B<ecdh-cofactor-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-ecdh_cofactor_check>
-
-=item B<hmac-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-hmac_key_check>
-
-=item B<kmac-key-check>
-
-See L<openssl-fipsinstall(1)/OPTIONS> B<-kmac_key_check>
-
-=back
-
-For example:
-
- [fips_sect]
@ -449,18 +788,22 @@ index 2255464304..1c15e32a5c 100644
-
-L<config(5)>
-L<openssl-fipsinstall(1)>
-
-=head1 HISTORY
-
-This functionality was added in OpenSSL 3.0.
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
+automatically loaded when the system is booted in FIPS mode, or when the
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
+for more information.
=head1 HISTORY
=head1 COPYRIGHT
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
index 4f908888ba..ef00247770 100644
index 20d35fada8..f8f219d647 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are:
@@ -575,7 +575,6 @@ want to operate in a FIPS approved manner. The algorithms are:
=head1 SEE ALSO
@ -468,6 +811,60 @@ index 4f908888ba..ef00247770 100644
L<fips_config(5)>,
L<OSSL_SELF_TEST_set_callback(3)>,
L<OSSL_SELF_TEST_new(3)>,
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
old mode 100644
new mode 100755
index 4e3a6d85e8..48869b2568
--- a/test/recipes/00-prep_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
@@ -29,8 +29,10 @@ my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf');
plan tests => 1;
+ok(1 == 1);
+
# Create the $fipsmoduleconf file
-ok(run(app(['openssl', 'fipsinstall', '-pedantic',
- '-module', $fipsmodule, '-provider_name', 'fips',
- '-section_name', 'fips_sect', '-out', $fipsmoduleconf])),
- "fips install");
+#ok(run(app(['openssl', 'fipsinstall', '-pedantic',
+# '-module', $fipsmodule, '-provider_name', 'fips',
+# '-section_name', 'fips_sect', '-out', $fipsmoduleconf])),
+# "fips install");
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
old mode 100644
new mode 100755
index ce594817d5..4530a46dd0
--- a/test/recipes/01-test_fipsmodule_cnf.t
+++ b/test/recipes/01-test_fipsmodule_cnf.t
@@ -31,7 +31,8 @@ plan tests => 1;
my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf');
+ok(1 == 1)
# verify the $fipsconf file
-ok(run(app(['openssl', 'fipsinstall',
- '-in', $fipsmoduleconf, '-module', $fipsmodule, '-verify'])),
- "fipsinstall verify");
+#ok(run(app(['openssl', 'fipsinstall',
+# '-in', $fipsmoduleconf, '-module', $fipsmodule, '-verify'])),
+# "fipsinstall verify");
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
old mode 100644
new mode 100755
index 1f9110ef60..7e80637bd5
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -22,6 +22,8 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
+plan skip_all => "Fipsinstall not available in Red Hat FIPS build";
+
plan skip_all => "Test only supported in a fips build" if disabled("fips");
# Compatible options for pedantic FIPS compliance
--
2.41.0
2.49.0

28
0032-Force-fips.patch → 0019-FIPS-Force-fips-provider-on.patch
View File

@ -1,18 +1,19 @@
From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 11:59:02 +0200
Subject: [PATCH 16/48] 0032-Force-fips.patch
From a5f2ab969455d591327ea41cac9ffb64234ca38c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 19/50] FIPS: Force fips provider on
Patch-name: 0032-Force-fips.patch
Patch-id: 32
Patch-status: |
# We load FIPS provider and set FIPS properties implicitly
# # We load FIPS provider and set FIPS properties implicitly
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
crypto/provider_conf.c | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
index 058fb58837..5274265a70 100644
index 5ec50f97e4..a2a9786e1c 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -10,6 +10,8 @@
@ -24,7 +25,7 @@ index 058fb58837..5274265a70 100644
#include <openssl/conf.h>
#include <openssl/safestack.h>
#include <openssl/provider.h>
@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
@@ -237,7 +239,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
if (path != NULL)
ossl_provider_set_module_path(prov, path);
@ -33,7 +34,7 @@ index 058fb58837..5274265a70 100644
if (ok == 1) {
if (!ossl_provider_activate(prov, 1, 0)) {
@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L
@@ -266,6 +268,8 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
if (ok <= 0)
ossl_provider_free(prov);
@ -42,7 +43,7 @@ index 058fb58837..5274265a70 100644
}
CRYPTO_THREAD_unlock(pcgbl->lock);
@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
@@ -420,6 +424,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
return 0;
}
@ -64,9 +65,6 @@ index 058fb58837..5274265a70 100644
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
+ return 0;
+ }
+ /* provider_conf_load can return 1 even when the test is failed so check explicitly */
+ if (OSSL_PROVIDER_available(libctx, "fips") != 1)
+ return 0;
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
+ return 0;
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
@ -77,5 +75,5 @@ index 058fb58837..5274265a70 100644
}
--
2.41.0
2.49.0

265
0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch Normal file
View File

@ -0,0 +1,265 @@
From 01427603bda0c44624b57c284e731c539828444e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 20/50] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
Corrected by squashing in:
0052-Restore-the-correct-verify_integrity-function.patch
Patch-name: 0033-FIPS-embed-hmac.patch
Patch-id: 33
Patch-status: |
# # Embed HMAC into the fips.so
# Modify fips self test as per
# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
providers/fips/self_test.c | 170 ++++++++++++++++++++++++++++++++++---
test/fipsmodule.cnf | 2 +
2 files changed, 161 insertions(+), 11 deletions(-)
create mode 100644 test/fipsmodule.cnf
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index ef7be26ca7..8b17b8ca94 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -235,13 +235,137 @@ err:
return ok;
}
+#define HMAC_LEN 32
+/*
+ * The __attribute__ ensures we've created the .rodata1 section
+ * static ensures it's zero filled
+*/
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
+
/*
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
* the result matches the expected value.
* Return 1 if verified, or 0 if it fails.
*/
+
+#ifndef __USE_GNU
+#define __USE_GNU
+#include <dlfcn.h>
+#undef __USE_GNU
+#else
+#include <dlfcn.h>
+#endif
+#include <link.h>
+
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
+ const unsigned char *expected,
+ size_t expected_len, OSSL_LIB_CTX *libctx,
+ OSSL_SELF_TEST *ev, const char *event_type)
+{
+ int ret = 0, status;
+ unsigned char out[MAX_MD_SIZE];
+ unsigned char buf[INTEGRITY_BUF_SIZE];
+ size_t bytes_read = 0, out_len = 0;
+ EVP_MAC *mac = NULL;
+ EVP_MAC_CTX *ctx = NULL;
+ OSSL_PARAM params[2], *p = params;
+ Dl_info info;
+ void *extra_info = NULL;
+ struct link_map *lm = NULL;
+ unsigned long paddr;
+ unsigned long off = 0;
+
+ if (expected_len != HMAC_LEN)
+ goto err;
+
+ if (!integrity_self_test(ev, libctx))
+ goto err;
+
+ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+
+ if (!dladdr1 ((const void *)fips_hmac_container,
+ &info, &extra_info, RTLD_DL_LINKMAP))
+ goto err;
+ lm = extra_info;
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
+ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
+ if (mac == NULL)
+ goto err;
+ ctx = EVP_MAC_CTX_new(mac);
+ if (ctx == NULL)
+ goto err;
+
+ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
+ *p = OSSL_PARAM_construct_end();
+
+ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
+ goto err;
+
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (off < paddr) {
+ int delta = paddr - off;
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ /* read away the buffer */
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ if (status != 1)
+ goto err;
+
+ /* check that it is the expect bytes, no point in continuing otherwise */
+ if (memcmp(expected, buf, HMAC_LEN) != 0)
+ goto err;
+
+ /* replace in-file HMAC buffer with the original zeros */
+ memset(buf, 0, HMAC_LEN);
+ if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
+ goto err;
+ off += HMAC_LEN;
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
+ goto err;
+
+ OSSL_SELF_TEST_oncorrupt_byte(ev, out);
+ if (expected_len != out_len
+ || memcmp(expected, out, out_len) != 0)
+ goto err;
+ ret = 1;
+err:
+ OSSL_SELF_TEST_onend(ev, ret);
+ EVP_MAC_CTX_free(ctx);
+ EVP_MAC_free(mac);
+# ifdef OPENSSL_PEDANTIC_ZEROIZATION
+ OPENSSL_cleanse(out, sizeof(out));
+# endif
+ return ret;
+}
+
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
- unsigned char *expected, size_t expected_len,
+ const unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
const char *event_type)
{
@@ -253,6 +377,9 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
+ if (expected_len != HMAC_LEN)
+ goto err;
+
if (!integrity_self_test(ev, libctx))
goto err;
@@ -316,7 +443,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
int ok = 0;
long checksum_len;
OSSL_CORE_BIO *bio_module = NULL;
- unsigned char *module_checksum = NULL;
+ const unsigned char *module_checksum = NULL;
+ unsigned char *alloc_checksum = NULL;
OSSL_SELF_TEST *ev = NULL;
EVP_RAND *testrand = NULL;
EVP_RAND_CTX *rng;
@@ -352,8 +480,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
return 0;
}
- if (st == NULL
- || st->module_checksum_data == NULL) {
+ if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
@@ -362,8 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
- &checksum_len);
+ if (st->module_checksum_data == NULL) {
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+ } else {
+ alloc_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
+ &checksum_len);
+ module_checksum = alloc_checksum;
+ }
+
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
@@ -371,14 +505,28 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
/* Always check the integrity of the fips module */
- if (bio_module == NULL
- || !verify_integrity(bio_module, st->bio_read_ex_cb,
- module_checksum, checksum_len, st->libctx,
- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ if (bio_module == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
goto end;
}
+ if (st->module_checksum_data == NULL) {
+ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb,
+ module_checksum, checksum_len,
+ st->libctx, ev,
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
+ goto end;
+ }
+ } else {
+ if (!verify_integrity(bio_module, st->bio_read_ex_cb,
+ module_checksum, checksum_len, st->libctx,
+ ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
+ goto end;
+ }
+ }
+
if (!SELF_TEST_kats(ev, st->libctx)) {
ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
goto end;
@@ -398,7 +546,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
end:
EVP_RAND_free(testrand);
OSSL_SELF_TEST_free(ev);
- OPENSSL_free(module_checksum);
+ OPENSSL_free(alloc_checksum);
if (st != NULL)
(*st->bio_free_cb)(bio_module);
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
new file mode 100644
index 0000000000..f05d0dedbe
--- /dev/null
+++ b/test/fipsmodule.cnf
@@ -0,0 +1,2 @@
+[fips_sect]
+activate = 1
--
2.49.0

32
0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch Normal file
View File

@ -0,0 +1,32 @@
From e5fa1a36fb4786a29e5e0ffcafc1198a18ef2a1c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 20 Feb 2025 15:30:32 -0500
Subject: [PATCH 21/50] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
This script rewrites the fips.so binary to embed the hmac result into it
so that after a build it can be called to make the fips.so as modified
by Red Hat to properly pass the integrty test
Signed-off-by: Simo Sorce <simo@redhat.com>
---
fips-hmacify.sh | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100755 fips-hmacify.sh
diff --git a/fips-hmacify.sh b/fips-hmacify.sh
new file mode 100755
index 0000000000..54ae60b07f
--- /dev/null
+++ b/fips-hmacify.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+dd if=/dev/zero bs=1 count=32 of=tmp.mac >/dev/null 2>&1
+objcopy --update-section .rodata1=tmp.mac providers/fips.so providers/fips.so.zeromac
+mv providers/fips.so.zeromac providers/fips.so
+LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
--
2.49.0

49
0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch Normal file
View File

@ -0,0 +1,49 @@
From 2c0a4a02d274997dcc969ec8a7f13922aa3a4d7b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 22/50] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
Patch-status: |
# # Execute KATS before HMAC verification
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
providers/fips/self_test.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index 8b17b8ca94..0f5074936f 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -489,6 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
+ /*
+ * Run the KAT's before HMAC verification according to FIPS-140-3
+ * requirements
+ */
+ if (!SELF_TEST_kats(ev, st->libctx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+ goto end;
+ }
+
if (st->module_checksum_data == NULL) {
module_checksum = fips_hmac_container;
checksum_len = sizeof(fips_hmac_container);
@@ -527,11 +536,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
}
}
- if (!SELF_TEST_kats(ev, st->libctx)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
- goto end;
- }
-
/* Verify that the RNG has been restored properly */
rng = ossl_rand_get0_private_noncreating(st->libctx);
if (rng != NULL)
--
2.49.0

190
0058-FIPS-limit-rsa-encrypt.patch → 0023-FIPS-RSA-encrypt-limits-REVIEW.patch
View File

@ -1,7 +1,7 @@
From 012e319b3d5b936a9208b1c75c13d9c4a2d0cc04 Mon Sep 17 00:00:00 2001
From e3def0e0439297fdfb9d17ede9f5e38e829d5d86 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 24/49] 0058-FIPS-limit-rsa-encrypt.patch
Subject: [PATCH 23/50] FIPS: RSA: encrypt limits - REVIEW
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
Patch-id: 58
@ -10,53 +10,50 @@ Patch-status: |
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
providers/common/securitycheck.c | 1 +
.../implementations/asymciphers/rsa_enc.c | 35 +++++
.../30-test_evp_data/evppkey_rsa_common.txt | 140 +++++++++++++-----
.../fips/include/fips_indicator_params.inc | 2 +-
.../implementations/asymciphers/rsa_enc.c | 26 ++++
.../30-test_evp_data/evppkey_rsa_common.txt | 146 +++++++++++++-----
test/recipes/80-test_cms.t | 5 +-
test/recipes/80-test_ssl_old.t | 27 +++-
5 files changed, 168 insertions(+), 40 deletions(-)
6 files changed, 164 insertions(+), 43 deletions(-)
mode change 100644 => 100755 test/recipes/80-test_ssl_old.t
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index fe694c4e96..f635b5aec8 100644
index 79a9c48ce2..0e517542bc 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -27,6 +27,7 @@
@@ -65,6 +65,7 @@ int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
*/
+/* Red Hat build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
int ossl_rsa_check_key_size(const RSA *rsa, int protect)
{
int protect = 0;
int sz = RSA_bits(rsa);
diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
index 78f9fc0655..6bd783eb0a 100644
--- a/providers/fips/include/fips_indicator_params.inc
+++ b/providers/fips/include/fips_indicator_params.inc
@@ -13,7 +13,7 @@ OSSL_FIPS_PARAM(sskdf_digest_check, SSKDF_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0)
OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
-OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0)
+OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 1)
OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 71bfa344d4..d548560f1f 100644
index 6ee127caff..2a7c2f159e 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -135,6 +135,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa,
return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
}
@@ -168,6 +168,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
}
#endif
+# ifdef FIPS_MODULE
+static int fips_padding_allowed(const PROV_RSA_CTX *prsactx)
+{
+ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING
+ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING)
+ return 0;
+
+ return 1;
+}
+# endif
+
static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
size_t outsize, const unsigned char *in, size_t inlen)
{
@@ -144,6 +155,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
if (!ossl_prov_is_running())
return 0;
+# ifdef FIPS_MODULE
+ if (fips_padding_allowed(prsactx) == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+ if (prsactx->pad_mode == RSA_NO_PADDING) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
+ return 0;
+ }
+
@ -69,13 +66,15 @@ index 71bfa344d4..d548560f1f 100644
if (out == NULL) {
size_t len = RSA_size(prsactx->rsa);
@@ -206,6 +229,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
@@ -230,6 +242,20 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
if (!ossl_prov_is_running())
return 0;
+# ifdef FIPS_MODULE
+ if (fips_padding_allowed(prsactx) == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+ if ((prsactx->pad_mode == RSA_PKCS1_PADDING
+ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING
+ || prsactx->pad_mode == RSA_NO_PADDING)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
+ return 0;
+ }
+
@ -89,7 +88,7 @@ index 71bfa344d4..d548560f1f 100644
if (out == NULL) {
*outlen = SSL_MAX_MASTER_KEY_LENGTH;
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
index 76ddc1ec60..62d55308b0 100644
index 18e11bdaa9..17ceb59148 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377
@ -126,7 +125,31 @@ index 76ddc1ec60..62d55308b0 100644
# Corrupted ciphertext
# Note: disable the Bleichenbacher workaround to see if it fails
Decrypt = RSA-2048
@@ -345,82 +345,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC
@@ -296,13 +296,14 @@ Input = 0000000000000000000000000000000000000001
Result = KEYOP_ERROR
# RSADP Ciphertext = 2 should pass
+Availablein = default
Decrypt = RSA-2048
Ctrl = rsa_padding_mode:none
Input = 0000000000000000000000000000000000000002
Output = 93d0bae8ad0d94de400eb078dd10edd7418ef1bf11b8e8b5d2b86b142e77d603e108fbcca2b976aa7b5326e5369db3bb73bf74f8d47c36a6318e913888c873502a561fc69329e7c24a0a016d81310449a52b29e49a6a41bdfe6c10a8d90072d64b4486756fd007c0071da2a8c7107a904621c11f0d81aa80b655a713c28170594ece28133dfbfddd61d4e4dad0d6781f6145a351a994054993fd57cd1330966ce97d7ac259b15616fd7235e2cac29fdc1c05f1612c61785614b80e7b650c03ef77d64163d75fa637cc2a9a7e570b3176fdcfb6ad6d25e8515f6ced02cfb3a441c87220044110fd27dcb53888f0377e1797bf297b7da27d3f033cd8b5d60ececc
# RSADP Ciphertext = n-2 should pass
-Availablein = fips
+Availablein = none
Decrypt = RSA-2048
Ctrl = rsa_padding_mode:none
Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44d
@@ -317,6 +318,7 @@ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b0
Result = KEYOP_ERROR
# RSADP Ciphertext = n should fail
+Availablein = default
Decrypt = RSA-2048
Ctrl = rsa_padding_mode:none
Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f
@@ -406,82 +408,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC
# RSA decrypt
# a random positive test case
@ -223,7 +246,7 @@ index 76ddc1ec60..62d55308b0 100644
# an otherwise correct plaintext, but with wrong first byte
# (0x01 instead of 0x00), generates a random 11 byte long plaintext
Decrypt = RSA-2048-2
@@ -428,7 +436,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc
@@ -489,7 +499,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc
Output = a1f8c9255c35cfba403ccc
# The old FIPS provider doesn't include the workaround (#13817)
@ -232,7 +255,7 @@ index 76ddc1ec60..62d55308b0 100644
# an otherwise correct plaintext, but with wrong second byte
# (0x01 instead of 0x02), generates a random 11 byte long plaintext
Decrypt = RSA-2048-2
@@ -436,7 +444,7 @@ Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d
@@ -497,7 +507,7 @@ Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d
Output = e6d700309ca0ed62452254
# The old FIPS provider doesn't include the workaround (#13817)
@ -241,7 +264,7 @@ index 76ddc1ec60..62d55308b0 100644
# an invalid ciphertext, with a zero byte in first byte of
# ciphertext, decrypts to a random 11 byte long synthetic
# plaintext
@@ -445,7 +453,7 @@ Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2a
@@ -506,7 +516,7 @@ Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2a
Output = ba27b1842e7c21c0e7ef6a
# The old FIPS provider doesn't include the workaround (#13817)
@ -250,7 +273,7 @@ index 76ddc1ec60..62d55308b0 100644
# an invalid ciphertext, with a zero byte removed from first byte of
# ciphertext, decrypts to a random 11 byte long synthetic
# plaintext
@@ -454,7 +462,7 @@ Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3
@@ -515,7 +525,7 @@ Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3
Output = ba27b1842e7c21c0e7ef6a
# The old FIPS provider doesn't include the workaround (#13817)
@ -259,7 +282,7 @@ index 76ddc1ec60..62d55308b0 100644
# an invalid ciphertext, with two zero bytes in first bytes of
# ciphertext, decrypts to a random 11 byte long synthetic
# plaintext
@@ -463,7 +471,7 @@ Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f
@@ -524,7 +534,7 @@ Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f
Output = d5cf555b1d6151029a429a
# The old FIPS provider doesn't include the workaround (#13817)
@ -268,7 +291,7 @@ index 76ddc1ec60..62d55308b0 100644
# an invalid ciphertext, with two zero bytes removed from first bytes of
# ciphertext, decrypts to a random 11 byte long synthetic
# plaintext
@@ -472,7 +480,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c
@@ -533,7 +543,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c
Output = d5cf555b1d6151029a429a
# The old FIPS provider doesn't include the workaround (#13817)
@ -277,7 +300,7 @@ index 76ddc1ec60..62d55308b0 100644
# and invalid ciphertext, otherwise valid but starting with 000002, decrypts
# to random 11 byte long synthetic plaintext
Decrypt = RSA-2048-2
@@ -480,7 +488,7 @@ Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802
@@ -541,7 +551,7 @@ Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802
Output = 3d4a054d9358209e9cbbb9
# The old FIPS provider doesn't include the workaround (#13817)
@ -286,7 +309,7 @@ index 76ddc1ec60..62d55308b0 100644
# negative test with otherwise valid padding but a zero byte in first byte
# of padding
Decrypt = RSA-2048-2
@@ -488,7 +496,7 @@ Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a94
@@ -549,7 +559,7 @@ Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a94
Output = 1f037dd717b07d3e7f7359
# The old FIPS provider doesn't include the workaround (#13817)
@ -295,7 +318,7 @@ index 76ddc1ec60..62d55308b0 100644
# negative test with otherwise valid padding but a zero byte at the eighth
# byte of padding
Decrypt = RSA-2048-2
@@ -496,7 +504,7 @@ Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a9646
@@ -557,7 +567,7 @@ Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a9646
Output = 63cb0bf65fc8255dd29e17
# The old FIPS provider doesn't include the workaround (#13817)
@ -304,7 +327,7 @@ index 76ddc1ec60..62d55308b0 100644
# negative test with an otherwise valid plaintext but with missing separator
# byte
Decrypt = RSA-2048-2
@@ -551,53 +559,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
@@ -612,53 +622,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
# RSA decrypt
# The old FIPS provider doesn't include the workaround (#13817)
@ -367,7 +390,7 @@ index 76ddc1ec60..62d55308b0 100644
# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
Decrypt = RSA-2049
Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3
@@ -661,14 +674,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE=
@@ -722,14 +737,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE=
PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
# The old FIPS provider doesn't include the workaround (#13817)
@ -384,7 +407,7 @@ index 76ddc1ec60..62d55308b0 100644
# a random invalid that has PRF output with a length one byte too long
# in the last value
Decrypt = RSA-3072
@@ -676,46 +689,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa
@@ -737,46 +752,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa
Output = 56a3bea054e01338be9b7d7957539c
# The old FIPS provider doesn't include the workaround (#13817)
@ -439,7 +462,7 @@ index 76ddc1ec60..62d55308b0 100644
# a random negative test case that generates a 9 byte long message based on
# second to last value from PRF
Decrypt = RSA-3072
@@ -723,7 +741,7 @@ Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a0
@@ -784,7 +804,7 @@ Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a0
Output = 043383c929060374ed
# The old FIPS provider doesn't include the workaround (#13817)
@ -448,7 +471,7 @@ index 76ddc1ec60..62d55308b0 100644
# a random negative test that generates message based on 3rd last value from
# PRF
Decrypt = RSA-3072
@@ -731,35 +749,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf48
@@ -792,35 +812,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf48
Output = 70263fa6050534b9e0
# The old FIPS provider doesn't include the workaround (#13817)
@ -489,7 +512,18 @@ index 76ddc1ec60..62d55308b0 100644
# an otherwise valid plaintext, but with null separator missing
Decrypt = RSA-3072
Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
@@ -1106,36 +1124,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2
@@ -912,9 +932,9 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
# Verify of above signature
Verify = RSA-2048-PUBLIC
+Ctrl = digest:sha256
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:0
-Ctrl = digest:sha256
Input="0123456789ABCDEF0123456789ABCDEF"
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
@@ -1207,36 +1227,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2
h90qjKHS9PvY4Q==
-----END PRIVATE KEY-----
@ -532,7 +566,7 @@ index 76ddc1ec60..62d55308b0 100644
Decrypt=RSA-OAEP-1
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1160,36 +1184,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8
@@ -1261,36 +1287,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8
eG2e4XlBcKjI6A==
-----END PRIVATE KEY-----
@ -575,7 +609,7 @@ index 76ddc1ec60..62d55308b0 100644
Decrypt=RSA-OAEP-2
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1214,36 +1244,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z
@@ -1315,36 +1347,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z
Ya4qnqZe1onjY5o=
-----END PRIVATE KEY-----
@ -618,7 +652,7 @@ index 76ddc1ec60..62d55308b0 100644
Decrypt=RSA-OAEP-3
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1268,36 +1304,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq
@@ -1369,36 +1407,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq
aD0x7TDrmEvkEro=
-----END PRIVATE KEY-----
@ -661,7 +695,7 @@ index 76ddc1ec60..62d55308b0 100644
Decrypt=RSA-OAEP-4
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1322,36 +1364,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B
@@ -1423,36 +1467,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B
MSwGUGLx60i3nRyDyw==
-----END PRIVATE KEY-----
@ -704,7 +738,7 @@ index 76ddc1ec60..62d55308b0 100644
Decrypt=RSA-OAEP-5
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1376,36 +1424,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC
@@ -1477,36 +1527,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC
Yejn5Ly8mU2q+jBcRQ==
-----END PRIVATE KEY-----
@ -747,7 +781,7 @@ index 76ddc1ec60..62d55308b0 100644
Decrypt=RSA-OAEP-6
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1430,36 +1484,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS
@@ -1531,36 +1587,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS
FMlxv0gq65dqc3DC
-----END PRIVATE KEY-----
@ -790,7 +824,7 @@ index 76ddc1ec60..62d55308b0 100644
Decrypt=RSA-OAEP-7
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1484,36 +1544,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM
@@ -1585,36 +1647,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM
2MiPa249Z+lh3Luj0A==
-----END PRIVATE KEY-----
@ -833,7 +867,7 @@ index 76ddc1ec60..62d55308b0 100644
Decrypt=RSA-OAEP-8
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1544,36 +1610,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo
@@ -1645,36 +1713,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo
tKo5Eb69iFQvBb4=
-----END PRIVATE KEY-----
@ -877,19 +911,19 @@ index 76ddc1ec60..62d55308b0 100644
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 4e368c730b..879d5d76eb 100644
index 5c967c5818..d13dceaac5 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -235,7 +235,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
"-aes256", "-stream", "-out", "{output}.cms",
$smrsa1,
@@ -1118,6 +1118,9 @@ sub check_availability {
if ($no_fips || $old_fips) {
push(@smime_pkcs7_tests,
- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
"-aes256", "-stream", "-out", "{output}.cms",
$smrsa1,
@@ -1267,6 +1267,9 @@ sub check_availability {
return "$tnam: skipped, DSA disabled\n"
if ($no_dsa && $tnam =~ / DSA/);
@ -900,10 +934,12 @@ index 4e368c730b..879d5d76eb 100644
}
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index e2dcb68fb5..0775112b40 100644
old mode 100644
new mode 100755
index f7be2e1872..568a1ddba4
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -493,6 +493,18 @@ sub testssl {
@@ -561,6 +561,18 @@ sub testssl {
# the default choice if TLSv1.3 enabled
my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
my $ciphersuites = "";
@ -920,9 +956,9 @@ index e2dcb68fb5..0775112b40 100644
+AES128-SHA:@SECLEVEL=0
+ );
foreach my $cipher (@{$ciphersuites{$protocol}}) {
if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
note "*****SKIPPING $protocol $cipher";
@@ -504,11 +516,16 @@ sub testssl {
if ($dsaallow == '0' && index($cipher, "DSS") != -1) {
# DSA is not allowed in FIPS 140-3
@@ -576,11 +588,16 @@ sub testssl {
} else {
$cipher = $cipher.':@SECLEVEL=0';
}
@ -945,5 +981,5 @@ index e2dcb68fb5..0775112b40 100644
}
next if $protocol eq "-tls1_3";
--
2.44.0
2.49.0

157
0024-FIPS-RSA-PCTs.patch Normal file
View File

@ -0,0 +1,157 @@
From 77fdffb56f9194fe81d7e91bf9a7ac06be02e250 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:37 -0400
Subject: [PATCH 24/50] FIPS: RSA: PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
2 files changed, 61 insertions(+), 4 deletions(-)
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 77d0950094..f0e71beb43 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -433,6 +433,7 @@ struct rsa_gen_ctx {
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
/* ACVP test parameters */
OSSL_PARAM *acvp_test_params;
+ void *prov_rsa_ctx;
#endif
};
@@ -446,6 +447,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
return gctx->cb(params, gctx->cbarg);
}
+#ifdef FIPS_MODULE
+void *rsa_newctx(void *provctx, const char *propq);
+void rsa_freectx(void *vctx);
+int do_rsa_pct(void *, const char *, void *);
+#endif
+
static void *gen_init(void *provctx, int selection, int rsa_type,
const OSSL_PARAM params[])
{
@@ -473,6 +480,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
if (!rsa_gen_set_params(gctx, params))
goto err;
+#ifdef FIPS_MODULE
+ if (gctx != NULL)
+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
+#endif
return gctx;
err:
@@ -629,6 +640,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
rsa = rsa_tmp;
rsa_tmp = NULL;
+#ifdef FIPS_MODULE
+ /* Pairwise consistency test */
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
+ abort();
+#endif
err:
BN_GENCB_free(gencb);
RSA_free(rsa_tmp);
@@ -644,6 +660,8 @@ static void rsa_gen_cleanup(void *genctx)
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
gctx->acvp_test_params = NULL;
+ rsa_freectx(gctx->prov_rsa_ctx);
+ gctx->prov_rsa_ctx = NULL;
#endif
BN_clear_free(gctx->pub_exp);
OPENSSL_free(gctx);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index c4740128ce..b08c9685dd 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -37,7 +37,7 @@
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
+OSSL_FUNC_signature_newctx_fn rsa_newctx;
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
@@ -54,7 +54,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update;
static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
+OSSL_FUNC_signature_freectx_fn rsa_freectx;
static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
@@ -226,7 +226,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
return 1;
}
-static void *rsa_newctx(void *provctx, const char *propq)
+void *rsa_newctx(void *provctx, const char *propq)
{
PROV_RSA_CTX *prsactx = NULL;
char *propq_copy = NULL;
@@ -1317,7 +1317,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
return ok;
}
-static void rsa_freectx(void *vprsactx)
+void rsa_freectx(void *vprsactx)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
@@ -1867,6 +1867,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
return EVP_MD_settable_ctx_params(prsactx->md);
}
+#ifdef FIPS_MODULE
+int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
+{
+ static const unsigned char data[32];
+ unsigned char *sigbuf = NULL;
+ size_t siglen = 0;
+ int ret = 0;
+
+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
+ return 0;
+
+ if (rsa_digest_sign_update(vctx, data, sizeof(data)) <= 0)
+ return 0;
+
+ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
+ return 0;
+
+ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
+ return 0;
+
+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
+ goto err;
+
+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
+ goto err;
+
+ if (rsa_digest_verify_update(vctx, data, sizeof(data)) <= 0)
+ goto err;
+
+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
+ goto err;
+ ret = 1;
+
+ err:
+ OPENSSL_free(sigbuf);
+ return ret;
+}
+#endif
+
const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
--
2.49.0

80
0024-load-legacy-prov.patch
View File

@ -1,80 +0,0 @@
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
-# For FIPS
-# Optionally include a file that is generated by the OpenSSL fipsinstall
-# application. This file contains configuration data required by the OpenSSL
-# fips provider. It contains a named section e.g. [fips_sect] which is
-# referenced from the [provider_sect] below.
-# Refer to the OpenSSL security policy for more information.
-# .include fipsmodule.cnf
-
[openssl_init]
providers = provider_sect
# Load default TLS policy configuration
@@ -42,23 +42,27 @@ [ evp_properties ]
#This section is intentionally added empty here
#to be tuned on particular systems
-# List of providers to load
-[provider_sect]
-default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
+# Key Derivation Function (KDF): PBKDF1
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
-# If you add a section explicitly activating any other provider(s), you most
-# probably need to explicitly activate the default provider, otherwise it
-# becomes unavailable in openssl. As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
-[default_sect]
-# activate = 1
+[provider_sect]
+default = default_sect
+##legacy = legacy_sect
+##
+[default_sect]
+activate = 1
+
+##[legacy_sect]
+##activate = 1
+
+#Place the third party provider configuration files into this folder
+.include /etc/pki/tls/openssl.d
[ ssl_module ]
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
@@ -273,6 +273,14 @@ significant.
All parameters in the section as well as sub-sections are made
available to the provider.
+=head3 Loading the legacy provider
+
+Uncomment the sections that start with ## in openssl.cnf
+to enable the legacy provider.
+Note: In general it is not recommended to use the above mentioned algorithms for
+security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated.
+
=head3 Default provider and its activation
If no providers are activated explicitly, the default one is activated implicitly.

