diff --git a/.gitignore b/.gitignore index c47bf28..dc08e9b 100644 --- a/.gitignore +++ b/.gitignore @@ -57,3 +57,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-3.0.7.tar.gz /openssl-3.2.1.tar.gz /openssl-3.2.2.tar.gz +/openssl-3.5.0.tar.gz diff --git a/0001-Aarch64-and-ppc64le-use-lib64.patch b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch similarity index 58% rename from 0001-Aarch64-and-ppc64le-use-lib64.patch rename to 0001-RH-Aarch64-and-ppc64le-use-lib64.patch index e5d23ba..6cb27b1 100644 --- a/0001-Aarch64-and-ppc64le-use-lib64.patch +++ b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch @@ -1,18 +1,23 @@ -From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:01:41 +0200 -Subject: Aarch64 and ppc64le use lib64 +From fb792883f3ccc55997fdc21a9c1052f778dea1ac Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:14 +0100 +Subject: [PATCH 01/50] RH: Aarch64 and ppc64le use lib64 -(Was openssl-1.1.1-build.patch) +Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch +Patch-id: 1 +Patch-status: | + # # Patches exported from source git + # # Aarch64 and ppc64le use lib64 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- Configurations/10-main.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf -index d7580bf3e1..a7dbfd7f40 100644 +index cba57b4127..3e327017ef 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf -@@ -723,6 +723,7 @@ my %targets = ( +@@ -726,6 +726,7 @@ my %targets = ( lib_cppflags => add("-DL_ENDIAN"), asm_arch => 'ppc64', perlasm_scheme => "linux64le", @@ -20,7 +25,7 @@ index d7580bf3e1..a7dbfd7f40 100644 }, "linux-armv4" => { -@@ -765,6 +766,7 @@ my %targets = ( +@@ -768,6 +769,7 @@ my %targets = ( inherit_from => [ "linux-generic64" ], asm_arch => 'aarch64', perlasm_scheme => "linux64", 
@@ -29,5 +34,5 @@ index d7580bf3e1..a7dbfd7f40 100644 "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32 inherit_from => [ "linux-generic32" ], -- -2.26.2 +2.49.0 diff --git a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch new file mode 100644 index 0000000..f0808db --- /dev/null +++ b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch 
@@ -0,0 +1,456 @@ +From 193d88dfd8d131d2057fc69b4e2abb66f51924d0 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 6 Mar 2025 08:40:29 -0500 +Subject: [PATCH 02/50] Add a separate config file to use for rpm installs + +In RHEL/Fedora systems we want to use a slightly different set +of defaults, but we do not want to change the standard config file +because there are many assumptions about its configuration in +openssl upstream tests. + +So we create a separate one to use to override the default on on +installation. + +This config file differs from upstream for: +- CA directory tree paths +- Instructions about legacy provider +- Default certificate digest (set to sha256) + +Signed-off-by: Simo Sorce +--- + doc/man5/config.pod | 8 + + rh-openssl.cnf | 403 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 411 insertions(+) + create mode 100644 rh-openssl.cnf + +diff --git a/doc/man5/config.pod b/doc/man5/config.pod +index e24ea0c595..39fa468320 100644 +--- a/doc/man5/config.pod ++++ b/doc/man5/config.pod +@@ -284,6 +284,14 @@ Note this setting defaults to off if not provided + All parameters in the section as well as sub-sections are made + available to the provider. + ++=head3 Loading the legacy provider ++ ++Uncomment the sections that start with ## in openssl.cnf ++to enable the legacy provider. ++Note: In general it is not recommended to use the above mentioned algorithms for ++security critical operations, as they are cryptographically weak or vulnerable ++to side-channel attacks and as such have been deprecated. ++ + =head3 Default provider and its activation + + If no providers are activated explicitly, the default one is activated implicitly. +diff --git a/rh-openssl.cnf b/rh-openssl.cnf +new file mode 100644 +index 0000000000..20f5962541 +--- /dev/null ++++ b/rh-openssl.cnf +@@ -0,0 +1,403 @@ ++# ++# OpenSSL example configuration file. ++# See doc/man5/config.pod for more info. 
++# ++# This is mostly being used for generation of certificate requests, ++# but may be used for auto loading of providers ++ ++# Note that you can include other files from the main configuration ++# file using the .include directive. ++#.include filename ++ ++# This definition stops the following lines choking if HOME isn't ++# defined. ++HOME = . ++ ++# Use this in order to automatically load providers. ++openssl_conf = openssl_init ++ ++# Comment out the next line to ignore configuration errors ++config_diagnostics = 0 ++ ++# Extra OBJECT IDENTIFIER info: ++# oid_file = $ENV::HOME/.oid ++oid_section = new_oids ++ ++# To use this configuration file with the "-extfile" option of the ++# "openssl x509" utility, name here the section containing the ++# X.509v3 extensions to use: ++# extensions = ++# (Alternatively, use a configuration file that has only ++# X.509v3 extensions in its main [= default] section.) ++ ++[ new_oids ] ++# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. ++# Add a simple OID like this: ++# testoid1=1.2.3.4 ++# Or use config file substitution like this: ++# testoid2=${testoid1}.5.6 ++ ++# Policies used by the TSA examples. ++tsa_policy1 = 1.2.3.4.1 ++tsa_policy2 = 1.2.3.4.5.6 ++tsa_policy3 = 1.2.3.4.5.7 ++ ++[openssl_init] ++providers = provider_sect ++# Uncomment the sections that start with ## below to enable the legacy provider. ++# Loading the legacy provider enables support for the following algorithms: ++# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 ++# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED ++# Key Derivation Function (KDF): PBKDF1 ++# In general it is not recommended to use the above mentioned algorithms for ++# security critical operations, as they are cryptographically weak or vulnerable ++# to side-channel attacks and as such have been deprecated. 
++ ++# Load default TLS policy configuration ++ssl_conf = ssl_module ++alg_section = evp_properties ++ ++[ evp_properties ] ++#This section is intentionally added empty here ++#to be tuned on particular systems ++ ++# List of providers to load ++[provider_sect] ++default = default_sect ++##legacy = legacy_sect ++## ++[default_sect] ++activate = 1 ++ ++##[legacy_sect] ++##activate = 1 ++ ++#Place the third party provider configuration files into this folder ++.include /etc/pki/tls/openssl.d ++ ++ ++[ ssl_module ] ++ ++system_default = crypto_policy ++ ++[ crypto_policy ] ++ ++.include = /etc/crypto-policies/back-ends/opensslcnf.config ++ ++#################################################################### ++[ ca ] ++default_ca = CA_default # The default ca section ++ ++#################################################################### ++[ CA_default ] ++ ++dir = /etc/pki/CA # Where everything is kept ++certs = $dir/certs # Where the issued certs are kept ++crl_dir = $dir/crl # Where the issued crl are kept ++database = $dir/index.txt # database index file. ++#unique_subject = no # Set to 'no' to allow creation of ++ # several certs with same subject. ++new_certs_dir = $dir/newcerts # default place for new certs. ++ ++certificate = $dir/cacert.pem # The CA certificate ++serial = $dir/serial # The current serial number ++crlnumber = $dir/crlnumber # the current crl number ++ # must be commented out to leave a V1 CRL ++crl = $dir/crl.pem # The current CRL ++private_key = $dir/private/cakey.pem # The private key ++ ++x509_extensions = usr_cert # The extensions to add to the cert ++ ++# Comment out the following two lines for the "traditional" ++# (and highly broken) format. ++name_opt = ca_default # Subject Name options ++cert_opt = ca_default # Certificate field options ++ ++# Extension copying option: use with caution. ++# copy_extensions = copy ++ ++# Extensions to add to a CRL. 
Note: Netscape communicator chokes on V2 CRLs ++# so this is commented out by default to leave a V1 CRL. ++# crlnumber must also be commented out to leave a V1 CRL. ++# crl_extensions = crl_ext ++ ++default_days = 365 # how long to certify for ++default_crl_days= 30 # how long before next CRL ++default_md = sha256 # use SHA-256 by default ++preserve = no # keep passed DN ordering ++ ++# A few difference way of specifying how similar the request should look ++# For type CA, the listed attributes must be the same, and the optional ++# and supplied fields are just that :-) ++policy = policy_match ++ ++# For the CA policy ++[ policy_match ] ++countryName = match ++stateOrProvinceName = match ++organizationName = match ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++# For the 'anything' policy ++# At this point in time, you must list all acceptable 'object' ++# types. ++[ policy_anything ] ++countryName = optional ++stateOrProvinceName = optional ++localityName = optional ++organizationName = optional ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++#################################################################### ++[ req ] ++default_bits = 2048 ++default_keyfile = privkey.pem ++distinguished_name = req_distinguished_name ++attributes = req_attributes ++x509_extensions = v3_ca # The extensions to add to the self signed cert ++ ++# Passwords for private keys if not present they will be prompted for ++# input_password = secret ++# output_password = secret ++ ++# This sets a mask for permitted string types. There are several options. ++# default: PrintableString, T61String, BMPString. ++# pkix : PrintableString, BMPString (PKIX recommendation before 2004) ++# utf8only: only UTF8Strings (PKIX recommendation after 2004). ++# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). ++# MASK:XXXX a literal mask value. 
++# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. ++string_mask = utf8only ++ ++# req_extensions = v3_req # The extensions to add to a certificate request ++ ++[ req_distinguished_name ] ++countryName = Country Name (2 letter code) ++countryName_default = XX ++countryName_min = 2 ++countryName_max = 2 ++ ++stateOrProvinceName = State or Province Name (full name) ++#stateOrProvinceName_default = Default Province ++ ++localityName = Locality Name (eg, city) ++localityName_default = Default City ++ ++0.organizationName = Organization Name (eg, company) ++0.organizationName_default = Default Company Ltd ++ ++# we can do this but it is not needed normally :-) ++#1.organizationName = Second Organization Name (eg, company) ++#1.organizationName_default = World Wide Web Pty Ltd ++ ++organizationalUnitName = Organizational Unit Name (eg, section) ++#organizationalUnitName_default = ++ ++commonName = Common Name (eg, your name or your server\'s hostname) ++commonName_max = 64 ++ ++emailAddress = Email Address ++emailAddress_max = 64 ++ ++# SET-ex3 = SET extension number 3 ++ ++[ req_attributes ] ++challengePassword = A challenge password ++challengePassword_min = 4 ++challengePassword_max = 20 ++ ++unstructuredName = An optional company name ++ ++[ usr_cert ] ++ ++# These extensions are added when 'ca' signs a request. ++ ++# This goes against PKIX guidelines but some CAs do it and some software ++# requires this to avoid interpreting an end user certificate as a CA. ++ ++basicConstraints=CA:FALSE ++ ++# This is typical in keyUsage for a client certificate. ++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment ++ ++# PKIX recommendations harmless if included in all certificates. ++subjectKeyIdentifier=hash ++authorityKeyIdentifier=keyid,issuer ++ ++# This stuff is for subjectAltName and issuerAltname. ++# Import the email address. 
++# subjectAltName=email:copy ++# An alternative to produce certificates that aren't ++# deprecated according to PKIX. ++# subjectAltName=email:move ++ ++# Copy subject details ++# issuerAltName=issuer:copy ++ ++# This is required for TSA certificates. ++# extendedKeyUsage = critical,timeStamping ++ ++[ v3_req ] ++ ++# Extensions to add to a certificate request ++ ++basicConstraints = CA:FALSE ++keyUsage = nonRepudiation, digitalSignature, keyEncipherment ++ ++[ v3_ca ] ++ ++ ++# Extensions for a typical CA ++ ++ ++# PKIX recommendation. ++ ++subjectKeyIdentifier=hash ++ ++authorityKeyIdentifier=keyid:always,issuer ++ ++basicConstraints = critical,CA:true ++ ++# Key usage: this is typical for a CA certificate. However since it will ++# prevent it being used as an test self-signed certificate it is best ++# left out by default. ++# keyUsage = cRLSign, keyCertSign ++ ++# Include email address in subject alt name: another PKIX recommendation ++# subjectAltName=email:copy ++# Copy issuer details ++# issuerAltName=issuer:copy ++ ++# DER hex encoding of an extension: beware experts only! ++# obj=DER:02:03 ++# Where 'obj' is a standard or added object ++# You can even override a supported extension: ++# basicConstraints= critical, DER:30:03:01:01:FF ++ ++[ crl_ext ] ++ ++# CRL extensions. ++# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. ++ ++# issuerAltName=issuer:copy ++authorityKeyIdentifier=keyid:always ++ ++[ proxy_cert_ext ] ++# These extensions should be added when creating a proxy certificate ++ ++# This goes against PKIX guidelines but some CAs do it and some software ++# requires this to avoid interpreting an end user certificate as a CA. ++ ++basicConstraints=CA:FALSE ++ ++# This is typical in keyUsage for a client certificate. ++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment ++ ++# PKIX recommendations harmless if included in all certificates. 
++subjectKeyIdentifier=hash ++authorityKeyIdentifier=keyid,issuer ++ ++# This stuff is for subjectAltName and issuerAltname. ++# Import the email address. ++# subjectAltName=email:copy ++# An alternative to produce certificates that aren't ++# deprecated according to PKIX. ++# subjectAltName=email:move ++ ++# Copy subject details ++# issuerAltName=issuer:copy ++ ++# This really needs to be in place for it to be a proxy certificate. ++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo ++ ++#################################################################### ++[ tsa ] ++ ++default_tsa = tsa_config1 # the default TSA section ++ ++[ tsa_config1 ] ++ ++# These are used by the TSA reply generation only. ++dir = /etc/pki/CA # TSA root directory ++serial = $dir/tsaserial # The current serial number (mandatory) ++crypto_device = builtin # OpenSSL engine to use for signing ++signer_cert = $dir/tsacert.pem # The TSA signing certificate ++ # (optional) ++certs = $dir/cacert.pem # Certificate chain to include in reply ++ # (optional) ++signer_key = $dir/private/tsakey.pem # The TSA private key (optional) ++signer_digest = sha256 # Signing digest to use. (Optional) ++default_policy = tsa_policy1 # Policy if request did not specify it ++ # (optional) ++other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) ++digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) ++accuracy = secs:1, millisecs:500, microsecs:100 # (optional) ++clock_precision_digits = 0 # number of digits after dot. (optional) ++ordering = yes # Is ordering defined for timestamps? ++ # (optional, default: no) ++tsa_name = yes # Must the TSA name be included in the reply? ++ # (optional, default: no) ++ess_cert_id_chain = no # Must the ESS cert id chain be included? 
++ # (optional, default: no) ++ess_cert_id_alg = sha256 # algorithm to compute certificate ++ # identifier (optional, default: sha256) ++ ++[insta] # CMP using Insta Demo CA ++# Message transfer ++server = pki.certificate.fi:8700 ++# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080 ++# tls_use = 0 ++path = pkix/ ++ ++# Server authentication ++recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer ++ignore_keyusage = 1 # potentially needed quirk ++unprotected_errors = 1 # potentially needed quirk ++extracertsout = insta.extracerts.pem ++ ++# Client authentication ++ref = 3078 # user identification ++secret = pass:insta # can be used for both client and server side ++ ++# Generic message options ++cmd = ir # default operation, can be overridden on cmd line with, e.g., kur ++ ++# Certificate enrollment ++subject = "/CN=openssl-cmp-test" ++newkey = insta.priv.pem ++out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature ++certout = insta.cert.pem ++ ++[pbm] # Password-based protection for Insta CA ++# Server and client authentication ++ref = $insta::ref # 3078 ++secret = $insta::secret # pass:insta ++ ++[signature] # Signature-based protection for Insta CA ++# Server authentication ++trusted = $insta::out_trusted # apps/insta.ca.crt ++ ++# Client authentication ++secret = # disable PBM ++key = $insta::newkey # insta.priv.pem ++cert = $insta::certout # insta.cert.pem ++ ++[ir] ++cmd = ir ++ ++[cr] ++cmd = cr ++ ++[kur] ++# Certificate update ++cmd = kur ++oldcert = $insta::certout # insta.cert.pem ++ ++[rr] ++# Certificate revocation ++cmd = rr ++oldcert = $insta::certout # insta.cert.pem +-- +2.49.0 + diff --git a/0002-Use-more-general-default-values-in-openssl.cnf.patch b/0002-Use-more-general-default-values-in-openssl.cnf.patch deleted file mode 100644 index 83ed599..0000000 --- a/0002-Use-more-general-default-values-in-openssl.cnf.patch +++ /dev/null 
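Review bot: `config_diagnostics = 0` in the new rh-openssl.cnf contradicts the comment kept directly above it, `# Comment out the next line to ignore configuration errors`: with the value 0 configuration errors are already ignored, so a broken `.include` or a typo in a provider section is masked on a system-wide config, and the commit message's list of differences from upstream does not mention this. Either set `config_diagnostics = 1` or reword the comment to say that errors are deliberately ignored. Two settings from the patches deleted in this same commit are also not carried into the new file: `[ req ]` no longer sets `default_md = sha256` (the removed 0002 patch added it, although its own message says that should no longer be necessary), and `dir = /etc/pki/CA` in `[ CA_default ]` is now out of step with the `$CATOP` default in apps/CA.pl.in, whose `/etc/pki/CA` override goes away with the removed 0004 patch unless it is restored elsewhere in the series.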
@@ -1,68 +0,0 @@ -From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:03:40 +0200 -Subject: Use more general default values in openssl.cnf - -Also set sha256 as default hash, although that should not be -necessary anymore. - -(was openssl-1.1.1-defaults.patch) ---- - apps/openssl.cnf | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/apps/openssl.cnf b/apps/openssl.cnf -index 97567a67be..eb25a0ac48 100644 ---- a/apps/openssl.cnf -+++ b/apps/openssl.cnf -@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options - - default_days = 365 # how long to certify for - default_crl_days= 30 # how long before next CRL --default_md = default # use public key default MD -+default_md = sha256 # use SHA-256 by default - preserve = no # keep passed DN ordering - - # A few difference way of specifying how similar the request should look -@@ -136,6 +136,7 @@ emailAddress = optional - #################################################################### - [ req ] - default_bits = 2048 -+default_md = sha256 - default_keyfile = privkey.pem - distinguished_name = req_distinguished_name - attributes = req_attributes -@@ -158,17 +159,18 @@ string_mask = utf8only - - [ req_distinguished_name ] - countryName = Country Name (2 letter code) --countryName_default = AU -+countryName_default = XX - countryName_min = 2 - countryName_max = 2 - - stateOrProvinceName = State or Province Name (full name) --stateOrProvinceName_default = Some-State -+#stateOrProvinceName_default = Default Province - - localityName = Locality Name (eg, city) -+localityName_default = Default City - - 0.organizationName = Organization Name (eg, company) --0.organizationName_default = Internet Widgits Pty Ltd -+0.organizationName_default = Default Company Ltd - - # we can do this but it is not needed normally :-) - #1.organizationName = Second Organization Name (eg, company) -@@ -177,7 +179,7 @@ localityName = 
Locality Name (eg, city) - organizationalUnitName = Organizational Unit Name (eg, section) - #organizationalUnitName_default = - --commonName = Common Name (e.g. server FQDN or YOUR name) -+commonName = Common Name (eg, your name or your server\'s hostname) - commonName_max = 64 - - emailAddress = Email Address --- -2.26.2 - diff --git a/0003-Do-not-install-html-docs.patch b/0003-RH-Do-not-install-html-docs.patch similarity index 57% rename from 0003-Do-not-install-html-docs.patch rename to 0003-RH-Do-not-install-html-docs.patch index 6aabf8b..52ebff1 100644 --- a/0003-Do-not-install-html-docs.patch +++ b/0003-RH-Do-not-install-html-docs.patch @@ -1,18 +1,22 @@ -From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:05:55 +0200 -Subject: Do not install html docs +From 786b3456ad2d3d37e9729b83d0ddce8794060fb1 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:14 +0100 +Subject: [PATCH 03/50] RH: Do not install html docs -(was openssl-1.1.1-no-html.patch) +Patch-name: 0003-Do-not-install-html-docs.patch +Patch-id: 3 +Patch-status: | + # # Do not install html docs +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index 342e46d24d..9f369edf0e 100644 +index e85763ccf8..8a829be037 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime +@@ -658,7 +658,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries 
@@ -22,5 +26,5 @@ index 342e46d24d..9f369edf0e 100644 uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation $(RM) -r "$(DESTDIR)$(DOCDIR)" -- -2.26.2 +2.49.0 diff --git a/0004-Override-default-paths-for-the-CA-directory-tree.patch b/0004-Override-default-paths-for-the-CA-directory-tree.patch deleted file mode 100644 index f16e22b..0000000 --- a/0004-Override-default-paths-for-the-CA-directory-tree.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:17:26 +0200 -Subject: Override default paths for the CA directory tree - -Also add default section to load crypto-policies configuration -for TLS. - -It needs to be reverted before running tests. - -(was openssl-1.1.1-conf-paths.patch) ---- - apps/CA.pl.in | 2 +- - apps/openssl.cnf | 20 ++++++++++++++++++-- - 2 files changed, 19 insertions(+), 3 deletions(-) - -diff --git a/apps/CA.pl.in b/apps/CA.pl.in -index c0afb96716..d6a5fabd16 100644 ---- a/apps/CA.pl.in -+++ b/apps/CA.pl.in -@@ -29,7 +29,7 @@ my $X509 = "$openssl x509"; - my $PKCS12 = "$openssl pkcs12"; - - # Default values for various configuration settings. --my $CATOP = "./demoCA"; -+my $CATOP = "/etc/pki/CA"; - my $CAKEY = "cakey.pem"; - my $CAREQ = "careq.pem"; - my $CACERT = "cacert.pem"; -diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf ---- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200 -+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200 -@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7 - - [openssl_init] - providers = provider_sect -+# Load default TLS policy configuration -+ssl_conf = ssl_module -+alg_section = evp_properties -+ -+[ evp_properties ] -+#This section is intentionally added empty here -+#to be tuned on particular systems - - # List of providers to load - [provider_sect] -@@ -64,6 +66,13 @@ default = default_sect - [default_sect] - # activate = 1 - -+[ ssl_module ] -+ -+system_default = crypto_policy -+ -+[ crypto_policy ] -+ -+.include = /etc/crypto-policies/back-ends/opensslcnf.config - - #################################################################### - [ ca ] -@@ -72,7 +81,7 @@ default_ca = CA_default # The default c - #################################################################### - [ CA_default ] - --dir = ./demoCA # Where 
everything is kept -+dir = /etc/pki/CA # Where everything is kept - certs = $dir/certs # Where the issued certs are kept - crl_dir = $dir/crl # Where the issued crl are kept - database = $dir/index.txt # database index file. -@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default - [ tsa_config1 ] - - # These are used by the TSA reply generation only. --dir = ./demoCA # TSA root directory -+dir = /etc/pki/CA # TSA root directory - serial = $dir/tsaserial # The current serial number (mandatory) - crypto_device = builtin # OpenSSL engine to use for signing - signer_cert = $dir/tsacert.pem # The TSA signing certificate diff --git a/0005-apps-ca-fix-md-option-help-text.patch b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch similarity index 53% rename from 0005-apps-ca-fix-md-option-help-text.patch rename to 0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch index 1fed4c4..f0c1852 100644 --- a/0005-apps-ca-fix-md-option-help-text.patch +++ b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch @@ -1,20 +1,22 @@ -From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:27:18 +0200 -Subject: apps/ca: fix md option help text +From 9e410805cbd962214f0c0db785320f5fd594ea75 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:14 +0100 +Subject: [PATCH 04/50] RH: apps ca fix md option help text.patch - DROP? -upstreamable - -(was openssl-1.1.1-apps-dgst.patch) +Patch-name: 0005-apps-ca-fix-md-option-help-text.patch +Patch-id: 5 +Patch-status: | + # # apps/ca: fix md option help text +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- apps/ca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/ca.c b/apps/ca.c -index 0f21b4fa1c..3d4b2c1673 100755 +index 6d1d1c0a6e..a7553ba609 100644 --- a/apps/ca.c 
+++ b/apps/ca.c -@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = { +@@ -216,7 +216,7 @@ const OPTIONS ca_options[] = { {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, OPT_SECTION("Signing"), @@ -24,5 +26,5 @@ index 0f21b4fa1c..3d4b2c1673 100755 {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"}, -- -2.26.2 +2.49.0 diff --git a/0006-Disable-signature-verification-with-totally-unsafe-h.patch b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch similarity index 54% rename from 0006-Disable-signature-verification-with-totally-unsafe-h.patch rename to 0005-RH-Disable-signature-verification-with-bad-digests-R.patch index f9dd2dd..ac6b340 100644 --- a/0006-Disable-signature-verification-with-totally-unsafe-h.patch +++ b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch @@ -1,18 +1,23 @@ -From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:51:34 +0200 -Subject: Disable signature verification with totally unsafe hash algorithms +From fc8b2977d0b92f5a2e62131e398857ee431bff6e Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:14 +0100 +Subject: [PATCH 05/50] RH: Disable signature verification with bad digests - + REVIEW -(was openssl-1.1.1-no-weak-verify.patch) +Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch +Patch-id: 6 +Patch-status: | + # # Disable signature verification with totally unsafe hash algorithms +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- crypto/asn1/a_verify.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c -index b7eed914b0..af62f0ef08 100644 +index f6cac80962..fbc6ce6e30 100644 --- a/crypto/asn1/a_verify.c 
+++ b/crypto/asn1/a_verify.c -@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, +@@ -151,6 +151,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB); if (ret <= 1) goto err; @@ -25,5 +30,5 @@ index b7eed914b0..af62f0ef08 100644 const EVP_MD *type = NULL; -- -2.26.2 +2.49.0 diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch similarity index 79% rename from 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch rename to 0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch index 9decdce..12a7dfc 100644 --- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch @@ -1,24 +1,29 @@ -From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 10:16:46 +0200 -Subject: Add support for PROFILE=SYSTEM system default cipherlist +From e4f78101181c2a16343c0f281d218fde34b84637 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:14 +0100 +Subject: [PATCH 06/50] RH: Add support for PROFILE SYSTEM system default + cipher -(was openssl-1.1.1-system-cipherlist.patch) +Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +Patch-id: 7 +Patch-status: | + # # Add support for PROFILE=SYSTEM system default cipherlist +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- Configurations/unix-Makefile.tmpl | 5 ++ Configure | 11 +++- doc/man1/openssl-ciphers.pod.in | 9 ++++ include/openssl/ssl.h.in | 5 ++ - ssl/ssl_ciph.c | 86 +++++++++++++++++++++++++++---- + ssl/ssl_ciph.c | 83 +++++++++++++++++++++++++++---- ssl/ssl_lib.c | 4 +- test/cipherlist_test.c | 2 + - 7 files changed, 109 insertions(+), 13 deletions(-) + 7 files changed, 105 insertions(+), 14 deletions(-) 
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index 9f369edf0e..c52389f831 100644 +index 8a829be037..ba1266659a 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man +@@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html @@ -29,7 +34,7 @@ index 9f369edf0e..c52389f831 100644 # MANSUFFIX is for the benefit of anyone who may want to have a suffix # appended after the manpage file section number. "ssl" is popular, # resulting in files such as config.5ssl rather than config.5. -@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} +@@ -367,6 +371,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} CPPFLAGS={- our $cppflags1 = join(" ", (map { "-D".$_} @{$config{CPPDEFINES}}), @@ -38,7 +43,7 @@ index 9f369edf0e..c52389f831 100644 @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} diff --git a/Configure b/Configure -index cca1ac8d16..2ae1cd0bc2 100755 +index 15054f9403..7945d6b750 100755 --- a/Configure +++ b/Configure @@ -27,7 +27,7 @@ use OpenSSL::config; @@ -61,7 +66,7 @@ index cca1ac8d16..2ae1cd0bc2 100755 # --banner=".." Output specified text instead of default completion banner # # -w Don't wait after showing a Configure warning -@@ -394,6 +398,7 @@ $config{prefix}=""; +@@ -408,6 +412,7 @@ $config{prefix}=""; $config{openssldir}=""; $config{processor}=""; $config{libdir}=""; @@ -69,7 +74,7 @@ index cca1ac8d16..2ae1cd0bc2 100755 my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -@@ -1047,6 +1052,10 @@ while (@argvcopy) +@@ -1104,6 +1109,10 @@ while (@argvcopy) die "FIPS key too long (64 bytes max)\n" if length $1 > 64; } @@ -81,10 +86,10 @@ index cca1ac8d16..2ae1cd0bc2 100755 { $banner = $1 . "\n"; 
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in -index b4ed3e51d5..2122e6bdfd 100644 +index 69195bcdcb..a6e0ede570 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in -@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. +@@ -189,6 +189,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. The cipher suites not enabled by B, currently B. @@ -101,7 +106,7 @@ index b4ed3e51d5..2122e6bdfd 100644 "High" encryption cipher suites. This currently means those with key lengths diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in -index f9a61609e4..c6f95fed3f 100644 +index b342079968..0b2232b01c 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -209,6 +209,11 @@ extern "C" { @@ -117,17 +122,24 @@ index f9a61609e4..c6f95fed3f 100644 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index b1d3f7919e..f7cc7fed48 100644 +index 6127cb7a4b..19420d6c6a 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c -@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str) +@@ -9,6 +9,7 @@ + * https://www.openssl.org/source/license.html + */ + ++#define _GNU_SOURCE + #include + #include + #include +@@ -1421,6 +1422,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str) return ret; } +#ifdef SYSTEM_CIPHERS_FILE +static char *load_system_str(const char *suffix) +{ -+ FILE *fp; + char buf[1024]; + char *new_rules; + const char *ciphers_path; 
@@ -135,29 +147,26 @@ index b1d3f7919e..f7cc7fed48 100644 + + if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) + ciphers_path = SYSTEM_CIPHERS_FILE; -+ fp = fopen(ciphers_path, "r"); -+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { -+ /* cannot open or file is empty */ ++ ERR_set_mark(); ++ if (access(ciphers_path, R_OK) == 0) { ++ CONF *conf = NCONF_new_ex(NULL, NCONF_default()); ++ char *value = NULL; ++ ++ if (NCONF_load(conf, ciphers_path, NULL) > 0) ++ value = NCONF_get_string(conf, "global", "CipherString"); ++ ++ snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST); ++ ++ NCONF_free(conf); ++ } else { + snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); + } -+ -+ if (fp) -+ fclose(fp); -+ ++ ERR_pop_to_mark(); + slen = strlen(suffix); + len = strlen(buf); + -+ if (buf[len - 1] == '\n') { -+ len--; -+ buf[len] = 0; -+ } -+ if (buf[len - 1] == '\r') { -+ len--; -+ buf[len] = 0; -+ } -+ -+ new_rules = OPENSSL_malloc(len + slen + 1); -+ if (new_rules == 0) ++ new_rules = OPENSSL_zalloc(len + slen + 1); ++ if (new_rules == NULL) + return NULL; + + memcpy(new_rules, buf, len); @@ -174,7 +183,7 @@ index b1d3f7919e..f7cc7fed48 100644 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1425,15 +1472,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1435,15 +1479,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; const SSL_METHOD *ssl_method = ctx->method; @@ -182,7 +191,7 @@ index b1d3f7919e..f7cc7fed48 100644 + char *new_rules = NULL; + + if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) { -+ char *p = rule_str + 14; ++ const char *p = rule_str + 14; + + new_rules = load_system_str(p); + rule_str = new_rules; 
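Review bot: In the rewritten load_system_str() the return value of `snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST)` is ignored, so a CipherString longer than 1023 bytes is silently cut mid-token and the truncated rule, with the PROFILE=SYSTEM suffix appended, is handed to the cipher-list parser, which can produce a list that differs from the configured policy instead of failing. Treat truncation as an error: after `len = strlen(buf);` add `if (len >= sizeof(buf) - 1) return NULL;` (the caller stores the result in rule_str, and as far as the visible hunks show a NULL rule_str is then rejected via the new `goto err` paths — worth confirming in the part of ssl_create_cipher_list() outside these hunks). Separately, a missing, unreadable or malformed policy file, and an `access(R_OK)` verdict on the real uid that disagrees with what NCONF_load() can actually open, all fall back silently to SSL_DEFAULT_CIPHER_LIST with the reason discarded by ERR_pop_to_mark(); if that fail-open is intended, say so at the fallback, e.g. `/* No usable system policy: fall back to the compiled-in default rather than refuse to build a cipher list. */`.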
@@ -202,7 +211,7 @@ index b1d3f7919e..f7cc7fed48 100644 /* * To reduce the work to do we only want to process the compiled -@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1465,7 +1519,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, if (num_of_ciphers > 0) { co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); if (co_list == NULL) @@ -211,7 +220,7 @@ index b1d3f7919e..f7cc7fed48 100644 } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1522,8 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1531,8 +1585,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { @@ -221,16 +230,17 @@ index b1d3f7919e..f7cc7fed48 100644 } /* -@@ -1611,7 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1576,8 +1629,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { - OPENSSL_free(co_list); +- OPENSSL_free(co_list); - return NULL; /* Failure */ + goto err; } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1596,8 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1603,8 +1655,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ @@ -240,7 +250,7 @@ index b1d3f7919e..f7cc7fed48 100644 } /* -@@ -1605,10 +1659,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1612,10 +1663,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { 
@@ -256,7 +266,7 @@ index b1d3f7919e..f7cc7fed48 100644 /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, +@@ -1667,6 +1721,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, *cipher_list = cipherstack; return cipherstack; @@ -267,15 +277,14 @@ index b1d3f7919e..f7cc7fed48 100644 + OPENSSL_free(new_rules); +#endif + return NULL; -+ } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index d14d5819ba..48d491219a 100644 +index 4c7b62e142..7af3f29cd8 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c -@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) +@@ -679,7 +679,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), @@ -284,7 +293,7 @@ index d14d5819ba..48d491219a 100644 if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -3193,7 +3193,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, +@@ -4099,7 +4099,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, @@ -294,10 +303,10 @@ index d14d5819ba..48d491219a 100644 ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err; diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c -index 380f0727fc..6922a87c30 100644 +index c46e431b00..19d05e860b 100644 --- a/test/cipherlist_test.c +++ b/test/cipherlist_test.c -@@ -244,7 +244,9 @@ end: +@@ -261,7 +261,9 @@ end: int setup_tests(void) { 
@@ -308,5 +317,5 @@ index 380f0727fc..6922a87c30 100644 ADD_TEST(test_default_cipherlist_clear); ADD_TEST(test_stdname_cipherlist); -- -2.26.2 +2.49.0 diff --git a/0008-Add-FIPS_mode-compatibility-macro.patch b/0007-RH-Add-FIPS_mode-compatibility-macro.patch similarity index 63% rename from 0008-Add-FIPS_mode-compatibility-macro.patch rename to 0007-RH-Add-FIPS_mode-compatibility-macro.patch index 2e72999..cc5fe88 100644 --- a/0008-Add-FIPS_mode-compatibility-macro.patch +++ b/0007-RH-Add-FIPS_mode-compatibility-macro.patch @@ -1,20 +1,22 @@ -From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 26 Nov 2020 14:00:16 +0100 -Subject: Add FIPS_mode() compatibility macro +From 6778626185fb566b9b89f548ff18f481c10ce808 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 07/50] RH: Add FIPS_mode compatibility macro -The macro calls EVP_default_properties_is_fips_enabled() on the -default context. +Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch +Patch-id: 8 +Patch-status: | + # # Add FIPS_mode() compatibility macro +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - include/openssl/crypto.h.in | 1 + - include/openssl/fips.h | 25 +++++++++++++++++++++++++ - test/property_test.c | 13 +++++++++++++ - 3 files changed, 39 insertions(+) + include/openssl/fips.h | 26 ++++++++++++++++++++++++++ + test/property_test.c | 14 ++++++++++++++ + 2 files changed, 40 insertions(+) create mode 100644 include/openssl/fips.h diff --git a/include/openssl/fips.h b/include/openssl/fips.h new file mode 100644 -index 0000000000..c64f0f8e8f +index 0000000000..4162cbf88e --- /dev/null +++ b/include/openssl/fips.h @@ -0,0 +1,26 @@ 
@@ -44,13 +46,14 @@ index 0000000000..c64f0f8e8f +} +# endif +#endif -diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c ---- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200 -+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200 -@@ -488,6 +488,19 @@ static int test_property_list_to_string( +diff --git a/test/property_test.c b/test/property_test.c +index 18f8cc8740..6864b1a3c1 100644 +--- a/test/property_test.c ++++ b/test/property_test.c +@@ -687,6 +687,19 @@ static int test_property_list_to_string(int i) return ret; } - + +#include +static int test_downstream_FIPS_mode(void) +{ @@ -67,7 +70,7 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1 int setup_tests(void) { ADD_TEST(test_property_string); -@@ -500,6 +512,7 @@ int setup_tests(void) +@@ -700,6 +713,7 @@ int setup_tests(void) ADD_TEST(test_property); ADD_TEST(test_query_cache_stochastic); ADD_TEST(test_fips_mode); @@ -75,3 +78,6 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1 ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests)); return 1; } +-- +2.49.0 + diff --git a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch new file mode 100644 index 0000000..aaebff7 --- /dev/null +++ b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch 
@@ -0,0 +1,92 @@ +From 9df43c7443d85c5685f87c132de448a7c4e652b5 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 08/50] RH: Add Kernel FIPS mode flag support - FIXSTYLE + +Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch +Patch-id: 9 +Patch-status: | + # # Add check to see if fips flag is enabled in kernel +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + crypto/context.c | 35 +++++++++++++++++++++++++++++++++++ + include/internal/provider.h | 3 +++ + 2 files changed, 38 insertions(+) + +diff --git a/crypto/context.c b/crypto/context.c +index f15bc3d755..614c8a2c88 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -7,6 +7,7 @@ + * https://www.openssl.org/source/license.html + */ + ++#define _GNU_SOURCE /* needed for secure_getenv */ + #include "crypto/cryptlib.h" + #include + #include +@@ -19,6 +20,38 @@ + #include "crypto/decoder.h" + #include "crypto/context.h" + ++# include ++# include ++# include ++# include ++# include ++ ++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" ++ ++static int kernel_fips_flag; ++ ++static void read_kernel_fips_flag(void) ++{ ++ char buf[2] = "0"; ++ int fd; ++ ++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { ++ buf[0] = '1'; ++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; ++ close(fd); ++ } ++ ++ if (buf[0] == '1') { ++ kernel_fips_flag = 1; ++ } ++} ++ ++int ossl_get_kernel_fips_flag() ++{ ++ return kernel_fips_flag; ++} ++ + struct ossl_lib_ctx_st { + CRYPTO_RWLOCK *lock; + OSSL_EX_DATA_GLOBAL global; +@@ -393,6 +426,8 @@ static int default_context_inited = 0; + + DEFINE_RUN_ONCE_STATIC(default_context_do_init) + { ++ read_kernel_fips_flag(); ++ + if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)) + goto err; + +diff --git a/include/internal/provider.h b/include/internal/provider.h +index 6909a1919c..9d2e355251 100644 +--- 
a/include/internal/provider.h ++++ b/include/internal/provider.h +@@ -111,6 +111,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, + const OSSL_DISPATCH *in); + void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); + ++/* FIPS flag access */ ++int ossl_get_kernel_fips_flag(void); ++ + # ifdef __cplusplus + } + # endif +-- +2.49.0 + diff --git a/0009-Add-Kernel-FIPS-mode-flag-support.patch b/0009-Add-Kernel-FIPS-mode-flag-support.patch deleted file mode 100644 index 0848473..0000000 --- a/0009-Add-Kernel-FIPS-mode-flag-support.patch +++ /dev/null 
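Review bot: `kernel_fips_flag` is filled in only from `default_context_do_init`, so `ossl_get_kernel_fips_flag()` returns 0 to any caller that runs before the default OSSL_LIB_CTX has been initialised (for instance code operating on a non-default library context created first), and a FIPS decision taken on that value would be silently wrong; whether such a call path exists depends on the later patches that consume this helper, which are not in this hunk. Reading the flag lazily under its own run-once guard, with the same DEFINE_RUN_ONCE_STATIC/RUN_ONCE machinery this file already uses for the default context, removes the ordering dependency (sketch below). Two smaller points in the same function: open the sysctl file with `O_RDONLY | O_CLOEXEC` so the descriptor cannot leak into a child exec'd by another thread between open() and close(), and define it as `int ossl_get_kernel_fips_flag(void)` to match the prototype this patch adds to provider.h, in keeping with the FIXSTYLE intent. The `#define _GNU_SOURCE` is likewise unguarded and will warn if the build already defines it; an `#ifndef _GNU_SOURCE` around it is cheap.
```c
/* … unchanged: includes, FIPS_MODE_SWITCH_FILE, kernel_fips_flag, read_kernel_fips_flag() … */

static CRYPTO_ONCE fips_flag_once = CRYPTO_ONCE_STATIC_INIT;

DEFINE_RUN_ONCE_STATIC(read_kernel_fips_flag_once)
{
    read_kernel_fips_flag();
    return 1;
}

int ossl_get_kernel_fips_flag(void)
{
    /* Read lazily so the answer does not depend on which library context was set up first. */
    if (!RUN_ONCE(&fips_flag_once, read_kernel_fips_flag_once))
        return 0;
    return kernel_fips_flag;
}

/* … unchanged: struct ossl_lib_ctx_st …; the explicit read_kernel_fips_flag() call in default_context_do_init() becomes unnecessary … */
```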
@@ -1,86 +0,0 @@ -From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 31 Jul 2023 09:41:27 +0200 -Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch - -Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch -Patch-id: 9 -Patch-status: | - # Add check to see if fips flag is enabled in kernel -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd ---- - crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++ - include/internal/provider.h | 3 +++ - 2 files changed, 39 insertions(+) - -diff --git a/crypto/context.c b/crypto/context.c -index e294ea1512..51002ba79a 100644 ---- a/crypto/context.c -+++ b/crypto/context.c -@@ -16,6 +16,41 @@ - #include "crypto/decoder.h" - #include "crypto/context.h" - -+# include -+# include -+# include -+# include -+# include -+ -+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" -+ -+static int kernel_fips_flag; -+ -+static void read_kernel_fips_flag(void) -+{ -+ char buf[2] = "0"; -+ int fd; -+ -+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { -+ buf[0] = '1'; -+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { -+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; -+ close(fd); -+ } -+ -+ if (buf[0] == '1') { -+ kernel_fips_flag = 1; -+ } -+ -+ return; -+} -+ -+int ossl_get_kernel_fips_flag() -+{ -+ return kernel_fips_flag; -+} -+ -+ - struct ossl_lib_ctx_st { - CRYPTO_RWLOCK *lock, *rand_crngt_lock; - OSSL_EX_DATA_GLOBAL global; -@@ -336,6 +371,7 @@ static int default_context_inited = 0; - - DEFINE_RUN_ONCE_STATIC(default_context_do_init) - { -+ read_kernel_fips_flag(); - if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)) - goto err; - -diff --git a/include/internal/provider.h b/include/internal/provider.h -index 18937f84c7..1446bf7afb 100644 ---- a/include/internal/provider.h -+++ b/include/internal/provider.h -@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, - const 
OSSL_DISPATCH *in); - void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); - -+/* FIPS flag access */ -+int ossl_get_kernel_fips_flag(void); -+ - # ifdef __cplusplus - } - # endif --- -2.41.0 - diff --git a/0010-Add-changes-to-ectest-and-eccurve.patch b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch similarity index 80% rename from 0010-Add-changes-to-ectest-and-eccurve.patch rename to 0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch index 63a2ca2..9fd2610 100644 --- a/0010-Add-changes-to-ectest-and-eccurve.patch +++ b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch @@ -1,21 +1,74 @@ -From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001 +From f9d74e58291461804defa0e2de9635aad76e5d57 Mon Sep 17 00:00:00 2001 
From: rpm-build -Date: Mon, 31 Jul 2023 09:41:27 +0200 -Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 09/50] RH: Drop weak curve definitions - RENAMED/SQUASHED Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch Patch-id: 10 Patch-status: | - # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so - # that new modifications made to these files by upstream are not lost. -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd ---- - crypto/ec/ec_curve.c | 844 ------------------------------------------- - test/ectest.c | 174 +-------- - 2 files changed, 8 insertions(+), 1010 deletions(-) + # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so + # # that new modifications made to these files by upstream are not lost. +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +commit #2: +Patch-name: 0011-Remove-EC-curves.patch +Patch-id: 11 +Patch-status: | + # # remove unsupported EC curves +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + apps/speed.c | 8 +- + crypto/ec/ec_curve.c | 844 ------------------ + crypto/evp/ec_support.c | 87 -- + test/acvp_test.inc | 9 - + test/ecdsatest.h | 17 - + test/ectest.c | 174 +--- + test/recipes/15-test_genec.t | 27 - + test/recipes/30-test_evp_data/evppkey_ecc.txt | 1 + + 8 files changed, 10 insertions(+), 1157 deletions(-) + +diff --git a/apps/speed.c b/apps/speed.c +index f52f2c839d..1edf9b8485 100644 +--- a/apps/speed.c ++++ b/apps/speed.c +@@ -405,7 +405,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ + #endif /* OPENSSL_NO_DH */ + + enum ec_curves_t { +- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, ++ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, + #ifndef OPENSSL_NO_EC2M + R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, + R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, +@@ -415,8 +415,6 @@ enum ec_curves_t { + 
}; + /* list of ecdsa curves */ + static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { +- {"ecdsap160", R_EC_P160}, +- {"ecdsap192", R_EC_P192}, + {"ecdsap224", R_EC_P224}, + {"ecdsap256", R_EC_P256}, + {"ecdsap384", R_EC_P384}, +@@ -449,8 +447,6 @@ enum { + }; + /* list of ecdh curves, extension of |ecdsa_choices| list above */ + static const OPT_PAIR ecdh_choices[EC_NUM] = { +- {"ecdhp160", R_EC_P160}, +- {"ecdhp192", R_EC_P192}, + {"ecdhp224", R_EC_P224}, + {"ecdhp256", R_EC_P256}, + {"ecdhp384", R_EC_P384}, +@@ -1966,8 +1962,6 @@ int speed_main(int argc, char **argv) + */ + static const EC_CURVE ec_curves[EC_NUM] = { + /* Prime Curves */ +- {"secp160r1", NID_secp160r1, 160}, +- {"nistp192", NID_X9_62_prime192v1, 192}, + {"nistp224", NID_secp224r1, 224}, + {"nistp256", NID_X9_62_prime256v1, 256}, + {"nistp384", NID_secp384r1, 384}, diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c -index b5b2f3342d..d32a768fe6 100644 +index f46aac5d33..8c5ba5b839 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -30,38 +30,6 @@ typedef struct { @@ -244,8 +297,8 @@ index b5b2f3342d..d32a768fe6 100644 - static const struct { EC_CURVE_DATA h; - unsigned char data[20 + 32 * 6]; -@@ -421,294 +208,6 @@ static const struct { + unsigned char data[20 + 32 * 8]; +@@ -429,294 +216,6 @@ static const struct { #ifndef FIPS_MODULE /* the secg prime curves (minus the nist and x9.62 prime curves) */ @@ -540,7 +593,7 @@ index b5b2f3342d..d32a768fe6 100644 static const struct { EC_CURVE_DATA h; unsigned char data[0 + 32 * 6]; -@@ -745,102 +244,6 @@ static const struct { +@@ -753,102 +252,6 @@ static const struct { } }; @@ -643,7 +696,7 @@ index b5b2f3342d..d32a768fe6 100644 #endif /* FIPS_MODULE */ #ifndef OPENSSL_NO_EC2M -@@ -2236,198 +1639,6 @@ static const struct { +@@ -2244,198 +1647,6 @@ static const struct { */ #ifndef FIPS_MODULE 
@@ -842,7 +895,7 @@ index b5b2f3342d..d32a768fe6 100644 static const struct { EC_CURVE_DATA h; unsigned char data[0 + 32 * 6]; -@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[] = { +@@ -2864,8 +2075,6 @@ static const ec_list_element curve_list[] = { "NIST/SECG curve over a 521 bit prime field"}, /* X9.62 curves */ @@ -851,7 +904,7 @@ index b5b2f3342d..d32a768fe6 100644 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, # if defined(ECP_NISTZ256_ASM) EC_GFp_nistz256_method, -@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[] = { +@@ -2909,25 +2118,6 @@ static const ec_list_element curve_list[] = { static const ec_list_element curve_list[] = { /* prime field curves */ /* secg curves */ @@ -877,7 +930,7 @@ index b5b2f3342d..d32a768fe6 100644 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field"}, -@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[] = { +@@ -2957,18 +2147,6 @@ static const ec_list_element curve_list[] = { # endif "NIST/SECG curve over a 521 bit prime field"}, /* X9.62 curves */ @@ -896,7 +949,7 @@ index b5b2f3342d..d32a768fe6 100644 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, # if defined(ECP_NISTZ256_ASM) EC_GFp_nistz256_method, -@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[] = { +@@ -3065,22 +2243,12 @@ static const ec_list_element curve_list[] = { {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"}, # endif @@ -919,7 +972,7 @@ index b5b2f3342d..d32a768fe6 100644 # ifndef OPENSSL_NO_EC2M /* IPSec curves */ {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, -@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[] = { +@@ -3091,18 +2259,6 @@ static const ec_list_element curve_list[] = { "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, # endif /* brainpool curves */ 
@@ -938,8 +991,177 @@ index b5b2f3342d..d32a768fe6 100644 {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, "RFC 5639 curve over a 256 bit prime field"}, {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, +diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c +index 1ec10143d2..82b95294b4 100644 +--- a/crypto/evp/ec_support.c ++++ b/crypto/evp/ec_support.c +@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { + static const EC_NAME2NID curve_list[] = { + /* prime field curves */ + /* secg curves */ +- {"secp112r1", NID_secp112r1 }, +- {"secp112r2", NID_secp112r2 }, +- {"secp128r1", NID_secp128r1 }, +- {"secp128r2", NID_secp128r2 }, +- {"secp160k1", NID_secp160k1 }, +- {"secp160r1", NID_secp160r1 }, +- {"secp160r2", NID_secp160r2 }, +- {"secp192k1", NID_secp192k1 }, +- {"secp224k1", NID_secp224k1 }, + {"secp224r1", NID_secp224r1 }, + {"secp256k1", NID_secp256k1 }, + {"secp384r1", NID_secp384r1 }, + {"secp521r1", NID_secp521r1 }, + /* X9.62 curves */ +- {"prime192v1", NID_X9_62_prime192v1 }, +- {"prime192v2", NID_X9_62_prime192v2 }, +- {"prime192v3", NID_X9_62_prime192v3 }, +- {"prime239v1", NID_X9_62_prime239v1 }, +- {"prime239v2", NID_X9_62_prime239v2 }, +- {"prime239v3", NID_X9_62_prime239v3 }, + {"prime256v1", NID_X9_62_prime256v1 }, + /* characteristic two field curves */ + /* NIST/SECG curves */ +- {"sect113r1", NID_sect113r1 }, +- {"sect113r2", NID_sect113r2 }, +- {"sect131r1", NID_sect131r1 }, +- {"sect131r2", NID_sect131r2 }, +- {"sect163k1", NID_sect163k1 }, +- {"sect163r1", NID_sect163r1 }, +- {"sect163r2", NID_sect163r2 }, +- {"sect193r1", NID_sect193r1 }, +- {"sect193r2", NID_sect193r2 }, +- {"sect233k1", NID_sect233k1 }, +- {"sect233r1", NID_sect233r1 }, +- {"sect239k1", NID_sect239k1 }, +- {"sect283k1", NID_sect283k1 }, +- {"sect283r1", NID_sect283r1 }, +- {"sect409k1", NID_sect409k1 }, +- {"sect409r1", NID_sect409r1 }, +- {"sect571k1", NID_sect571k1 }, +- {"sect571r1", NID_sect571r1 }, +- /* X9.62 curves */ +- {"c2pnb163v1", NID_X9_62_c2pnb163v1 
}, +- {"c2pnb163v2", NID_X9_62_c2pnb163v2 }, +- {"c2pnb163v3", NID_X9_62_c2pnb163v3 }, +- {"c2pnb176v1", NID_X9_62_c2pnb176v1 }, +- {"c2tnb191v1", NID_X9_62_c2tnb191v1 }, +- {"c2tnb191v2", NID_X9_62_c2tnb191v2 }, +- {"c2tnb191v3", NID_X9_62_c2tnb191v3 }, +- {"c2pnb208w1", NID_X9_62_c2pnb208w1 }, +- {"c2tnb239v1", NID_X9_62_c2tnb239v1 }, +- {"c2tnb239v2", NID_X9_62_c2tnb239v2 }, +- {"c2tnb239v3", NID_X9_62_c2tnb239v3 }, +- {"c2pnb272w1", NID_X9_62_c2pnb272w1 }, +- {"c2pnb304w1", NID_X9_62_c2pnb304w1 }, +- {"c2tnb359v1", NID_X9_62_c2tnb359v1 }, +- {"c2pnb368w1", NID_X9_62_c2pnb368w1 }, +- {"c2tnb431r1", NID_X9_62_c2tnb431r1 }, +- /* +- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves +- * from X9.62] +- */ +- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 }, +- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 }, +- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 }, +- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 }, +- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 }, +- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 }, +- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 }, +- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 }, +- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 }, +- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 }, +- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 }, +- /* IPSec curves */ +- {"Oakley-EC2N-3", NID_ipsec3 }, +- {"Oakley-EC2N-4", NID_ipsec4 }, + /* brainpool curves */ +- {"brainpoolP160r1", NID_brainpoolP160r1 }, +- {"brainpoolP160t1", NID_brainpoolP160t1 }, +- {"brainpoolP192r1", NID_brainpoolP192r1 }, +- {"brainpoolP192t1", NID_brainpoolP192t1 }, +- {"brainpoolP224r1", NID_brainpoolP224r1 }, +- {"brainpoolP224t1", NID_brainpoolP224t1 }, + {"brainpoolP256r1", NID_brainpoolP256r1 }, + {"brainpoolP256t1", NID_brainpoolP256t1 }, + {"brainpoolP320r1", NID_brainpoolP320r1 }, +@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = { + 
{"brainpoolP384t1", NID_brainpoolP384t1 }, + {"brainpoolP512r1", NID_brainpoolP512r1 }, + {"brainpoolP512t1", NID_brainpoolP512t1 }, +- /* SM2 curve */ +- {"SM2", NID_sm2 }, + }; + + const char *OSSL_EC_curve_nid2name(int nid) +@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name) + /* Functions to translate between common NIST curve names and NIDs */ + + static const EC_NAME2NID nist_curves[] = { +- {"B-163", NID_sect163r2}, +- {"B-233", NID_sect233r1}, +- {"B-283", NID_sect283r1}, +- {"B-409", NID_sect409r1}, +- {"B-571", NID_sect571r1}, +- {"K-163", NID_sect163k1}, +- {"K-233", NID_sect233k1}, +- {"K-283", NID_sect283k1}, +- {"K-409", NID_sect409k1}, +- {"K-571", NID_sect571k1}, +- {"P-192", NID_X9_62_prime192v1}, + {"P-224", NID_secp224r1}, + {"P-256", NID_X9_62_prime256v1}, + {"P-384", NID_secp384r1}, +diff --git a/test/acvp_test.inc b/test/acvp_test.inc +index 67787f3740..97ec1ff3e5 100644 +--- a/test/acvp_test.inc ++++ b/test/acvp_test.inc +@@ -217,15 +217,6 @@ static const unsigned char ecdsa_sigver_s1[] = { + 0xB1, 0xAC, + }; + static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { +- { +- "SHA-1", +- "P-192", +- ITM(ecdsa_sigver_msg0), +- ITM(ecdsa_sigver_pub0), +- ITM(ecdsa_sigver_r0), +- ITM(ecdsa_sigver_s0), +- PASS, +- }, + { + "SHA2-512", + "P-521", +diff --git a/test/ecdsatest.h b/test/ecdsatest.h +index 63fe319025..06b5c0aac5 100644 +--- a/test/ecdsatest.h ++++ b/test/ecdsatest.h +@@ -32,23 +32,6 @@ typedef struct { + } ecdsa_cavs_kat_t; + + static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { +- /* prime KATs from X9.62 */ +- {NID_X9_62_prime192