59
0025-FIPS-RSA-encapsulate-limits.patch Normal file
View File

@ -0,0 +1,59 @@
From 1ba2caa0c71e45e5ccc9cec2e389d3ee7c68a252 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 25/50] FIPS: RSA: encapsulate limits
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
Patch-status: |
# 0091-FIPS-RSA-encapsulate.patch
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
providers/implementations/kem/rsa_kem.c | 14 ++++++++++++++
test/recipes/30-test_evp_data/evppkey_rsa_kem.txt | 1 +
2 files changed, 15 insertions(+)
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 7494dcc010..5d6123e8cb 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -284,6 +284,13 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
/* Step (1): nlen = Ceil(len(n)/8) */
nlen = RSA_size(prsactx->rsa);
+#ifdef FIPS_MODULE
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
if (out == NULL) {
if (nlen == 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
@@ -360,6 +367,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
/* Step (1): get the byte length of n */
nlen = RSA_size(prsactx->rsa);
+#ifdef FIPS_MODULE
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
if (out == NULL) {
if (nlen == 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt b/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt
index ecab1454e7..8e5edd35fe 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt
@@ -108,3 +108,4 @@ Securitycheck = 1
Unapproved = 1
CtrlInit = key-check:0
Op = RSASVE
+Result = TEST_ENCAPSULATE_LEN_ERROR
--
2.49.0

26
0025-for-tests.patch
View File

@ -1,26 +0,0 @@
diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100
+++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100
@@ -55,17 +55,17 @@ providers = provider_sect
# to side-channel attacks and as such have been deprecated.
[provider_sect]
-default = default_sect
+##default = default_sect
##legacy = legacy_sect
##
-[default_sect]
-activate = 1
+##[default_sect]
+##activate = 1
##[legacy_sect]
##activate = 1
-#Place the third party provider configuration files into this folder
-.include /etc/pki/tls/openssl.d
+##Place the third party provider configuration files into this folder
+#.include /etc/pki/tls/openssl.d
####################################################################

70
0085-FIPS-RSA-disable-shake.patch → 0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
View File

@ -1,7 +1,7 @@
From 52b347703ba2b98a0efee86c1a483c2f0f9f73d6 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 11 Jan 2023 12:52:59 +0100
Subject: [PATCH] rsa: Disallow SHAKE in OAEP and PSS in FIPS prov
From 3b61e3b98c1c0110e9c55fb14a967c69d8efdda8 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 26/50] FIPS: RSA: Disallow SHAKE in OAEP and PSS
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
must not be used in higher-level algorithms (such as RSA-OAEP and
@ -17,68 +17,52 @@ Add a check to prevent their use as message digest in PSS signatures and
as MGF1 hash function in both OAEP and PSS.
Signed-off-by: Clemens Lang <cllang@redhat.com>
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
crypto/rsa/rsa_oaep.c | 16 ++++++++++++++++
crypto/rsa/rsa_pss.c | 16 ++++++++++++++++
2 files changed, 44 insertions(+)
2 files changed, 32 insertions(+)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index d9be1a4f98..dfe9c9f0e8 100644
index 5a1c080fcd..11cd78618b 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -73,9 +73,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
return 0;
#endif
}
+
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return 0;
+ }
+#endif
@@ -76,6 +76,14 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
if (mgf1md == NULL)
mgf1md = md;
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") ||
+ EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return 0;
+ }
+#endif
+
mdlen = EVP_MD_get_size(md);
if (mdlen <= 0) {
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
@@ -181,9 +195,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
#endif
}
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return -1;
+ }
+#endif
+
#ifdef FIPS_MODULE
/* XOF are approved as standalone; Shake256 in Ed448; MGF */
if (EVP_MD_xof(md)) {
@@ -194,6 +202,14 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
if (mgf1md == NULL)
mgf1md = md;
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") ||
+ EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return -1;
+ }
+#endif
+
mdlen = EVP_MD_get_size(md);
if (tlen <= 0 || flen <= 0)
#ifdef FIPS_MODULE
/* XOF are approved as standalone; Shake256 in Ed448; MGF */
if (EVP_MD_xof(md)) {
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index 33874bfef8..e8681b0351 100644
index a2bc198a89..2833ca50f3 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
@@ -61,6 +61,14 @@ int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
if (mgf1Hash == NULL)
mgf1Hash = Hash;
@ -91,9 +75,9 @@ index 33874bfef8..e8681b0351 100644
+#endif
+
hLen = EVP_MD_get_size(Hash);
if (hLen < 0)
if (hLen <= 0)
goto err;
@@ -164,6 +172,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
@@ -186,6 +194,14 @@ int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
if (mgf1Hash == NULL)
mgf1Hash = Hash;
@ -106,8 +90,8 @@ index 33874bfef8..e8681b0351 100644
+#endif
+
hLen = EVP_MD_get_size(Hash);
if (hLen < 0)
if (hLen <= 0)
goto err;
--
2.39.0
2.49.0

443
0027-FIPS-RSA-size-mode-restrictions.patch Normal file
View File

@ -0,0 +1,443 @@
From 8cb662f002e33c6fb99b96ef24733e16e3dc48ad Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:20:30 -0500
Subject: [PATCH 27/50] FIPS: RSA: size/mode restrictions
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/implementations/signature/rsa_sig.c | 26 +++++++++
ssl/ssl_ciph.c | 3 +
test/recipes/30-test_evp_data/evppkey_rsa.txt | 55 ++++++++++++++++++-
.../30-test_evp_data/evppkey_rsa_common.txt | 8 +--
4 files changed, 87 insertions(+), 5 deletions(-)
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index b08c9685dd..0e0810f60a 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -940,6 +940,19 @@ static int rsa_verify_recover(void *vprsactx,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
+# ifdef FIPS_MODULE
+ size_t rsabits = RSA_bits(prsactx->rsa);
+
+ if (rsabits < 2048) {
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ }
+# endif
if (!ossl_prov_is_running())
return 0;
@@ -1034,6 +1047,19 @@ static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
const unsigned char *tbs, size_t tbslen)
{
size_t rslen;
+# ifdef FIPS_MODULE
+ size_t rsabits = RSA_bits(prsactx->rsa);
+
+ if (rsabits < 2048) {
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ }
+# endif
if (!ossl_prov_is_running())
return 0;
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 19420d6c6a..5ab1ccee93 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -350,6 +350,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
ctx->disabled_mkey_mask = 0;
ctx->disabled_auth_mask = 0;
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
+
/*
* We ignore any errors from the fetches below. They are expected to fail
* if these algorithms are not available.
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt
index f1dc5dd2a2..103556c750 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt
@@ -268,8 +268,8 @@ TwIDAQAB
PrivPubKeyPair = RSA-PSS:RSA-PSS-DEFAULT
-
# Wrong MGF1 digest
+Availablein = default
Verify = RSA-2048
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:0
@@ -279,7 +279,19 @@ Input="0123456789ABCDEF0123456789ABCDEF"
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
Result = VERIFY_ERROR
+# Wrong MGF1 digest - In RHEL FIPS errors as set ctx before verify
+Availablein = fips
+Verify = RSA-2048
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:0
+Ctrl = digest:sha256
+Ctrl = rsa_mgf1_md:sha1
+Input="0123456789ABCDEF0123456789ABCDEF"
+Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
+Result = PKEY_CTRL_ERROR
+
# Verify using default parameters
+Availablein = default
Verify = RSA-PSS-DEFAULT
Input="0123456789ABCDEF0123"
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
@@ -303,36 +315,42 @@ fc6CnohE9iWxFeXpxKWc+PgRO2g0M2ov0mibRyy7Xlyr5nQ1DFm2wX4XaHT7Qvj8
PRdqAX7cYf0ybEszyQIDAQAB
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-2
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=5c81a3e2a658246628cd0ee8b00bb4c012bc9739
Output=014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3
+Availablein = default
Verify=RSA-PSS-2
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=27f71611446aa6eabf037f7dedeede3203244991
Output=010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea
+Availablein = default
Verify=RSA-PSS-2
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=03ecc2c33e93f05fc7224fcc0d461356cb897217
Output=007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4
+Availablein = default
Verify=RSA-PSS-2
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=246c727b4b9494849dddb068d582e179ac20999c
Output=009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b
+Availablein = default
Verify=RSA-PSS-2
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=e8617ca3ea66ce6a58ede2d11af8c3ba8a6ba912
Output=00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf
+Availablein = default
Verify=RSA-PSS-2
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -348,36 +366,42 @@ nQ6tsIdYbKSJM9o8yVPZW9DtUN4Q3ctnNhB9bIMcf2Y+gzykwJfnAM4PuUX4j7hf
6OWncxclZbkUpHGkQwIDAQAB
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-3
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=3552be69dd74bdc56d2cf8c38ef7bafe269040fe
Output=0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f
+Availablein = default
Verify=RSA-PSS-3
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=609143ff7240e55c062aba8b9e4426a781919bc9
Output=02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af
+Availablein = default
Verify=RSA-PSS-3
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=0afd22f879a9cda7c584f4135f8f1c961db114c0
Output=0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c
+Availablein = default
Verify=RSA-PSS-3
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=405dd56d395ef0f01b555c48f748cc32b210650b
Output=0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8
+Availablein = default
Verify=RSA-PSS-3
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=a2c313b0440c8a0c47233b87f0a160c61af3eae7
Output=021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83
+Availablein = default
Verify=RSA-PSS-3
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -393,36 +417,42 @@ MAz5u2xTrR3IoXi4FdtCNamp2gwG3k5hXqEnfOVZ6cEI3ljBSoGqd/Wm+NEzVJRJ
iEjIuVlAdAvnv3w3BQIDAQAB
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-4
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=f8b0abf70fec0bca74f0accbc24f75e6e90d3bfd
Output=0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948
+Availablein = default
Verify=RSA-PSS-4
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=04a10944bfe11ab801e77889f3fd3d7f4ff0b629
Output=049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598
+Availablein = default
Verify=RSA-PSS-4
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=ba01243db223eb97fb86d746c3148adaaa0ca344
Output=03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253b855fb626a90d771eae028b0c47a199cbd9f8e3269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad
+Availablein = default
Verify=RSA-PSS-4
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=934bb0d38d6836daec9de82a9648d4593da67cd2
Output=0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f
+Availablein = default
Verify=RSA-PSS-4
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=ec35d81abd1cceac425a935758b683465c8bd879
Output=022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a
+Availablein = default
Verify=RSA-PSS-4
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -438,18 +468,21 @@ pLDMjaMl7YqmdrDQ9ibgp38HaSFwrKyAgvQvqn3HzRI+cw4xqHmFIEyry+ZnDUOi
3Sst3vXgU5L8ITvFBwIDAQAB
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-5
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=d98b7061943510bc3dd9162f7169aabdbdcd0222
Output=0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d
+Availablein = default
Verify=RSA-PSS-5
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=7ae8e699f754988f4fd645e463302e49a2552072
Output=08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e
+Availablein = default
Verify=RSA-PSS-5
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -463,12 +496,14 @@ Ctrl = rsa_mgf1_md:sha1
Input=ee3de96783fd0a157c8b20bf5566124124dcfe65
Output=0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1
+Availablein = default
Verify=RSA-PSS-5
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=1204df0b03c2724e2709c23fc71789a21b00ae4c
Output=0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd
+Availablein = default
Verify=RSA-PSS-5
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -484,36 +519,42 @@ Kl8QsJwxGvjA/7W3opfy78Y7jWsFEJMfC5jki/X8bsTnuNsf+usIw44CrbjwOkgi
nJnpaUMfYcuMTcaY0QIDAQAB
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-6
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=ab464e8cb65ae5fdea47a53fa84b234d6bfd52f6
Output=04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1
+Availablein = default
Verify=RSA-PSS-6
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=92d0bcae82b641f578f040f5151be8eda6d42299
Output=0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773
+Availablein = default
Verify=RSA-PSS-6
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=3569bd8fd2e28f2443375efa94f186f6911ffc2b
Output=086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456
+Availablein = default
Verify=RSA-PSS-6
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=7abbb7b42de335730a0b641f1e314b6950b84f98
Output=0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f
+Availablein = default
Verify=RSA-PSS-6
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=55b7eb27be7a787a59eb7e5fac468db8917a7725
Output=02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b
+Availablein = default
Verify=RSA-PSS-6
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -529,36 +570,42 @@ MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgTfJ2kpmyMQIuNon0MnXn4zLHq/B
2LXF01SAItcGTqKaswIDAQAB
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-7
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=8be4afbdd76bd8d142c5f4f46dba771ee5d6d29d
Output=187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823
+Availablein = default
Verify=RSA-PSS-7
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=402140dc605b2f5c5ec0d15bce9f9ba8857fe117
Output=10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db815ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8
+Availablein = default
Verify=RSA-PSS-7
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=3e885205892ff2b6b37c2c4eb486c4bf2f9e7f20
Output=2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1
+Availablein = default
Verify=RSA-PSS-7
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=1fc2201d0c442a4736cd8b2cd00c959c47a3bf42
Output=32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be040aea36fe132ec130e1f10567982d17ac3e89b8d26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19
+Availablein = default
Verify=RSA-PSS-7
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=e4351b66819e5a31501f89acc7faf57030e9aac5
Output=07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1
+Availablein = default
Verify=RSA-PSS-7
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -574,36 +621,42 @@ R1PbPO4O4Gx9+uix1TtZUyGPnM7qaVsIZo7eqtztlGOx15DV6/J+kRW0bK1NmiuO
+rBWGwgQNEc5raBzPwIDAQAB
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-8
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=a1dd230d8ead860199b6277c2ecfe3d95f6d9160
Output=0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5
+Availablein = default
Verify=RSA-PSS-8
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=f6e68e53c602c5c65fa67b5aa6d786e5524b12ab
Output=2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e
+Availablein = default
Verify=RSA-PSS-8
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=d6f9fcd3ae27f32bb2c7c93536782eba52af1f76
Output=2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96
+Availablein = default
Verify=RSA-PSS-8
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=7ff2a53ce2e2d900d468e498f230a5f5dd0020de
Output=1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7
+Availablein = default
Verify=RSA-PSS-8
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=4eb309f7022ba0b03bb78601b12931ec7c1be8d3
Output=33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee
+Availablein = default
Verify=RSA-PSS-8
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
index 17ceb59148..972e90f32f 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -285,7 +285,7 @@ FIPSversion = >=3.4.0
Decrypt = RSA-2048
Ctrl = rsa_padding_mode:none
Input = 0000000000000000000000000000000000000000
-Result = KEYOP_ERROR
+Result = KEYOP_LENGTH_ERROR
# RSADP Ciphertext = 1 should fail
Availablein = fips
@@ -293,7 +293,7 @@ FIPSversion = >=3.4.0
Decrypt = RSA-2048
Ctrl = rsa_padding_mode:none
Input = 0000000000000000000000000000000000000001
-Result = KEYOP_ERROR
+Result = KEYOP_LENGTH_ERROR
# RSADP Ciphertext = 2 should pass
Availablein = default
@@ -315,7 +315,7 @@ FIPSversion = >=3.4.0
Decrypt = RSA-2048
Ctrl = rsa_padding_mode:none
Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44e
-Result = KEYOP_ERROR
+Result = KEYOP_LENGTH_ERROR
# RSADP Ciphertext = n should fail
Availablein = default
@@ -2074,7 +2074,7 @@ Securitycheck = 1
Unapproved = 1
CtrlInit = key-check:0
Input = 550AF55A2904E7B9762352F8FB7FA235
-Result = KEYOP_MISMATCH
+Result = KEYOP_LENGTH_ERROR
# Signing with SHA1 is not allowed in fips mode
Availablein = fips
--
2.49.0

26
0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch Normal file
View File

@ -0,0 +1,26 @@
From 325fb1b9829a5731d9807161f077dae684fa58cb Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 11:03:45 -0400
Subject: [PATCH 28/50] FIPS: RSA: Mark x931 as not approved by default
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/include/fips_indicator_params.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
index 6bd783eb0a..c1b029de86 100644
--- a/providers/fips/include/fips_indicator_params.inc
+++ b/providers/fips/include/fips_indicator_params.inc
@@ -15,7 +15,7 @@ OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 1)
OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
-OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
+OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 1)
OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
--
2.49.0

58
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch → 0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
View File

@ -1,7 +1,7 @@
From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 13:53:31 +0100
Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov
From 004971c02760bcddb77954b90a2be4aeeb70ec22 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 29/50] FIPS: RSA: Remove X9.31 padding signatures tests
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
@ -21,34 +21,17 @@ now.
[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
providers/implementations/signature/rsa_sig.c | 6 +
test/acvp_test.inc | 214 ------------------
2 files changed, 6 insertions(+), 214 deletions(-)
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 34f45175e8..49e7f9158a 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -1233,7 +1233,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
err_extra_text = "No padding not allowed with RSA-PSS";
goto cont;
case RSA_X931_PADDING:
+#ifndef FIPS_MODULE
err_extra_text = "X.931 padding not allowed with RSA-PSS";
+#else /* !defined(FIPS_MODULE) */
+ err_extra_text = "X.931 padding no longer allowed in FIPS mode,"
+ " since it was removed from FIPS 186-5";
+ goto bad_pad;
+#endif /* !defined(FIPS_MODULE) */
cont:
if (RSA_test_flags(prsactx->rsa,
RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
test/acvp_test.inc | 225 ---------------------------------------------
1 file changed, 225 deletions(-)
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
index 73b24bdb0c..96a72073f9 100644
index 97ec1ff3e5..31fa0eafc6 100644
--- a/test/acvp_test.inc
+++ b/test/acvp_test.inc
@@ -1204,13 +1204,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
@@ -1354,13 +1354,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
ITM(rsa_siggen0_msg),
NO_PSS_SALT_LEN,
},
@ -62,8 +45,8 @@ index 73b24bdb0c..96a72073f9 100644
{
"pss",
2048,
@@ -1622,202 +1615,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = {
0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b,
@@ -1772,202 +1765,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = {
0xe9, 0x97, 0x20, 0x35, 0xf8, 0xf1, 0x78, 0xe1
};
-static const unsigned char rsa_sigverx931_0_n[] = {
@ -265,13 +248,24 @@ index 73b24bdb0c..96a72073f9 100644
static const struct rsa_sigver_st rsa_sigver_data[] = {
{
"pkcs1", /* pkcs1v1.5 */
@@ -1841,17 +1638,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
@@ -1991,28 +1788,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
NO_PSS_SALT_LEN,
FAIL
},
- {
- "x931",
- 3072,
- "SHA1",
- ITM(rsa_sigverx931_0_msg),
- ITM(rsa_sigverx931_0_n),
- ITM(rsa_sigverx931_0_e),
- ITM(rsa_sigverx931_0_sig),
- NO_PSS_SALT_LEN,
- PASS
- },
- {
- "x931",
- 3072,
- "SHA256",
- ITM(rsa_sigverx931_1_msg),
- ITM(rsa_sigverx931_1_n),
@ -284,5 +278,5 @@ index 73b24bdb0c..96a72073f9 100644
"pss",
4096,
--
2.38.1
2.49.0

387
0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch Normal file
View File

@ -0,0 +1,387 @@
From 0d8ac9675eaaf3eaded5f7d2ec304be022eacd10 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:12:02 -0500
Subject: [PATCH 30/50] FIPS: RSA: NEEDS-REWORK:
FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed
Signed-off-by: Simo Sorce <simo@redhat.com>
---
...EP-in-KATs-support-fixed-OAEP-seed.p.patch | 348 ++++++++++++++++++
REBASE.txt | 10 +
2 files changed, 358 insertions(+)
create mode 100644 Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
create mode 100644 REBASE.txt
diff --git a/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
new file mode 100644
index 0000000000..793b8a4dac
--- /dev/null
+++ b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
@@ -0,0 +1,348 @@
+From a0e92712c141cda0b8321feb492982506b18c612 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 28/55]
+ 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+
+Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+Patch-id: 73
+Patch-status: |
+ # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/rsa/rsa_local.h | 8 ++
+ crypto/rsa/rsa_oaep.c | 34 ++++++--
+ providers/fips/self_test_data.inc | 79 ++++++++++---------
+ providers/fips/self_test_kats.c | 7 ++
+ .../implementations/asymciphers/rsa_enc.c | 41 +++++++++-
+ util/perl/OpenSSL/paramnames.pm | 1 +
+ 6 files changed, 126 insertions(+), 44 deletions(-)
+
+diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
+index ea70da05ad..dde57a1a0e 100644
+--- a/crypto/rsa/rsa_local.h
++++ b/crypto/rsa/rsa_local.h
+@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to
+ int tlen, const unsigned char *from,
+ int flen);
+
++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
++ unsigned char *to, int tlen,
++ const unsigned char *from, int flen,
++ const unsigned char *param,
++ int plen, const EVP_MD *md,
++ const EVP_MD *mgf1md,
++ const char *redhat_st_seed);
++
+ #endif /* OSSL_CRYPTO_RSA_LOCAL_H */
+diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
+index b9030440c4..3d665c3860 100644
+--- a/crypto/rsa/rsa_oaep.c
++++ b/crypto/rsa/rsa_oaep.c
+@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+ param, plen, NULL, NULL);
+ }
+
++#ifdef FIPS_MODULE
++extern int REDHAT_FIPS_asym_cipher_st;
++#endif /* FIPS_MODULE */
++
+ /*
+ * Perform the padding as per NIST 800-56B 7.2.2.3
+ * from (K) is the key material.
+@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+ * Step numbers are included here but not in the constant time inverse below
+ * to avoid complicating an already difficult enough function.
+ */
+-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+- unsigned char *to, int tlen,
+- const unsigned char *from, int flen,
+- const unsigned char *param,
+- int plen, const EVP_MD *md,
+- const EVP_MD *mgf1md)
++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
++ unsigned char *to, int tlen,
++ const unsigned char *from, int flen,
++ const unsigned char *param,
++ int plen, const EVP_MD *md,
++ const EVP_MD *mgf1md,
++ const char *redhat_st_seed)
+ {
+ int rv = 0;
+ int i, emlen = tlen - 1;
+@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+ db[emlen - flen - mdlen - 1] = 0x01;
+ memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
+ /* step 3d: generate random byte string */
++#ifdef FIPS_MODULE
++ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
++ memcpy(seed, redhat_st_seed, mdlen);
++ } else
++#endif
+ if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
+ goto err;
+
+@@ -136,6 +146,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+ return rv;
+ }
+
++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
++ unsigned char *to, int tlen,
++ const unsigned char *from, int flen,
++ const unsigned char *param,
++ int plen, const EVP_MD *md,
++ const EVP_MD *mgf1md)
++{
++ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from,
++ flen, param, plen, md,
++ mgf1md, NULL);
++}
++
+ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+ const unsigned char *from, int flen,
+ const unsigned char *param, int plen,
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index 4b80bb70b9..c33ecd0791 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
+ };
+
+ /*-
+- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
+ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
+ * HP/UX PA-RISC compilers.
+ */
+-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
++static const char oaep_fixed_seed[] = {
++ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
++ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
++ 0x2e, 0x4b, 0x2c, 0xe6
++};
+
+ static const ST_KAT_PARAM rsa_enc_params[] = {
+- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
++ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
++ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED,
++ oaep_fixed_seed),
+ ST_KAT_PARAM_END()
+ };
+
+@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = {
+ 0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
+ };
+
+-static const unsigned char rsa_asym_plaintext_encrypt[256] = {
++static const unsigned char rsa_asym_plaintext_encrypt[208] = {
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+ };
+ static const unsigned char rsa_asym_expected_encrypt[256] = {
+- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b,
+- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61,
+- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c,
+- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc,
+- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0,
+- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa,
+- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a,
+- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc,
+- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35,
+- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a,
+- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd,
+- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda,
+- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18,
+- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7,
+- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39,
+- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87,
+- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21,
+- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0,
+- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8,
+- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c,
+- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa,
+- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69,
+- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52,
+- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c,
+- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6,
+- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93,
+- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d,
+- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5,
+- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9,
+- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04,
+- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa,
+- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab,
++ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74,
++ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c,
++ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e,
++ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b,
++ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25,
++ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89,
++ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1,
++ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50,
++ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17,
++ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2,
++ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb,
++ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d,
++ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e,
++ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f,
++ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3,
++ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06,
++ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25,
++ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78,
++ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04,
++ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c,
++ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47,
++ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce,
++ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0,
++ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6,
++ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99,
++ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30,
++ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20,
++ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb,
++ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27,
++ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66,
++ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a,
++ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06
+ };
+
+ #ifndef OPENSSL_NO_EC
+diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
+index f13c41abd6..4ea10670c0 100644
+--- a/providers/fips/self_test_kats.c
++++ b/providers/fips/self_test_kats.c
+@@ -642,14 +642,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+ return ret;
+ }
+
++int REDHAT_FIPS_asym_cipher_st = 0;
++
+ static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+ {
+ int i, ret = 1;
+
++ REDHAT_FIPS_asym_cipher_st = 1;
++
+ for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
+ if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
+ ret = 0;
+ }
++
++ REDHAT_FIPS_asym_cipher_st = 0;
++
+ return ret;
+ }
+
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index d548560f1f..f3443b0c66 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -30,6 +30,9 @@
+ #include "prov/implementations.h"
+ #include "prov/providercommon.h"
+ #include "prov/securitycheck.h"
++#ifdef FIPS_MODULE
++# include "crypto/rsa/rsa_local.h"
++#endif
+
+ #include <stdlib.h>
+
+@@ -75,6 +78,9 @@ typedef struct {
+ /* TLS padding */
+ unsigned int client_version;
+ unsigned int alt_version;
++#ifdef FIPS_MODULE
++ char *redhat_st_oaep_seed;
++#endif /* FIPS_MODULE */
+ /* PKCS#1 v1.5 decryption mode */
+ unsigned int implicit_rejection;
+ } PROV_RSA_CTX;
+@@ -193,12 +199,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ }
+ }
+ ret =
+- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
++#ifdef FIPS_MODULE
++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(
++#else
++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(
++#endif
++ prsactx->libctx, tbuf,
+ rsasize, in, inlen,
+ prsactx->oaep_label,
+ prsactx->oaep_labellen,
+ prsactx->oaep_md,
+- prsactx->mgf1_md);
++ prsactx->mgf1_md
++#ifdef FIPS_MODULE
++ , prsactx->redhat_st_oaep_seed
++#endif
++ );
+
+ if (!ret) {
+ OPENSSL_free(tbuf);
+@@ -332,6 +347,9 @@ static void rsa_freectx(void *vprsactx)
+ EVP_MD_free(prsactx->oaep_md);
+ EVP_MD_free(prsactx->mgf1_md);
+ OPENSSL_free(prsactx->oaep_label);
++#ifdef FIPS_MODULE
++ OPENSSL_free(prsactx->redhat_st_oaep_seed);
++#endif /* FIPS_MODULE */
+
+ OPENSSL_free(prsactx);
+ }
+@@ -455,6 +473,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ NULL, 0),
+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
++#endif /* FIPS_MODULE */
+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
+ OSSL_PARAM_END
+ };
+@@ -465,6 +486,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
+ return known_gettable_ctx_params;
+ }
+
++#ifdef FIPS_MODULE
++extern int REDHAT_FIPS_asym_cipher_st;
++#endif /* FIPS_MODULE */
++
+ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+ {
+ PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+@@ -576,6 +601,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+ prsactx->oaep_labellen = tmp_labellen;
+ }
+
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED);
++ if (p != NULL && REDHAT_FIPS_asym_cipher_st) {
++ void *tmp_oaep_seed = NULL;
++
++ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL))
++ return 0;
++ OPENSSL_free(prsactx->redhat_st_oaep_seed);
++ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed;
++ }
++#endif /* FIPS_MODULE */
++
+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
+ if (p != NULL) {
+ unsigned int client_version;
+diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
+index c37ed7815f..70f7c50fe4 100644
+--- a/util/perl/OpenSSL/paramnames.pm
++++ b/util/perl/OpenSSL/paramnames.pm
+@@ -401,6 +401,7 @@ my %params = (
+ 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version",
+ 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
+ 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
++ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
+
+ # Encoder / decoder parameters
+
+--
+2.48.1
+
diff --git a/REBASE.txt b/REBASE.txt
new file mode 100644
index 0000000000..2833a383c1
--- /dev/null
+++ b/REBASE.txt
@@ -0,0 +1,10 @@
+0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
+
+Some asym testing has been dropped upstream, unclear if this needs to survive,
+if so we may need to resurrect deleted code in upstream patch:
+
+ commit 635bf4946a7e948f26a348ddc3b5a8d282354f64
+
+ fips: remove redundant RSA encrypt/decrypt KAT
+--
+
--
2.49.0

358
0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch → 0031-FIPS-Deny-SHA-1-signature-verification.patch
View File

@ -1,7 +1,7 @@
From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 18 May 2022 17:25:59 +0200
Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
From 446e3e1ec006a55206881c5e7e658918e104a972 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 31/50] FIPS: Deny SHA-1 signature verification
For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
@ -27,112 +27,83 @@ This requires adjusting a few tests that would otherwise fail:
the FIPS provider.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Bug Id: https://bugzilla.redhat.com/show_bug.cgi?id=2087147
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
providers/implementations/signature/dsa_sig.c | 4 --
.../implementations/signature/ecdsa_sig.c | 4 --
providers/implementations/signature/rsa_sig.c | 8 +--
test/acvp_test.inc | 20 -------
.../30-test_evp_data/evppkey_ecdsa.txt | 7 +++
.../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++-
providers/implementations/signature/dsa_sig.c | 4 +-
.../implementations/signature/ecdsa_sig.c | 4 +-
providers/implementations/signature/rsa_sig.c | 8 ++-
.../30-test_evp_data/evppkey_ecdsa.txt | 11 +++-
.../30-test_evp_data/evppkey_ecdsa_sigalg.txt | 64 ++++++++++++++++---
.../30-test_evp_data/evppkey_rsa_common.txt | 58 +++++++++++++++--
test/recipes/80-test_cms.t | 4 +-
test/recipes/80-test_ssl_old.t | 4 ++
test/smime-certs/smdh.pem | 18 +++---
test/smime-certs/smdsa1.pem | 60 +++++++++----------
test/smime-certs/smdsa2.pem | 60 +++++++++----------
test/smime-certs/smdsa3.pem | 60 +++++++++----------
test/smime-certs/smec1.pem | 30 +++++-----
test/smime-certs/smec2.pem | 30 +++++-----
test/smime-certs/smec3.pem | 30 +++++-----
test/smime-certs/smroot.pem | 38 ++++++------
test/smime-certs/smrsa1.pem | 38 ++++++------
test/smime-certs/smrsa2.pem | 38 ++++++------
test/smime-certs/smrsa3.pem | 38 ++++++------
19 files changed, 286 insertions(+), 256 deletions(-)
8 files changed, 130 insertions(+), 27 deletions(-)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index fa3822f39f..c365d7b13a 100644
index 52ed52482d..0d3050dbe9 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int md_nid;
size_t mdname_len = strlen(mdname);
-#ifdef FIPS_MODULE
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-#else
int sha1_allowed = 0;
-#endif
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
@@ -187,9 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
}
#ifdef FIPS_MODULE
{
- int sha1_allowed
- = ((ctx->operation
- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
+ int sha1_allowed = 0;
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 99b228e82c..44a22832ec 100644
index 80e4115b69..096d944896 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
"%s could not be fetched", mdname);
return 0;
}
-#ifdef FIPS_MODULE
- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-#else
sha1_allowed = 0;
-#endif
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
if (md_nid < 0) {
@@ -215,9 +215,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
#ifdef FIPS_MODULE
{
- int sha1_allowed
- = ((ctx->operation
- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
+ int sha1_allowed = 0;
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index f66d7705c3..34f45175e8 100644
index 0e0810f60a..ac3888a1b9 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int md_nid;
size_t mdname_len = strlen(mdname);
-#ifdef FIPS_MODULE
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-#else
int sha1_allowed = 0;
-#endif
md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
sha1_allowed);
@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
}
#ifdef FIPS_MODULE
{
- int sha1_allowed
- = ((ctx->operation
- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
+ int sha1_allowed = 0;
@@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
@@ -1796,11 +1794,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
if (prsactx->md == NULL && pmdname == NULL
&& pad_mode == RSA_PKCS1_PSS_PADDING) {
+#ifdef FIPS_MODULE
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+#else
pmdname = RSA_DEFAULT_DIGEST_NAME;
-#ifndef FIPS_MODULE
if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
pmdname = RSA_DEFAULT_DIGEST_NAME;
} else {
pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
}
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
index ad11d3ae1e..73b24bdb0c 100644
--- a/test/acvp_test.inc
+++ b/test/acvp_test.inc
@@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
NO_PSS_SALT_LEN,
FAIL
},
- {
- "x931",
- 3072,
- "SHA1",
- ITM(rsa_sigverx931_0_msg),
- ITM(rsa_sigverx931_0_n),
- ITM(rsa_sigverx931_0_e),
- ITM(rsa_sigverx931_0_sig),
- NO_PSS_SALT_LEN,
- PASS
- },
{
"x931",
3072,
+#endif
}
if (pmgf1mdname != NULL
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index f36982845d..51e507a61c 100644
index 06ec905be0..1602f0c521 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
@ -140,14 +111,14 @@ index f36982845d..51e507a61c 100644
Title = ECDSA tests
+Availablein = default
Verify = P-256
Verify = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
# Digest too long
+Availablein = default
Verify = P-256
Verify = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF12345"
@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
@ -155,7 +126,7 @@ index f36982845d..51e507a61c 100644
# Digest too short
+Availablein = default
Verify = P-256
Verify = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF123"
@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
@ -163,7 +134,7 @@ index f36982845d..51e507a61c 100644
# Digest invalid
+Availablein = default
Verify = P-256
Verify = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1235"
@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
@ -171,7 +142,7 @@ index f36982845d..51e507a61c 100644
# Invalid signature
+Availablein = default
Verify = P-256
Verify = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
@ -179,7 +150,7 @@ index f36982845d..51e507a61c 100644
# BER signature
+Availablein = default
Verify = P-256
Verify = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
@ -189,8 +160,151 @@ index f36982845d..51e507a61c 100644
Verify = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -237,7 +244,7 @@ Unapproved = 1
CtrlInit = digest-check:0
Key = P-256
Input = "Hello World"
-Result = SIGNATURE_MISMATCH
+Result = DIGESTSIGNINIT_ERROR
# Test that SHA1 is not allowed in fips mode for signing
FIPSversion = >=3.4.0
@@ -247,7 +254,7 @@ Unapproved = 1
CtrlInit = digest-check:0
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
-Result = KEYOP_MISMATCH
+Result = PKEY_CTRL_ERROR
Title = XOF disallowed
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
index 0ff482e4e8..d407ea1ca8 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
@@ -37,34 +37,34 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
Title = ECDSA tests
-FIPSversion = >=3.4.0
+Availablein = default
Verify = ECDSA-SHA1:P-256-PUBLIC
Input = "0123456789ABCDEF1234"
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
# Digest too long
-FIPSversion = >=3.4.0
+Availablein = default
Verify = ECDSA-SHA1:P-256-PUBLIC
Input = "0123456789ABCDEF12345"
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
Result = VERIFY_ERROR
# Digest too short
-FIPSversion = >=3.4.0
+Availablein = default
Verify = ECDSA-SHA1:P-256-PUBLIC
Input = "0123456789ABCDEF123"
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
Result = VERIFY_ERROR
# Digest invalid
-FIPSversion = >=3.4.0
+Availablein = default
Verify = ECDSA-SHA1:P-256-PUBLIC
Input = "0123456789ABCDEF1235"
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
Result = VERIFY_ERROR
# Invalid signature
-FIPSversion = >=3.4.0
+Availablein = default
Verify = ECDSA-SHA1:P-256-PUBLIC
Input = "0123456789ABCDEF1234"
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7
@@ -78,16 +78,64 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
Result = VERIFY_ERROR
# BER signature
-FIPSversion = >=3.4.0
+Availablein = default
Verify = ECDSA-SHA1:P-256-PUBLIC
Input = "0123456789ABCDEF1234"
Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
Result = VERIFY_ERROR
+Availablein = fips
+Verify = ECDSA-SHA1:P-256-PUBLIC
+Input = "0123456789ABCDEF1234"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+Result = KEYOP_INIT_ERROR
+
+# Digest too long
+Availablein = fips
+FIPSversion = >=3.4.0
+Verify = ECDSA-SHA1:P-256-PUBLIC
+Input = "0123456789ABCDEF12345"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+Result = KEYOP_INIT_ERROR
+
+# Digest too short
+Availablein = fips
+FIPSversion = >=3.4.0
+Verify = ECDSA-SHA1:P-256-PUBLIC
+Input = "0123456789ABCDEF123"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+Result = KEYOP_INIT_ERROR
+
+# Digest invalid
+Availablein = fips
+FIPSversion = >=3.4.0
+Verify = ECDSA-SHA1:P-256-PUBLIC
+Input = "0123456789ABCDEF1235"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+Result = KEYOP_INIT_ERROR
+
+# Invalid signature
+Availablein = fips
+FIPSversion = >=3.4.0
+Verify = ECDSA-SHA1:P-256-PUBLIC
+Input = "0123456789ABCDEF1234"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7
+Result = KEYOP_INIT_ERROR
+
+# BER signature
+Availablein = fips
+FIPSversion = >=3.4.0
+Verify = ECDSA-SHA1:P-256-PUBLIC
+Input = "0123456789ABCDEF1234"
+Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
+Result = KEYOP_INIT_ERROR
+
+Availablein = fips
FIPSversion = >=3.4.0
Verify = ECDSA-SHA1:P-256-PUBLIC
Input = "0123456789ABCDEF1234"
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+Result = KEYOP_INIT_ERROR
Title = Sign-Message and Verify-Message
@@ -236,7 +284,7 @@ Securitycheck = 1
Unapproved = 1
CtrlInit = digest-check:0
Input = "Hello World"
-Result = KEYOP_MISMATCH
+Result = KEYOP_INIT_ERROR
# Test that SHA1 is not allowed in fips mode for signing
Availablein = fips
@@ -246,4 +294,4 @@ Securitycheck = 1
Unapproved = 1
CtrlInit = digest-check:0
Input = "0123456789ABCDEF1234"
-Result = KEYOP_MISMATCH
+Result = KEYOP_INIT_ERROR
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
index b8d8bb2993..8dd566067b 100644
index 972e90f32f..61e2b4e3ac 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -96,6 +96,7 @@ NDL6WCBbets=
@ -304,16 +418,17 @@ index b8d8bb2993..8dd566067b 100644
Verify = RSA-2048-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
@@ -939,7 +954,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
# Verify using salt length auto detect
-FIPSversion = <3.4.0
+# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256
+Availablein = default
Verify = RSA-2048-PUBLIC
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:auto
@@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
@@ -974,6 +990,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
Result = VERIFY_ERROR
# Verify using default parameters, explicitly setting parameters
@ -324,7 +439,7 @@ index b8d8bb2993..8dd566067b 100644
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:20
@@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123"
@@ -982,6 +1002,7 @@ Input="0123456789ABCDEF0123"
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
# Verify explicitly setting parameters "digest" salt length
@ -332,10 +447,11 @@ index b8d8bb2993..8dd566067b 100644
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:digest
@@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123"
@@ -990,20 +1011,21 @@ Input="0123456789ABCDEF0123"
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
# Verify using salt length larger than minimum
-FIPSversion = <3.4.0
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_pss_saltlen:30
@ -343,6 +459,7 @@ index b8d8bb2993..8dd566067b 100644
Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
# Verify using maximum salt length
-FIPSversion = <3.4.0
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_pss_saltlen:max
@ -354,7 +471,7 @@ index b8d8bb2993..8dd566067b 100644
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_pss_saltlen:0
Result = PKEY_CTRL_ERROR
@@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR
@@ -1011,21 +1033,25 @@ Result = PKEY_CTRL_ERROR
# Attempt to change padding mode
# Note this used to return PKEY_CTRL_INVALID
# but it is limited because setparams only returns 0 or 1.
@ -380,7 +497,7 @@ index b8d8bb2993..8dd566067b 100644
Verify = RSA-PSS-BAD2
Result = KEYOP_INIT_ERROR
Reason = invalid salt length
@@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh
@@ -1081,36 +1107,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh
4fINDOjP+yJJvZohNwIDAQAB
-----END PUBLIC KEY-----
@ -423,7 +540,7 @@ index b8d8bb2993..8dd566067b 100644
Verify=RSA-PSS-1
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh
@@ -1126,36 +1158,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh
0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
-----END PUBLIC KEY-----
@ -466,7 +583,7 @@ index b8d8bb2993..8dd566067b 100644
Verify=RSA-PSS-9
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu
@@ -1173,36 +1211,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu
BQIDAQAB
-----END PUBLIC KEY-----
@ -509,9 +626,9 @@ index b8d8bb2993..8dd566067b 100644
Verify=RSA-PSS-10
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -1329,11 +1376,13 @@ Title = RSA FIPS tests
# FIPS tests
@@ -1999,11 +2043,13 @@ Securitycheck = 1
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
Result = KEYOP_INIT_ERROR
-# Verifying with SHA1 is permitted in fips mode for older applications
+# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode
@ -524,11 +641,29 @@ index b8d8bb2993..8dd566067b 100644
# Verifying with a 1024 bit key is permitted in fips mode for older applications
DigestVerify = SHA256
@@ -2019,7 +2065,7 @@ Securitycheck = 1
Key = RSA-2048
Input = "Hello"
Result = DIGESTSIGNINIT_ERROR
-Reason = invalid digest
+Reason = digest not allowed
# Signing with a 1024 bit key is not allowed in fips mode
Availablein = fips
@@ -2085,7 +2131,7 @@ Unapproved = 1
CtrlInit = digest-check:0
Key = RSA-2048
Input = "Hello"
-Result = SIGNATURE_MISMATCH
+Result = DIGESTSIGNINIT_ERROR
Availablein = fips
FIPSversion = >=3.4.0
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 48a92f735d..34afe91b88 100644
index d13dceaac5..ece29485f4 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -162,7 +162,7 @@ my @smime_pkcs7_tests = (
@@ -174,7 +174,7 @@ my @smime_pkcs7_tests = (
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
"-certfile", $smroot,
"-signer", $smrsa1, "-out", "{output}.cms" ],
@ -537,7 +672,7 @@ index 48a92f735d..34afe91b88 100644
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
@@ -170,7 +170,7 @@ my @smime_pkcs7_tests = (
@@ -182,7 +182,7 @@ my @smime_pkcs7_tests = (
[ "signed zero-length content S/MIME format, RSA key SHA1",
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
@ -547,10 +682,10 @@ index 48a92f735d..34afe91b88 100644
\&zero_compare
],
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 8c52b637fc..ff75c5b6ec 100644
index 568a1ddba4..6332aaec4b 100755
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -394,6 +394,9 @@ sub testssl {
@@ -462,6 +462,9 @@ sub testssl {
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
@ -560,7 +695,7 @@ index 8c52b637fc..ff75c5b6ec 100644
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
'test sslv2/sslv3 with server authentication');
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
@@ -402,6 +405,7 @@ sub testssl {
@@ -470,6 +473,7 @@ sub testssl {
'test sslv2/sslv3 with both client and server authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
@ -568,3 +703,6 @@ index 8c52b637fc..ff75c5b6ec 100644
SKIP: {
skip "No IPv4 available on this machine", 4
--
2.49.0

172
0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch Normal file
View File

@ -0,0 +1,172 @@
From f33528e229063b98748943d2fddaf83426fcb8eb Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 32/50] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
providers/implementations/rands/crngt.c is gone
Patch-name: 0076-FIPS-140-3-DRBG.patch
Patch-id: 76
Patch-status: |
# # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/rand/prov_seed.c | 9 ++-
providers/implementations/rands/drbg.c | 11 ++-
providers/implementations/rands/drbg_local.h | 2 +-
.../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
4 files changed, 23 insertions(+), 67 deletions(-)
diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
index 2985c7f2d8..3202a28226 100644
--- a/crypto/rand/prov_seed.c
+++ b/crypto/rand/prov_seed.c
@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused OSSL_LIB_CTX *ctx,
size_t entropy_available;
RAND_POOL *pool;
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
+ /*
+ * OpenSSL still implements an internal entropy pool of
+ * some size that is hashed to get seed data.
+ * Note that this is a conditioning step for which SP800-90C requires
+ * 64 additional bits from the entropy source to claim the requested
+ * amount of entropy.
+ */
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
if (pool == NULL) {
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
return 0;
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index 4925a3b400..1cdb67b22c 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -559,6 +559,9 @@ static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
#endif
}
+#ifdef FIPS_MODULE
+ prediction_resistance = 1;
+#endif
/* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen,
@@ -680,8 +683,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
reseed_required = 1;
}
if (drbg->parent != NULL
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
+#ifdef FIPS_MODULE
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
+#else
reseed_required = 1;
+#endif
+ }
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
index e591e0b3d1..c7cafba1ea 100644
--- a/providers/implementations/rands/drbg_local.h
+++ b/providers/implementations/rands/drbg_local.h
@@ -39,7 +39,7 @@
*
* The value is in bytes.
*/
-#define CRNGT_BUFSIZ 16
+#define CRNGT_BUFSIZ 32
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
index c3a5d8b3bf..b7b34a9345 100644
--- a/providers/implementations/rands/seeding/rand_unix.c
+++ b/providers/implementations/rands/seeding/rand_unix.c
@@ -53,6 +53,8 @@
# include <fcntl.h>
# include <unistd.h>
# include <sys/time.h>
+# include <sys/random.h>
+# include <openssl/evp.h>
static uint64_t get_time_stamp(void);
@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
* between size_t and ssize_t is safe even without a range check.
*/
-
- /*
- * Do runtime detection to find getentropy().
- *
- * Known OSs that should support this:
- * - Darwin since 16 (OSX 10.12, IOS 10.0).
- * - Solaris since 11.3
- * - OpenBSD since 5.6
- * - Linux since 3.17 with glibc 2.25
- *
- * Note: Sometimes getentropy() can be provided but not implemented
- * internally. So we need to check errno for ENOSYS
- */
-# if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__)
-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
-
- if (getentropy != NULL) {
- if (getentropy(buf, buflen) == 0)
- return (ssize_t)buflen;
- if (errno != ENOSYS)
- return -1;
- }
-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
-
- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
- return (ssize_t)buflen;
-
- return -1;
-# else
- union {
- void *p;
- int (*f)(void *buffer, size_t length);
- } p_getentropy;
-
- /*
- * We could cache the result of the lookup, but we normally don't
- * call this function often.
- */
- ERR_set_mark();
- p_getentropy.p = DSO_global_lookup("getentropy");
- ERR_pop_to_mark();
- if (p_getentropy.p != NULL)
- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
-# endif
-# endif /* !__DragonFly__ && !__NetBSD__ && !__FreeBSD__ */
-
- /* Linux supports this since version 3.17 */
-# if defined(__linux) && defined(__NR_getrandom)
- return syscall(__NR_getrandom, buf, buflen, 0);
-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \
- || (defined(__FreeBSD__) && __FreeBSD_version >= 1200061)
- return getrandom(buf, buflen, 0);
-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
- return sysctl_random(buf, buflen);
-# elif defined(__wasi__)
- if (getentropy(buf, buflen) == 0)
- return (ssize_t)buflen;
- return -1;
-# else
- errno = ENOSYS;
- return -1;
-# endif
+ /* Red Hat uses downstream patch to always seed from getrandom() */
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
}
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
--
2.49.0

119
0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch → 0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
View File

@ -1,7 +1,7 @@
From 6aed6931cf50499e778a6d34502f9bf82f5a4c0d Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 16 Nov 2022 13:53:24 +0100
Subject: [PATCH] rand: Forbid truncated hashes & SHA-3 in FIPS prov
From c5a417c02dc6f50b8886eac366650c0f0bee38a0 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 33/50] FIPS: RAND: Forbid truncated hashes & SHA-3
Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs"
of the Implementation Guidance for FIPS 140-3 [1] notes that there is no
@ -21,18 +21,20 @@ algorithms in the default provider.
[1]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
Signed-off-by: Clemens Lang <cllang@redhat.com>
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
providers/implementations/rands/drbg_hash.c | 12 ++
providers/implementations/rands/drbg_hmac.c | 12 ++
test/recipes/30-test_evp_data/evprand.txt | 129 ++++++++++++++++++++
3 files changed, 153 insertions(+)
test/recipes/30-test_evp_data/evprand.txt | 197 ++++++++++++++++----
3 files changed, 187 insertions(+), 34 deletions(-)
diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c
index 12faa993d0..5f9602cf84 100644
index 8bb831ae35..cedf5c3894 100644
--- a/providers/implementations/rands/drbg_hash.c
+++ b/providers/implementations/rands/drbg_hash.c
@@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[])
if (!ossl_drbg_verify_digest(libctx, md))
@@ -579,6 +579,18 @@ static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]
if (!ossl_drbg_verify_digest(ctx, libctx, md))
return 0; /* Error already raised for us */
+#ifdef FIPS_MODULE
@ -48,14 +50,14 @@ index 12faa993d0..5f9602cf84 100644
+#endif /* defined(FIPS_MODULE) */
+
/* These are taken from SP 800-90 10.1 Table 2 */
hash->blocklen = EVP_MD_get_size(md);
/* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
md_size = EVP_MD_get_size(md);
if (md_size <= 0)
diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c
index ffeb70f8c3..79ed96a15a 100644
index 43b3f8766e..64b7610cd1 100644
--- a/providers/implementations/rands/drbg_hmac.c
+++ b/providers/implementations/rands/drbg_hmac.c
@@ -367,6 +367,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[])
if (md != NULL && !ossl_drbg_verify_digest(libctx, md))
@@ -505,6 +505,18 @@ static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]
if (md != NULL && !ossl_drbg_verify_digest(ctx, libctx, md))
return 0; /* Error already raised for us */
+#ifdef FIPS_MODULE
@ -70,11 +72,11 @@ index ffeb70f8c3..79ed96a15a 100644
+ }
+#endif /* defined(FIPS_MODULE) */
+
if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params,
NULL, NULL, NULL, libctx))
return 0;
if (md != NULL && hmac->ctx != NULL) {
/* These are taken from SP 800-90 10.1 Table 2 */
md_size = EVP_MD_get_size(md);
diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt
index 8cb70247a0..8a0a2dea15 100644
index 9756859c0e..9baecf6f31 100644
--- a/test/recipes/30-test_evp_data/evprand.txt
+++ b/test/recipes/30-test_evp_data/evprand.txt
@@ -7388,6 +7388,7 @@ Nonce.14 = 7239f92b63fb3dbe
@ -1109,6 +1111,85 @@ index 8cb70247a0..8a0a2dea15 100644
RAND = HMAC-DRBG
Digest = SHA-512
PredictionResistance = 1
@@ -79795,29 +79924,29 @@ Result = EVP_RAND_CTX_set_params
Title = Test FIPS indicator callbacks for truncated digests
-Availablein = fips
-FIPSversion = >=3.4.0
-RAND = HASH-DRBG
-Digest = SHA2-224
-PredictionResistance = 0
-GenerateBits = 16
-Entropy.0 = c3ef82ce241f02e4298b118ca4f1622515e32abbae6b7433
-Nonce.0 = 15e32abbae6b7433
-Output.0 = 5af6
-Result = EVP_RAND_CTX_set_params
-Reason = digest not allowed
-
-Availablein = fips
-FIPSversion = >=3.4.0
-RAND = HASH-DRBG
-Unapproved = 1
-CtrlInit = digest-check:0
-Digest = SHA2-224
-PredictionResistance = 0
-GenerateBits = 16
-Entropy.0 = c3ef82ce241f02e4298b118ca4f1622515e32abbae6b7433
-Nonce.0 = 15e32abbae6b7433
-Output.0 = 5af6
+#Availablein = fips
+#FIPSversion = >=3.4.0
+#RAND = HASH-DRBG
+#Digest = SHA2-224
+#PredictionResistance = 0
+#GenerateBits = 16
+#Entropy.0 = c3ef82ce241f02e4298b118ca4f1622515e32abbae6b7433
+#Nonce.0 = 15e32abbae6b7433
+#Output.0 = 5af6
+#Result = EVP_RAND_CTX_set_params
+#Reason = digest not allowed
+
+#Availablein = fips
+#FIPSversion = >=3.4.0
+#RAND = HASH-DRBG
+#Unapproved = 1
+#CtrlInit = digest-check:0
+#Digest = SHA2-224
+#PredictionResistance = 0
+#GenerateBits = 16
+#Entropy.0 = c3ef82ce241f02e4298b118ca4f1622515e32abbae6b7433
+#Nonce.0 = 15e32abbae6b7433
+#Output.0 = 5af6
Availablein = fips
FIPSversion = >=3.4.0
@@ -79831,14 +79960,14 @@ Output.0 = ee9f
Result = EVP_RAND_CTX_set_params
Reason = digest not allowed
-Availablein = fips
-FIPSversion = >=3.4.0
-RAND = HMAC-DRBG
-Unapproved = 1
-CtrlInit = digest-check:0
-Digest = SHA2-384
-PredictionResistance = 0
-GenerateBits = 16
-Entropy.0 = 32c1ca125223de8de569697f92a37c6732c1ca125223de8de569697f92a37c67
-Nonce.0 = 15e32abbae6b7433
-Output.0 = ee9f
+#Availablein = fips
+#FIPSversion = >=3.4.0
+#RAND = HMAC-DRBG
+#Unapproved = 1
+#CtrlInit = digest-check:0
+#Digest = SHA2-384
+#PredictionResistance = 0
+#GenerateBits = 16
+#Entropy.0 = 32c1ca125223de8de569697f92a37c6732c1ca125223de8de569697f92a37c67
+#Nonce.0 = 15e32abbae6b7433
+#Output.0 = ee9f
--
2.38.1
2.49.0

396
0033-FIPS-embed-hmac.patch
View File

@ -1,396 +0,0 @@
From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch
Patch-name: 0033-FIPS-embed-hmac.patch
Patch-id: 33
Patch-status: |
# # Embed HMAC into the fips.so
# Modify fips self test as per
# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
providers/fips/self_test.c | 204 ++++++++++++++++++++++++--
test/fipsmodule.cnf | 2 +
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
test/recipes/03-test_fipsinstall.t | 2 +-
test/recipes/30-test_defltfips.t | 2 +-
test/recipes/80-test_ssl_new.t | 2 +-
test/recipes/90-test_sslapi.t | 2 +-
8 files changed, 200 insertions(+), 18 deletions(-)
create mode 100644 test/fipsmodule.cnf
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index b8dc9817b2..28f536d13c 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -230,11 +230,133 @@ err:
return ok;
}
+#define HMAC_LEN 32
+/*
+ * The __attribute__ ensures we've created the .rodata1 section
+ * static ensures it's zero filled
+*/
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
+
/*
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
* the result matches the expected value.
* Return 1 if verified, or 0 if it fails.
*/
+
+#ifndef __USE_GNU
+#define __USE_GNU
+#include <dlfcn.h>
+#undef __USE_GNU
+#else
+#include <dlfcn.h>
+#endif
+#include <link.h>
+
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
+ unsigned char *expected, size_t expected_len,
+ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
+ const char *event_type)
+{
+ int ret = 0, status;
+ unsigned char out[MAX_MD_SIZE];
+ unsigned char buf[INTEGRITY_BUF_SIZE];
+ size_t bytes_read = 0, out_len = 0;
+ EVP_MAC *mac = NULL;
+ EVP_MAC_CTX *ctx = NULL;
+ OSSL_PARAM params[2], *p = params;
+ Dl_info info;
+ void *extra_info = NULL;
+ struct link_map *lm = NULL;
+ unsigned long paddr;
+ unsigned long off = 0;
+
+ if (expected_len != HMAC_LEN)
+ goto err;
+
+ if (!integrity_self_test(ev, libctx))
+ goto err;
+
+ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+
+ if (!dladdr1 ((const void *)fips_hmac_container,
+ &info, &extra_info, RTLD_DL_LINKMAP))
+ goto err;
+ lm = extra_info;
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
+ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
+ if (mac == NULL)
+ goto err;
+ ctx = EVP_MAC_CTX_new(mac);
+ if (ctx == NULL)
+ goto err;
+
+ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
+ *p = OSSL_PARAM_construct_end();
+
+ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
+ goto err;
+
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (off < paddr) {
+ int delta = paddr - off;
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ /* read away the buffer */
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ if (status != 1)
+ goto err;
+
+ /* check that it is the expect bytes, no point in continuing otherwise */
+ if (memcmp(expected, buf, HMAC_LEN) != 0)
+ goto err;
+
+ /* replace in-file HMAC buffer with the original zeros */
+ memset(buf, 0, HMAC_LEN);
+ if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
+ goto err;
+ off += HMAC_LEN;
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
+ goto err;
+
+ OSSL_SELF_TEST_oncorrupt_byte(ev, out);
+ if (expected_len != out_len
+ || memcmp(expected, out, out_len) != 0)
+ goto err;
+ ret = 1;
+err:
+ OPENSSL_cleanse(out, MAX_MD_SIZE);
+ OSSL_SELF_TEST_onend(ev, ret);
+ EVP_MAC_CTX_free(ctx);
+ EVP_MAC_free(mac);
+ return ret;
+}
+
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
EVP_MAC *mac = NULL;
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
+ Dl_info info;
+ void *extra_info = NULL;
+ struct link_map *lm = NULL;
+ unsigned long paddr;
+ unsigned long off = 0;
if (!integrity_self_test(ev, libctx))
goto err;
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+ if (!dladdr1 ((const void *)fips_hmac_container,
+ &info, &extra_info, RTLD_DL_LINKMAP))
+ goto err;
+ lm = extra_info;
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
if (mac == NULL)
goto err;
@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
goto err;
- while (1) {
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
if (status != 1)
break;
if (!EVP_MAC_update(ctx, buf, bytes_read))
goto err;
+ off += bytes_read;
}
+
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
+ int delta = paddr - off;
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ memset(buf, 0, HMAC_LEN);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
goto err;
@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
goto err;
ret = 1;
err:
+ OPENSSL_cleanse(out, sizeof(out));
OSSL_SELF_TEST_onend(ev, ret);
EVP_MAC_CTX_free(ctx);
EVP_MAC_free(mac);
@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
return 0;
}
- if (st == NULL
- || st->module_checksum_data == NULL) {
+ if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
- &checksum_len);
+ if (st->module_checksum_data == NULL) {
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+ } else {
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
+ &checksum_len);
+ }
+
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
/* Always check the integrity of the fips module */
- if (bio_module == NULL
- || !verify_integrity(bio_module, st->bio_read_ex_cb,
- module_checksum, checksum_len, st->libctx,
- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ if (bio_module == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
goto end;
}
-
+ if (st->module_checksum_data == NULL) {
+ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb,
+ module_checksum, checksum_len,
+ st->libctx, ev,
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
+ goto end;
+ }
+ } else {
+ if (!verify_integrity(bio_module, st->bio_read_ex_cb,
+ module_checksum, checksum_len,
+ st->libctx, ev,
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
+ goto end;
+ }
+ }
/* This will be NULL during installation - so the self test KATS will run */
if (st->indicator_data != NULL) {
/*
@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
end:
EVP_RAND_free(testrand);
OSSL_SELF_TEST_free(ev);
- OPENSSL_free(module_checksum);
OPENSSL_free(indicator_checksum);
if (st != NULL) {
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
new file mode 100644
index 0000000000..f05d0dedbe
--- /dev/null
+++ b/test/fipsmodule.cnf
@@ -0,0 +1,2 @@
+[fips_sect]
+activate = 1
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
index 4e3a6d85e8..e8255ba974 100644
--- a/test/recipes/00-prep_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "FIPS module config file only supported in a fips build"
if $no_check;
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
index ce594817d5..00cebacff8 100644
--- a/test/recipes/01-test_fipsmodule_cnf.t
+++ b/test/recipes/01-test_fipsmodule_cnf.t
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "Test only supported in a fips build"
if $no_check;
plan tests => 1;
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index b8b136d110..8242f4ebc3 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
+plan skip_all => "Test only supported in a fips build" if 1;
# Compatible options for pedantic FIPS compliance
my @pedantic_okay =
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
index c8f145405b..56a2ec5dc4 100644
--- a/test/recipes/30-test_defltfips.t
+++ b/test/recipes/30-test_defltfips.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "Configuration loading is turned off"
if disabled("autoload-config");
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
plan tests =>
($no_fips ? 1 : 5);
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 195b85ea8c..92d48dbf7d 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -27,7 +27,7 @@ setup("test_ssl_new");
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index 18d9f3d204..71780d8caa 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -17,7 +17,7 @@ setup("test_sslapi");
setup("test_sslapi");
}
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
--
2.44.0

77
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch → 0034-FIPS-PBKDF2-Set-minimum-password-length.patch
View File

@ -1,7 +1,7 @@
From 754862899058cfb5f2341c81f9e04dd2f7b37056 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 18:37:17 +0100
Subject: [PATCH] pbkdf2: Set minimum password length of 8 bytes
From 07db6d2bc68c37db2c8b00225c42e3c2e3c8b6cc Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 34/50] FIPS: PBKDF2: Set minimum password length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -23,15 +23,17 @@ passwords combined with an implicit indicator (i.e., returning an error)
would cause the module to fail ACVP testing.
Signed-off-by: Clemens Lang <cllang@redhat.com>
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
providers/implementations/kdfs/pbkdf2.c | 39 +++++++++++++++++++++----
1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 2a0ae63acc..aa0adce5e6 100644
index b383314064..68f9355b7d 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -35,6 +35,21 @@
@@ -36,6 +36,21 @@
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
#define KDF_PBKDF2_MIN_ITERATIONS 1000
#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
@ -53,8 +55,43 @@ index 2a0ae63acc..aa0adce5e6 100644
static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
@@ -186,9 +201,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
ctx->lower_bound_checks = pkcs5 == 0;
@@ -179,8 +194,8 @@ static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
}
static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
- size_t keylen, int *error,
- const char **desc)
+ size_t keylen, size_t passlen,
+ int *error, const char **desc)
{
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
*error = PROV_R_KEY_SIZE_TOO_SMALL;
@@ -200,7 +215,12 @@ static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
*desc = "Iteration count";
return 0;
}
-
+ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
+ *error = PROV_R_INVALID_INPUT_LENGTH;
+ if (desc != NULL)
+ *desc = "Password length";
+ return 0;
+ }
return 1;
}
@@ -211,7 +231,8 @@ static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, size_t keylen)
int error = 0;
const char *desc = NULL;
int approved = pbkdf2_lower_bound_check_passed(ctx->salt_len, ctx->iter,
- keylen, &error, &desc);
+ keylen, ctx->pass_len,
+ &error, &desc);
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx,
@@ -283,9 +304,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
#endif
}
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
@ -70,17 +107,15 @@ index 2a0ae63acc..aa0adce5e6 100644
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
if (ctx->lower_bound_checks != 0
@@ -297,6 +318,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
}
@@ -406,7 +433,7 @@ static int pbkdf2_derive(KDF_PBKDF2 *ctx, const char *pass, size_t passlen,
if (lower_bound_checks) {
+ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
return 0;
int error = 0;
int passed = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen,
- &error, NULL);
+ passlen, &error, NULL);
if (!passed) {
ERR_raise(ERR_LIB_PROV, error);
--
2.38.1
2.49.0

73
0035-FIPS-DH-PCT.patch Normal file
View File

@ -0,0 +1,73 @@
From 4201d6a3b23e14885f2703c705166c68db6351ab Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:49:00 -0400
Subject: [PATCH 35/50] FIPS: DH: PCT
Signed-off-by: Simo Sorce <simo@redhat.com>
---
crypto/dh/dh_key.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 7132b9b68e..189bfc3e8b 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
BN_MONT_CTX *mont = NULL;
BIGNUM *z = NULL, *pminus1;
int ret = -1;
+#ifdef FIPS_MODULE
+ int validate = 0;
+#endif
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -60,6 +63,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
return 0;
}
+#ifdef FIPS_MODULE
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
+ return 0;
+ }
+#endif
+
ctx = BN_CTX_new_ex(dh->libctx);
if (ctx == NULL)
goto err;
@@ -271,6 +281,9 @@ static int generate_key(DH *dh)
#endif
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+#ifdef FIPS_MODULE
+ int validate = 0;
+#endif
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -369,8 +382,21 @@ static int generate_key(DH *dh)
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
goto err;
+#ifdef FIPS_MODULE
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
+ goto err;
+ }
+#endif
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
+#ifdef FIPS_MODULE
+ if (ossl_dh_check_pairwise(dh) <= 0) {
+ abort();
+ }
+#endif
+
dh->dirty_cnt++;
ok = 1;
err:
--
2.49.0

13
0035-speed-skip-unavailable-dgst.patch
View File

@ -1,13 +0,0 @@
diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c
--- openssl-3.0.0/apps/speed.c.beldmit 2021-12-21 15:14:04.210431584 +0100
+++ openssl-3.0.0/apps/speed.c 2021-12-21 15:46:05.554085125 +0100
@@ -547,6 +547,9 @@ static int EVP_MAC_loop(int algindex, vo
for (count = 0; COND(c[algindex][testnum]); count++) {
size_t outl;
+ if (mctx == NULL)
+ return -1;
+
if (!EVP_MAC_init(mctx, NULL, 0, NULL)
|| !EVP_MAC_update(mctx, buf, lengths[testnum])
|| !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))

72
0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch → 0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
View File

@ -1,7 +1,7 @@
From 8a2d1b22ede5eeca4d104bb027b84f3ecfc69549 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 11 May 2023 12:51:59 +0200
Subject: [PATCH] DH: Disable FIPS 186-4 type parameters in FIPS mode
From ea3020727f873e14b4ee4c7f94dfa038d4777319 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 36/50] FIPS: DH: Disable FIPS 186-4 type parameters
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
@ -20,6 +20,10 @@ fail due to this change.
Related: rhbz#2169757, rhbz#2169757
Signed-off-by: Clemens Lang <cllang@redhat.com>
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
NOTE: Dropped changes in test/recipes/80-test_cms.t
---
crypto/dh/dh_backend.c | 10 ++++
crypto/dh/dh_check.c | 12 ++--
@ -31,15 +35,14 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
test/evp_libctx_test.c | 2 +-
test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++
test/helpers/predefined_dhparams.h | 1 +
test/recipes/80-test_cms.t | 4 +-
test/recipes/80-test_ssl_old.t | 3 +
12 files changed, 118 insertions(+), 20 deletions(-)
11 files changed, 116 insertions(+), 18 deletions(-)
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
index 726843fd30..24c65ca84f 100644
index 1aaa88daca..aa3a491799 100644
--- a/crypto/dh/dh_backend.c
+++ b/crypto/dh/dh_backend.c
@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
if (!dh_ffc_params_fromdata(dh, params))
return 0;
@ -57,7 +60,7 @@ index 726843fd30..24c65ca84f 100644
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
if (param_priv_len != NULL
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 0b391910d6..75581ca347 100644
index ae23f61839..6e30a9b735 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
@ -82,10 +85,10 @@ index 0b391910d6..75581ca347 100644
#else
int DH_check_params(const DH *dh, int *ret)
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index aec6b85316..9c55121067 100644
index b73bfb7f3b..275ce2c1af 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -38,18 +38,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
BN_GENCB *cb)
{
@ -115,10 +118,10 @@ index aec6b85316..9c55121067 100644
dh->dirty_cnt++;
return ret;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 4e9705beef..14c0b0b6b3 100644
index 189bfc3e8b..023d628502 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -308,8 +308,12 @@ static int generate_key(DH *dh)
@@ -336,8 +336,12 @@ static int generate_key(DH *dh)
goto err;
} else {
#ifdef FIPS_MODULE
@ -133,7 +136,7 @@ index 4e9705beef..14c0b0b6b3 100644
#else
if (dh->params.q == NULL) {
/* secret exponent length, must satisfy 2^(l-1) <= p */
@@ -330,9 +334,7 @@ static int generate_key(DH *dh)
@@ -358,9 +362,7 @@ static int generate_key(DH *dh)
if (!BN_clear_bit(priv_key, 0))
goto err;
}
@ -144,7 +147,7 @@ index 4e9705beef..14c0b0b6b3 100644
/* Do a partial check for invalid p, q, g */
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH, NULL))
@@ -348,6 +350,7 @@ static int generate_key(DH *dh)
@@ -376,6 +378,7 @@ static int generate_key(DH *dh)
priv_key))
goto err;
}
@ -153,10 +156,10 @@ index 4e9705beef..14c0b0b6b3 100644
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index f201eede0d..30f90d15be 100644
index c11ada9826..e279e9d60d 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
prime_len, subprime_len, &res,
pcb);
else
@ -178,10 +181,10 @@ index f201eede0d..30f90d15be 100644
DH_free(ret);
return NULL;
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 9a7dde7c66..b3e7bca5ac 100644
index c2ee859355..51c21e436f 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
@@ -420,6 +420,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
return 1; /* nothing to validate */
@ -194,10 +197,10 @@ index 9a7dde7c66..b3e7bca5ac 100644
/*
* Both of these functions check parameters. DH_check_params_ex()
diff --git a/test/endecode_test.c b/test/endecode_test.c
index e3f7b81f69..1b63daaed5 100644
index 85c84f6592..d2ff9e6eb6 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -80,10 +80,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
@@ -85,10 +85,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
* for testing only. Use a minimum key size of 2048 for security purposes.
*/
if (strcmp(type, "DH") == 0)
@ -211,10 +214,10 @@ index e3f7b81f69..1b63daaed5 100644
/*
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 2448c35a14..92d484fb12 100644
index 039fca9bb0..2838f343bd 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -188,7 +188,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
@@ -222,7 +222,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
|| !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
@ -308,28 +311,11 @@ index f0e8709062..2ff6d6e721 100644
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index cabbe3ecdf..efe56c5665 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
],
[ "enveloped content test streaming S/MIME format, X9.42 DH",
- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
"-stream", "-out", "{output}.cms",
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
"-in", "{output}.cms", "-out", "{output}.txt" ],
\&final_compare
]
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 8c52b637fc..31ed54621b 100644
index 6332aaec4b..4d8c900c00 100755
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -390,6 +390,9 @@ sub testssl {
@@ -458,6 +458,9 @@ sub testssl {
skip "skipping dhe1024dsa test", 1
if ($no_dh);
@ -340,5 +326,5 @@ index 8c52b637fc..31ed54621b 100644
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
--
2.40.1
2.49.0

167
0114-FIPS-enforce-EMS-support.patch → 0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
View File

@ -1,32 +1,34 @@
From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:40:56 +0200
Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch
From 39afccf3c978a35d1a2d3ebd072d3d1a7a0d0e09 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
Subject: [PATCH 37/50] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code
change the option to enforce it seem to be available only in FIPS build
Patch-name: 0114-FIPS-enforce-EMS-support.patch
Patch-id: 114
Patch-status: |
# We believe that some changes present in CentOS are not necessary
# because ustream has a check for FIPS version
# # We believe that some changes present in CentOS are not necessary
# # because ustream has a check for FIPS version
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
doc/man3/SSL_CONF_cmd.pod | 3 +++
doc/man5/fips_config.pod | 13 +++++++++++
include/openssl/fips_names.h | 8 +++++++
include/openssl/ssl.h.in | 1 +
providers/fips/fipsprov.c | 2 +-
providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++
ssl/ssl_conf.c | 1 +
ssl/statem/extensions_srvr.c | 8 ++++++-
ssl/t1_enc.c | 11 ++++++++--
.../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++
test/sslapitest.c | 2 +-
11 files changed, 76 insertions(+), 5 deletions(-)
doc/man3/SSL_CONF_cmd.pod | 3 +++
doc/man5/fips_config.pod | 13 +++++++++++++
include/openssl/ssl.h.in | 1 +
providers/fips/include/fips_indicator_params.inc | 2 +-
ssl/ssl_conf.c | 1 +
ssl/statem/extensions_srvr.c | 8 +++++++-
ssl/t1_enc.c | 11 +++++++++--
test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 10 ++++++++++
test/sslapitest.c | 2 +-
9 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index ae6ca43282..b83c04a308 100644
index e2c1e69847..009b683b27 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
@@ -621,6 +621,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
@ -37,12 +39,12 @@ index ae6ca43282..b83c04a308 100644
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
index 1c15e32a5c..f2cedaf88d 100644
index 15748c5756..34cbfbb2ad 100644
--- a/doc/man5/fips_config.pod
+++ b/doc/man5/fips_config.pod
@@ -15,6 +15,19 @@ for more information.
This functionality was added in OpenSSL 3.0.
@@ -11,6 +11,19 @@ automatically loaded when the system is booted in FIPS mode, or when the
environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
for more information.
+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
+OpenSSL configuration directory and managed by crypto policies. If present, it
@ -59,31 +61,12 @@ index 1c15e32a5c..f2cedaf88d 100644
+
=head1 COPYRIGHT
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
index 5c77f6d691..8cdd5a6bf7 100644
--- a/include/openssl/fips_names.h
+++ b/include/openssl/fips_names.h
@@ -70,6 +70,14 @@ extern "C" {
*/
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
+/*
+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
+ * This is disabled by default.
+ *
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
+
# ifdef __cplusplus
}
# endif
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 0b6de603e2..26a69ca282 100644
index 0b2232b01c..99b2ad4eb3 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
* interoperability with CryptoPro CSP 3.x
*/
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
@ -91,84 +74,42 @@ index 0b6de603e2..26a69ca282 100644
/*
* Disable RFC8879 certificate compression
* SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 5ff9872bd8..eb9653a9df 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
if (fgbl == NULL)
return NULL;
init_fips_option(&fgbl->fips_security_checks, 1);
- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
+ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
return fgbl;
}
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index 25a6c79a2e..79bc7a9719 100644
--- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)
static void kdf_tls1_prf_free(void *vctx)
{
TLS1_PRF *ctx = (TLS1_PRF *)vctx;
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
if (ctx != NULL) {
kdf_tls1_prf_reset(ctx);
@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
}
}
+ /*
+ * The seed buffer is prepended with a label.
+ * If EMS mode is enforced then the label "master secret" is not allowed,
+ * We do the check this way since the PRF is used for other purposes, as well
+ * as "extended master secret".
+ */
+#ifdef FIPS_MODULE
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+ if (ossl_tls1_prf_ems_check_enabled(libctx)) {
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
+ return 0;
+ }
+ }
+
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
ctx->sec, ctx->seclen,
ctx->seed, ctx->seedlen,
diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
index c1b029de86..47d1cf2d01 100644
--- a/providers/fips/include/fips_indicator_params.inc
+++ b/providers/fips/include/fips_indicator_params.inc
@@ -1,5 +1,5 @@
OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1)
-OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0)
+OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 1)
OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1)
OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 5146cedb96..086db98c33 100644
index 946d20be52..b52c1675fd 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
@@ -394,6 +394,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
SSL_FLAG_TBL("ClientRenegotiation",
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 00b1ee531e..22cdabb308 100644
index 1a09913ad6..936be81819 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -11,6 +11,7 @@
#include "../ssl_local.h"
@@ -12,6 +12,7 @@
#include "statem_local.h"
#include "internal/cryptlib.h"
#include "internal/ssl_unwrap.h"
+#include <openssl/fips.h>
#define COOKIE_STATE_FORMAT_VERSION 1
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
@@ -1886,8 +1887,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context,
X509 *x, size_t chainidx)
{
@ -184,10 +125,10 @@ index 00b1ee531e..22cdabb308 100644
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|| !WPACKET_put_bytes_u16(pkt, 0)) {
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 91238e6457..e8ad8ecd9e 100644
index 474ea7bf5b..e0e595e989 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -20,6 +20,7 @@
@@ -21,6 +21,7 @@
#include <openssl/obj_mac.h>
#include <openssl/core_names.h>
#include <openssl/trace.h>
@ -195,7 +136,7 @@ index 91238e6457..e8ad8ecd9e 100644
/* seed1 through seed5 are concatenated */
static int tls1_PRF(SSL_CONNECTION *s,
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
@@ -78,8 +79,14 @@ static int tls1_PRF(SSL_CONNECTION *s,
}
err:
@ -213,7 +154,7 @@ index 91238e6457..e8ad8ecd9e 100644
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
EVP_KDF_CTX_free(kctx);
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
index 44040ff66b..deb6bf3fcb 100644
index 50944328cb..edb2e81273 100644
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
@ -234,10 +175,10 @@ index 44040ff66b..deb6bf3fcb 100644
KDF = TLS1-PRF
Ctrl.digest = digest:SHA256
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 169e3c7466..e67b5bb44c 100644
index 39118a9162..9522478ad2 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void)
STACK_OF(X509) *server_chain;
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@ -247,5 +188,5 @@ index 169e3c7466..e67b5bb44c 100644
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_VERSION, 0,
--
2.41.0
2.49.0

61
0038-FIPS-CMS-Set-default-padding-to-OAEP.patch Normal file
View File

@ -0,0 +1,61 @@
From e1d57286ca07c3d89018d3c4368bed420f5c454a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:08:34 -0500
Subject: [PATCH 38/50] FIPS: CMS: Set default padding to OAEP
From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
---
apps/cms.c | 1 +
crypto/cms/cms_env.c | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/apps/cms.c b/apps/cms.c
index 919d306ff6..b4950df759 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -20,6 +20,7 @@
#include <openssl/x509_vfy.h>
#include <openssl/x509v3.h>
#include <openssl/cms.h>
+#include <openssl/fips.h>
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int cms_cb(int ok, X509_STORE_CTX *ctx);
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 375239c78d..e09ad03ece 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -14,6 +14,7 @@
#include <openssl/err.h>
#include <openssl/cms.h>
#include <openssl/evp.h>
+#include <openssl/fips.h>
#include "internal/sizes.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
@@ -375,6 +376,10 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
return 0;
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
return 0;
+ if (FIPS_mode()) {
+ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
+ return 0;
+ }
} else if (!ossl_cms_env_asn1_ctrl(ri, 0))
return 0;
return 1;
@@ -540,6 +545,11 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms,
if (EVP_PKEY_encrypt_init(pctx) <= 0)
goto err;
+
+ if (FIPS_mode()) {
+ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
+ goto err;
+ }
}
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
--
2.49.0

35
0039-FIPS-PKCS12-PBMAC1-defaults.patch Normal file
View File

@ -0,0 +1,35 @@
From db948b9f36c27a72595eb81633d787e6c95977b4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:16:29 -0500
Subject: [PATCH 39/50] FIPS: PKCS12: PBMAC1 defaults
From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
---
apps/pkcs12.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 9964faf21a..59439a8cc0 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -17,6 +17,7 @@
#include <openssl/asn1.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/provider.h>
@@ -709,6 +710,9 @@ int pkcs12_main(int argc, char **argv)
}
if (maciter != -1) {
+ if (EVP_default_properties_is_fips_enabled(NULL))
+ pbmac1_pbkdf2 = 1;
+
if (pbmac1_pbkdf2 == 1) {
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,
--
2.49.0

35
0040-FIPS-Fix-encoder-decoder-negative-test.patch Normal file
View File

@ -0,0 +1,35 @@
From c49eb02a6c08ab8398688e609a6c1681b86c24e0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 5 Mar 2025 13:22:03 -0500
Subject: [PATCH 40/50] FIPS: Fix encoder/decoder negative test
Signed-off-by: Simo Sorce <simo@redhat.com>
---
test/recipes/04-test_encoder_decoder.t | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
mode change 100644 => 100755 test/recipes/04-test_encoder_decoder.t
diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t
old mode 100644
new mode 100755
index 2acc980e90..660d4e1115
--- a/test/recipes/04-test_encoder_decoder.t
+++ b/test/recipes/04-test_encoder_decoder.t
@@ -75,10 +75,10 @@ SKIP: {
}
my $no_des = disabled("des");
SKIP: {
- skip "MD5 disabled", 2 if disabled("md5");
- ok(run(app([ 'openssl', 'genrsa', '-aes128', '-out', 'epki.pem',
- '-traditional', '-passout', 'pass:pass' ])),
- "rsa encrypted using a non fips algorithm MD5 in pbe");
+ skip "DES disabled", 2 if disabled("des3");
+ ok(run(app([ 'openssl', 'genrsa', '-des3', '-out', 'epki.pem',
+ '-traditional', '-passout', 'pass:pass'])),
+ "rsa encrypted using a non fips algorithm DES3 in pbe");
my $conf2 = srctop_file("test", "default-and-fips.cnf");
ok(run(test(['decoder_propq_test', '-config', $conf2,
--
2.49.0

180
0041-FIPS-EC-DH-DSA-PCTs.patch Normal file
View File

@ -0,0 +1,180 @@
From ad8a02985f28b1ead7169ca20dca010113f52250 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:06 -0400
Subject: [PATCH 41/50] FIPS: EC: DH/DSA PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
.../implementations/exchange/ecdh_exch.c | 19 ++++++++++
providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++++-
.../implementations/signature/ecdsa_sig.c | 37 +++++++++++++++++--
3 files changed, 75 insertions(+), 5 deletions(-)
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 58fbc7bc09..98d4354f3e 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -560,6 +560,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
#endif
ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
+#ifdef FIPS_MODULE
+ {
+ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
+ int check = 0;
+
+ if (bn_ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+
+ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
+ BN_CTX_free(bn_ctx);
+
+ if (check <= 0) {
+ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
+ goto end;
+ }
+ }
+#endif
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 9421aabb14..77531c4b59 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -993,9 +993,18 @@ struct ec_gen_ctx {
EC_GROUP *gen_group;
unsigned char *dhkem_ikm;
size_t dhkem_ikmlen;
+#ifdef FIPS_MODULE
+ void *ecdsa_sig_ctx;
+#endif
OSSL_FIPS_IND_DECLARE
};
+#ifdef FIPS_MODULE
+void *ecdsa_newctx(void *provctx, const char *propq);
+void ecdsa_freectx(void *vctx);
+int do_ec_pct(void *, const char *, void *);
+#endif
+
static void *ec_gen_init(void *provctx, int selection,
const OSSL_PARAM params[])
{
@@ -1015,6 +1024,10 @@ static void *ec_gen_init(void *provctx, int selection,
gctx = NULL;
}
}
+#ifdef FIPS_MODULE
+ if (gctx != NULL)
+ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
+#endif
return gctx;
}
@@ -1326,6 +1339,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (gctx->ecdh_mode != -1)
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
+#ifdef FIPS_MODULE
+ /* Pairwise consistency test */
+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
+ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
+ abort();
+#endif
if (gctx->group_check != NULL)
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
@@ -1396,7 +1415,10 @@ static void ec_gen_cleanup(void *genctx)
if (gctx == NULL)
return;
-
+#ifdef FIPS_MODULE
+ ecdsa_freectx(gctx->ecdsa_sig_ctx);
+ gctx->ecdsa_sig_ctx = NULL;
+#endif
OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen);
EC_GROUP_free(gctx->gen_group);
BN_free(gctx->p);
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 096d944896..34fb3aa56e 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -33,7 +33,7 @@
#include "prov/der_ec.h"
#include "crypto/ec.h"
-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
+OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
static OSSL_FUNC_signature_sign_fn ecdsa_sign;
@@ -48,7 +48,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
+OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types;
static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
@@ -139,7 +139,7 @@ typedef struct {
OSSL_FIPS_IND_DECLARE
} PROV_ECDSA_CTX;
-static void *ecdsa_newctx(void *provctx, const char *propq)
+void *ecdsa_newctx(void *provctx, const char *propq)
{
PROV_ECDSA_CTX *ctx;
@@ -613,7 +613,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
return ok;
}
-static void ecdsa_freectx(void *vctx)
+void ecdsa_freectx(void *vctx)
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
@@ -862,6 +862,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
return EVP_MD_settable_ctx_params(ctx->md);
}
+#ifdef FIPS_MODULE
+int do_ec_pct(void *vctx, const char *mdname, void *ec)
+{
+ static const unsigned char data[32];
+ unsigned char sigbuf[256];
+ size_t siglen = sizeof(sigbuf);
+
+ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
+ return 0;
+
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ return 0;
+
+ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
+ return 0;
+
+ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
+ return 0;
+
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ return 0;
+
+ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
+ return 0;
+
+ return 1;
+}
+#endif
+
const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
--
2.49.0

31
0042-FIPS-EC-disable-weak-curves.patch Normal file
View File

@ -0,0 +1,31 @@
From 998f0c96eb674c2647bfead8b925f3599be3bd0a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:06:36 -0500
Subject: [PATCH 42/50] FIPS: EC: disable weak curves
Signed-off-by: Simo Sorce <simo@redhat.com>
---
apps/ecparam.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/apps/ecparam.c b/apps/ecparam.c
index f0879dfb11..a6042e7d2a 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -77,6 +77,13 @@ static int list_builtin_curves(BIO *out)
const char *comment = curves[n].comment;
const char *sname = OBJ_nid2sn(curves[n].nid);
+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
+ continue;
+
if (comment == NULL)
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
--
2.49.0

400
0043-FIPS-NO-DSA-Support.patch Normal file
View File

@ -0,0 +1,400 @@
From 64467bd0ad1bf2a0c1a67462a27e405632704026 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:10:52 -0500
Subject: [PATCH 43/50] FIPS: NO DSA Support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/fipsprov.c | 8 +++++---
providers/fips/self_test_data.inc | 6 +++++-
test/acvp_test.c | 2 ++
test/endecode_test.c | 2 ++
test/recipes/15-test_gendsa.t | 2 +-
test/recipes/20-test_cli_fips.t | 3 +--
test/recipes/30-test_evp.t | 7 ++-----
test/recipes/30-test_evp_data/evppkey_dsa.txt | 18 ++++++++++++++++-
test/recipes/80-test_cms.t | 20 +++++++++----------
9 files changed, 45 insertions(+), 23 deletions(-)
mode change 100644 => 100755 test/recipes/30-test_evp.t
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index aa1ab85470..7999744b5a 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -430,7 +430,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
};
static const OSSL_ALGORITHM fips_signature[] = {
-#ifndef OPENSSL_NO_DSA
+/* We don't certify DSA in our FIPS provider */
+#if 0 /* #ifndef OPENSSL_NO_DSA */
{ PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
{ PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions },
{ PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions },
@@ -560,8 +561,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
- PROV_DESCS_DSA },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
+ PROV_DESCS_DSA }, */
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
PROV_DESCS_RSA },
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 5cbb5352a5..10ca473764 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -1522,8 +1522,9 @@ static const unsigned char ed448_expected_sig[] = {
# endif /* OPENSSL_NO_ECX */
#endif /* OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_DSA
/* dsa 2048 */
+#if 0
+#ifndef OPENSSL_NO_DSA
static const unsigned char dsa_p[] = {
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
@@ -1651,6 +1652,7 @@ static const ST_KAT_PARAM dsa_key[] = {
ST_KAT_PARAM_END()
};
#endif /* OPENSSL_NO_DSA */
+#endif
#ifndef OPENSSL_NO_ML_DSA
static const unsigned char ml_dsa_65_pub_key[] = {
@@ -3013,6 +3015,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
},
# endif /* OPENSSL_NO_ECX */
#endif /* OPENSSL_NO_EC */
+#if 0
#ifndef OPENSSL_NO_DSA
{
OSSL_SELF_TEST_DESC_SIGN_DSA,
@@ -3025,6 +3028,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
ITM(dsa_expected_sig)
},
#endif /* OPENSSL_NO_DSA */
+#endif
#ifndef OPENSSL_NO_ML_DSA
{
diff --git a/test/acvp_test.c b/test/acvp_test.c
index 2bcc886fd2..db0282d043 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1735,6 +1735,7 @@ int setup_tests(void)
OSSL_NELEM(dh_safe_prime_keyver_data));
#endif /* OPENSSL_NO_DH */
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
#ifndef OPENSSL_NO_DSA
dsasign_allowed = fips_provider_version_lt(libctx, 3, 4, 0);
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
@@ -1743,6 +1744,7 @@ int setup_tests(void)
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
#endif /* OPENSSL_NO_DSA */
+#endif
#ifndef OPENSSL_NO_EC
ec_cofactors = fips_provider_version_ge(libctx, 3, 4, 0);
diff --git a/test/endecode_test.c b/test/endecode_test.c
index d2ff9e6eb6..dfd5e92f7e 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -1536,6 +1536,7 @@ int setup_tests(void)
* so no legacy tests.
*/
#endif
+ if (is_fips == 0) {
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE(DSA);
ADD_TEST_SUITE_PARAMS(DSA);
@@ -1546,6 +1547,7 @@ int setup_tests(void)
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
# endif
#endif
+ }
#ifndef OPENSSL_NO_EC
ADD_TEST(ec_encode_to_data_multi);
ADD_TEST_SUITE(EC);
diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
index cd331c4cfc..e21d6acda4 100644
--- a/test/recipes/15-test_gendsa.t
+++ b/test/recipes/15-test_gendsa.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "This test is unsupported in a no-dsa build"
if disabled("dsa");
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1;
plan tests =>
($no_fips ? 0 : 2) # FIPS related tests
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
index 2abc4d2434..9a6875b3ec 100644
--- a/test/recipes/20-test_cli_fips.t
+++ b/test/recipes/20-test_cli_fips.t
@@ -283,8 +283,7 @@ SKIP: {
}
SKIP : {
- skip "FIPS DSA tests because of no dsa in this build", 1
- if disabled("dsa") || $dsasignpass == '0';
+ skip "FIPS DSA tests because of no dsa in this build", 1;
subtest DSA => sub {
my $testtext_prefix = 'DSA';
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
old mode 100644
new mode 100755
index a86456157b..05a61c8abe
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -83,10 +83,6 @@ push @files, qw(
evppkey_slh_dsa_siggen.txt
evppkey_slh_dsa_sigver.txt
) unless $no_slh_dsa;
-push @files, qw(
- evppkey_dsa.txt
- evppkey_dsa_sigalg.txt
- ) unless $no_dsa;
push @files, qw(
evppkey_ecx.txt
evppkey_ecx_sigalg.txt
@@ -166,11 +162,12 @@ my @defltfiles = qw(
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
push @defltfiles, qw(evppkey_ecx_kem.txt) unless $no_ecx;
-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
push @defltfiles, qw(evpkdf_argon2.txt) unless $no_argon2;
+push @defltfiles, qw(evppkey_dsa.txt
+ evppkey_dsa_sigalg.txt) unless $no_dsa;
plan tests =>
+ (scalar(@configs) * scalar(@files))
diff --git a/test/recipes/30-test_evp_data/evppkey_dsa.txt b/test/recipes/30-test_evp_data/evppkey_dsa.txt
index 5e5315a5b9..660d1db149 100644
--- a/test/recipes/30-test_evp_data/evppkey_dsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_dsa.txt
@@ -44,17 +44,22 @@ PrivPubKeyPair = DSA-1024:DSA-1024-PUBLIC
Title = DSA tests
+## Red Hat all SHA1 tests are unavailable
+
+Availablein = none
Verify = DSA-1024
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+Availablein = none
Verify = DSA-1024-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
# Modified signature
+Availablein = none
Verify = DSA-1024-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -62,6 +67,7 @@ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239
Result = VERIFY_ERROR
# Digest too short
+Availablein = none
Verify = DSA-1024-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF123"
@@ -69,6 +75,7 @@ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239
Result = VERIFY_ERROR
# Digest too long
+Availablein = none
Verify = DSA-1024-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF12345"
@@ -76,12 +83,14 @@ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239
Result = VERIFY_ERROR
# Garbage after signature
+Availablein = none
Verify = DSA-1024-PUBLIC
Input = "0123456789ABCDEF1234"
Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d8700
Result = VERIFY_ERROR
# Invalid tag
+Availablein = none
Verify = DSA-1024-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -89,6 +98,7 @@ Output = 312d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239
Result = VERIFY_ERROR
# BER signature
+Availablein = none
Verify = DSA-1024-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -277,6 +287,7 @@ Output = 00
Result = DIGESTSIGNINIT_ERROR
# Test sign with a 2048 bit key with N == 224 is allowed in fips mode
+Availablein = none
FIPSversion = <3.4.0
DigestSign = SHA256
Key = DSA-2048-224
@@ -285,6 +296,7 @@ Output = 00
Result = SIGNATURE_MISMATCH
# Test sign with a 2048 bit key with N == 256 is allowed in fips mode
+Availablein = none
FIPSversion = <3.4.0
DigestSign = SHA256
Key = DSA-2048-256
@@ -292,6 +304,7 @@ Input = "Hello"
Result = SIGNATURE_MISMATCH
# Test sign with a 3072 bit key with N == 256 is allowed in fips mode
+Availablein = none
FIPSversion = <3.4.0
DigestSign = SHA256
Key = DSA-3072-256
@@ -299,6 +312,7 @@ Input = "Hello"
Result = SIGNATURE_MISMATCH
# Test sign with a 2048 bit SHA3 is allowed in fips mode
+Availablein = none
FIPSversion = <3.4.0
DigestSign = SHA3-224
Key = DSA-2048-256
@@ -306,19 +320,21 @@ Input = "Hello"
Result = SIGNATURE_MISMATCH
# Test verify with a 1024 bit key is allowed in fips mode
+Availablein = default
DigestVerify = SHA256
Key = DSA-1024
Input = "Hello "
Output = 302c02142e32c8a5b0bd19b2ba33fd9c78aad3729dcb1b9e02142c006f7726a9d6833d414865b95167ea5f4f7713
# Test verify with SHA1 is allowed in fips mode
+Availablein = none
DigestVerify = SHA1
Key = DSA-1024
Input = "Hello "
Output = 302c0214602d21ed37e46051bb3d06cc002adddeb4cdb3bd02144f39f75587b286588862d06366b2f29bddaf8cf6
# Test verify with a 2048/160 bit key is allowed in fips mode
-FIPSversion = >3.1.1
+Availablein = default
DigestVerify = SHA256
Key = DSA-2048-160
Input = "Hello"
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index ece29485f4..756f90c1bd 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -107,7 +107,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content DER format, DSA key",
+ [ "signed content DER format, DSA key, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -115,7 +115,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed detached content DER format, DSA key",
+ [ "signed detached content DER format, DSA key, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed detached content DER format, add RSA signer (with DSA existing)",
+ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
@@ -135,7 +135,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming BER format, DSA key",
+ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
@@ -144,7 +144,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", $smrsa1,
@@ -157,7 +157,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-noattr", "-nodetach", "-stream",
"-signer", $smrsa1,
@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = (
\&zero_compare
],
- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -199,7 +199,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -265,7 +265,7 @@ if ($no_fips || $old_fips) {
my @smime_cms_tests = (
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-keyid",
"-signer", $smrsa1,
@@ -278,7 +278,7 @@ my @smime_cms_tests = (
\&final_compare
],
- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
--
2.49.0

402
0044-FIPS-140-3-keychecks.patch
View File

@ -1,402 +0,0 @@
From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 12:05:23 +0200
Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch
Patch-name: 0044-FIPS-140-3-keychecks.patch
Patch-id: 44
Patch-status: |
# Extra public/private key checks required by FIPS-140-3
---
crypto/dh/dh_key.c | 26 ++++++++++
.../implementations/exchange/ecdh_exch.c | 19 ++++++++
providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++-
providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
.../implementations/signature/ecdsa_sig.c | 37 +++++++++++++--
providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
6 files changed, 162 insertions(+), 9 deletions(-)
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 4e9705beef..83773cceea 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
BN_MONT_CTX *mont = NULL;
BIGNUM *z = NULL, *pminus1;
int ret = -1;
+#ifdef FIPS_MODULE
+ int validate = 0;
+#endif
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
return 0;
}
+#ifdef FIPS_MODULE
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
+ return 0;
+ }
+#endif
+
ctx = BN_CTX_new_ex(dh->libctx);
if (ctx == NULL)
goto err;
@@ -262,6 +272,9 @@ static int generate_key(DH *dh)
#endif
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+#ifdef FIPS_MODULE
+ int validate = 0;
+#endif
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
goto err;
+#ifdef FIPS_MODULE
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
+ goto err;
+ }
+#endif
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
+#ifdef FIPS_MODULE
+ if (ossl_dh_check_pairwise(dh) <= 0) {
+ abort();
+ }
+#endif
+
dh->dirty_cnt++;
ok = 1;
err:
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 43caedb6df..73873f9758 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
}
ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
+#ifdef FIPS_MODULE
+ {
+ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
+ int check = 0;
+
+ if (bn_ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+
+ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
+ BN_CTX_free(bn_ctx);
+
+ if (check <= 0) {
+ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
+ goto end;
+ }
+ }
+#endif
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index a37cbbdba8..bca3f3c674 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -989,8 +989,17 @@ struct ec_gen_ctx {
EC_GROUP *gen_group;
unsigned char *dhkem_ikm;
size_t dhkem_ikmlen;
+#ifdef FIPS_MODULE
+ void *ecdsa_sig_ctx;
+#endif
};
+#ifdef FIPS_MODULE
+void *ecdsa_newctx(void *provctx, const char *propq);
+void ecdsa_freectx(void *vctx);
+int do_ec_pct(void *, const char *, void *);
+#endif
+
static void *ec_gen_init(void *provctx, int selection,
const OSSL_PARAM params[])
{
@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection,
gctx = NULL;
}
}
+#ifdef FIPS_MODULE
+ if (gctx != NULL)
+ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
+#endif
return gctx;
}
@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (gctx->ecdh_mode != -1)
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
+#ifdef FIPS_MODULE
+ /* Pairwise consistency test */
+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
+ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
+ abort();
+#endif
if (gctx->group_check != NULL)
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx)
if (gctx == NULL)
return;
-
+#ifdef FIPS_MODULE
+ ecdsa_freectx(gctx->ecdsa_sig_ctx);
+ gctx->ecdsa_sig_ctx = NULL;
+#endif
OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen);
EC_GROUP_free(gctx->gen_group);
BN_free(gctx->p);
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 3ba12c4889..ff49f8fcd8 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
/* ACVP test parameters */
OSSL_PARAM *acvp_test_params;
+ void *prov_rsa_ctx;
#endif
};
@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
return gctx->cb(params, gctx->cbarg);
}
+#ifdef FIPS_MODULE
+void *rsa_newctx(void *provctx, const char *propq);
+void rsa_freectx(void *vctx);
+int do_rsa_pct(void *, const char *, void *);
+#endif
+
static void *gen_init(void *provctx, int selection, int rsa_type,
const OSSL_PARAM params[])
{
@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
if (!rsa_gen_set_params(gctx, params))
goto err;
+#ifdef FIPS_MODULE
+ if (gctx != NULL)
+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
+#endif
return gctx;
err:
@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
rsa = rsa_tmp;
rsa_tmp = NULL;
+#ifdef FIPS_MODULE
+ /* Pairwise consistency test */
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
+ abort();
+#endif
err:
BN_GENCB_free(gencb);
RSA_free(rsa_tmp);
@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx)
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
gctx->acvp_test_params = NULL;
+ rsa_freectx(gctx->prov_rsa_ctx);
+ gctx->prov_rsa_ctx = NULL;
#endif
BN_clear_free(gctx->pub_exp);
OPENSSL_free(gctx);
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 865d49d100..ebeb30e002 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -32,7 +32,7 @@
#include "crypto/ec.h"
#include "prov/der_ec.h"
-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
+OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
static OSSL_FUNC_signature_sign_fn ecdsa_sign;
@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
+OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
@@ -104,7 +104,7 @@ typedef struct {
unsigned int nonce_type;
} PROV_ECDSA_CTX;
-static void *ecdsa_newctx(void *provctx, const char *propq)
+void *ecdsa_newctx(void *provctx, const char *propq)
{
PROV_ECDSA_CTX *ctx;
@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
}
-static void ecdsa_freectx(void *vctx)
+void ecdsa_freectx(void *vctx)
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
return EVP_MD_settable_ctx_params(ctx->md);
}
+#ifdef FIPS_MODULE
+int do_ec_pct(void *vctx, const char *mdname, void *ec)
+{
+ static const unsigned char data[32];
+ unsigned char sigbuf[256];
+ size_t siglen = sizeof(sigbuf);
+
+ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
+ return 0;
+
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ return 0;
+
+ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
+ return 0;
+
+ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
+ return 0;
+
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ return 0;
+
+ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
+ return 0;
+
+ return 1;
+}
+#endif
+
const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index cd5de6bd51..d4261e8f7d 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -34,7 +34,7 @@
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
+OSSL_FUNC_signature_newctx_fn rsa_newctx;
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
+OSSL_FUNC_signature_freectx_fn rsa_freectx;
static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
return 1;
}
-static void *rsa_newctx(void *provctx, const char *propq)
+void *rsa_newctx(void *provctx, const char *propq)
{
PROV_RSA_CTX *prsactx = NULL;
char *propq_copy = NULL;
@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
}
-static void rsa_freectx(void *vprsactx)
+void rsa_freectx(void *vprsactx)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
return EVP_MD_settable_ctx_params(prsactx->md);
}
+#ifdef FIPS_MODULE
+int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
+{
+ static const unsigned char data[32];
+ unsigned char *sigbuf = NULL;
+ size_t siglen = 0;
+ int ret = 0;
+
+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
+ return 0;
+
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ return 0;
+
+ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
+ return 0;
+
+ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
+ return 0;
+
+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
+ goto err;
+
+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
+ goto err;
+
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ goto err;
+
+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
+ goto err;
+ ret = 1;
+
+ err:
+ OPENSSL_free(sigbuf);
+ return ret;
+}
+#endif
+
const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index e0d139d..35f23b2 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
rsa->dmp1 = NULL;
rsa->dmq1 = NULL;
rsa->iqmp = NULL;
+#ifdef FIPS_MODULE
+ abort();
+#endif /* defined(FIPS_MODULE) */
}
}
return ok;
--
2.41.0

174
0044-FIPS-NO-DES-support.patch Normal file
View File

@ -0,0 +1,174 @@
From 88abbb0a30dd2d990992c769eaad71f6c6764237 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:15:13 -0500
Subject: [PATCH 44/50] FIPS: NO DES support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/fipsprov.c | 3 ++-
providers/fips/self_test_data.inc | 5 ++++-
test/evp_libctx_test.c | 4 +++-
.../30-test_evp_data/evpciph_des3_common.txt | 13 ++++---------
test/recipes/30-test_evp_data/evpmac_cmac_des.txt | 10 ----------
test/recipes/80-test_cms.t | 2 +-
6 files changed, 14 insertions(+), 23 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 7999744b5a..30f0c8ca14 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -354,7 +354,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
ossl_cipher_capable_aes_cbc_hmac_sha256),
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
ossl_cipher_capable_aes_cbc_hmac_sha256),
-#ifndef OPENSSL_NO_DES
+/* We don't certify 3DES in our FIPS provider */
+#if 0 /* ifndef OPENSSL_NO_DES */
ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
#endif /* OPENSSL_NO_DES */
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 10ca473764..6a69e1687b 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -209,6 +209,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
/*- CIPHER TEST DATA */
/* DES3 test data */
+#if 0
static const unsigned char des_ede3_cbc_pt[] = {
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
@@ -229,7 +230,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
};
-
+#endif
/* AES-256 GCM test data */
static const unsigned char aes_256_gcm_key[] = {
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
@@ -315,6 +316,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
CIPHER_MODE_DECRYPT,
ITM(aes_128_ecb_key)
},
+#if 0
#ifndef OPENSSL_NO_DES
{
{
@@ -327,6 +329,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
ITM(tdes_key)
}
#endif
+#endif
};
static const char hkdf_digest[] = "SHA256";
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 2838f343bd..19dd2c6c63 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -831,7 +831,9 @@ int setup_tests(void)
ADD_TEST(kem_invalid_keytype);
#endif
#ifndef OPENSSL_NO_DES
- ADD_TEST(test_cipher_tdes_randkey);
+ if (strcmp(prov_name, "fips") != 0) {
+ ADD_TEST(test_cipher_tdes_randkey);
+ }
#endif
return 1;
}
diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
index 1947e21f74..119b75d9ce 100644
--- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
@@ -14,7 +14,7 @@
Title = DES3 Tests
# DES EDE3 CBC tests (from destest)
-FIPSversion = <3.4.0
+Availablein = default
Cipher = DES-EDE3-CBC
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
IV = fedcba9876543210
@@ -24,8 +24,7 @@ NextIV = 1c673812cfde9675
# DES EDE3 ECB test
# FIPS(3.0.0): has a bug in the IV length #17591
-FIPSversion = >3.0.0
-FIPSversion = <3.4.0
+Availablein = default
Cipher = DES-EDE3-ECB
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
@@ -42,7 +41,6 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2bae5e4e6a0094171abcfc27df2bfd40da9f4e4d
# Test that DES3 CBC mode encryption fails because it is not FIPS approved
Availablein = fips
-FIPSversion = >=3.4.0
Cipher = DES-EDE3-CBC
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
IV = fedcba9876543210
@@ -52,7 +50,6 @@ Result = CIPHERINIT_ERROR
# Test that DES3 EBC mode encryption fails because it is not FIPS approved
Availablein = fips
-FIPSversion = >=3.4.0
Cipher = DES-EDE3-ECB
Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
@@ -62,8 +59,7 @@ Result = CIPHERINIT_ERROR
Title = DES3 FIPS Indicator Tests
# Test that DES3 CBC mode encryption is not FIPS approved
-Availablein = fips
-FIPSversion = >=3.4.0
+Availablein = none
Cipher = DES-EDE3-CBC
Unapproved = 1
CtrlInit = encrypt-check:0
@@ -74,8 +70,7 @@ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
# Test that DES3 ECB mode encryption is not FIPS approved
-Availablein = fipss
-FIPSversion = >=3.4.0
+Availablein = none
Cipher = DES-EDE3-ECB
Operation = ENCRYPT
Unapproved = 1
diff --git a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
index a11e5ffe54..e4a7cbe75e 100644
--- a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
+++ b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
@@ -35,13 +35,3 @@ Algorithm = DES-EDE3-CBC
Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23
Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
Result = MAC_INIT_ERROR
-
-Availablein = fips
-FIPSversion = >=3.4.0
-MAC = CMAC
-Unapproved = 1
-Ctrl = encrypt-check:0
-Algorithm = DES-EDE3-CBC
-Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23
-Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
-Output = 8F49A1B7D6AA2258
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 756f90c1bd..ac833d2a2f 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -398,7 +398,7 @@ my @smime_cms_tests = (
\&final_compare
],
- [ "encrypted content test streaming PEM format, triple DES key",
+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
[ "{cmd1}", @defaultprov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "{output}.cms" ],
--
2.49.0

426
0045-FIPS-NO-Kmac.patch Normal file
View File

@ -0,0 +1,426 @@
From 77495dcfb162a588e9121305e798997c687862cd Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:22:07 -0500
Subject: [PATCH 45/50] FIPS: NO Kmac
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/fipsprov.c | 10 +-
providers/fips/self_test_data.inc | 4 +
test/recipes/30-test_evp.t | 2 +-
test/recipes/30-test_evp_data/evpkdf_hkdf.txt | 2 +-
.../30-test_evp_data/evpkdf_kbkdf_counter.txt | 2 +-
test/recipes/30-test_evp_data/evpkdf_ss.txt | 6 +-
.../30-test_evp_data/evpmac_common.txt | 100 ++++--------------
7 files changed, 40 insertions(+), 86 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 30f0c8ca14..00b7d1e2aa 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -293,10 +293,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
+ /* We don't certify KECCAK in our FIPS provider */
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
ossl_keccak_kmac_128_functions },
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
- ossl_keccak_kmac_256_functions },
+ ossl_keccak_kmac_256_functions }, */
{ NULL, NULL, NULL }
};
@@ -369,8 +370,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
#endif
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
+ /* We don't certify KMAC in our FIPS provider */
+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
{ NULL, NULL, NULL }
};
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 6a69e1687b..f3059a8446 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -544,6 +544,7 @@ static const ST_KAT_PARAM kbkdf_params[] = {
ST_KAT_PARAM_END()
};
+#if 0
static const char kbkdf_kmac_mac[] = "KMAC128";
static unsigned char kbkdf_kmac_label[] = {
0xB5, 0xB5, 0xF3, 0x71, 0x9F, 0xBE, 0x5B, 0x3D,
@@ -570,6 +571,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_INFO, kbkdf_kmac_context),
ST_KAT_PARAM_END()
};
+#endif
static const char tls13_kdf_digest[] = "SHA256";
static int tls13_kdf_extract_mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
@@ -660,12 +662,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] =
kbkdf_params,
ITM(kbkdf_expected)
},
+#if 0
{
OSSL_SELF_TEST_DESC_KDF_KBKDF_KMAC,
OSSL_KDF_NAME_KBKDF,
kbkdf_kmac_params,
ITM(kbkdf_kmac_expected)
},
+#endif
{
OSSL_SELF_TEST_DESC_KDF_HKDF,
OSSL_KDF_NAME_HKDF,
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 05a61c8abe..4f2e8277b5 100755
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -52,7 +52,6 @@ my @files = qw(
evpciph_des3_common.txt
evpkdf_hkdf.txt
evpkdf_kbkdf_counter.txt
- evpkdf_kbkdf_kmac.txt
evpkdf_pbkdf1.txt
evpkdf_pbkdf2.txt
evpkdf_ss.txt
@@ -144,6 +143,7 @@ my @defltfiles = qw(
evpkdf_scrypt.txt
evpkdf_tls11_prf.txt
evpkdf_hmac_drbg.txt
+ evpkdf_kbkdf_kmac.txt
evpmac_blake.txt
evpmac_poly1305.txt
evpmac_siphash.txt
diff --git a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt
index c617f2cc44..c5cbaf5840 100644
--- a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt
@@ -244,7 +244,7 @@ Ctrl.digest = digest:SHA1
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
Ctrl.salt = hexsalt:000102030405060708090a0b0c
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
-Result = KDF_CTRL_ERROR
+Result = KDF_DERIVE_ERROR
Reason = invalid key length
# Test that the key whose length is shorter than 112 bits is reported as
diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
index 67090f2112..bc87975449 100644
--- a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
@@ -1869,7 +1869,7 @@ Ctrl.use-separator = use-separator:0
Ctrl.r = r:8
Ctrl.hexkey = hexkey:0ef9
Ctrl.hexinfo = hexinfo:56ec
-Result = KDF_CTRL_ERROR
+Result = KDF_DERIVE_ERROR
Reason = invalid key length
Availablein = fips
diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt
index 07691ccf57..4503af711f 100644
--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt
@@ -1171,6 +1171,7 @@ Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96CB056DEBAEB6E5E706F99435257C
Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400
Output = 428979EA52175DC833C04215AC6B4BA89BA4FCAA0E0FA3B4E2C0E264C5746F0A5C788F2907A2C2B90719E396B35A14C4B583C51B9911125D34100FADDC4D94C0D936263CC1EF0B0D526E3891FE1F67BCB94DEA2525B84A8E7949A4CA34F36AEEC55099BF0EC5DE24B86428F4E6E6E23FE9AA443E2BDCF25A77ECD22BF758D554
+Availablein = default
KDF = SSKDF
Ctrl.mac = mac:KMAC-128
Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390ADBA9DFB291EE8C1920CB13452FDF851E0A6DBBB862FD8811F8CB29CDEC13591D8C047065FCD2
@@ -1209,7 +1210,7 @@ Ctrl.mac = mac:KMAC-128
Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390A
Ctrl.hexinfo = hexinfo:A2641090E75D5BDC0B23CCD49BB02DC63B41D3F38E0947D491DFDDC734A8582DF5C961EFE586378317AB7E5821DE3146EA26C823EE4FA48C22D7142E5BDEF50DE8BD9940E6E5AC58A6441DFCD9D5C8F6199D05BEBE1394C706F2354AC902EB5C4533EB00000400
Result = KDF_CTRL_ERROR
-Reason = invalid key length
+Reason = unsupported
Title = Secret length < 112 is not approved in FIPS
@@ -1246,6 +1247,8 @@ Ctrl.mac = mac:KMAC-128
Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390A
Ctrl.hexinfo = hexinfo:A2641090E75D5BDC0B23CCD49BB02DC63B41D3F38E0947D491DFDDC734A8582DF5C961EFE586378317AB7E5821DE3146EA26C823EE4FA48C22D7142E5BDEF50DE8BD9940E6E5AC58A6441DFCD9D5C8F6199D05BEBE1394C706F2354AC902EB5C4533EB00000400
Output = b160ca853957becf10f4edd06b24cff412b6ca85cff76490afb53ce2f81081ef
+Result = KDF_CTRL_ERROR
+Reason = unsupported
Title = Test Small salt is allowed
@@ -1257,6 +1260,7 @@ Ctrl.hexsalt = hexsalt:00
Ctrl.hexinfo = hexinfo:861aa2886798231259bd0314
Output = 02cfca07797566285b38982b86762abd
+Availablein = default
KDF = SSKDF
Ctrl.mac = mac:KMAC-128
Ctrl.hexsalt = hexsalt:00000000
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
index 831eecbac9..af92ceea98 100644
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -399,6 +399,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C
Result = MAC_INIT_ERROR
Reason = invalid mode
+Availablein = default
Title = KMAC Tests (From NIST)
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
@@ -409,12 +410,14 @@ Ctrl = xof:0
OutputSize = 32
BlockSize = 168
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
Custom = "My Tagged Application"
Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -422,6 +425,7 @@ Custom = "My Tagged Application"
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
Ctrl = size:32
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -430,12 +434,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
OutputSize = 64
BlockSize = 136
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
Custom = ""
Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -445,12 +451,14 @@ Ctrl = size:64
Title = KMAC XOF Tests (From NIST)
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
XOF = 1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -458,6 +466,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
XOF = 1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -466,6 +475,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
XOF = 1
Ctrl = size:32
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -473,6 +483,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
XOF = 1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -480,6 +491,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
XOF = 1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -490,6 +502,7 @@ XOF = 1
Title = KMAC long customisation string (from NIST ACVP)
+Availablein = default
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -500,12 +513,14 @@ XOF = 1
Title = KMAC XOF Tests via ctrl (From NIST)
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
Ctrl = xof:1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -513,6 +528,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
Ctrl = xof:1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -521,6 +537,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
Ctrl = xof:1
Ctrl = size:32
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -528,6 +545,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
Ctrl = xof:1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -535,6 +553,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
Ctrl = xof:1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -545,6 +564,7 @@ Ctrl = xof:1
Title = KMAC long customisation string via ctrl (from NIST ACVP)
+Availablein = default
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -555,6 +575,7 @@ Ctrl = xof:1
Title = KMAC long customisation string negative test
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -564,6 +585,7 @@ Reason = invalid custom length
Title = KMAC output is too large
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -572,81 +594,3 @@ Ctrl = size:2097152
Result = MAC_INIT_ERROR
Reason = invalid output length
-Title = KMAC output is too small in FIPS
-
-Availablein = fips
-FIPSversion = >=3.4.0
-MAC = KMAC256
-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-Output = 28c815
-Custom = "My Tagged Application"
-Unapproved = 1
-Ctrl = size:3
-Ctrl = no-short-mac:0
-
-Availablein = fips
-FIPSversion = >=3.4.0
-MAC = KMAC256
-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-Output = 28c815
-Custom = "My Tagged Application"
-Ctrl = size:3
-Result = MAC_INIT_ERROR
-Reason = invalid output length
-
-Availablein = fips
-FIPSversion = >=3.4.0
-MAC = KMAC256
-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-Output = 28c815
-Custom = "My Tagged Application"
-Ctrl = size:3
-Ctrl = no-short-mac:1
-Result = MAC_INIT_ERROR
-Reason = invalid output length
-
-# Old FIPS providers accept short output
-FIPSversion = <3.4.0
-MAC = KMAC256
-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-Output = 28c815
-Custom = "My Tagged Application"
-Ctrl = size:3
-
-# The default provider accepts short output
-Availablein = default
-MAC = KMAC256
-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-Output = 28c815
-Custom = "My Tagged Application"
-Ctrl = size:3
-
-Title = KMAC FIPS short key test
-
-# Test KMAC with key < 112 bits is not allowed
-Availablein = fips
-FIPSversion = >=3.4.0
-MAC = KMAC256
-Key = 404142434445464748494A4B4C
-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-Custom = ""
-Result = MAC_INIT_ERROR
-Reason = invalid key length
-
-Title = KMAC FIPS short key indicator test
-
-# Test KMAC with key < 112 bits is unapproved
-Availablein = fips
-FIPSversion = >=3.4.0
-MAC = KMAC256
-Unapproved = 1
-Ctrl = key-check:0
-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-Custom = ""
-Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
--
2.49.0

779
0045-FIPS-services-minimize.patch
View File

@ -1,779 +0,0 @@
From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch
Patch-name: 0045-FIPS-services-minimize.patch
Patch-id: 45
Patch-status: |
# # Minimize fips services
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
apps/ecparam.c | 7 +++
apps/req.c | 2 +-
providers/common/capabilities.c | 2 +-
providers/fips/fipsprov.c | 44 +++++++++++--------
providers/fips/self_test_data.inc | 9 +++-
providers/implementations/signature/rsa_sig.c | 26 +++++++++++
ssl/ssl_ciph.c | 3 ++
test/acvp_test.c | 2 +
test/endecode_test.c | 4 ++
test/evp_libctx_test.c | 9 +++-
test/recipes/15-test_gendsa.t | 2 +-
test/recipes/20-test_cli_fips.t | 3 +-
test/recipes/30-test_evp.t | 20 ++++-----
.../30-test_evp_data/evpmac_common.txt | 22 ++++++++++
test/recipes/80-test_cms.t | 22 +++++-----
test/recipes/80-test_ssl_old.t | 2 +-
16 files changed, 128 insertions(+), 51 deletions(-)
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 71f93c4ca5..347bf62d5c 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
const char *comment = curves[n].comment;
const char *sname = OBJ_nid2sn(curves[n].nid);
+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
+ continue;
+
if (comment == NULL)
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
diff --git a/apps/req.c b/apps/req.c
index 8995453dca..cb38e6aa64 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -268,7 +268,7 @@ int req_main(int argc, char **argv)
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
#ifndef OPENSSL_NO_DES
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
#endif
opt_set_unknown_name("digest");
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
index f7234615e4..0d4c0e3388 100644
--- a/providers/common/capabilities.c
+++ b/providers/common/capabilities.c
@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list[][10] = {
TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
-# endif
TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
+# endif
# ifndef FIPS_MODULE
TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 7ec409710b..ec5bdd5a69 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
+ /* We don't certify KECCAK in our FIPS provider */
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
ossl_keccak_kmac_128_functions },
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
- ossl_keccak_kmac_256_functions },
+ ossl_keccak_kmac_256_functions }, */
{ NULL, NULL, NULL }
};
@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
ossl_cipher_capable_aes_cbc_hmac_sha256),
#ifndef OPENSSL_NO_DES
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
+ /* We don't certify 3DES in our FIPS provider */
+ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
#endif /* OPENSSL_NO_DES */
{ { NULL, NULL, NULL }, NULL }
};
@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
#endif
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
+ /* We don't certify KMAC in our FIPS provider */
+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
{ NULL, NULL, NULL }
};
@@ -410,8 +413,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
# ifndef OPENSSL_NO_ECX
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
+ /* We don't certify Edwards curves in our FIPS provider */
+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
# endif
#endif
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
@@ -422,14 +426,16 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
static const OSSL_ALGORITHM fips_signature[] = {
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
#ifndef OPENSSL_NO_EC
# ifndef OPENSSL_NO_ECX
- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
+ /* We don't certify Edwards curves in our FIPS provider */
+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
ossl_ed25519_signature_functions },
- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
# endif
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
#endif
@@ -460,8 +466,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
- PROV_DESCS_DSA },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
+ PROV_DESCS_DSA }, */
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
PROV_DESCS_RSA },
@@ -471,14 +478,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
PROV_DESCS_EC },
# ifndef OPENSSL_NO_ECX
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
+ /* We don't certify Edwards curves in our FIPS provider */
+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
PROV_DESCS_X25519 },
{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
PROV_DESCS_X448 },
{ PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
PROV_DESCS_ED25519 },
{ PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
- PROV_DESCS_ED448 },
+ PROV_DESCS_ED448 }, */
# endif
#endif
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 2057378d3d..4b80bb70b9 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
/*- CIPHER TEST DATA */
/* DES3 test data */
+#if 0
static const unsigned char des_ede3_cbc_pt[] = {
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
};
-
+#endif
/* AES-256 GCM test data */
static const unsigned char aes_256_gcm_key[] = {
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = {
# endif /* OPENSSL_NO_EC2M */
#endif /* OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_DSA
/* dsa 2048 */
+#if 0
+#ifndef OPENSSL_NO_DSA
static const unsigned char dsa_p[] = {
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
ST_KAT_PARAM_END()
};
#endif /* OPENSSL_NO_DSA */
+#endif
/* Hash DRBG inputs for signature KATs */
static const unsigned char sig_kat_entropyin[] = {
@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
},
# endif
#endif /* OPENSSL_NO_EC */
+#if 0
#ifndef OPENSSL_NO_DSA
{
OSSL_SELF_TEST_DESC_SIGN_DSA,
@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
ITM(dsa_expected_sig)
},
#endif /* OPENSSL_NO_DSA */
+#endif
};
static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 22d93ead53..c1405f47ea 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -686,6 +686,19 @@ static int rsa_verify_recover(void *vprsactx,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
+# ifdef FIPS_MODULE
+ size_t rsabits = RSA_bits(prsactx->rsa);
+
+ if (rsabits < 2048) {
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ }
+# endif
if (!ossl_prov_is_running())
return 0;
@@ -774,6 +787,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
size_t rslen;
+# ifdef FIPS_MODULE
+ size_t rsabits = RSA_bits(prsactx->rsa);
+
+ if (rsabits < 2048) {
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ }
+# endif
if (!ossl_prov_is_running())
return 0;
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 33c23efb0d..113c204716 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
ctx->disabled_mkey_mask = 0;
ctx->disabled_auth_mask = 0;
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
+
/*
* We ignore any errors from the fetches below. They are expected to fail
* if these algorithms are not available.
diff --git a/test/acvp_test.c b/test/acvp_test.c
index 45509095af..4a67519bb4 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1478,6 +1478,7 @@ int setup_tests(void)
OSSL_NELEM(dh_safe_prime_keyver_data));
#endif /* OPENSSL_NO_DH */
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
#ifndef OPENSSL_NO_DSA
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
@@ -1485,6 +1486,7 @@ int setup_tests(void)
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
#endif /* OPENSSL_NO_DSA */
+#endif
#ifndef OPENSSL_NO_EC
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
diff --git a/test/endecode_test.c b/test/endecode_test.c
index b53b7b715b..885e49a47c 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -1419,6 +1419,7 @@ int setup_tests(void)
* so no legacy tests.
*/
#endif
+ if (is_fips == 0) {
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE(DSA);
ADD_TEST_SUITE_PARAMS(DSA);
@@ -1429,6 +1430,7 @@ int setup_tests(void)
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
# endif
#endif
+ }
#ifndef OPENSSL_NO_EC
ADD_TEST_SUITE(EC);
ADD_TEST_SUITE_PARAMS(EC);
@@ -1443,10 +1445,12 @@ int setup_tests(void)
ADD_TEST_SUITE(ECExplicitTri2G);
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
# endif
+ if (is_fips == 0) {
ADD_TEST_SUITE(ED25519);
ADD_TEST_SUITE(ED448);
ADD_TEST_SUITE(X25519);
ADD_TEST_SUITE(X448);
+ }
/*
* ED25519, ED448, X25519 and X448 have no support for
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 2448c35a14..a7913cda4c 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -21,6 +21,7 @@
*/
#include "internal/deprecated.h"
#include <assert.h>
+#include <string.h>
#include <openssl/evp.h>
#include <openssl/provider.h>
#include <openssl/dsa.h>
@@ -726,7 +727,9 @@ int setup_tests(void)
return 0;
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
+ if (strcmp(prov_name, "fips") != 0) {
+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
+ }
#endif
#ifndef OPENSSL_NO_DH
ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
@@ -746,7 +749,9 @@ int setup_tests(void)
ADD_TEST(kem_invalid_keytype);
#endif
#ifndef OPENSSL_NO_DES
- ADD_TEST(test_cipher_tdes_randkey);
+ if (strcmp(prov_name, "fips") != 0) {
+ ADD_TEST(test_cipher_tdes_randkey);
+ }
#endif
return 1;
}
diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
index 4bc460784b..93052eb3e7 100644
--- a/test/recipes/15-test_gendsa.t
+++ b/test/recipes/15-test_gendsa.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "This test is unsupported in a no-dsa build"
if disabled("dsa");
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1;
plan tests =>
($no_fips ? 0 : 2) # FIPS related tests
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
index d4b4d4ca51..031814e8ff 100644
--- a/test/recipes/20-test_cli_fips.t
+++ b/test/recipes/20-test_cli_fips.t
@@ -278,8 +278,7 @@ SKIP: {
}
SKIP : {
- skip "FIPS DSA tests because of no dsa in this build", 1
- if disabled("dsa");
+ skip "FIPS DSA tests because of no dsa in this build", 1;
subtest DSA => sub {
my $testtext_prefix = 'DSA';
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index eddca5c58e..36a192d041 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -46,10 +46,8 @@ my @files = qw(
evpciph_aes_cts.txt
evpciph_aes_wrap.txt
evpciph_aes_stitched.txt
- evpciph_des3_common.txt
evpkdf_hkdf.txt
evpkdf_kbkdf_counter.txt
- evpkdf_kbkdf_kmac.txt
evpkdf_pbkdf1.txt
evpkdf_pbkdf2.txt
evpkdf_ss.txt
@@ -69,15 +67,6 @@ push @files, qw(
evppkey_ffdhe.txt
evppkey_dh.txt
) unless $no_dh;
-push @files, qw(
- evpkdf_x942_des.txt
- evpmac_cmac_des.txt
- ) unless $no_des;
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
-push @files, qw(
- evppkey_ecx.txt
- evppkey_mismatch_ecx.txt
- ) unless $no_ecx;
push @files, qw(
evppkey_ecc.txt
evppkey_ecdh.txt
@@ -97,6 +86,7 @@ my @defltfiles = qw(
evpciph_cast5.txt
evpciph_chacha.txt
evpciph_des.txt
+ evpciph_des3_common.txt
evpciph_idea.txt
evpciph_rc2.txt
evpciph_rc4.txt
@@ -121,13 +111,19 @@ my @defltfiles = qw(
evpmd_whirlpool.txt
evppbe_scrypt.txt
evppbe_pkcs12.txt
+ evpkdf_kbkdf_kmac.txt
evppkey_kdf_scrypt.txt
evppkey_kdf_tls1_prf.txt
evppkey_rsa.txt
);
+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
+push @defltfiles, qw(
+ evpkdf_x942_des.txt
+ evpmac_cmac_des.txt
+ ) unless $no_des;
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
index e47023aae6..96a8febeef 100644
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C
Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
Result = MAC_INIT_ERROR
+Availablein = default
Title = KMAC Tests (From NIST)
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
@@ -373,12 +374,14 @@ Ctrl = xof:0
OutputSize = 32
BlockSize = 168
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
Custom = "My Tagged Application"
Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -386,6 +389,7 @@ Custom = "My Tagged Application"
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
Ctrl = size:32
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
OutputSize = 64
BlockSize = 136
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
Custom = ""
Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -409,12 +415,14 @@ Ctrl = size:64
Title = KMAC XOF Tests (From NIST)
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
XOF = 1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -422,6 +430,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
XOF = 1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
XOF = 1
Ctrl = size:32
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -437,6 +447,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
XOF = 1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -444,6 +455,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
XOF = 1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -454,6 +466,7 @@ XOF = 1
Title = KMAC long customisation string (from NIST ACVP)
+Availablein = default
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -464,12 +477,14 @@ XOF = 1
Title = KMAC XOF Tests via ctrl (From NIST)
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
Ctrl = xof:1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -477,6 +492,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
Ctrl = xof:1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
Ctrl = xof:1
Ctrl = size:32
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -492,6 +509,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
Ctrl = xof:1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -499,6 +517,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
Ctrl = xof:1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -509,6 +528,7 @@ Ctrl = xof:1
Title = KMAC long customisation string via ctrl (from NIST ACVP)
+Availablein = default
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -519,6 +539,7 @@ Ctrl = xof:1
Title = KMAC long customisation string negative test
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR
Title = KMAC output is too large
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 6a9792128b..4e368c730b 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content DER format, DSA key",
+ [ "signed content DER format, DSA key, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed detached content DER format, DSA key",
+ [ "signed detached content DER format, DSA key, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed detached content DER format, add RSA signer (with DSA existing)",
+ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming BER format, DSA key",
+ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", $smrsa1,
@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-noattr", "-nodetach", "-stream",
"-signer", $smrsa1,
@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = (
\&zero_compare
],
- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
my @smime_cms_tests = (
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-keyid",
"-signer", $smrsa1,
@@ -263,7 +263,7 @@ my @smime_cms_tests = (
\&final_compare
],
- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -373,7 +373,7 @@ my @smime_cms_tests = (
\&final_compare
],
- [ "encrypted content test streaming PEM format, triple DES key",
+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "{output}.cms" ],
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 50b74a1e29..e2dcb68fb5 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -436,7 +436,7 @@ sub testssl {
my @exkeys = ();
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
- if (!$no_dsa) {
+ if (!$no_dsa && $provider ne "fips") {
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
}
--
2.44.0

33
0046-FIPS-NO-PQ-ML-SLH-DSA.patch Normal file
View File

@ -0,0 +1,33 @@
From 5de6758ff6d27df266280e8df7f587d7deba6d92 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:24:36 -0500
Subject: [PATCH 46/50] FIPS: NO PQ (ML/SLH-DSA)
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/self_test_data.inc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index f3059a8446..9659f10613 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -3037,6 +3037,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
#endif /* OPENSSL_NO_DSA */
#endif
+#if 0
#ifndef OPENSSL_NO_ML_DSA
{
OSSL_SELF_TEST_DESC_SIGN_ML_DSA,
@@ -3081,6 +3082,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
slh_dsa_sig_params, slh_dsa_sig_params
},
#endif /* OPENSSL_NO_SLH_DSA */
+#endif
};
#if !defined(OPENSSL_NO_ML_DSA)
--
2.49.0

106
0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch Normal file
View File

@ -0,0 +1,106 @@
From 7996dc097918cf09350312d5ee04c727c3cd42ac Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 10 Mar 2025 13:52:50 -0400
Subject: [PATCH 47/50] FIPS: Fix some tests due to our versioning change
Signed-off-by: Simo Sorce <simo@redhat.com>
---
test/ssl-tests/13-fragmentation.cnf.in | 4 ++--
test/ssl-tests/17-renegotiate.cnf.in | 4 ++--
test/ssl-tests/18-dtls-renegotiate.cnf.in | 2 +-
test/ssl-tests/19-mac-then-encrypt.cnf.in | 2 +-
test/ssl-tests/20-cert-select.cnf.in | 6 +++---
5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/test/ssl-tests/13-fragmentation.cnf.in b/test/ssl-tests/13-fragmentation.cnf.in
index 318fd65960..87ec08ee5b 100644
--- a/test/ssl-tests/13-fragmentation.cnf.in
+++ b/test/ssl-tests/13-fragmentation.cnf.in
@@ -14,7 +14,7 @@ use warnings;
package ssltests;
-our $fips_3_4;
+our $fips_mode;
our @tests = (
# Default fragment size is 512.
@@ -273,4 +273,4 @@ my @tests_rsa = (
);
push @tests, @tests_rsa
- unless $fips_3_4;
+ unless $fips_mode;
diff --git a/test/ssl-tests/17-renegotiate.cnf.in b/test/ssl-tests/17-renegotiate.cnf.in
index 2812e4c38b..9cbd972eba 100644
--- a/test/ssl-tests/17-renegotiate.cnf.in
+++ b/test/ssl-tests/17-renegotiate.cnf.in
@@ -15,7 +15,7 @@ use warnings;
package ssltests;
use OpenSSL::Test::Utils;
-our $fips_3_4;
+our $fips_mode;
our @tests = (
{
@@ -318,5 +318,5 @@ our @tests_tls1_2 = (
}
);
-push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_3_4;
+push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_mode;
push @tests, @tests_tls1_2 unless disabled("tls1_2");
diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf.in b/test/ssl-tests/18-dtls-renegotiate.cnf.in
index 8996849a2c..415dc2978d 100644
--- a/test/ssl-tests/18-dtls-renegotiate.cnf.in
+++ b/test/ssl-tests/18-dtls-renegotiate.cnf.in
@@ -133,7 +133,7 @@ foreach my $sctp ("No", "Yes")
);
push @tests, @tests_basic;
- next if disabled("dtls1_2") || $fips_3_4;
+ next if disabled("dtls1_2") || $fips_mode;
our @tests_dtls1_2 = (
{
name => "renegotiate-aead-to-non-aead".$suffix,
diff --git a/test/ssl-tests/19-mac-then-encrypt.cnf.in b/test/ssl-tests/19-mac-then-encrypt.cnf.in
index 32bcec4be4..2f8a123c20 100644
--- a/test/ssl-tests/19-mac-then-encrypt.cnf.in
+++ b/test/ssl-tests/19-mac-then-encrypt.cnf.in
@@ -17,7 +17,7 @@ our $fips_mode;
our $fips_3_4;
# Nothing to test with newer fips providers
-return if $fips_3_4;
+return if $fips_mode;
our @tests = (
{
diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in
index af47842fd8..21c75033e8 100644
--- a/test/ssl-tests/20-cert-select.cnf.in
+++ b/test/ssl-tests/20-cert-select.cnf.in
@@ -266,7 +266,7 @@ our @tests = (
},
test => {
"ExpectedServerCertType" =>, "RSA",
- "ExpectedResult" => $fips_3_4 ? "ClientFail" : "Success"
+ "ExpectedResult" => $fips_mode ? "ClientFail" : "Success"
},
},
{
@@ -1005,8 +1005,8 @@ my @tests_dsa_tls_1_3 = (
);
if (!disabled("dsa")) {
- push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_3_4;
- push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
+ push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
+ push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3") || $fips_mode;
}
my @tests_mldsa_tls_1_3 = (
--
2.49.0

57
0047-FIPS-early-KATS.patch
View File

@ -1,57 +0,0 @@
From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 19 Oct 2023 13:12:40 +0200
Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch
Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
Patch-status: |
# # Execute KATS before HMAC verification
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
---
providers/fips/self_test.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index e3a629018a..3c09bd8638 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
+ /*
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
+ */
+ if (kats_already_passed == 0) {
+ if (!SELF_TEST_kats(ev, st->libctx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+ goto end;
+ }
+ }
+
if (st->module_checksum_data == NULL) {
module_checksum = fips_hmac_container;
checksum_len = sizeof(fips_hmac_container);
@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
}
}
- /*
- * Only runs the KAT's during installation OR on_demand().
- * NOTE: If the installation option 'self_test_onload' is chosen then this
- * path will always be run, since kats_already_passed will always be 0.
- */
- if (on_demand_test || kats_already_passed == 0) {
- if (!SELF_TEST_kats(ev, st->libctx)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
- goto end;
- }
- }
-
/* Verify that the RNG has been restored properly */
rng = ossl_rand_get0_private_noncreating(st->libctx);
if (rng != NULL)
--
2.41.0

106
0048-Current-Rebase-status.patch Normal file
View File

@ -0,0 +1,106 @@
From d2068b5ee18ccb9014bc49e71be49e467f1bf07f Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:25:47 -0500
Subject: [PATCH 48/50] Current Rebase status
Signed-off-by: Simo Sorce <simo@redhat.com>
---
REBASE.txt | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
diff --git a/REBASE.txt b/REBASE.txt
index 2833a383c1..c8f6c992a8 100644
--- a/REBASE.txt
+++ b/REBASE.txt
@@ -1,3 +1,6 @@
+REBASED on TOP of tagged openssl-3.5.0
+
+
0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
Some asym testing has been dropped upstream, unclear if this needs to survive,
@@ -8,3 +11,81 @@ if so we may need to resurrect deleted code in upstream patch:
fips: remove redundant RSA encrypt/decrypt KAT
--
+This does not apply cleanly and I can't figure out the original intent exactly
+to modify the existing code correctly.
+
+--
+0030-0075-FIPS-Use-FFDHE2048-in-self-test.patch.patch
+
+Unnecessary, upstream aleady change to use ffsh2048
+
+--
+0032-0077-FIPS-140-3-zeroization.patch.patch
+
+Unnecessary, but MUST define OPENSSL_PEDANTIC_ZEROIZATION to do the same
+
+--
+0048-Spec-cleanup.patch
+
+Not applied as I did not get in the initial patch that imports into packit
+--
+0049-0117-ignore-unknown-sigalgorithms-groups.patch.patch
+
+Unnecessary, already included in 3.5
+
+--
+0050-0118-no-crl-memleak.patch.patch
+
+Unnecessary, already included in 3.5
+
+--
+0051-0119-provider-sigalgs-in-signaturealgorithms-conf.pa.patch
+
+Unnecessary, already included in 3.5
+
+--
+
+Recheck
+======
+
+- Dropped: openssl speed - skip unavailable dgst
+
+- Dropped: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signa.patch
+
+- Dropped patch to disable ECX algorihms
+
+Needed build/spec changes
+====================
+
+Add -DOPENSSL_PEDANTIC_ZEROIZATION to ./Configure line
+This is needed for zeroizations required for FIPS
+
+Add -DREDHAT_FIPS_VENDOR for the module name
+
+Drop 0025-for-tests.patch from dist-git
+We now use a separate config file for tests and for install
+Copy rh-openssl.cnf over the openssl default conf file in the install section.
+
+Testing
+=======
+./Configure \
+ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
+ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
+ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
+ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
+ no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
+ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
+ -Wl,--allow-multiple-definition
+
+prefix=$HOME/tmp/openssl-rebase
+sysconfigdir=$prefix/etc
+fips="Rebase Testing"
+sslarch=linux-x86_64
+sslflags=enable-ec_nistp_64_gcc_128
+ktlsopt=enable-ktls
+
+Example Testing
+===============
+
+./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition
+
--
2.49.0

175
0049-FIPS-KDF-key-lenght-errors.patch Normal file
View File

@ -0,0 +1,175 @@
From f9fb76834b0c471d770463e5d7d70f1e2fca3237 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 14 Apr 2025 15:25:40 -0400
Subject: [PATCH 49/50] FIPS: KDF key lenght errors
Signed-off-by: Simo Sorce <simo@redhat.com>
---
test/recipes/30-test_evp_data/evpkdf_ss.txt | 8 ++++----
test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 6 +++---
test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt | 11 ++++++-----
test/recipes/30-test_evp_data/evpkdf_x942.txt | 3 +--
test/recipes/30-test_evp_data/evpkdf_x963.txt | 6 ++----
test/recipes/30-test_evp_data/evpmac_common.txt | 2 +-
test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt | 2 +-
7 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt
index 4503af711f..7ef2894ae6 100644
--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt
@@ -1189,8 +1189,8 @@ KDF = SSKDF
Ctrl.digest = digest:SHA1
Ctrl.hexsecret = hexsecret:d7e6
Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
-Result = KDF_CTRL_ERROR
-Reason = invalid key length
+Result = KDF_DERIVE_ERROR
+#Reason = invalid key length
Availablein = fips
FIPSversion = >=3.4.0
@@ -1200,8 +1200,8 @@ Ctrl.digest = digest:SHA224
Ctrl.salt = hexsalt:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96C
Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400
-Result = KDF_CTRL_ERROR
-Reason = invalid key length
+Result = KDF_DERIVE_ERROR
+#Reason = invalid key length
Availablein = fips
FIPSversion = >=3.4.0
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
index edb2e81273..d663e5e5a5 100644
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@@ -104,8 +104,8 @@ Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55
Ctrl.label = seed:extended master secret
Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
-Result = KDF_CTRL_ERROR
-Reason = digest not allowed
+Result = KDF_DERIVE_ERROR
+Reason = invalid key length
# Test that the operation with unapproved digest function is is reported as
# unapproved
@@ -131,7 +131,7 @@ Ctrl.Secret = hexsecret:0102030405060708090a0b
Ctrl.label = seed:extended master secret
Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
-Result = KDF_CTRL_ERROR
+Result = KDF_DERIVE_ERROR
Reason = invalid key length
# Test that the key whose length is shorter than 112 bits is reported as
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
index f2ea9ac44a..0f2f6e3904 100644
--- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
@@ -4963,7 +4963,7 @@ KDF = TLS13-KDF
Ctrl.mode = mode:EXTRACT_ONLY
Ctrl.digest = digest:SHA512-256
Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05
-Result = KDF_CTRL_ERROR
+Result = KDF_DERIVE_ERROR
# Test that the operation with unapproved digest function is is reported as
# unapproved
@@ -4985,20 +4985,21 @@ KDF = TLS13-KDF
Ctrl.mode = mode:EXTRACT_ONLY
Ctrl.digest = digest:SHA2-256
Ctrl.key = hexkey:0102030405060708090a0b
-Result = KDF_CTRL_ERROR
-Reason = invalid key length
+Result = KDF_DERIVE_ERROR
+Reason = wrong output buffer size
Availablein = fips
FIPSversion = >=3.4.0
KDF = TLS13-KDF
+Unapproved = 1
Ctrl.mode = mode:EXPAND_ONLY
Ctrl.digest = digest:SHA2-256
Ctrl.key = hexkey:0102030405060708090a0b
Ctrl.data = hexdata:7c92f68bd5bf3638ea338a6494722e1b44127e1b7e8aad535f2322a644ff22b3
Ctrl.prefix = hexprefix:746c73313320
Ctrl.label = hexlabel:6320652074726166666963
-Result = KDF_CTRL_ERROR
-Reason = invalid key length
+Result = KDF_MISMATCH
+#Reason = invalid key length
# Test that the key whose length is shorter than 112 bits is reported as
# unapproved
diff --git a/test/recipes/30-test_evp_data/evpkdf_x942.txt b/test/recipes/30-test_evp_data/evpkdf_x942.txt
index b1774592e9..6869fd0f20 100644
--- a/test/recipes/30-test_evp_data/evpkdf_x942.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt
@@ -124,11 +124,10 @@ Reason = xof digests not allowed
Availablein = fips
FIPSversion = >=3.4.0
KDF = X942KDF-ASN1
+Unapproved = 1
Ctrl.digest = digest:SHA256
Ctrl.hexsecret = hexsecret:6B
Ctrl.use-keybits = use-keybits:0
Ctrl.cekalg = cekalg:id-aes128-wrap
Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC
Output = C2E6A0978C24AF3932F478583ADBFB5F57D491822592EAD3C538875F46EB057A
-Result = KDF_CTRL_ERROR
-Reason = invalid key length
diff --git a/test/recipes/30-test_evp_data/evpkdf_x963.txt b/test/recipes/30-test_evp_data/evpkdf_x963.txt
index b8f3cff3d3..74524c4694 100644
--- a/test/recipes/30-test_evp_data/evpkdf_x963.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt
@@ -148,8 +148,7 @@ KDF = X963KDF
Ctrl.digest = digest:SHA1
Ctrl.hexsecret = hexsecret:fd17198b89ab39c4ab5d7cca363b82f9fd7e23c3984dc8a2
Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2
-Result = KDF_CTRL_ERROR
-Reason = digest not allowed
+Result = KDF_DERIVE_ERROR
# Test that the operation with unapproved digest function is is reported as
# unapproved
@@ -170,8 +169,7 @@ KDF = X963KDF
Ctrl.digest = digest:SHA224
Ctrl.hexsecret = hexsecret:0102030405060908090a0b
Ctrl.hexinfo = hexinfo:0102030405060708090a0b0c0d0e0f10
-Result = KDF_CTRL_ERROR
-Reason = invalid key length
+Result = KDF_DERIVE_ERROR
# Test that the key whose length is shorter than 112 bits is reported as
# unapproved
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
index af92ceea98..a1541bf226 100644
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -271,7 +271,7 @@ MAC = HMAC
Algorithm = SHA256
Input = "Test Input"
Key = 0001020304
-Result = MAC_INIT_ERROR
+Output = db70da6176d87813b059879ccc27bc53e295c6eca74db8bdc4e77d7e951d894b
Title = HMAC FIPS short key indicator test
diff --git a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
index 1fb2472001..93c07ede7c 100644
--- a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
+++ b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
@@ -216,7 +216,7 @@ Ctrl.digest = digest:SHA1
Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
Ctrl.salt = hexsalt:000102030405060708090a0b0c
Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
-Result = PKEY_CTRL_ERROR
+Result = KDF_DERIVE_ERROR
Reason = invalid key length
# Test that the key whose length is shorter than 112 bits is reported as
--
2.49.0

95
0050-FIPS-enable-pkcs12-mac.patch
View File

@ -1,95 +0,0 @@
diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c
--- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips 2022-02-21 12:35:24.829893907 +0100
+++ openssl-3.0.1/crypto/pkcs12/p12_key.c 2022-02-21 13:01:22.711622967 +0100
@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
EVP_KDF *kdf;
EVP_KDF_CTX *ctx;
OSSL_PARAM params[6], *p = params;
+ char *adjusted_propq = NULL;
if (n <= 0)
return 0;
- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
- if (kdf == NULL)
+ if (ossl_get_kernel_fips_flag()) {
+ const char *nofips = "-fips";
+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
+ strlen(nofips) + 1;
+ char *ptr = NULL;
+
+ adjusted_propq = OPENSSL_zalloc(len);
+ if (adjusted_propq != NULL) {
+ ptr = adjusted_propq;
+ if (propq) {
+ memcpy(ptr, propq, strlen(propq));
+ ptr += strlen(propq);
+ *ptr = ',';
+ ptr++;
+ }
+ memcpy(ptr, nofips, strlen(nofips));
+ }
+ }
+
+ kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
+ if (kdf == NULL) {
+ OPENSSL_free(adjusted_propq);
return 0;
+ }
ctx = EVP_KDF_CTX_new(kdf);
EVP_KDF_free(kdf);
- if (ctx == NULL)
+ if (ctx == NULL) {
+ OPENSSL_free(adjusted_propq);
return 0;
+ }
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
(char *)EVP_MD_get0_name(md_type),
@@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
} OSSL_TRACE_END(PKCS12_KEYGEN);
}
EVP_KDF_CTX_free(ctx);
+ OPENSSL_free(adjusted_propq);
return res;
}
diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c
--- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100
+++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100
@@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv)
}
if (macver) {
EVP_KDF *pkcs12kdf;
+ char *adjusted_propq = NULL;
+ const char *nofips = "-fips";
+ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
+ strlen(nofips) + 1;
+ char *ptr = NULL;
+
+ adjusted_propq = OPENSSL_zalloc(len);
+ if (adjusted_propq != NULL) {
+ ptr = adjusted_propq;
+ if (app_get0_propq()) {
+ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
+ ptr += strlen(app_get0_propq());
+ *ptr = ',';
+ ptr++;
+ }
+ memcpy(ptr, nofips, strlen(nofips));
+ }
pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
- app_get0_propq());
+ adjusted_propq ? adjusted_propq : app_get0_propq());
if (pkcs12kdf == NULL) {
BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
+ OPENSSL_free(adjusted_propq);
goto end;
}
EVP_KDF_free(pkcs12kdf);
+ OPENSSL_free(adjusted_propq);
/* If we enter empty password try no password first */
if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
/* If mac and crypto pass the same set it to NULL too */

51
0050-FIPS-fix-disallowed-digests-tests.patch Normal file
View File

@ -0,0 +1,51 @@
From 7dc0e5c5dbab91874602bbe73a3c0b627283ff64 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 15 Apr 2025 13:41:42 -0400
Subject: [PATCH 50/50] FIPS: fix disallowed digests tests
Signed-off-by: Simo Sorce <simo@redhat.com>
---
test/recipes/30-test_evp_data/evpkdf_ssh.txt | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/test/recipes/30-test_evp_data/evpkdf_ssh.txt b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
index 6688c217aa..8347f773e6 100644
--- a/test/recipes/30-test_evp_data/evpkdf_ssh.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
@@ -4894,13 +4894,14 @@ Title = FIPS indicator tests
Availablein = fips
FIPSversion = >=3.4.0
KDF = SSHKDF
+Unapproved = 1
Ctrl.digest = digest:SHA512-256
Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
Ctrl.type = type:A
-Result = KDF_CTRL_ERROR
-Reason = digest not allowed
+Result = KDF_MISMATCH
+#Reason = digest not allowed
# Test that the operation with unapproved digest function is is reported as
# unapproved
@@ -4920,13 +4921,14 @@ Output = d37ea221cbcc026d95e8c10b7d28a1b41e4ec1b497bae0e4cdbc1446e5bd59e2
Availablein = fips
FIPSversion = >=3.4.0
KDF = SSHKDF
+Unapproved = 1
Ctrl.digest = digest:SHA1
Ctrl.hexkey = hexkey:0102030405060708090a0b
Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
Ctrl.type = type:A
-Result = KDF_CTRL_ERROR
-Reason = invalid key length
+Result = KDF_MISMATCH
+#Reason = invalid key length
# Test that the key whose length is shorter than 112 bits is reported as
# unapproved
--
2.49.0

205
0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
View File

@ -1,205 +0,0 @@
From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Tue, 1 Mar 2022 15:44:18 +0100
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
References: rhbz#2055796
---
crypto/x509/x509_vfy.c | 19 ++++++++++-
doc/man5/config.pod | 7 +++-
ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++-------
test/recipes/25-test_verify.t | 7 ++--
4 files changed, 79 insertions(+), 18 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ff3ca83de6..a549c1c111 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@
#include <openssl/objects.h>
#include <openssl/core_names.h>
#include "internal/dane.h"
+#include "internal/sslconf.h"
#include "crypto/x509.h"
#include "x509_local.h"
@@ -3440,14 +3441,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
{
int secbits = -1;
int level = ctx->param->auth_level;
+ int nid;
+ OSSL_LIB_CTX *libctx = NULL;
if (level <= 0)
return 1;
if (level > NUM_AUTH_LEVELS)
level = NUM_AUTH_LEVELS;
- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
+ if (ctx->libctx)
+ libctx = ctx->libctx;
+ else if (cert->libctx)
+ libctx = cert->libctx;
+ else
+ libctx = OSSL_LIB_CTX_get0_global_default();
+
+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
return 0;
+ if (nid == NID_sha1
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ctx->param->auth_level < 3)
+ /* When rh-allow-sha1-signatures = yes and security level <= 2,
+ * explicitly allow SHA1 for backwards compatibility. */
+ return 1;
+
return secbits >= minbits_table[level - 1];
}
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index aa1be5ca7f..aa69e2b844 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -305,7 +305,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1
digest will fail. For compatibility with older versions of OpenSSL, set this
option to B<yes>. This setting also affects TLS, where signature algorithms
that use SHA1 as digest will no longer be supported if this option is set to
-B<no>.
+B<no>. Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
+algorithms that use SHA1 in security level 2, despite the definition of
+security level 2 of 112 bits of security, which SHA1 does not meet. Because
+TLS 1.1 or lower use MD5-SHA1 as pseudorandom function (PRF) to derive key
+material, disabling B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or
+newer.
=item B<fips_mode> (deprecated)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 4b74ee1a34..5f089de107 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -20,6 +20,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
+#include "crypto/x509.h"
#include "internal/sslconf.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
return 0;
}
- /*
- * Make sure security callback allows algorithm. For historical
- * reasons we have to pass the sigalg as a two byte char array.
- */
- sigalgstr[0] = (sig >> 8) & 0xff;
- sigalgstr[1] = sig & 0xff;
- secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
- if (secbits == 0 ||
- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
- md != NULL ? EVP_MD_get_type(md) : NID_undef,
- (void *)sigalgstr)) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
- return 0;
+
+ if (lu->hash == NID_sha1
+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
+ /* when rh-allow-sha1-signatures = yes and security level <= 2,
+ * explicitly allow SHA1 for backwards compatibility */
+ } else {
+ /*
+ * Make sure security callback allows algorithm. For historical
+ * reasons we have to pass the sigalg as a two byte char array.
+ */
+ sigalgstr[0] = (sig >> 8) & 0xff;
+ sigalgstr[1] = sig & 0xff;
+ secbits = sigalg_security_bits(s->session_ctx, lu);
+ if (secbits == 0 ||
+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+ md != NULL ? EVP_MD_get_type(md) : NID_undef,
+ (void *)sigalgstr)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
}
/* Store the sigalg the peer uses */
s->s3.tmp.peer_sigalg = lu;
@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
}
}
+ if (lu->hash == NID_sha1
+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
+ /* when rh-allow-sha1-signatures = yes and security level <= 2,
+ * explicitly allow SHA1 for backwards compatibility */
+ return 1;
+ }
+
/* Finally see if security callback allows it */
secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
{
/* Lookup signature algorithm digest */
int secbits, nid, pknid;
+ OSSL_LIB_CTX *libctx = NULL;
+
/* Don't check signature if self signed */
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
/* If digest NID not defined use signature NID */
if (nid == NID_undef)
nid = pknid;
+
+ if (x && x->libctx)
+ libctx = x->libctx;
+ else if (ctx && ctx->libctx)
+ libctx = ctx->libctx;
+ else if (s && s->session_ctx && s->session_ctx->libctx)
+ libctx = s->session_ctx->libctx;
+ else
+ libctx = OSSL_LIB_CTX_get0_global_default();
+
+ if (nid == NID_sha1
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3)
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
+ ))
+ /* When rh-allow-sha1-signatures = yes and security level <= 2,
+ * explicitly allow SHA1 for backwards compatibility. */
+ return 1;
+
if (s != NULL)
return ssl_security(s, op, secbits, nid, x);
else
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 700bbd849c..2de1d76b5e 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 193;
+plan tests => 192;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
- "Reject PSS signature using SHA1 and auth level 1");
+## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1
+#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
+# "Reject PSS signature using SHA1 and auth level 1");
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2");
--
2.35.1

53
0056-strcasecmp.patch
View File

@ -1,53 +0,0 @@
diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
+++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
#endif
}
-int OPENSSL_strcasecmp(const char *s1, const char *s2)
+int
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
+ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
+#endif
+OPENSSL_strcasecmp(const char *s1, const char *s2)
{
int t;
@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
return t;
}
-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
+int
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
+#endif
+OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
{
int t;
size_t i;
diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
+++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
s| .*||;
# Drop OpenSSL dynamic version information if there is any
s|\@\@.+$||;
+ s|\@.+$||;
# Return the result
$_
}

466
0062-fips-Expose-a-FIPS-indicator.patch
View File

@ -1,466 +0,0 @@
From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Tue, 7 Jun 2022 12:02:49 +0200
Subject: [PATCH] fips: Expose a FIPS indicator
FIPS 140-3 requires us to indicate whether an operation was using
approved services or not. The FIPS 140-3 implementation guidelines
provide two basic approaches to doing this: implicit indicators, and
explicit indicators.
Implicit indicators are basically the concept of "if the operation
passes, it was approved". We were originally aiming for implicit
indicators in our copy of OpenSSL. However, this proved to be a problem,
because we wanted to certify a signature service, and FIPS 140-3
requires that a signature service computes the digest to be signed
within the boundaries of the FIPS module. Since we were planning to
certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
would have to be blocked. Unfortunately, EVP_SignFinal uses
EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
FIPS module boundary. This means that using implicit indicators in
combination with certifying only fips.so would require us to block both
EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
by most users of OpenSSL for signatures.
EVP_DigestSign would be acceptable, but has only been added in 3.0 and
is thus not yet widely used.
As a consequence, we've decided to introduce explicit indicators so that
EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
FIPS-aware applications can query the explicit indicator to check
whether the operation was approved.
To avoid affecting the ABI and public API too much, this is implemented
as an exported symbol in fips.so and a private header, so applications
that wish to use this will have to dlopen(3) fips.so, locate the
function using dlsym(3), and then call it. These applications will have
to build against the private header in order to use the returned
pointer.
Modify util/mkdef.pl to support exposing a symbol only for a specific
provider identified by its name and path.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
doc/build.info | 6 ++
doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++
providers/fips/fipsprov.c | 71 +++++++++++++
providers/fips/indicator.h | 66 ++++++++++++
util/mkdef.pl | 25 ++++-
util/providers.num | 1 +
6 files changed, 322 insertions(+), 1 deletion(-)
create mode 100644 doc/man7/fips_module_indicators.pod
create mode 100644 providers/fips/indicator.h
diff --git a/doc/build.info b/doc/build.info
index b0aa4297a4..af235113bb 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod
GENERATE[html/man7/fips_module.html]=man7/fips_module.pod
DEPEND[man/man7/fips_module.7]=man7/fips_module.pod
GENERATE[man/man7/fips_module.7]=man7/fips_module.pod
+DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
+GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
+DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
+GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod
@@ -4631,6 +4635,7 @@ html/man7/ct.html \
html/man7/des_modes.html \
html/man7/evp.html \
html/man7/fips_module.html \
+html/man7/fips_module_indicators.html \
html/man7/life_cycle-cipher.html \
html/man7/life_cycle-digest.html \
html/man7/life_cycle-kdf.html \
@@ -4754,6 +4759,7 @@ man/man7/ct.7 \
man/man7/des_modes.7 \
man/man7/evp.7 \
man/man7/fips_module.7 \
+man/man7/fips_module_indicators.7 \
man/man7/life_cycle-cipher.7 \
man/man7/life_cycle-digest.7 \
man/man7/life_cycle-kdf.7 \
diff --git a/doc/man7/fips_module_indicators.pod b/doc/man7/fips_module_indicators.pod
new file mode 100644
index 0000000000..23db2b395c
--- /dev/null
+++ b/doc/man7/fips_module_indicators.pod
@@ -0,0 +1,154 @@
+=pod
+
+=head1 NAME
+
+fips_module_indicators - Red Hat OpenSSL FIPS module indicators guide
+
+=head1 DESCRIPTION
+
+This guide documents how the Red Hat Enterprise Linux 9 OpenSSL FIPS provider
+implements Approved Security Service Indicators according to the FIPS 140-3
+Implementation Guidelines, section 2.4.C. See
+L<https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>
+for the FIPS 140-3 Implementation Guidelines.
+
+For all approved services except signatures, the Red Hat OpenSSL FIPS provider
+uses the return code as the indicator as understood by FIPS 140-3. That means
+that every operation that succeeds denotes use of an approved security service.
+Operations that do not succeed may not have been approved security services, or
+may have been used incorrectly.
+
+For signatures, an explicit indicator API is available to determine whether
+a selected operation is an approved security service, in combination with the
+return code of the operation. For a signature operation to be approved, the
+explicit indicator must claim it as approved, and it must succeed.
+
+=head2 Querying the explicit indicator
+
+The Red Hat OpenSSL FIPS provider exports a symbol named
+I<redhat_ossl_query_fipsindicator> that provides information on which signature
+operations are approved security functions. To use this function, either link
+against I<fips.so> directly, or load it at runtime using dlopen(3) and
+dlsym(3).
+
+ #include <openssl/core_dispatch.h>
+ #include "providers/fips/indicator.h"
+
+ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY);
+ if (provider == NULL) {
+ fprintf(stderr, "%s\n", dlerror());
+ // handle error
+ }
+
+ const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int) \
+ = dlsym(provider, "redhat_ossl_query_fipsindicator");
+ if (redhat_ossl_query_fipsindicator == NULL) {
+ fprintf(stderr, "%s\n", dlerror());
+ fprintf(stderr, "Does your copy of fips.so have the required Red Hat"
+ " patches?\n");
+ // handle error
+ }
+
+Note that this uses the I<providers/fips/indicator.h> header, which is not
+public. Install the I<openssl-debugsource> package from the I<BaseOS-debuginfo>
+repository using I<dnf debuginfo-install openssl> and include
+I</usr/src/debug/openssl-3.*/> in the compiler's include path.
+
+I<redhat_ossl_query_fipsindicator> expects an operation ID as its only
+argument. Currently, the only supported operation ID is I<OSSL_OP_SIGNATURE> to
+obtain the indicators for signature operations. On success, the return value is
+a pointer to an array of I<OSSL_RH_FIPSINDICATOR_STRUCT>s. On failure, NULL is
+returned. The last entry in the array is indicated by I<algorithm_names> being
+NULL.
+
+ typedef struct ossl_rh_fipsindicator_algorithm_st {
+ const char *algorithm_names; /* key */
+ const char *property_definition; /* key */
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
+ } OSSL_RH_FIPSINDICATOR_ALGORITHM;
+
+ typedef struct ossl_rh_fipsindicator_dispatch_st {
+ int function_id;
+ int approved;
+ } OSSL_RH_FIPSINDICATOR_DISPATCH;
+
+The I<algorithm_names> field is a colon-separated list of algorithm names from
+one of the I<PROV_NAMES_...> constants, e.g., I<PROV_NAMES_RSA>. strtok(3) can
+be used to locate the appropriate entry. See the example below, where
+I<algorithm> contains the algorithm name to search for:
+
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL;
+ const OSSL_RH_FIPSINDICATOR_ALGORITHM *indicator =
+ redhat_ossl_query_fipsindicator(operation_id);
+ if (indicator == NULL) {
+ fprintf(stderr, "No indicator for operation, probably using implicit"
+ " indicators.\n");
+ // handle error
+ }
+
+ for (; indicator->algorithm_names != NULL; ++indicator) {
+ char *algorithm_names = strdup(indicator->algorithm_names);
+ if (algorithm_names == NULL) {
+ perror("strdup(3)");
+ // handle error
+ }
+
+ const char *algorithm_name = strtok(algorithm_names, ":");
+ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) {
+ if (strcasecmp(algorithm_name, algorithm) == 0) {
+ indicator_dispatch = indicator->indicators;
+ free(algorithm_names);
+ algorithm_names = NULL;
+ break;
+ }
+ }
+ free(algorithm_names);
+ }
+ if (indicator_dispatch == NULL) {
+ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm);
+ // handle error
+ }
+
+If an appropriate I<OSSL_RH_FIPSINDICATOR_DISPATCH> array is available for the
+given algorithm name, it maps function IDs to their approval status. The last
+entry is indicated by a zero I<function_id>. I<approved> is
+I<OSSL_RH_FIPSINDICATOR_APPROVED> if the operation is an approved security
+service, or part of an approved security service, or
+I<OSSL_RH_FIPSINDICATOR_UNAPPROVED> otherwise. Any other value is invalid.
+Function IDs are I<OSSL_FUNC_*> constants from I<openssl/core_dispatch.h>,
+e.g., I<OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE> or I<OSSL_FUNC_SIGNATURE_SIGN>.
+
+Assuming I<function_id> is the function in question, the following code can be
+used to query the approval status:
+
+ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) {
+ if (indicator_dispatch->function_id == function_id) {
+ switch (indicator_dispatch->approved) {
+ case OSSL_RH_FIPSINDICATOR_APPROVED:
+ // approved security service
+ break;
+ case OSSL_RH_FIPSINDICATOR_UNAPPROVED:
+ // unapproved security service
+ break;
+ default:
+ // invalid result
+ break;
+ }
+ break;
+ }
+ }
+
+=head1 SEE ALSO
+
+L<fips_module(7)>, L<provider(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2022 Red Hat, Inc. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index de391ce067..1cfd71c5cf 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -23,6 +23,7 @@
#include "self_test.h"
#include "crypto/context.h"
#include "internal/core.h"
+#include "indicator.h"
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
@@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = {
{ NULL, NULL, NULL }
};
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_rsa_signature_indicators[] = {
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
+};
+
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_ecdsa_signature_indicators[] = {
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
+};
+
+static const OSSL_RH_FIPSINDICATOR_ALGORITHM redhat_indicator_fips_signature[] = {
+ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES,
+ redhat_rsa_signature_indicators },
+#ifndef OPENSSL_NO_EC
+ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES,
+ redhat_ecdsa_signature_indicators },
+#endif
+ { NULL, NULL, NULL }
+};
+
static const OSSL_ALGORITHM fips_asym_cipher[] = {
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
{ NULL, NULL, NULL }
@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) {
return NULL;
}
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) {
+ switch (operation_id) {
+ case OSSL_OP_SIGNATURE:
+ return redhat_indicator_fips_signature;
+ }
+ return NULL;
+}
+
static void fips_teardown(void *provctx)
{
OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
diff --git a/providers/fips/indicator.h b/providers/fips/indicator.h
new file mode 100644
index 0000000000..b323efe44c
--- /dev/null
+++ b/providers/fips/indicator.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_FIPS_INDICATOR_H
+# define OPENSSL_FIPS_INDICATOR_H
+# pragma once
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# define OSSL_RH_FIPSINDICATOR_UNAPPROVED (0)
+# define OSSL_RH_FIPSINDICATOR_APPROVED (1)
+
+/*
+ * FIPS indicator dispatch table element. function_id numbers and the
+ * functions are defined in core_dispatch.h, see macros with
+ * 'OSSL_CORE_MAKE_FUNC' in their names.
+ *
+ * An array of these is always terminated by function_id == 0
+ */
+typedef struct ossl_rh_fipsindicator_dispatch_st {
+ int function_id;
+ int approved;
+} OSSL_RH_FIPSINDICATOR_DISPATCH;
+
+/*
+ * Type to tie together algorithm names, property definition string and the
+ * algorithm implementation's FIPS indicator status in the form of a FIPS
+ * indicator dispatch table.
+ *
+ * An array of these is always terminated by algorithm_names == NULL
+ */
+typedef struct ossl_rh_fipsindicator_algorithm_st {
+ const char *algorithm_names; /* key */
+ const char *property_definition; /* key */
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
+} OSSL_RH_FIPSINDICATOR_ALGORITHM;
+
+/**
+ * Query FIPS indicator status for the given operation. Possible values for
+ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms
+ * use implicit indicators. The return value is an array of
+ * OSSL_RH_FIPSINDICATOR_ALGORITHMs, terminated by an entry with
+ * algorithm_names == NULL. 'algorithm_names' is a colon-separated list of
+ * algorithm names, 'property_definition' a comma-separated list of properties,
+ * and 'indicators' is a list of OSSL_RH_FIPSINDICATOR_DISPATCH structs. This
+ * list is terminated by function_id == 0. 'function_id' is one of the
+ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL.
+ *
+ * If there is no entry in the returned struct for the given operation_id,
+ * algorithm name, or function_id, the algorithm is unapproved.
+ */
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id);
+
+# ifdef __cplusplus
+}
+# endif
+
+#endif
diff --git a/util/mkdef.pl b/util/mkdef.pl
index a1c76f7c97..eda39b71ee 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -149,7 +149,8 @@ $ordinal_opts{filter} =
return
$item->exists()
&& platform_filter($item)
- && feature_filter($item);
+ && feature_filter($item)
+ && fips_filter($item, $name);
};
my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);
@@ -205,6 +206,28 @@ sub feature_filter {
return $verdict;
}
+sub fips_filter {
+ my $item = shift;
+ my $name = uc(shift);
+ my @features = ( $item->features() );
+
+ # True if no features are defined
+ return 1 if scalar @features == 0;
+
+ my @matches = grep(/^ONLY_.*$/, @features);
+ if (@matches) {
+ # There is at least one only_* flag on this symbol, check if any of
+ # them match the name
+ for (@matches) {
+ if ($_ eq "ONLY_${name}") {
+ return 1;
+ }
+ }
+ return 0;
+ }
+ return 1;
+}
+
sub sorter_unix {
my $by_name = OpenSSL::Ordinals::by_name();
my %weight = (
diff --git a/util/providers.num b/util/providers.num
index 4e2fa81b98..77879d0e5f 100644
--- a/util/providers.num
+++ b/util/providers.num
@@ -1 +1,2 @@
OSSL_provider_init 1 * EXIST::FUNCTION:
+redhat_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS
--
2.35.3

371
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
View File

@ -1,371 +0,0 @@
From 4a2239bd7d444c30c55b20ea8b4aeadafdfe1afd Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 22 Jul 2022 13:59:37 +0200
Subject: [PATCH] FIPS: Use OAEP in KATs, support fixed OAEP seed
Review by our lab for FIPS 140-3 certification expects the RSA
encryption and decryption tests to use a supported padding mode, not raw
RSA signatures. Switch to RSA-OAEP for the self tests to fulfill that.
The FIPS 140-3 Implementation Guidance specifies in section 10.3.A
"Cryptographic Algorithm Self-Test Requirements" that a self-test may be
a known-answer test, a comparison test, or a fault-detection test.
Comparison tests are not an option, because they would require
a separate implementation of RSA-OAEP, which we do not have. Fault
detection tests require implementing fault detection mechanisms into the
cryptographic algorithm implementation, we we also do not have.
As a consequence, a known-answer test must be used to test RSA
encryption and decryption, but RSA encryption with OAEP padding is not
deterministic, and thus encryption will always yield different results
that could not be compared to known answers. For this reason, this
change explicitly sets the seed in OAEP (see RFC 8017 section 7.1.1),
which is the source of randomness for RSA-OAEP, to a fixed value. This
setting is only available during self-test execution, and the parameter
set using EVP_PKEY_CTX_set_params() will be ignored otherwise.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
crypto/rsa/rsa_local.h | 8 ++
crypto/rsa/rsa_oaep.c | 34 ++++++--
providers/fips/self_test_data.inc | 83 +++++++++++--------
providers/fips/self_test_kats.c | 7 ++
.../implementations/asymciphers/rsa_enc.c | 41 +++++++++-
util/perl/OpenSSL/paramnames.pm | 1 +
6 files changed, 126 insertions(+), 44 deletions(-)
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
index ea70da05ad..dde57a1a0e 100644
--- a/crypto/rsa/rsa_local.h
+++ b/crypto/rsa/rsa_local.h
@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to
int tlen, const unsigned char *from,
int flen);
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from, int flen,
+ const unsigned char *param,
+ int plen, const EVP_MD *md,
+ const EVP_MD *mgf1md,
+ const char *redhat_st_seed);
+
#endif /* OSSL_CRYPTO_RSA_LOCAL_H */
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index d9be1a4f98..b2f7f7dc4b 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
param, plen, NULL, NULL);
}
+#ifdef FIPS_MODULE
+extern int REDHAT_FIPS_asym_cipher_st;
+#endif /* FIPS_MODULE */
+
/*
* Perform the padding as per NIST 800-56B 7.2.2.3
* from (K) is the key material.
@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
* Step numbers are included here but not in the constant time inverse below
* to avoid complicating an already difficult enough function.
*/
-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
- unsigned char *to, int tlen,
- const unsigned char *from, int flen,
- const unsigned char *param,
- int plen, const EVP_MD *md,
- const EVP_MD *mgf1md)
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from, int flen,
+ const unsigned char *param,
+ int plen, const EVP_MD *md,
+ const EVP_MD *mgf1md,
+ const char *redhat_st_seed)
{
int rv = 0;
int i, emlen = tlen - 1;
@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
db[emlen - flen - mdlen - 1] = 0x01;
memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
/* step 3d: generate random byte string */
+#ifdef FIPS_MODULE
+ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
+ memcpy(seed, redhat_st_seed, mdlen);
+ } else
+#endif
if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
goto err;
@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
return rv;
}
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from, int flen,
+ const unsigned char *param,
+ int plen, const EVP_MD *md,
+ const EVP_MD *mgf1md)
+{
+ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from,
+ flen, param, plen, md,
+ mgf1md, NULL);
+}
+
int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
const unsigned char *from, int flen,
const unsigned char *param, int plen,
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 4e30ec56dd..0103c87528 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -1294,15 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
ST_KAT_PARAM_END()
};
-/*-
- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
- * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
- * HP/UX PA-RISC compilers.
- */
-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
-
+/*-
+ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
+ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
+ * HP/UX PA-RISC compilers.
+ */
+static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
+static const char oaep_fixed_seed[] = {
+ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
+ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
+ 0x2e, 0x4b, 0x2c, 0xe6
+};
+
static const ST_KAT_PARAM rsa_enc_params[] = {
- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
+ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
+ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED,
+ oaep_fixed_seed),
ST_KAT_PARAM_END()
};
@@ -1335,43 +1348,43 @@ static const unsigned char rsa_expected_sig[256] = {
0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
};
-static const unsigned char rsa_asym_plaintext_encrypt[256] = {
+static const unsigned char rsa_asym_plaintext_encrypt[208] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
};
static const unsigned char rsa_asym_expected_encrypt[256] = {
- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b,
- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61,
- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c,
- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc,
- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0,
- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa,
- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a,
- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc,
- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35,
- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a,
- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd,
- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda,
- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18,
- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7,
- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39,
- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87,
- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21,
- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0,
- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8,
- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c,
- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa,
- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69,
- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52,
- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c,
- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6,
- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93,
- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d,
- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5,
- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9,
- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04,
- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa,
- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab,
+ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74,
+ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c,
+ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e,
+ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b,
+ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25,
+ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89,
+ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1,
+ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50,
+ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17,
+ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2,
+ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb,
+ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d,
+ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e,
+ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f,
+ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3,
+ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06,
+ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25,
+ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78,
+ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04,
+ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c,
+ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47,
+ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce,
+ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0,
+ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6,
+ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99,
+ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30,
+ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20,
+ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb,
+ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27,
+ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66,
+ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a,
+ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06
};
#ifndef OPENSSL_NO_EC
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 064794d9bf..b6d5e8e134 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -647,14 +647,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
return ret;
}
+int REDHAT_FIPS_asym_cipher_st = 0;
+
static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
{
int i, ret = 1;
+ REDHAT_FIPS_asym_cipher_st = 1;
+
for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
ret = 0;
}
+
+ REDHAT_FIPS_asym_cipher_st = 0;
+
return ret;
}
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 00cf65fcd6..83be3d8ede 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -30,6 +30,9 @@
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/securitycheck.h"
+#ifdef FIPS_MODULE
+# include "crypto/rsa/rsa_local.h"
+#endif
#include <stdlib.h>
@@ -75,6 +78,9 @@ typedef struct {
/* TLS padding */
unsigned int client_version;
unsigned int alt_version;
+#ifdef FIPS_MODULE
+ char *redhat_st_oaep_seed;
+#endif /* FIPS_MODULE */
/* PKCS#1 v1.5 decryption mode */
unsigned int implicit_rejection;
} PROV_RSA_CTX;
@@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
}
}
ret =
- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
+#ifdef FIPS_MODULE
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(
+#else
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(
+#endif
+ prsactx->libctx, tbuf,
rsasize, in, inlen,
prsactx->oaep_label,
prsactx->oaep_labellen,
prsactx->oaep_md,
- prsactx->mgf1_md);
+ prsactx->mgf1_md
+#ifdef FIPS_MODULE
+ , prsactx->redhat_st_oaep_seed
+#endif
+ );
if (!ret) {
OPENSSL_free(tbuf);
@@ -326,6 +341,9 @@ static void rsa_freectx(void *vprsactx)
EVP_MD_free(prsactx->oaep_md);
EVP_MD_free(prsactx->mgf1_md);
OPENSSL_free(prsactx->oaep_label);
+#ifdef FIPS_MODULE
+ OPENSSL_free(prsactx->redhat_st_oaep_seed);
+#endif /* FIPS_MODULE */
OPENSSL_free(prsactx);
}
@@ -445,6 +463,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
NULL, 0),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
+#endif /* FIPS_MODULE */
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
OSSL_PARAM_END
};
@@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
return known_gettable_ctx_params;
}
+#ifdef FIPS_MODULE
+extern int REDHAT_FIPS_asym_cipher_st;
+#endif /* FIPS_MODULE */
+
static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
@@ -563,6 +588,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->oaep_labellen = tmp_labellen;
}
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED);
+ if (p != NULL && REDHAT_FIPS_asym_cipher_st) {
+ void *tmp_oaep_seed = NULL;
+
+ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL))
+ return 0;
+ OPENSSL_free(prsactx->redhat_st_oaep_seed);
+ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed;
+ }
+#endif /* FIPS_MODULE */
+
p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
if (p != NULL) {
unsigned int client_version;
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index c37ed7815f..70f7c50fe4 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -401,6 +401,7 @@ my %params = (
'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version",
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
+ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
# Encoder / decoder parameters
--
2.37.1

317
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
View File

@ -1,317 +0,0 @@
From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 28/49]
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
Patch-id: 74
Patch-status: |
# [PATCH 29/46]
# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++-----
providers/fips/self_test_kats.c | 43 +++++++++++++++-----------
2 files changed, 73 insertions(+), 24 deletions(-)
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index fd3a4b79df..3e9f33c26c 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
return 0;
}
+#endif /* !defined(FIPS_MODULE) */
/*
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
reinit = 0;
if (e == NULL)
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
+#ifndef FIPS_MODULE
else
ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
+#endif /* !defined(FIPS_MODULE) */
}
if (ctx->pctx == NULL)
return 0;
@@ -136,8 +139,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
locpctx = ctx->pctx;
ERR_set_mark();
+#ifndef FIPS_MODULE
if (evp_pkey_ctx_is_legacy(locpctx))
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
/* do not reinitialize if pkey is set or operation is different */
if (reinit
@@ -222,8 +227,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
signature =
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
supported_sig, locpctx->propquery);
+#ifndef FIPS_MODULE
if (signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
break;
}
if (signature == NULL)
@@ -307,6 +314,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
if (ctx->fetched_digest != NULL) {
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
+#ifndef FIPS_MODULE
} else {
/* legacy engine support : remove the mark when this is deleted */
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
@@ -315,11 +323,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err;
}
+#endif /* !defined(FIPS_MODULE) */
}
(void)ERR_pop_to_mark();
}
}
+#ifndef FIPS_MODULE
if (ctx->reqdigest != NULL
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
@@ -331,6 +341,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
goto err;
}
}
+#endif /* !defined(FIPS_MODULE) */
if (ver) {
if (signature->digest_verify_init == NULL) {
@@ -363,6 +374,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
EVP_KEYMGMT_free(tmp_keymgmt);
return 0;
+#ifndef FIPS_MODULE
legacy:
/*
* If we don't have the full support we need with provided methods,
@@ -434,6 +446,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ctx->pctx->flag_call_digest_custom = 1;
ret = 1;
+#endif /* !defined(FIPS_MODULE) */
end:
#ifndef FIPS_MODULE
@@ -476,7 +489,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
NULL);
}
-#endif /* FIPS_MDOE */
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
{
@@ -548,24 +560,31 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
return EVP_DigestUpdate(ctx, data, dsize);
}
-#ifndef FIPS_MODULE
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
size_t *siglen)
{
- int sctx = 0, r = 0;
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
+ int r = 0;
+#ifndef FIPS_MODULE
+ int sctx = 0;
+ EVP_PKEY_CTX *dctx = NULL;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
+
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
}
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
|| pctx->op.sig.algctx == NULL
|| pctx->op.sig.signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
dctx = EVP_PKEY_CTX_dup(pctx);
@@ -580,7 +599,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
else
EVP_PKEY_CTX_free(dctx);
return r;
+#else
+ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
+ sigret, siglen,
+ sigret == NULL ? 0 : *siglen);
+ return r;
+#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -653,6 +679,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
}
}
return 1;
+#endif /* !defined(FIPS_MODULE) */
}
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
@@ -691,23 +718,30 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
size_t siglen)
{
- unsigned char md[EVP_MAX_MD_SIZE];
int r = 0;
+#ifndef FIPS_MODULE
+ unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen = 0;
int vctx = 0;
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
+ EVP_PKEY_CTX *dctx = NULL;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
+
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
}
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
|| pctx->op.sig.algctx == NULL
|| pctx->op.sig.signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
dctx = EVP_PKEY_CTX_dup(pctx);
@@ -721,7 +755,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
else
EVP_PKEY_CTX_free(dctx);
return r;
+#else
+ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
+ sig, siglen);
+ return r;
+#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -762,6 +802,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
if (vctx || !r)
return r;
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
+#endif /* !defined(FIPS_MODULE) */
}
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
@@ -794,4 +835,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
return -1;
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
}
-#endif /* FIPS_MODULE */
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 4ea10670c0..5eb27c8ed2 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,
int ret = 0;
OSSL_PARAM *params = NULL, *params_sig = NULL;
OSSL_PARAM_BLD *bld = NULL;
+ EVP_MD *md = NULL;
+ EVP_MD_CTX *ctx = NULL;
EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
EVP_PKEY *pkey = NULL;
- unsigned char sig[256];
BN_CTX *bnctx = NULL;
+ const char *msg = "Hello World!";
+ unsigned char sig[256];
size_t siglen = sizeof(sig);
static const unsigned char dgst[] = {
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
goto err;
- /* Create a EVP_PKEY_CTX to use for the signing operation */
- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
- if (sctx == NULL
- || EVP_PKEY_sign_init(sctx) <= 0)
- goto err;
-
- /* set signature parameters */
- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
- t->mdalgorithm,
- strlen(t->mdalgorithm) + 1))
- goto err;
+ /* Create a EVP_MD_CTX to use for the signature operation, assign signature
+ * parameters and sign */
params_sig = OSSL_PARAM_BLD_to_param(bld);
- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
+ md = EVP_MD_fetch(libctx, "SHA256", NULL);
+ ctx = EVP_MD_CTX_new();
+ if (md == NULL || ctx == NULL)
+ goto err;
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
+ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
+ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
+ || EVP_MD_CTX_reset(ctx) <= 0)
goto err;
- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
- || EVP_PKEY_verify_init(sctx) <= 0
+ /* sctx is not freed automatically inside the FIPS module */
+ EVP_PKEY_CTX_free(sctx);
+ sctx = NULL;
+
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
goto err;
@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
goto err;
OSSL_SELF_TEST_oncorrupt_byte(st, sig);
- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
+ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
goto err;
ret = 1;
err:
BN_CTX_free(bnctx);
EVP_PKEY_free(pkey);
- EVP_PKEY_CTX_free(kctx);
+ EVP_MD_free(md);
+ EVP_MD_CTX_free(ctx);
+ /* sctx is not freed automatically inside the FIPS module */
EVP_PKEY_CTX_free(sctx);
+ EVP_PKEY_CTX_free(kctx);
OSSL_PARAM_free(params);
OSSL_PARAM_free(params_sig);
OSSL_PARAM_BLD_free(bld);
--
2.44.0

378
0075-FIPS-Use-FFDHE2048-in-self-test.patch
View File

@ -1,378 +0,0 @@
From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 22 Jul 2022 17:51:16 +0200
Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
providers/fips/self_test_data.inc | 342 +++++++++++++++---------------
1 file changed, 172 insertions(+), 170 deletions(-)
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index a29cc650b5..1b5623833f 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
#ifndef OPENSSL_NO_DH
/* DH KAT */
+/* RFC7919 FFDHE2048 p */
static const unsigned char dh_p[] = {
- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25,
- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0,
- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66,
- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b,
- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe,
- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce,
- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d,
- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d,
- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde,
- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb,
- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17,
- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0,
- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97,
- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9,
- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7,
- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1,
- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d,
- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82,
- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4,
- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c,
- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b,
- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50,
- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31,
- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44,
- 0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5,
- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80,
- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12,
- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94,
- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7,
- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1,
- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d,
- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69
-};
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a,
+ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95,
+ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb,
+ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8,
+ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a,
+ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0,
+ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3,
+ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77,
+ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72,
+ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a,
+ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61,
+ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68,
+ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4,
+ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70,
+ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec,
+ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff,
+ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83,
+ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05,
+ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2,
+ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+/* RFC7919 FFDHE2048 q */
static const unsigned char dh_q[] = {
- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e,
- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83,
- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea,
- 0x11, 0xac, 0xb5, 0x7d
-};
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d,
+ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a,
+ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd,
+ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec,
+ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd,
+ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68,
+ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79,
+ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb,
+ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39,
+ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd,
+ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0,
+ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34,
+ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa,
+ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8,
+ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76,
+ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff,
+ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1,
+ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02,
+ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9,
+ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+/* RFC7919 FFDHE2048 g */
static const unsigned char dh_g[] = {
- 0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39,
- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f,
- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0,
- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f,
- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f,
- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a,
- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4,
- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c,
- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20,
- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25,
- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53,
- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9,
- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc,
- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9,
- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43,
- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86,
- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16,
- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40,
- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23,
- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa,
- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6,
- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2,
- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61,
- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a,
- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef,
- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f,
- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3,
- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a,
- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4,
- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74,
- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4,
- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32
+ 0x02
};
static const unsigned char dh_priv[] = {
- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a,
- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70,
- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15,
- 0x40, 0xb8, 0xfc, 0xe6
+ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f,
+ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d,
+ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d,
+ 0x6c, 0xdc, 0x5d, 0x6e, 0x94
};
static const unsigned char dh_pub[] = {
- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
+ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05,
+ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f,
+ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43,
+ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23,
+ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a,
+ 0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b,
+ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c,
+ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63,
+ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38,
+ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6,
+ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a,
+ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94,
+ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92,
+ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44,
+ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53,
+ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13,
+ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30,
+ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b,
+ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01,
+ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d,
+ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18,
+ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81,
+ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f,
+ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7,
+ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39,
+ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed,
+ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71,
+ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce,
+ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04,
+ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69,
+ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed,
+ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2,
+ 0x32
};
static const unsigned char dh_peer_pub[] = {
- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d,
- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58,
- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32,
- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb,
- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0,
- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0,
- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc,
- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1,
- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e,
- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97,
- 0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05,
- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3,
- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f,
- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7,
- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1,
- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96,
- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf,
- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22,
- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98,
- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42,
- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c,
- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde,
- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20,
- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22,
- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3,
- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3,
- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2,
- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00,
- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51,
- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f,
- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b
+ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79,
+ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda,
+ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29,
+ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84,
+ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57,
+ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5,
+ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68,
+ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c,
+ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6,
+ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20,
+ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d,
+ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3,
+ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a,
+ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77,
+ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73,
+ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53,
+ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1,
+ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05,
+ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a,
+ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5,
+ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9,
+ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91,
+ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31,
+ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f,
+ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4,
+ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e,
+ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59,
+ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84,
+ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a,
+ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd,
+ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2,
+ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87,
+ 0x64
};
static const unsigned char dh_secret_expected[] = {
- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a,
- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a,
- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c,
- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe,
- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2,
- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21,
- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53,
- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd,
- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87,
- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4,
- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d,
- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd,
- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33,
- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe,
- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a,
- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73,
- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad,
- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0,
- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79,
- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9,
- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2,
- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6,
- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae,
- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57,
- 0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a,
- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63,
- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9,
- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86,
- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5,
- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00,
- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52,
- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6
+ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5,
+ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5,
+ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93,
+ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5,
+ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e,
+ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39,
+ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04,
+ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d,
+ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c,
+ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47,
+ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae,
+ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08,
+ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19,
+ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8,
+ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f,
+ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e,
+ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2,
+ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d,
+ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4,
+ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4,
+ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66,
+ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46,
+ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0,
+ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70,
+ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c,
+ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f,
+ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25,
+ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc,
+ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02,
+ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04,
+ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1,
+ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89
};
static const ST_KAT_PARAM dh_group[] = {
--
2.35.3

298
0076-FIPS-140-3-DRBG.patch
View File

@ -1,298 +0,0 @@
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
size_t entropy_available;
RAND_POOL *pool;
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
+ /*
+ * OpenSSL still implements an internal entropy pool of
+ * some size that is hashed to get seed data.
+ * Note that this is a conditioning step for which SP800-90C requires
+ * 64 additional bits from the entropy source to claim the requested
+ * amount of entropy.
+ */
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
if (pool == NULL) {
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
return 0;
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
* to the nearest byte. If the entropy is of less than full quality,
* the amount required should be scaled up appropriately here.
*/
- bytes_needed = (entropy + 7) / 8;
+ /*
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
+ * + 128 bits during initial seeding
+ */
+ bytes_needed = (entropy + 128 + 7) / 8;
if (bytes_needed < min_len)
bytes_needed = min_len;
if (bytes_needed > max_len)
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
#endif
}
+#ifdef FIPS_MODULE
+ prediction_resistance = 1;
+#endif
/* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen,
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
reseed_required = 1;
}
if (drbg->parent != NULL
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
+#ifdef FIPS_MODULE
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
+#else
reseed_required = 1;
+#endif
+ }
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
@@ -38,7 +38,7 @@
*
* The value is in bytes.
*/
-#define CRNGT_BUFSIZ 16
+#define CRNGT_BUFSIZ 32
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
@@ -48,6 +48,8 @@
# include <fcntl.h>
# include <unistd.h>
# include <sys/time.h>
+# include <sys/random.h>
+# include <openssl/evp.h>
static uint64_t get_time_stamp(void);
@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
* between size_t and ssize_t is safe even without a range check.
*/
-
- /*
- * Do runtime detection to find getentropy().
- *
- * Known OSs that should support this:
- * - Darwin since 16 (OSX 10.12, IOS 10.0).
- * - Solaris since 11.3
- * - OpenBSD since 5.6
- * - Linux since 3.17 with glibc 2.25
- * - FreeBSD since 12.0 (1200061)
- *
- * Note: Sometimes getentropy() can be provided but not implemented
- * internally. So we need to check errno for ENOSYS
- */
-# if !defined(__DragonFly__) && !defined(__NetBSD__)
-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
-
- if (getentropy != NULL) {
- if (getentropy(buf, buflen) == 0)
- return (ssize_t)buflen;
- if (errno != ENOSYS)
- return -1;
- }
-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
-
- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
- return (ssize_t)buflen;
-
- return -1;
-# else
- union {
- void *p;
- int (*f)(void *buffer, size_t length);
- } p_getentropy;
-
- /*
- * We could cache the result of the lookup, but we normally don't
- * call this function often.
- */
- ERR_set_mark();
- p_getentropy.p = DSO_global_lookup("getentropy");
- ERR_pop_to_mark();
- if (p_getentropy.p != NULL)
- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
-# endif
-# endif /* !__DragonFly__ */
-
- /* Linux supports this since version 3.17 */
-# if defined(__linux) && defined(__NR_getrandom)
- return syscall(__NR_getrandom, buf, buflen, 0);
-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
- return sysctl_random(buf, buflen);
-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
- return getrandom(buf, buflen, 0);
-# elif defined(__wasi__)
- if (getentropy(buf, buflen) == 0)
- return (ssize_t)buflen;
- return -1;
-# else
- errno = ENOSYS;
- return -1;
-# endif
+ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
}
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c
--- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200
+++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200
@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
return 0;
}
- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
+ /*
+ * OpenSSL still implements an internal entropy pool of
+ * some size that is hashed to get seed data.
+ * Note that this is a conditioning step for which SP800-90C requires
+ * 64 additional bits from the entropy source to claim the requested
+ * amount of entropy.
+ */
+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
if (pool == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
return 0;
@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
size_t i;
RAND_POOL *pool;
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
+ /*
+ * OpenSSL still implements an internal entropy pool of
+ * some size that is hashed to get seed data.
+ * Note that this is a conditioning step for which SP800-90C requires
+ * 64 additional bits from the entropy source to claim the requested
+ * amount of entropy.
+ */
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
if (pool == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
return 0;
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 14999540ab..b05b84717b 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -11,6 +11,7 @@
#define OPENSSL_SUPPRESS_DEPRECATED
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/opensslconf.h>
#include <openssl/core_names.h>
#include "internal/cryptlib.h"
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
return ret;
}
-#ifndef FIPS_MODULE
- if (dgbl->seed == NULL) {
- ERR_set_mark();
- dgbl->seed = rand_new_seed(ctx);
- ERR_pop_to_mark();
- }
-#endif
-
- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
+ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
PRIMARY_RESEED_INTERVAL,
PRIMARY_RESEED_TIME_INTERVAL, 1);
/*
@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_
if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
return NULL;
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
SECONDARY_RESEED_TIME_INTERVAL, 0);
CRYPTO_THREAD_set_local(&dgbl->public, rand);
}
@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB
if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
return NULL;
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
SECONDARY_RESEED_TIME_INTERVAL, 0);
CRYPTO_THREAD_set_local(&dgbl->private, rand);
}
diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c
--- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200
+++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200
@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s
reseed_when = time(NULL);
/* Generate random output from the public and private DRBG */
- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0;
+ before_reseed = 0;
if (!TEST_int_eq(rand_bytes((unsigned char*)public_random,
RANDOM_SIZE), expect_success)
|| !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random,
@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s
*/
/* Test whether reseeding succeeded as expected */
- if (!TEST_int_eq(state(primary), expected_state)
- || !TEST_int_eq(state(public), expected_state)
+ if (/*!TEST_int_eq(state(primary), expected_state)
+ ||*/ !TEST_int_eq(state(public), expected_state)
|| !TEST_int_eq(state(private), expected_state))
return 0;
@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s
if (expect_public_reseed >= 0) {
/* Test whether public DRBG was reseeded as expected */
if (!TEST_int_ge(reseed_counter(public), public_reseed)
- || !TEST_uint_ge(reseed_counter(public),
- reseed_counter(primary)))
+ /*|| !TEST_uint_ge(reseed_counter(public),
+ reseed_counter(primary))*/)
return 0;
}
if (expect_private_reseed >= 0) {
/* Test whether public DRBG was reseeded as expected */
if (!TEST_int_ge(reseed_counter(private), private_reseed)
- || !TEST_uint_ge(reseed_counter(private),
- reseed_counter(primary)))
+ /*|| !TEST_uint_ge(reseed_counter(private),
+ reseed_counter(primary))*/)
return 0;
}
@@ -577,8 +577,8 @@ static int test_rand_reseed(void)
if (!TEST_ptr_ne(public, private)
|| !TEST_ptr_ne(public, primary)
|| !TEST_ptr_ne(private, primary)
- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary)))
+ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
+ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/)
return 0;
/* Disable CRNG testing for the primary DRBG */

76
0077-FIPS-140-3-zeroization.patch
View File

@ -1,76 +0,0 @@
diff -up openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero openssl-3.0.1/crypto/ffc/ffc_params.c
--- openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero 2022-08-05 13:11:27.211413931 +0200
+++ openssl-3.0.1/crypto/ffc/ffc_params.c 2022-08-05 13:11:34.151475891 +0200
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
{
- BN_free(params->p);
- BN_free(params->q);
- BN_free(params->g);
- BN_free(params->j);
+ BN_clear_free(params->p);
+ BN_clear_free(params->q);
+ BN_clear_free(params->g);
+ BN_clear_free(params->j);
OPENSSL_free(params->seed);
ossl_ffc_params_init(params);
}
diff -up openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero openssl-3.0.1/crypto/rsa/rsa_lib.c
--- openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero 2022-08-05 13:08:31.875848536 +0200
+++ openssl-3.0.1/crypto/rsa/rsa_lib.c 2022-08-05 13:09:35.438416025 +0200
@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
CRYPTO_THREAD_lock_free(r->lock);
CRYPTO_FREE_REF(&r->references);
- BN_free(r->n);
- BN_free(r->e);
+ BN_clear_free(r->n);
+ BN_clear_free(r->e);
BN_clear_free(r->d);
BN_clear_free(r->p);
BN_clear_free(r->q);
diff -up openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero openssl-3.0.1/providers/implementations/kdfs/hkdf.c
--- openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero 2022-08-05 13:14:58.827303241 +0200
+++ openssl-3.0.1/providers/implementations/kdfs/hkdf.c 2022-08-05 13:16:24.530068399 +0200
@@ -116,7 +116,7 @@ static void kdf_hkdf_reset(void *vctx)
void *provctx = ctx->provctx;
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_free(ctx->prefix);
OPENSSL_free(ctx->label);
OPENSSL_clear_free(ctx->data, ctx->data_len);
diff -up openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c
--- openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero 2022-08-05 13:12:40.552068717 +0200
+++ openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c 2022-08-05 13:13:34.324548799 +0200
@@ -83,7 +83,7 @@ static void *kdf_pbkdf2_new(void *provct
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
{
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
memset(ctx, 0, sizeof(*ctx));
}
diff -up openssl-3.0.1/crypto/ec/ec_lib.c.fipszero openssl-3.0.1/crypto/ec/ec_lib.c
--- openssl-3.0.1/crypto/ec/ec_lib.c.fipszero 2022-08-05 13:48:32.221345774 +0200
+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-08-05 13:49:16.138741452 +0200
@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
void EC_POINT_free(EC_POINT *point)
{
+#ifdef FIPS_MODULE
+ EC_POINT_clear_free(point);
+#else
if (point == NULL)
return;
if (point->meth->point_finish != 0)
point->meth->point_finish(point);
OPENSSL_free(point);
+#endif
}
void EC_POINT_clear_free(EC_POINT *point)

911
0078-KDF-Add-FIPS-indicators.patch
View File

@ -1,911 +0,0 @@
From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 11 Aug 2022 09:27:12 +0200
Subject: KDF: Add FIPS indicators
FIPS requires a number of restrictions on the parameters of the various
key derivation functions implemented in OpenSSL. The KDFs that use
digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
C.C). Additionally, some application-specific KDFs have further
restrictions defined in SP 800-135r1.
Generally, all KDFs shall use a key-derivation key length of at least
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
to generate and output length of less than 112 bits will also set the
indicator to unapproved.
Add explicit indicators to all KDFs usable in FIPS mode except for
PBKDF2 (which has its specific FIPS limits already implemented). The
indicator can be queried using EVP_KDF_CTX_get_params() after setting
the required parameters and keys for the KDF.
Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
truncated versions -224 and -384), as well as SHAKE-128 and -256.
The SHAKE functions are generally not allowed in KDFs. For the rest, the
support matrix is:
KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated
==========================================================================
KBKDF | x | x | x | x | x
HKDF | x | x | x | x | x
TLS1PRF | | SHA-{256,384,512} only | |
SSHKDF | x | x | x | |
SSKDF | x | x | x | x | x
X9.63KDF | | x | x | x | x
X9.42-ASN1 | x | x | x | x | x
TLS1.3PRF | | SHA-{256,384} only | |
Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2160733 rhbz#2164763
Related: rhbz#2114772 rhbz#2141695
---
include/crypto/evp.h | 7 ++
include/openssl/kdf.h | 4 +
providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
util/perl/OpenSSL/paramnames.pm | 1 +
9 files changed, 487 insertions(+), 22 deletions(-)
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index e70d8e9e84..76fb990de4 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -219,6 +219,13 @@ struct evp_mac_st {
OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
};
+#ifdef FIPS_MODULE
+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
+ * Additional Keys from a Cryptographic Key, "[t]he length of the
+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
+#endif
+
struct evp_kdf_st {
OSSL_PROVIDER *prov;
int name_id;
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
index 0983230a48..86171635ea 100644
--- a/include/openssl/kdf.h
+++ b/include/openssl/kdf.h
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index dfa7786bde..f01e40ff5a 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
@@ -85,6 +86,10 @@ typedef struct {
size_t data_len;
unsigned char *info;
size_t info_len;
+ int is_tls13;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KDF_HKDF;
static void *kdf_hkdf_new(void *provctx)
@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
switch (ctx->mode) {
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
default:
@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
{
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
size_t sz = kdf_hkdf_size(ctx);
+ any_valid = 1;
if (sz == 0)
return 0;
return OSSL_PARAM_set_size_t(p, sz);
}
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
+ any_valid = 1;
if (ctx->info == NULL || ctx->info_len == 0) {
p->return_size = 0;
return 1;
}
return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
}
- return -2;
+#ifdef FIPS_MODULE
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
+ != NULL) {
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ if (ctx->is_tls13) {
+ if (md != NULL
+ && !EVP_MD_is_a(md, "SHA2-256")
+ && !EVP_MD_is_a(md, "SHA2-384")) {
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic
+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
+ * key derivation function documented in Section 7.1 of RFC
+ * 8446. This is considered an approved CVL because the
+ * underlying functions performed within the TLS 1.3 KDF map to
+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
+ * Option #3), SP 800-56Crev2, and SP 800-108."
+ *
+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ } else {
+ if (md != NULL
+ && (EVP_MD_is_a(md, "SHAKE-128") ||
+ EVP_MD_is_a(md, "SHAKE-256"))) {
+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the
+ * standalone algorithms." */
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ }
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif /* defined(FIPS_MODULE) */
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
return ret;
}
+static void *kdf_tls1_3_new(void *provctx)
+{
+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
+
+ if (hkdf != NULL)
+ hkdf->is_tls13 = 1;
+
+ return hkdf;
+}
+
+
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
const OSSL_PARAM params[])
{
@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
switch (ctx->mode) {
default:
return 0;
@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
}
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
index a542f84dfa..6b6dfb94ac 100644
--- a/providers/implementations/kdfs/kbkdf.c
+++ b/providers/implementations/kdfs/kbkdf.c
@@ -59,6 +59,9 @@ typedef struct {
kbkdf_mode mode;
EVP_MAC_CTX *ctx_init;
+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */
+ PROV_DIGEST digest;
+
/* Names are lowercased versions of those found in SP800-108. */
int r;
unsigned char *ki;
@@ -73,6 +76,9 @@ typedef struct {
int use_l;
int is_kmac;
int use_separator;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KBKDF;
/* Definitions needed for typechecking. */
@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
void *provctx = ctx->provctx;
EVP_MAC_CTX_free(ctx->ctx_init);
+ ossl_prov_digest_reset(&ctx->digest);
OPENSSL_clear_free(ctx->context, ctx->context_len);
OPENSSL_clear_free(ctx->label, ctx->label_len);
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
goto done;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
if (h == 0)
goto done;
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
}
}
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
+ return 0;
+
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
if (p != NULL
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
- if (p == NULL)
+ if (p != NULL) {
+ any_valid = 1;
+
+ /* KBKDF can produce results as large as you like. */
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) {
+ KBKDF *ctx = (KBKDF *)vctx;
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the standalone
+ * algorithms." Note that the digest is only used when the MAC
+ * algorithm is HMAC. */
+ if (ctx->ctx_init != NULL
+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+ if (md != NULL
+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
+
+ if (!any_valid)
return -2;
- /* KBKDF can produce results as large as you like. */
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+ return 1;
}
static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
ossl_unused void *provctx)
{
- static const OSSL_PARAM known_gettable_ctx_params[] =
- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
return known_gettable_ctx_params;
}
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
index c592ba72f1..4a52b38266 100644
--- a/providers/implementations/kdfs/sshkdf.c
+++ b/providers/implementations/kdfs/sshkdf.c
@@ -48,6 +48,9 @@ typedef struct {
char type; /* X */
unsigned char *session_id;
size_t session_id_len;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KDF_SSHKDF;
static void *kdf_sshkdf_new(void *provctx)
@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
return 0;
}
+
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
return SSHKDF(md, ctx->key, ctx->key_len,
ctx->xcghash, ctx->xcghash_len,
ctx->session_id, ctx->session_id_len,
@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
- return -2;
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) {
+ KDF_SSHKDF *ctx = vctx;
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the standalone
+ * algorithms."
+ *
+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash
+ * function used in SSHKDF "is one of the hash functions specified in
+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
+ * */
+ if (ctx->digest.md != NULL
+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
index eb54972e1c..23865cd70f 100644
--- a/providers/implementations/kdfs/sskdf.c
+++ b/providers/implementations/kdfs/sskdf.c
@@ -64,6 +64,10 @@ typedef struct {
size_t salt_len;
size_t out_len; /* optional KMAC parameter */
int is_kmac;
+ int is_x963kdf;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KDF_SSKDF;
#define SSKDF_MAX_INLEN (1<<30)
@@ -73,6 +77,7 @@ typedef struct {
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
return ctx;
}
+static void *x963kdf_new(void *provctx)
+{
+ KDF_SSKDF *ctx = sskdf_new(provctx);
+
+ if (ctx)
+ ctx->is_x963kdf = 1;
+
+ return ctx;
+}
+
static void sskdf_reset(void *vctx)
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
}
md = ossl_prov_digest_md(&ctx->digest);
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
if (ctx->macctx != NULL) {
/* H(x) = KMAC or H(x) = HMAC */
int ret;
@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
ctx->info, ctx->info_len, 1, key, keylen);
}
@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
+ return 0;
+ }
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
- return -2;
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the standalone
+ * algorithms." */
+ if (ctx->macctx == NULL
+ || (ctx->macctx != NULL &&
+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
+ if (ctx->digest.md != NULL
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+
+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
+ * should only be used for 80-bit key agreement, but FIPS 140-3
+ * requires a security strength of 112 bits, so SHA-1 cannot be
+ * used with X9.63. See the discussion in
+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
+ */
+ if (ctx->is_x963kdf
+ && ctx->digest.md != NULL
+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
};
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index a4d64b9352..f6782a6ca2 100644
--- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -93,6 +93,13 @@ typedef struct {
/* Buffer of concatenated seed data */
unsigned char seed[TLS1_PRF_MAXBUF];
size_t seedlen;
+
+ /* MAC digest algorithm; used to compute FIPS indicator */
+ PROV_DIGEST digest;
+
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} TLS1_PRF;
static void *kdf_tls1_prf_new(void *provctx)
@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
EVP_MAC_CTX_free(ctx->P_sha1);
OPENSSL_clear_free(ctx->sec, ctx->seclen);
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
+ ossl_prov_digest_reset(&ctx->digest);
memset(ctx, 0, sizeof(*ctx));
ctx->provctx = provctx;
}
@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
/*
* The seed buffer is prepended with a label.
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
}
}
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
+ return 0;
+
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
OPENSSL_clear_free(ctx->sec, ctx->seclen);
ctx->sec = NULL;
@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
+#ifdef FIPS_MODULE
+ TLS1_PRF *ctx = vctx;
+#endif /* defined(FIPS_MODULE) */
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
+ if (ctx->digest.md != NULL
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
- return -2;
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
index b1bc6f7e1b..8173fc2cc7 100644
--- a/providers/implementations/kdfs/x942kdf.c
+++ b/providers/implementations/kdfs/x942kdf.c
@@ -13,11 +13,13 @@
#include <openssl/core_dispatch.h>
#include <openssl/err.h>
#include <openssl/evp.h>
+#include <openssl/kdf.h>
#include <openssl/params.h>
#include <openssl/proverr.h>
#include "internal/packet.h"
#include "internal/der.h"
#include "internal/nelem.h"
+#include "crypto/evp.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
@@ -47,6 +50,9 @@ typedef struct {
const unsigned char *cek_oid;
size_t cek_oid_len;
int use_keybits;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KDF_X942;
/*
@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
der, der_len, ctr, key, keylen);
OPENSSL_free(der);
@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
KDF_X942 *ctx = (KDF_X942 *)vctx;
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
- return -2;
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the standalone
+ * algorithms." */
+ if (ctx->digest.md != NULL
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 70f7c50fe4..6618122417 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -183,6 +183,7 @@ my %params = (
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
+ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
'KDF_PARAM_THREADS' => "threads", # uint32_t
--
2.39.2

123
0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
View File

@ -1,123 +0,0 @@
From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 18:08:24 +0100
Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
specifies key lengths < 112 bytes are disallowed for HMAC generation and
are legacy use for HMAC verification.
Add an explicit indicator that will mark shorter key lengths as
unsupported. The indicator can be queries from the EVP_MAC_CTX object
using EVP_MAC_CTX_get_params() with the
OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR
parameter.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
include/crypto/evp.h | 7 +++++++
include/openssl/evp.h | 3 +++
providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
4 files changed, 28 insertions(+)
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index 76fb990de4..1e2240516e 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
+#ifdef FIPS_MODULE
+/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
+ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
+ * HMAC verification. */
+# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
+#endif
+
struct evp_mac_st {
OSSL_PROVIDER *prov;
int name_id;
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 49e8e1df78..a5e78efd6e 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1192,6 +1192,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
void *arg);
/* MAC stuff */
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
const char *properties);
diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
index 52ebb08b8f..cf5c3ecbe7 100644
--- a/providers/implementations/macs/hmac_prov.c
+++ b/providers/implementations/macs/hmac_prov.c
@@ -21,6 +21,8 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include "crypto/evp.h"
+
#include "internal/ssl3_cbc.h"
#include "prov/implementations.h"
@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
&& !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
return 0;
+#ifdef FIPS_MODULE
+ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {
+ int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;
+ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
+ * specifies key lengths < 112 bytes are disallowed for HMAC generation
+ * and legacy use for HMAC verification. */
+ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ return OSSL_PARAM_set_int(p, fips_indicator);
+ }
+#endif /* defined(FIPS_MODULE) */
+
return 1;
}
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 6618122417..8b2d430f17 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -137,12 +137,13 @@ my %params = (
# If "engine",or "properties",are specified, they should always be paired
# with "cipher",or "digest".
- 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
- 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
- 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
- 'MAC_PARAM_SIZE' => "size", # size_t
- 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
- 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
+ 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
+ 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
+ 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
+ 'MAC_PARAM_SIZE' => "size", # size_t
+ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
+ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
+ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
# KDF / PRF parameters
'KDF_PARAM_SECRET' => "secret", # octet string
--
2.38.1

138
0088-signature-Add-indicator-for-PSS-salt-length.patch
View File

@ -1,138 +0,0 @@
From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 19:33:02 +0100
Subject: [PATCH 1/3] signature: Add indicator for PSS salt length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of
the hash function output block (in bytes)."
It is not exactly clear from this text whether hLen refers to the
message digest or the hash function used for the mask generation
function MGF1. PKCS#1 v2.1 suggests it is the former:
| Typical salt lengths in octets are hLen (the length of the output of
| the hash function Hash) and 0. In both cases the security of
| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
| Bellare and Rogaway [4] give a tight lower bound for the security of
| the original RSA-PSS scheme, which corresponds roughly to the former
| case, while Coron [12] gives a lower bound for the related Full Domain
| Hashing scheme, which corresponds roughly to the latter case. In [13]
| Coron provides a general treatment with various salt lengths ranging
| from 0 to hLen; see [27] for discussion. See also [31], which adapts
| the security proofs in [4][13] to address the differences between the
| original and the present version of RSA-PSS as listed in Note 1 above.
Since OpenSSL defaults to creating signatures with the maximum salt
length, blocking the use of longer salts would probably lead to
significant problems in practice. Instead, introduce an explicit
indicator that can be obtained from the EVP_PKEY_CTX object using
EVP_PKEY_CTX_get_params() with the
OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR
parameter.
We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
Dmitry Belyavskiy <dbelyavs@redhat.com>
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
include/openssl/evp.h | 4 ++++
providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++
util/perl/OpenSSL/paramnames.pm | 23 ++++++++++---------
3 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index a5e78efd6e..f239200465 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -797,6 +797,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
int *outl);
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
EVP_PKEY *pkey);
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 49e7f9158a..0c45008a00 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -1127,6 +1127,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
}
}
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED;
+ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
+ if (prsactx->md == NULL) {
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
+ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ } else if (prsactx->pad_mode == RSA_NO_PADDING) {
+ if (prsactx->md == NULL) /* Should always be the case */
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ return OSSL_PARAM_set_int(p, fips_indicator);
+ }
+#endif
+
return 1;
}
@@ -1136,6 +1151,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif
OSSL_PARAM_END
};
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 8b2d430f17..a109e44521 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -377,17 +377,18 @@ my %params = (
'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm",
# Signature parameters
- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
- 'SIGNATURE_PARAM_INSTANCE' => "instance",
- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
+ 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
+ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
+ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
+ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
+ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
+ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
+ 'SIGNATURE_PARAM_INSTANCE' => "instance",
+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
# Asym cipher parameters
'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
--
2.38.1

32
0091-FIPS-RSA-encapsulate.patch
View File

@ -1,32 +0,0 @@
diff -up openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap openssl-3.0.1/providers/implementations/kem/rsa_kem.c
--- openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap 2022-11-22 12:27:30.994530801 +0100
+++ openssl-3.0.1/providers/implementations/kem/rsa_kem.c 2022-11-22 12:32:15.916875495 +0100
@@ -264,6 +264,14 @@ static int rsasve_generate(PROV_RSA_CTX
*secretlen = nlen;
return 1;
}
+
+#ifdef FIPS_MODULE
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
/*
* Step (2): Generate a random byte string z of nlen bytes where
* 1 < z < n - 1
@@ -307,6 +315,13 @@ static int rsasve_recover(PROV_RSA_CTX *
return 1;
}
+#ifdef FIPS_MODULE
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
/* Step (2): check the input ciphertext 'inlen' matches the nlen */
if (inlen != nlen) {
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);

105
0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
View File

@ -1,105 +0,0 @@
From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 17 Feb 2023 15:31:08 +0100
Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
Implementation Guidance for FIPS 140-3 and the Cryptographic Module
Verification Program, Section C.H requires guarantees about the
uniqueness of key/iv pairs, and proposes a few approaches to ensure
this. Provide an indicator for option 2 "The IV may be generated
internally at its entirety randomly."
Resolves: rhbz#2168289
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
include/openssl/evp.h | 4 +++
.../implementations/ciphers/ciphercommon.c | 4 +++
.../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
util/perl/OpenSSL/paramnames.pm | 5 ++--
4 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 49e8e1df78..ec2ba46fbd 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
const unsigned char *key, const unsigned char *iv);
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
index fa383165d8..716add7339 100644
--- a/providers/implementations/ciphers/ciphercommon.c
+++ b/providers/implementations/ciphers/ciphercommon.c
@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
+ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
+ * not work in ciphercommon.c because it is compiled only once into
+ * libcommon.a */
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
OSSL_PARAM_END
};
const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
index ed95c97ff4..db7910eb0e 100644
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
break;
}
}
+
+ /* We would usually hide this under #ifdef FIPS_MODULE, but
+ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
+ * not work here. */
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section C.H requires guarantees about the
+ * uniqueness of key/iv pairs, and proposes a few approaches to ensure
+ * this. This provides an indicator for option 2 "The IV may be
+ * generated internally at its entirety randomly." Note that one of the
+ * conditions of this option is that "The IV length shall be at least
+ * 96 bits (per SP 800-38D)." We do not specically check for this
+ * condition here, because gcm_iv_generate will fail in this case. */
+ if (ctx->enc && !ctx->iv_gen_rand)
+ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ }
+
return 1;
}
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index a109e44521..64e9809387 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -101,8 +101,9 @@ my %params = (
'CIPHER_PARAM_SPEED' => "speed", # uint
'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
# For passing the AlgorithmIdentifier parameter in DER form
- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
- 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
+ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
+ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t
--
2.39.1

80
0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
View File

@ -1,80 +0,0 @@
From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 6 Mar 2023 12:32:04 +0100
Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks
The pbkdf2 implementation in the FIPS provider supports the checks
required by NIST, but allows disabling these checks by setting the
OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate
that the use of this configuration is not approved in FIPS mode. Add an
explicit indicator to provide this indication.
Resolves: rhbz#2175145
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index aa0adce5e6..6df8c6d321 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
+#ifdef FIPS_MODULE
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
+ != NULL) {
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
+
+ /* The lower_bound_checks parameter enables checks required by FIPS. If
+ * those checks are disabled, the PBKDF2 implementation will also
+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
+ * NIST SP 800-132 section 5.1). */
+ if (!ctx->lower_bound_checks)
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
- return -2;
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+
+ any_valid = 1;
+ }
+#endif /* defined(FIPS_MODULE) */
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
--
2.39.2

156
0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
View File

@ -1,156 +0,0 @@
From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 17 Mar 2023 15:39:15 +0100
Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator
NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
confirmation (section 6.4.2.3.2), or assurance from a trusted third
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
agreement schemes, but explicit key confirmation is not implemented and
cannot be implemented without protocol changes, and the FIPS provider
does not implement trusted third party validation, since it relies on
its callers to do that. A request for guidance sent to NIST did clarify
that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add
an indicator to mark them as unapproved previously and should thus keep
the indicator available.
This does not affect RSA-OAEP decryption, because it is approved as
a component according to the FIPS 140-3 IG, section 2.4.G.
Resolves: rhbz#2179331
Resolves: RHEL-14083
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
include/openssl/evp.h | 4 +++
.../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
util/perl/OpenSSL/paramnames.pm | 6 ++--
4 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index ec2ba46fbd..3803b03422 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
# endif
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
const char *properties);
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 568452ec56..2e7ea632d7 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -462,6 +462,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
return 0;
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
+
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
+ * explicit key confirmation is not implemented here and cannot be
+ * implemented without protocol changes, and the FIPS provider does not
+ * implement trusted third party validation, since it relies on its
+ * callers to do that. We must thus mark RSA-OAEP as unapproved until
+ * we have received clarification from NIST on how library modules such
+ * as OpenSSL should implement TTP validation. */
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif /* defined(FIPS_MODULE) */
+
return 1;
}
@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
#ifdef FIPS_MODULE
OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
#endif /* FIPS_MODULE */
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
OSSL_PARAM_END
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 882cf16125..b4cc0f9237 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
{
PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
+#ifdef FIPS_MODULE
+ OSSL_PARAM *p;
+#endif /* defined(FIPS_MODULE) */
+
+ if (ctx == NULL)
+ return 0;
+
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
+ if (p != NULL) {
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
+ * party (section 6.4.2.3.1) for key agreement or key transport, but
+ * explicit key confirmation is not implemented here and cannot be
+ * implemented without protocol changes, and the FIPS provider does not
+ * implement trusted third party validation, since it relies on its
+ * callers to do that. We must thus mark RSASVE unapproved until we
+ * have received clarification from NIST on how library modules such as
+ * OpenSSL should implement TTP validation. */
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif /* defined(FIPS_MODULE) */
- return ctx != NULL;
+ return 1;
}
static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 64e9809387..45ab0c8dc4 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -406,6 +406,7 @@ my %params = (
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
+ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
# Encoder / decoder parameters
@@ -438,8 +439,9 @@ my %params = (
'SIGNATURE_PARAM_KAT' => "kat",
# KEM parameters
- 'KEM_PARAM_OPERATION' => "operation",
- 'KEM_PARAM_IKME' => "ikme",
+ 'KEM_PARAM_OPERATION' => "operation",
+ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+ 'KEM_PARAM_IKME' => "ikme",
# Capabilities
--
2.39.2

318
0117-ignore-unknown-sigalgorithms-groups.patch
View File

@ -1,318 +0,0 @@
From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Thu, 14 Dec 2023 17:08:56 +0100
Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch
Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch
Patch-id: 117
Patch-status: |
# https://github.com/openssl/openssl/issues/23050
---
CHANGES.md | 13 +++++++
doc/man3/SSL_CTX_set1_curves.pod | 6 ++-
doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++-
ssl/t1_lib.c | 56 +++++++++++++++++++++-------
test/sslapitest.c | 61 +++++++++++++++++++++++++++++++
5 files changed, 132 insertions(+), 15 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index ca29762ac2..4e21d0ddf9 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -27,6 +27,19 @@ OpenSSL 3.2
### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
+ ignored and the configuration will still be used.
+
+ Similarly unknown entries that start with `?` character in a TLS
+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
+ and the configuration will still be used.
+
+ In both cases if the resulting list is empty, an error is returned.
+
+ *Tomáš Mráz*
+
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
index c26ef00306..f0566e148e 100644
--- a/doc/man3/SSL_CTX_set1_curves.pod
+++ b/doc/man3/SSL_CTX_set1_curves.pod
@@ -58,7 +58,8 @@ string B<list>. The string is a colon separated list of group names, for example
are B<P-256>, B<P-384>, B<P-521>, B<X25519>, B<X448>, B<brainpoolP256r1tls13>,
B<brainpoolP384r1tls13>, B<brainpoolP512r1tls13>, B<ffdhe2048>, B<ffdhe3072>,
B<ffdhe4096>, B<ffdhe6144> and B<ffdhe8192>. Support for other groups may be
-added by external providers.
+added by external providers. If a group name is preceded with the C<?>
+character, it will be ignored if an implementation is missing.
SSL_set1_groups() and SSL_set1_groups_list() are similar except they set
supported groups for the SSL structure B<ssl>.
@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group
functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
was added in OpenSSL 3.0.0.
+Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
+SSL_set1_groups_list() was added in OpenSSL 3.3.
+
=head1 COPYRIGHT
Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod
index eb31006346..5b7de7d956 100644
--- a/doc/man3/SSL_CTX_set1_sigalgs.pod
+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod
@@ -33,7 +33,9 @@ signature algorithms for B<ctx> or B<ssl>. The B<str> parameter
must be a null terminated string consisting of a colon separated list of
elements, where each element is either a combination of a public key
algorithm and a digest separated by B<+>, or a TLS 1.3-style named
-SignatureScheme such as rsa_pss_pss_sha256.
+SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded
+with the C<?> character, it will be ignored if an implementation is missing.
+
SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(),
SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set
@@ -106,6 +108,13 @@ using a string:
L<ssl(7)>, L<SSL_get_shared_sigalgs(3)>,
L<SSL_CONF_CTX_new(3)>
+=head1 HISTORY
+
+Support for ignoring unknown signature algorithms in
+SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(),
+SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list()
+was added in OpenSSL 3.3.
+
=head1 COPYRIGHT
Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 056aae3863..fe680449c5 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg)
size_t i;
uint16_t gid = 0;
char etmp[GROUP_NAME_BUFFER_LENGTH];
+ int ignore_unknown = 0;
if (elem == NULL)
return 0;
+ if (elem[0] == '?') {
+ ignore_unknown = 1;
+ ++elem;
+ --len;
+ }
if (garg->gidcnt == garg->gidmax) {
uint16_t *tmp =
OPENSSL_realloc(garg->gid_arr,
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
gid = tls1_group_name2id(garg->ctx, etmp);
if (gid == 0) {
- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
- "group '%s' cannot be set", etmp);
- return 0;
+ /* Unknown group - ignore, if ignore_unknown */
+ return ignore_unknown;
}
for (i = 0; i < garg->gidcnt; i++)
- if (garg->gid_arr[i] == gid)
- return 0;
+ if (garg->gid_arr[i] == gid) {
+ /* Duplicate group - ignore */
+ return 1;
+ }
garg->gid_arr[garg->gidcnt++] = gid;
return 1;
}
@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen,
gcb.ctx = ctx;
if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb))
goto end;
+ if (gcb.gidcnt == 0) {
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
+ "No valid groups in '%s'", str);
+ goto end;
+ }
if (pext == NULL) {
ret = 1;
goto end;
@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg)
const SIGALG_LOOKUP *s;
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
int sig_alg = NID_undef, hash_alg = NID_undef;
+ int ignore_unknown = 0;
+
if (elem == NULL)
return 0;
+ if (elem[0] == '?') {
+ ignore_unknown = 1;
+ ++elem;
+ --len;
+ }
if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
return 0;
if (len > (int)(sizeof(etmp) - 1))
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
break;
}
}
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
- return 0;
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
+ /* Ignore unknown algorithms if ignore_unknown */
+ return ignore_unknown;
+ }
}
} else {
*p = 0;
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
return 0;
get_sigorhash(&sig_alg, &hash_alg, etmp);
get_sigorhash(&sig_alg, &hash_alg, p);
- if (sig_alg == NID_undef || hash_alg == NID_undef)
- return 0;
+ if (sig_alg == NID_undef || hash_alg == NID_undef) {
+ /* Ignore unknown algorithms if ignore_unknown */
+ return ignore_unknown;
+ }
for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
i++, s++) {
if (s->hash == hash_alg && s->sig == sig_alg) {
@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg)
break;
}
}
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
- return 0;
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
+ /* Ignore unknown algorithms if ignore_unknown */
+ return ignore_unknown;
+ }
}
- /* Reject duplicates */
+ /* Ignore duplicates */
for (i = 0; i < sarg->sigalgcnt - 1; i++) {
if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
sarg->sigalgcnt--;
- return 0;
+ return 1;
}
}
return 1;
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
}
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
return 0;
+ if (sig.sigalgcnt == 0) {
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
+ "No valid signature algorithms in '%s'", str);
+ return 0;
+ }
if (c == NULL)
return 1;
return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 1c14f93ed1..184a0f1055 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -39,6 +39,7 @@
#include "testutil.h"
#include "testutil/output.h"
#include "internal/nelem.h"
+#include "internal/tlsgroups.h"
#include "internal/ktls.h"
#include "../ssl/ssl_local.h"
#include "../ssl/record/methods/recmethod_local.h"
@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = {
{validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
# endif
{NULL, 0, "RSA+SHA256", 1, 1},
+ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
# ifndef OPENSSL_NO_EC
{NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
{NULL, 0, "ECDSA+SHA512", 1, 0},
@@ -9276,6 +9278,64 @@ static int test_servername(int tst)
return testresult;
}
+static int test_unknown_sigalgs_groups(void)
+{
+ int ret = 0;
+ SSL_CTX *ctx = NULL;
+
+ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
+ goto end;
+
+ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
+ 0))
+ goto end;
+ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
+ goto end;
+
+ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
+ 0))
+ goto end;
+ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
+ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
+ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
+ goto end;
+
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
+ "nonexistent"),
+ 0))
+ goto end;
+
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
+ "?nonexistent1:?nonexistent2:?nonexistent3"),
+ 0))
+ goto end;
+
+#ifndef OPENSSL_NO_EC
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
+ "P-256:nonexistent"),
+ 0))
+ goto end;
+
+ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
+ "P-384:?nonexistent:?P-521"),
+ 0))
+ goto end;
+ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
+ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
+ || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
+ goto end;
+#endif
+
+ ret = 1;
+ end:
+ SSL_CTX_free(ctx);
+ return ret;
+}
+
#if !defined(OPENSSL_NO_EC) \
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
/*
@@ -11519,6 +11579,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
#endif
ADD_ALL_TESTS(test_servername, 10);
+ ADD_TEST(test_unknown_sigalgs_groups);
#if !defined(OPENSSL_NO_EC) \
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
ADD_ALL_TESTS(test_sigalgs_available, 6);
--
2.44.0

65
0121-FIPS-cms-defaults.patch
View File

@ -1,65 +0,0 @@
diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c
--- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200
+++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200
@@ -20,6 +20,7 @@
#include <openssl/x509_vfy.h>
#include <openssl/x509v3.h>
#include <openssl/cms.h>
+#include <openssl/fips.h>
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int cms_cb(int ok, X509_STORE_CTX *ctx);
@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv)
if (operation == SMIME_ENCRYPT) {
if (!cipher) {
+ if (FIPS_mode()) {
+ cipher = (EVP_CIPHER *)EVP_aes_128_cbc();
+ } else {
#ifndef OPENSSL_NO_DES
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
+ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
#else
- BIO_printf(bio_err, "No cipher selected\n");
- goto end;
+ BIO_printf(bio_err, "No cipher selected\n");
+ goto end;
#endif
+ }
}
if (secret_key && !secret_keyid) {
diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c
--- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200
+++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200
@@ -14,6 +14,7 @@
#include <openssl/err.h>
#include <openssl/cms.h>
#include <openssl/evp.h>
+#include <openssl/fips.h>
#include "internal/sizes.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C
return 0;
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
return 0;
+ if (FIPS_mode()) {
+ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
+ return 0;
+ }
} else if (!ossl_cms_env_asn1_ctrl(ri, 0))
return 0;
return 1;
@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp
if (EVP_PKEY_encrypt_init(pctx) <= 0)
goto err;
+
+ if (FIPS_mode()) {
+ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
+ goto err;
+ }
}
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)

16
0122-TMP-KTLS-test-skip.patch
View File

@ -1,16 +0,0 @@
diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c
--- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200
+++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200
@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co
/* sock must be connected */
static int ktls_chk_platform(int sock)
{
- if (!ktls_enable(sock))
+/* if (!ktls_enable(sock))
return 0;
- return 1;
+ return 1; */
+ return 0;
}
static int ping_pong_query(SSL *clientssl, SSL *serverssl)

62
0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
View File

@ -1,62 +0,0 @@
From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 17 Jun 2024 16:48:26 +0200
Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older
providers
If there is no get_ctx_params() implemented in the key exchange
provider implementation the fallback will not work. Instead
check the gettable_ctx_params() to see if the fallback should be
performed.
Fixes #24611
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24661)
(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d)
---
crypto/evp/pmeth_lib.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 2caff2cd6d..d15e43be05 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
int datalen)
{
OSSL_PARAM os_params[2];
+ const OSSL_PARAM *gettables;
unsigned char *info = NULL;
size_t info_len = 0;
size_t info_alloc = 0;
@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
return 1;
}
+ /* Check for older provider that doesn't support getting this parameter */
+ gettables = EVP_PKEY_CTX_gettable_params(ctx);
+ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
+ data, datalen);
+
/* Get the original value length */
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
os_params[1] = OSSL_PARAM_construct_end();
@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
if (!EVP_PKEY_CTX_get_params(ctx, os_params))
return 0;
- /* Older provider that doesn't support getting this parameter */
+ /* This should not happen but check to be sure. */
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+ return 0;
info_alloc = os_params[0].return_size + datalen;
if (info_alloc == 0)
--
2.45.1

109
0124-Fix-SSL_select_next_proto.patch
View File

@ -1,109 +0,0 @@
From 99fb785a5f85315b95288921a321a935ea29a51e Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:14:33 +0100
Subject: [PATCH 01/10] Fix SSL_select_next_proto
Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.
We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.
CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
1 file changed, 40 insertions(+), 23 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 016135fe18..cf52b317cf 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
unsigned int server_len,
const unsigned char *client, unsigned int client_len)
{
- unsigned int i, j;
- const unsigned char *result;
- int status = OPENSSL_NPN_UNSUPPORTED;
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
+
+ if (!PACKET_buf_init(&cpkt, client, client_len)
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
+ || PACKET_remaining(&csubpkt) == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ /*
+ * Set the default opportunistic protocol. Will be overwritten if we find
+ * a match.
+ */
+ *out = (unsigned char *)PACKET_data(&csubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
/*
* For each protocol in server preference order, see if we support it.
*/
- for (i = 0; i < server_len;) {
- for (j = 0; j < client_len;) {
- if (server[i] == client[j] &&
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
- /* We found a match */
- result = &server[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
+ if (PACKET_buf_init(&spkt, server, server_len)) {
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
+ if (PACKET_remaining(&ssubpkt) == 0)
+ continue; /* Invalid - ignore it */
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
+ PACKET_remaining(&ssubpkt))) {
+ /* We found a match */
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
+ return OPENSSL_NPN_NEGOTIATED;
+ }
+ }
+ /* Ignore spurious trailing bytes in the client list */
+ } else {
+ /* This should never happen */
+ return OPENSSL_NPN_NO_OVERLAP;
}
- j += client[j];
- j++;
}
- i += server[i];
- i++;
+ /* Ignore spurious trailing bytes in the server list */
}
- /* There's no overlap between our protocols and the server's list. */
- result = client;
- status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
- *out = (unsigned char *)result + 1;
- *outlen = result[0];
- return status;
+ /*
+ * There's no overlap between our protocols and the server's list. We use
+ * the default opportunistic protocol selected earlier
+ */
+ return OPENSSL_NPN_NO_OVERLAP;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
--
2.46.0

39
0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch
View File

@ -1,39 +0,0 @@
From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:18:27 +0100
Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
processing NPN
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
the selected_len is 0 we should fail. Previously this would fail with an
internal_error alert because calling OPENSSL_malloc(selected_len) will
return NULL when selected_len is 0. We make this error detection more
explicit and return a handshake failure alert.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/statem/extensions_clnt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 381a6c9d7b..1ab3c13d57 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
&selected, &selected_len,
PACKET_data(pkt), PACKET_remaining(pkt),
- sctx->ext.npn_select_cb_arg) !=
- SSL_TLSEXT_ERR_OK) {
+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
+ || selected_len == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
return 0;
}
--
2.46.0

34
0126-Use-correctly-formatted-ALPN-data-in-tserver.patch
View File

@ -1,34 +0,0 @@
From 6cc511826f09e513b4ec066d9b95acaf4f86d991 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:22:13 +0100
Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
The QUIC test server was using incorrectly formatted ALPN data. With the
previous implementation of SSL_select_next_proto this went unnoticed. With
the new stricter implemenation it was failing.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/quic/quic_tserver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
index 86187d06ff..15694e723f 100644
--- a/ssl/quic/quic_tserver.c
+++ b/ssl/quic/quic_tserver.c
@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
if (srv->args.alpn == NULL) {
alpn = alpndeflt;
- alpnlen = sizeof(alpn);
+ alpnlen = sizeof(alpndeflt);
} else {
alpn = srv->args.alpn;
alpnlen = srv->args.alpnlen;
--
2.46.0

78
0127-Clarify-the-SSL_select_next_proto-documentation.patch
View File

@ -1,78 +0,0 @@
From 8e81c57adbbf703dfb63955f65599765fdacc741 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:46:38 +0100
Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
We clarify the input preconditions and the expected behaviour in the event
of no overlap.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
index 05fee2fbec..79e1a252f6 100644
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
set the list of protocols available to be negotiated. The B<protos> must be in
protocol-list format, described below. The length of B<protos> is specified in
-B<protos_len>.
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
+protocols and no ALPN extension will be sent to the server.
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
server to select which protocol to use for the incoming connection. When B<cb>
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
described below. The first item in the B<server>, B<server_len> list that
matches an item in the B<client>, B<client_len> list is selected, and returned
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
-B<client>, so it should be copied immediately. If no match is found, the first
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
-function can also be used in the NPN callback.
+B<client>, so it should be copied immediately. The client list must include at
+least one valid (nonempty) protocol entry in the list.
+
+The SSL_select_next_proto() helper function can be useful from either the ALPN
+callback or the NPN callback (described below). If no match is found, the first
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
+SSL_select_next_proto().
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
client needs to select a protocol from the server's provided list, and a
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
The length of the protocol name must be written into B<outlen>. The
server's advertised protocols are provided in B<in> and B<inlen>. The
callback can assume that B<in> is syntactically valid. The client must
-select a protocol. It is fatal to the connection if this callback returns
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
-set via SSL_CTX_set_next_proto_select_cb().
+select a protocol (although it may be an empty, zero length protocol). It is
+fatal to the connection if this callback returns a value other than
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
when a TLS server needs a list of supported protocols for Next Protocol
@@ -154,7 +163,8 @@ A match was found and is returned in B<out>, B<outlen>.
=item OPENSSL_NPN_NO_OVERLAP
No match was found. The first item in B<client>, B<client_len> is returned in
-B<out>, B<outlen>.
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
+B<client> is invalid).
=back
--
2.46.0

172
0128-Add-a-test-for-SSL_select_next_proto.patch
View File

@ -1,172 +0,0 @@
From add5c52a25c549cec4a730cdf96e2252f0a1862d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 16:35:16 +0100
Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 137 insertions(+)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index ce163322cd..15cb9060cb 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
return testresult;
}
+static struct next_proto_st {
+ int serverlen;
+ unsigned char server[40];
+ int clientlen;
+ unsigned char client[40];
+ int expected_ret;
+ size_t selectedlen;
+ unsigned char selected[40];
+} next_proto_tests[] = {
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'b', 'c', 'd' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 0, { 0 },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ -1, { 0 },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 0, { 0 },
+ OPENSSL_NPN_NO_OVERLAP,
+ 0, { 0 }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ -1, { 0 },
+ OPENSSL_NPN_NO_OVERLAP,
+ 0, { 0 }
+ },
+ {
+ 3, { 3, 'a', 'b', 'c' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 3, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 0, { 0 }
+ }
+};
+
+static int test_select_next_proto(int idx)
+{
+ struct next_proto_st *np = &next_proto_tests[idx];
+ int ret = 0;
+ unsigned char *out, *client, *server;
+ unsigned char outlen;
+ unsigned int clientlen, serverlen;
+
+ if (np->clientlen == -1) {
+ client = NULL;
+ clientlen = 0;
+ } else {
+ client = np->client;
+ clientlen = (unsigned int)np->clientlen;
+ }
+ if (np->serverlen == -1) {
+ server = NULL;
+ serverlen = 0;
+ } else {
+ server = np->server;
+ serverlen = (unsigned int)np->serverlen;
+ }
+
+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
+ client, clientlen),
+ np->expected_ret))
+ goto err;
+
+ if (np->selectedlen == 0) {
+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
+ goto err;
+ } else {
+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
+ goto err;
+ }
+
+ ret = 1;
+ err:
+ return ret;
+}
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
int setup_tests(void)
@@ -12053,6 +12189,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_handshake_retry, 16);
ADD_TEST(test_data_retry);
ADD_ALL_TESTS(test_multi_resume, 5);
+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
return 1;
err:
--
2.46.0

1169
0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
View File

File diff suppressed because it is too large Load Diff

39
0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch
View File

@ -1,39 +0,0 @@
From 53f5677f358c4a4f69830d944ea40e71950673b8 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 10:41:55 +0100
Subject: [PATCH 07/10] Correct return values for
tls_construct_stoc_next_proto_neg
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
rather than EXT_RETURN_SENT. This actually makes no difference at all to
the current control flow since this return value is ignored in this case
anyway. But lets make it correct anyway.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/statem/extensions_srvr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 800654450e..66ed7dacf2 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1501,9 +1501,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
s->s3.npn_seen = 1;
+ return EXT_RETURN_SENT;
}
- return EXT_RETURN_SENT;
+ return EXT_RETURN_NOT_SENT;
}
#endif
--
2.46.0

62
0131-Add-ALPN-validation-in-the-client.patch
View File

@ -1,62 +0,0 @@
From 195e15421df113d7283aab2ccff8b8fb06df5465 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 11:51:54 +0100
Subject: [PATCH 08/10] Add ALPN validation in the client
The ALPN protocol selected by the server must be one that we originally
advertised. We should verify that it is.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 1ab3c13d57..ff9c009ee5 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx)
{
size_t len;
+ PACKET confpkt, protpkt;
+ int valid = 0;
/* We must have requested it. */
if (!s->s3.alpn_sent) {
@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
return 0;
}
+
+ /* It must be a protocol that we sent */
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
+ if (PACKET_remaining(&protpkt) != len)
+ continue;
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
+ /* Valid protocol found */
+ valid = 1;
+ break;
+ }
+ }
+
+ if (!valid) {
+ /* The protocol sent from the server does not match one we advertised */
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
OPENSSL_free(s->s3.alpn_selected);
s->s3.alpn_selected = OPENSSL_malloc(len);
if (s->s3.alpn_selected == NULL) {
--
2.46.0

267
0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
View File

@ -1,267 +0,0 @@
From 7c95191434415d1c9b7fe9b130df13cce630b6b5 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 10:09:41 +0100
Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest
We already had some tests elsewhere - but this extends that testing with
additional tests.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 229 insertions(+)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 15cb9060cb..7a55a2b721 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx)
return ret;
}
+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
+
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
+ unsigned int *outlen, void *arg)
+{
+ int *idx = (int *)arg;
+
+ switch (*idx) {
+ default:
+ case 0:
+ *out = fooprot;
+ *outlen = sizeof(fooprot);
+ return SSL_TLSEXT_ERR_OK;
+
+ case 1:
+ *outlen = 0;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 2:
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+}
+
+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
+ const unsigned char *in, unsigned int inlen, void *arg)
+{
+ int *idx = (int *)arg;
+
+ switch (*idx) {
+ case 0:
+ case 1:
+ *out = (unsigned char *)(fooprot + 1);
+ *outlen = *fooprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 3:
+ *out = (unsigned char *)(barprot + 1);
+ *outlen = *barprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 4:
+ *outlen = 0;
+ return SSL_TLSEXT_ERR_OK;
+
+ default:
+ case 2:
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+}
+
+/*
+ * Test the NPN callbacks
+ * Test 0: advert = foo, select = foo
+ * Test 1: advert = <empty>, select = foo
+ * Test 2: no advert
+ * Test 3: advert = foo, select = bar
+ * Test 4: advert = foo, select = <empty> (should fail)
+ */
+static int test_npn(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int testresult = 0;
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), 0, TLS1_2_VERSION,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
+ NULL)))
+ goto end;
+
+ if (idx == 4) {
+ /* We don't allow empty selection of NPN, so this should fail */
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+ } else {
+ const unsigned char *prot;
+ unsigned int protlen;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
+ switch (idx) {
+ case 0:
+ case 1:
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
+ goto end;
+ break;
+ case 2:
+ if (!TEST_uint_eq(protlen, 0))
+ goto end;
+ break;
+ case 3:
+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
+ goto end;
+ break;
+ default:
+ TEST_error("Should not get here");
+ goto end;
+ }
+ }
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
+
+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
+ unsigned char *outlen, const unsigned char *in,
+ unsigned int inlen, void *arg)
+{
+ int *idx = (int *)arg;
+
+ switch (*idx) {
+ case 0:
+ *out = (unsigned char *)(fooprot + 1);
+ *outlen = *fooprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 2:
+ *out = (unsigned char *)(barprot + 1);
+ *outlen = *barprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 3:
+ *outlen = 0;
+ return SSL_TLSEXT_ERR_OK;
+
+ default:
+ case 1:
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ return 0;
+}
+
+/*
+ * Test the ALPN callbacks
+ * Test 0: client = foo, select = foo
+ * Test 1: client = <empty>, select = none
+ * Test 2: client = foo, select = bar (should fail)
+ * Test 3: client = foo, select = <empty> (should fail)
+ */
+static int test_alpn(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int testresult = 0;
+ const unsigned char *prots = fooprot;
+ unsigned int protslen = sizeof(fooprot);
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), 0, 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
+ NULL)))
+ goto end;
+
+ if (idx == 1) {
+ prots = NULL;
+ protslen = 0;
+ }
+
+ /* SSL_set_alpn_protos returns 0 for success! */
+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
+ goto end;
+
+ if (idx == 2 || idx == 3) {
+ /* We don't allow empty selection of NPN, so this should fail */
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+ } else {
+ const unsigned char *prot;
+ unsigned int protlen;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_get0_alpn_selected(clientssl, &prot, &protlen);
+ switch (idx) {
+ case 0:
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
+ goto end;
+ break;
+ case 1:
+ if (!TEST_uint_eq(protlen, 0))
+ goto end;
+ break;
+ default:
+ TEST_error("Should not get here");
+ goto end;
+ }
+ }
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
int setup_tests(void)
@@ -12190,6 +12415,10 @@ int setup_tests(void)
ADD_TEST(test_data_retry);
ADD_ALL_TESTS(test_multi_resume, 5);
ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ ADD_ALL_TESTS(test_npn, 5);
+#endif
+ ADD_ALL_TESTS(test_alpn, 4);
return 1;
err:
--
2.46.0

199
0133-Add-a-test-for-an-empty-NextProto-message.patch
View File

@ -1,199 +0,0 @@
From 301b870546d1c7b2d8f0d66e04a2596142f0399f Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 14:29:26 +0100
Subject: [PATCH 10/10] Add a test for an empty NextProto message
It is valid according to the spec for a NextProto message to have no
protocols listed in it. The OpenSSL implementation however does not allow
us to create such a message. In order to check that we work as expected
when communicating with a client that does generate such messages we have
to use a TLSProxy test.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++
util/perl/TLSProxy/Message.pm | 9 ++++
util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
util/perl/TLSProxy/Proxy.pm | 1 +
4 files changed, 137 insertions(+)
create mode 100644 test/recipes/70-test_npn.t
create mode 100644 util/perl/TLSProxy/NextProto.pm
diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
new file mode 100644
index 0000000000..f82e71af6a
--- /dev/null
+++ b/test/recipes/70-test_npn.t
@@ -0,0 +1,73 @@
+#! /usr/bin/env perl
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
+use OpenSSL::Test::Utils;
+
+use TLSProxy::Proxy;
+
+my $test_name = "test_npn";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs NPN enabled"
+ if disabled("nextprotoneg");
+
+plan skip_all => "$test_name needs TLSv1.2 enabled"
+ if disabled("tls1_2");
+
+my $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 1;
+
+my $npnseen = 0;
+
+# Test 1: Check sending an empty NextProto message from the client works. This is
+# valid as per the spec, but OpenSSL does not allow you to send it.
+# Therefore we must be prepared to receive such a message but we cannot
+# generate it except via TLSProxy
+$proxy->clear();
+$proxy->filter(\&npn_filter);
+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
+$proxy->serverflags("-nextprotoneg foo");
+$proxy->start();
+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
+
+sub npn_filter
+{
+ my $proxy = shift;
+ my $message;
+
+ # The NextProto message always appears in flight 2
+ return if $proxy->flight != 2;
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
+ # Our TLSproxy NextProto message support doesn't support parsing of
+ # the message. If we repack it just creates an empty NextProto
+ # message - which is exactly the scenario we want to test here.
+ $message->repack();
+ $npnseen = 1;
+ }
+ }
+}
diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
index ce22187569..fb41b2ffc8 100644
--- a/util/perl/TLSProxy/Message.pm
+++ b/util/perl/TLSProxy/Message.pm
@@ -384,6 +384,15 @@ sub create_message
[@message_frag_lens]
);
$message->parse();
+ } elsif ($mt == MT_NEXT_PROTO) {
+ $message = TLSProxy::NextProto->new(
+ $server,
+ $data,
+ [@message_rec_list],
+ $startoffset,
+ [@message_frag_lens]
+ );
+ $message->parse();
} else {
#Unknown message type
$message = TLSProxy::Message->new(
diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
new file mode 100644
index 0000000000..0e18347546
--- /dev/null
+++ b/util/perl/TLSProxy/NextProto.pm
@@ -0,0 +1,54 @@
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+
+package TLSProxy::NextProto;
+
+use vars '@ISA';
+push @ISA, 'TLSProxy::Message';
+
+sub new
+{
+ my $class = shift;
+ my ($server,
+ $data,
+ $records,
+ $startoffset,
+ $message_frag_lens) = @_;
+
+ my $self = $class->SUPER::new(
+ $server,
+ TLSProxy::Message::MT_NEXT_PROTO,
+ $data,
+ $records,
+ $startoffset,
+ $message_frag_lens);
+
+ return $self;
+}
+
+sub parse
+{
+ # We don't support parsing at the moment
+}
+
+# This is supposed to reconstruct the on-the-wire message data following changes.
+# For now though since we don't support parsing we just create an empty NextProto
+# message - this capability is used in test_npn
+sub set_message_contents
+{
+ my $self = shift;
+ my $data;
+
+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00);
+ $self->data($data);
+}
+1;
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index 3de10eccb9..b707722b6b 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
use TLSProxy::CertificateVerify;
use TLSProxy::ServerKeyExchange;
use TLSProxy::NewSessionTicket;
+use TLSProxy::NextProto;
my $have_IPv6;
my $IP_factory;
--
2.46.0

233
0136-CVE-2024-6119.patch
View File

@ -1,233 +0,0 @@
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 1a18174995..a09414c972 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
ASN1_STRING *cstr;
gen = sk_GENERAL_NAME_value(gens, i);
- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
- NID_id_on_SmtpUTF8Mailbox) {
- san_present = 1;
-
- /*
- * If it is not a UTF8String then that is unexpected and we
- * treat it as no match
- */
- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
- cstr = gen->d.otherName->value->value.utf8string;
-
- /* Positive on success, negative on error! */
- if ((rv = do_check_string(cstr, 0, equal, flags,
- chk, chklen, peername)) != 0)
- break;
- }
- } else
+ switch (gen->type) {
+ default:
+ continue;
+ case GEN_OTHERNAME:
+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
+ default:
continue;
- } else {
- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
+ case NID_id_on_SmtpUTF8Mailbox:
+ /*-
+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
+ *
+ * Due to name constraint compatibility reasons described
+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
+ * be used unless the local-part of the email address
+ * contains non-ASCII characters. When the local-part is
+ * ASCII, rfc822Name subjectAltName MUST be used instead
+ * of SmtpUTF8Mailbox. This is compatible with legacy
+ * software that supports only rfc822Name (and not
+ * SmtpUTF8Mailbox). [...]
+ *
+ * SmtpUTF8Mailbox is encoded as UTF8String.
+ *
+ * If it is not a UTF8String then that is unexpected, and
+ * we ignore the invalid SAN (neither set san_present nor
+ * consider it a candidate for equality). This does mean
+ * that the subject CN may be considered, as would be the
+ * case when the malformed SmtpUtf8Mailbox SAN is instead
+ * simply absent.
+ *
+ * When CN-ID matching is not desirable, applications can
+ * choose to turn it off, doing so is at this time a best
+ * practice.
+ */
+ if (check_type != GEN_EMAIL
+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
+ continue;
+ alt_type = 0;
+ cstr = gen->d.otherName->value->value.utf8string;
+ break;
+ }
+ break;
+ case GEN_EMAIL:
+ if (check_type != GEN_EMAIL)
continue;
- }
- san_present = 1;
- if (check_type == GEN_EMAIL)
cstr = gen->d.rfc822Name;
- else if (check_type == GEN_DNS)
+ break;
+ case GEN_DNS:
+ if (check_type != GEN_DNS)
+ continue;
cstr = gen->d.dNSName;
- else
+ break;
+ case GEN_IPADD:
+ if (check_type != GEN_IPADD)
+ continue;
cstr = gen->d.iPAddress;
+ break;
+ }
+ san_present = 1;
/* Positive on success, negative on error! */
if ((rv = do_check_string(cstr, alt_type, equal, flags,
chk, chklen, peername)) != 0)
diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
index 522982ddfb..e18735d89a 100644
--- a/test/recipes/25-test_eai_data.t
+++ b/test/recipes/25-test_eai_data.t
@@ -21,16 +21,18 @@ setup("test_eai_data");
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
-plan tests => 12;
+plan tests => 16;
require_ok(srctop_file('test','recipes','tconversion.pl'));
my $folder = "test/recipes/25-test_eai_data";
my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
+my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
my $out;
my $outcnt = 0;
@@ -56,10 +58,18 @@ SKIP: {
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+
#Check that we get the expected failure return code
with({ exit_checker => sub { return shift == 2; } },
sub {
diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
new file mode 100644
index 0000000000..e8a2c6f55d
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
+oDQ9fKfUOAmUFth2/R/eGA==
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
new file mode 100644
index 0000000000..a74c96bf31
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
new file mode 100755
index 0000000000..7a8dbc719f
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc.sh
@@ -0,0 +1,41 @@
+#! /usr/bin/env bash
+
+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
+# should likewise lead to ASAN issues with email name checks.
+
+rm -f root-key.pem root-cert.pem
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
+
+exts=$(
+ printf "%s\n%s\n%s\n%s = " \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid" \
+ "basicConstraints = CA:false" \
+ "subjectAltName"
+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
+ printf "%s, " "email:joe@example.com"
+ printf "%s\n" "DNS:mx1.example.com"
+ printf "[kdc_princ_name]\n"
+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
+ printf "[kdc_principal_seq]\n"
+ printf "name_type = EXP:0, INTEGER:1\n"
+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
+ printf "[kdc_principal_components]\n"
+ printf "princ1 = GeneralString:krbtgt\n"
+ printf "princ2 = GeneralString:TEST.EXAMPLE\n"
+ )
+
+printf "%s\n" "$exts"
+
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
+ -subj "/CN=TEST.EXAMPLE" |
+ openssl x509 -req -out kdc-cert.pem \
+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
+ -set_serial 2 -days 36524 \
+ -extfile <(printf "%s\n" "$exts")

238
0140-CVE-2024-12797.patch
View File

@ -1,238 +0,0 @@
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 436b397346..df2eed7594 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1910,6 +1910,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc,
{
size_t certidx;
const SSL_CERT_LOOKUP *clu;
+ int v_ok;
if (sc->session->peer_rpk == NULL) {
SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER,
@@ -1919,9 +1920,19 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc,
if (sc->rwstate == SSL_RETRY_VERIFY)
sc->rwstate = SSL_NOTHING;
- if (ssl_verify_rpk(sc, sc->session->peer_rpk) > 0
- && sc->rwstate == SSL_RETRY_VERIFY)
+
+ ERR_set_mark();
+ v_ok = ssl_verify_rpk(sc, sc->session->peer_rpk);
+ if (v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE) {
+ ERR_clear_last_mark();
+ SSLfatal(sc, ssl_x509err2alert(sc->verify_result),
+ SSL_R_CERTIFICATE_VERIFY_FAILED);
+ return WORK_ERROR;
+ }
+ ERR_pop_to_mark(); /* but we keep s->verify_result */
+ if (v_ok > 0 && sc->rwstate == SSL_RETRY_VERIFY) {
return WORK_MORE_A;
+ }
if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx,
SSL_CONNECTION_GET_CTX(sc))) == NULL) {
@@ -2071,10 +2082,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s,
if (s->rwstate == SSL_RETRY_VERIFY)
s->rwstate = SSL_NOTHING;
- i = ssl_verify_cert_chain(s, s->session->peer_chain);
- if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) {
- return WORK_MORE_A;
- }
+
/*
* The documented interface is that SSL_VERIFY_PEER should be set in order
* for client side verification of the server certificate to take place.
@@ -2089,12 +2097,17 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s,
* (less clean) historic behaviour of performing validation if any flag is
* set. The *documented* interface remains the same.
*/
- if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
+ ERR_set_mark();
+ i = ssl_verify_cert_chain(s, s->session->peer_chain);
+ if (i <= 0 && s->verify_mode != SSL_VERIFY_NONE) {
+ ERR_clear_last_mark();
SSLfatal(s, ssl_x509err2alert(s->verify_result),
SSL_R_CERTIFICATE_VERIFY_FAILED);
return WORK_ERROR;
}
- ERR_clear_error(); /* but we keep s->verify_result */
+ ERR_pop_to_mark(); /* but we keep s->verify_result */
+ if (i > 0 && s->rwstate == SSL_RETRY_VERIFY)
+ return WORK_MORE_A;
/*
* Inconsistency alert: cert_chain does include the peer's certificate,
diff --git a/test/rpktest.c b/test/rpktest.c
index ac824798f1..624d366508 100644
--- a/test/rpktest.c
+++ b/test/rpktest.c
@@ -89,12 +89,14 @@ static int rpk_verify_server_cb(int ok, X509_STORE_CTX *ctx)
* idx = 13 - resumption with client authentication
* idx = 14 - resumption with client authentication, no ticket
* idx = 15 - like 0, but use non-default libctx
+ * idx = 16 - like 7, but with SSL_VERIFY_PEER connection should fail
+ * idx = 17 - like 8, but with SSL_VERIFY_PEER connection should fail
*
- * 16 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests
+ * 18 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests
*/
static int test_rpk(int idx)
{
-# define RPK_TESTS 16
+# define RPK_TESTS 18
# define RPK_DIMS (2 * 4 * 2 * 2 * 2 * 2)
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -114,6 +116,7 @@ static int test_rpk(int idx)
int idx_cert, idx_prot;
int client_auth = 0;
int resumption = 0;
+ int want_error = SSL_ERROR_NONE;
long server_verify_result = 0;
long client_verify_result = 0;
OSSL_LIB_CTX *test_libctx = NULL;
@@ -188,7 +191,7 @@ static int test_rpk(int idx)
#ifdef OPENSSL_NO_ECDSA
/* Can't get other_key if it's ECDSA */
if (other_pkey == NULL && idx_cert == 0
- && (idx == 4 || idx == 6 || idx == 7)) {
+ && (idx == 4 || idx == 6 || idx == 7 || idx == 16)) {
testresult = TEST_skip("EDCSA disabled");
goto end;
}
@@ -266,8 +269,10 @@ static int test_rpk(int idx)
goto end;
/* Only a private key */
if (idx == 1) {
- if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0)
+ if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) {
expected = 0;
+ want_error = SSL_ERROR_SSL;
+ }
} else {
/* Add certificate */
if (!TEST_int_eq(SSL_use_certificate_file(serverssl, cert_file, SSL_FILETYPE_PEM), 1))
@@ -333,12 +338,14 @@ static int test_rpk(int idx)
client_expected = -1;
if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey)))
goto end;
+ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb);
client_verify_result = X509_V_ERR_DANE_NO_MATCH;
break;
case 8:
if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1)
client_expected = -1;
/* no peer keys */
+ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb);
client_verify_result = X509_V_ERR_RPK_UNTRUSTED;
break;
case 9:
@@ -370,9 +377,13 @@ static int test_rpk(int idx)
if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1))
goto end;
/* Since there's no cert, this is expected to fail without RPK support */
- if (!idx_server_client_rpk || !idx_client_client_rpk)
+ if (!idx_server_client_rpk || !idx_client_client_rpk) {
expected = 0;
- SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
+ want_error = SSL_ERROR_SSL;
+ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+ } else {
+ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb);
+ }
client_auth = 1;
break;
case 11:
@@ -449,31 +460,52 @@ static int test_rpk(int idx)
if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey)))
goto end;
break;
+ case 16:
+ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) {
+ /* wrong expected server key */
+ expected = 0;
+ want_error = SSL_ERROR_SSL;
+ SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
+ }
+ if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey)))
+ goto end;
+ break;
+ case 17:
+ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) {
+ /* no expected server keys */
+ expected = 0;
+ want_error = SSL_ERROR_SSL;
+ SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
+ }
+ break;
}
- ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
+ ret = create_ssl_connection(serverssl, clientssl, want_error);
if (!TEST_int_eq(expected, ret))
goto end;
+ if (expected <= 0) {
+ testresult = 1;
+ goto end;
+ }
+
/* Make sure client gets RPK or certificate as configured */
- if (expected == 1) {
- if (idx_server_server_rpk && idx_client_server_rpk) {
- if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result))
- goto end;
- if (!TEST_ptr(SSL_get0_peer_rpk(clientssl)))
- goto end;
- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk))
- goto end;
- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk))
- goto end;
- } else {
- if (!TEST_ptr(SSL_get0_peer_certificate(clientssl)))
- goto end;
- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_x509))
- goto end;
- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509))
- goto end;
- }
+ if (idx_server_server_rpk && idx_client_server_rpk) {
+ if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result))
+ goto end;
+ if (!TEST_ptr(SSL_get0_peer_rpk(clientssl)))
+ goto end;
+ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk))
+ goto end;
+ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk))
+ goto end;
+ } else {
+ if (!TEST_ptr(SSL_get0_peer_certificate(clientssl)))
+ goto end;
+ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_x509))
+ goto end;
+ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509))
+ goto end;
}
if (idx == 9) {
@@ -500,8 +532,7 @@ static int test_rpk(int idx)
if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_rpk))
goto end;
} else {
- /* only if connection is expected to succeed */
- if (expected == 1 && !TEST_ptr(SSL_get0_peer_certificate(serverssl)))
+ if (!TEST_ptr(SSL_get0_peer_certificate(serverssl)))
goto end;
if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_x509))
goto end;
@@ -591,7 +622,7 @@ static int test_rpk(int idx)
}
ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
- if (!TEST_int_eq(expected, ret))
+ if (!TEST_true(ret))
goto end;
verify = SSL_get_verify_result(clientssl);
if (!TEST_int_eq(client_expected, verify))

82
Makefile.certificate
View File

@ -1,82 +0,0 @@
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
EXTRA_FLAGS=
ifdef SERIAL
EXTRA_FLAGS+=-set_serial $(SERIAL)
endif
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem
usage:
@echo "This makefile allows you to create:"
@echo " o public/private key pairs"
@echo " o SSL certificate signing requests (CSRs)"
@echo " o self-signed SSL test certificates"
@echo
@echo "To create a key pair, run \"make SOMETHING.key\"."
@echo "To create a CSR, run \"make SOMETHING.csr\"."
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
@echo
@echo "To create a key for use with Apache, run \"make genkey\"."
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo
@echo "To create a test certificate with serial number other than random, add SERIAL=num"
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
@echo
@echo Examples:
@echo " make server.key"
@echo " make server.csr"
@echo " make server.crt"
@echo " make stunnel.pem"
@echo " make genkey"
@echo " make certreq"
@echo " make testcert"
@echo " make server.crt SERIAL=1"
@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
@echo " make testcert DAYS=600"
%.pem:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
$(RM) $$PEM1 $$PEM2
%.key:
umask 77 ; \
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
%.csr: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
%.crt: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)
$(CSR): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
$(CRT): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)

9
fips-hmacify.sh Executable file
View File

@ -0,0 +1,9 @@
#!/bin/bash
dd if=/dev/zero bs=1 count=32 of=tmp.mac >/dev/null 2>&1
objcopy --update-section .rodata1=tmp.mac $1 $1.zeromac
mv $1.zeromac $1
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $1 > $1.hmac
objcopy --update-section .rodata1=$1.hmac $1 $1.mac
rm $1.hmac
mv $1.mac $1

236
openssl.spec
View File

@ -28,152 +28,69 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.2.2
Release: 7%{?dist}
Version: 3.5.0
Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source: openssl-%{version}.tar.gz
Source2: Makefile.certificate
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
Source3: genpatches
Source6: make-dummy-cert
Source7: renew-dummy-cert
Source9: configuration-switch.h
Source10: configuration-prefix.h
Source14: 0025-for-tests.patch
# Patches exported from source git
# Aarch64 and ppc64le use lib64
Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
# Use more general default values in openssl.cnf
Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
# Do not install html docs
Patch3: 0003-Do-not-install-html-docs.patch
# Override default paths for the CA directory tree
Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
# apps/ca: fix md option help text
Patch5: 0005-apps-ca-fix-md-option-help-text.patch
# Disable signature verification with totally unsafe hash algorithms
Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
# Add support for PROFILE=SYSTEM system default cipherlist
Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
# Add FIPS_mode() compatibility macro
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
# Add check to see if fips flag is enabled in kernel
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
# that new modifications made to these files by upstream are not lost.
Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch
# remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch
# Disable explicit EC curves
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
Patch12: 0012-Disable-explicit-ec.patch
#Skipped tests from former 0011-Remove-EC-curves.patch
Patch13: 0013-skipped-tests-EC-curves.patch
# Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch
# We load FIPS provider and set FIPS properties implicitly
Patch32: 0032-Force-fips.patch
# Embed HMAC into the fips.so
Patch33: 0033-FIPS-embed-hmac.patch
# Comment out fipsinstall command-line utility
Patch34: 0034.fipsinstall_disable.patch
# Skip unavailable algorithms running `openssl speed`
Patch35: 0035-speed-skip-unavailable-dgst.patch
# Extra public/private key checks required by FIPS-140-3
Patch44: 0044-FIPS-140-3-keychecks.patch
# Minimize fips services
Patch45: 0045-FIPS-services-minimize.patch
# Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch
# Selectively disallow SHA1 signatures
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2049265
Patch50: 0050-FIPS-enable-pkcs12-mac.patch
# Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
# Originally from https://github.com/openssl/openssl/pull/18103
# As we rebased to 3.0.7 and used the version of the function
# not matching the upstream one, we have to use aliasing.
# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
# should also be removed
Patch56: 0056-strcasecmp.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
Patch76: 0076-FIPS-140-3-DRBG.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
Patch77: 0077-FIPS-140-3-zeroization.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
# https://bugzilla.redhat.com/show_bug.cgi?id=2141695
# https://bugzilla.redhat.com/show_bug.cgi?id=2160733
# https://bugzilla.redhat.com/show_bug.cgi?id=2164763
Patch78: 0078-KDF-Add-FIPS-indicators.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=2141748
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142131
Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2136250
Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2137557
Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=2142121
Patch85: 0085-FIPS-RSA-disable-shake.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2144561
Patch91: 0091-FIPS-RSA-encapsulate.patch
# FIPS-95
Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
Patch0001: 0001-RH-Aarch64-and-ppc64le-use-lib64.patch
Patch0002: 0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
Patch0003: 0003-RH-Do-not-install-html-docs.patch
Patch0004: 0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
Patch0005: 0005-RH-Disable-signature-verification-with-bad-digests-R.patch
Patch0006: 0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
Patch0007: 0007-RH-Add-FIPS_mode-compatibility-macro.patch
Patch0008: 0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
Patch0009: 0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
Patch0010: 0010-RH-Disable-explicit-ec-curves.patch
Patch0011: 0011-RH-skipped-tests-EC-curves.patch
Patch0012: 0012-RH-skip-quic-pairwise.patch
Patch0013: 0013-RH-version-aliasing.patch
Patch0014: 0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
Patch0015: 0015-RH-TMP-KTLS-test-skip.patch
Patch0016: 0016-RH-Allow-disabling-of-SHA1-signatures.patch
Patch0017: 0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
Patch0018: 0018-FIPS-disable-fipsinstall.patch
Patch0019: 0019-FIPS-Force-fips-provider-on.patch
Patch0020: 0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
Patch0021: 0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
Patch0022: 0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
Patch0023: 0023-FIPS-RSA-encrypt-limits-REVIEW.patch
Patch0024: 0024-FIPS-RSA-PCTs.patch
Patch0025: 0025-FIPS-RSA-encapsulate-limits.patch
Patch0026: 0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
Patch0027: 0027-FIPS-RSA-size-mode-restrictions.patch
Patch0028: 0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
Patch0029: 0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
Patch0030: 0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
Patch0031: 0031-FIPS-Deny-SHA-1-signature-verification.patch
Patch0032: 0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
Patch0033: 0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
Patch0034: 0034-FIPS-PBKDF2-Set-minimum-password-length.patch
Patch0035: 0035-FIPS-DH-PCT.patch
Patch0036: 0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
Patch0037: 0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
Patch0038: 0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
Patch0039: 0039-FIPS-PKCS12-PBMAC1-defaults.patch
Patch0040: 0040-FIPS-Fix-encoder-decoder-negative-test.patch
Patch0041: 0041-FIPS-EC-DH-DSA-PCTs.patch
Patch0042: 0042-FIPS-EC-disable-weak-curves.patch
Patch0043: 0043-FIPS-NO-DSA-Support.patch
Patch0044: 0044-FIPS-NO-DES-support.patch
Patch0045: 0045-FIPS-NO-Kmac.patch
Patch0046: 0046-FIPS-NO-PQ-ML-SLH-DSA.patch
Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
Patch0048: 0048-Current-Rebase-status.patch
Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2168289
Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2179331
Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2157951
Patch114: 0114-FIPS-enforce-EMS-support.patch
# skip quic and pairwise tests temporarily
Patch115: 0115-skip-quic-pairwise.patch
# Add version aliasing due to
# https://github.com/openssl/openssl/issues/23534
Patch116: 0116-version-aliasing.patch
# https://github.com/openssl/openssl/issues/23050
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2160797
Patch121: 0121-FIPS-cms-defaults.patch
# KTLS regression, temporary skip tests
Patch122: 0122-TMP-KTLS-test-skip.patch
# HKDF regression with older provider implementations
Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
# https://github.com/openssl/openssl/pull/24717
Patch124: 0124-Fix-SSL_select_next_proto.patch
Patch125: 0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch
Patch126: 0126-Use-correctly-formatted-ALPN-data-in-tserver.patch
Patch127: 0127-Clarify-the-SSL_select_next_proto-documentation.patch
Patch128: 0128-Add-a-test-for-SSL_select_next_proto.patch
Patch129: 0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
Patch130: 0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch
Patch131: 0131-Add-ALPN-validation-in-the-client.patch
Patch132: 0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
Patch133: 0133-Add-a-test-for-an-empty-NextProto-message.patch
Patch136: 0136-CVE-2024-6119.patch
Patch140: 0140-CVE-2024-12797.patch
License: ASL 2.0
License: Apache-2.0
URL: http://www.openssl.org/
BuildRequires: gcc g++
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
@ -183,7 +100,7 @@ BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
BuildRequires: perl(Time::HiRes), perl(Time::Piece), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
BuildRequires: git-core
Requires: coreutils
@ -306,12 +223,13 @@ export HASHBANGPERL=/usr/bin/perl
# RPM_OPT_FLAGS, so we can skip specifiying them here.
./Configure \
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
-Wl,--allow-multiple-definition -D_GNU_SOURCE
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips -D_GNU_SOURCE\
no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' -DOPENSSL_PEDANTIC_ZEROIZATION\
-DREDHAT_FIPS_VENDOR='"\"Red Hat Enterprise Linux OpenSSL FIPS Provider\""' -DREDHAT_FIPS_VERSION='"\"%{fips}\""'\
-Wl,--allow-multiple-definition
# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update
@ -333,10 +251,6 @@ done
touch -r configdata.pm configdata.pm.new && \
mv -f configdata.pm.new configdata.pm)
# We must revert patch4 before tests otherwise they will fail
patch -p1 -R < %{PATCH4}
#We must disable default provider before tests otherwise they will fail
patch -p1 < %{SOURCE14}
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
@ -345,9 +259,7 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
#embed HMAC into fips provider for test run
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
mv providers/fips.so.mac providers/fips.so
%{SOURCE1} providers/fips.so
#run tests itself
make test HARNESS_JOBS=8
@ -366,10 +278,7 @@ make test HARNESS_JOBS=8
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
%{SOURCE1} $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \
%{nil}
%endif
@ -386,6 +295,7 @@ for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done
mv rh-openssl.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
# Remove static libraries
for lib in $RPM_BUILD_ROOT%{_libdir}/*.a ; do
@ -396,7 +306,6 @@ done
# for generating them on the fly.
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.d
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
@ -417,8 +326,8 @@ mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
# Ensure the config file timestamps are identical across builds to avoid
# mulitlib conflicts and unnecessary renames on upgrade
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
@ -467,7 +376,6 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man7/*
%{_pkgdocdir}/Makefile.certificate
%exclude %{_mandir}/man1/*.pl*
%exclude %{_mandir}/man1/tsget*
@ -495,6 +403,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%{_libdir}/*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc
%{_libdir}/cmake/OpenSSL/OpenSSLConfig.cmake
%{_libdir}/cmake/OpenSSL/OpenSSLConfigVersion.cmake
%files perl
%{_bindir}/c_rehash
@ -511,6 +421,14 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
* Wed Apr 16 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-1
- Rebasing OpenSSL to 3.5
Resolves: RHEL-80854
Resolves: RHEL-50208
Resolves: RHEL-50210
Resolves: RHEL-50211
Resolves: RHEL-85954
* Wed Jan 29 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-7
- RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797)
Resolves: RHEL-76756

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-3.2.2.tar.gz) = ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d
SHA512 (openssl-3.5.0.tar.gz) = 39cc80e2843a2ee30f3f5de25cd9d0f759ad8de71b0b39f5a679afaaa74f4eb58d285ae50e29e4a27b139b49343ac91d1f05478f96fb0c6b150f16d7b634676f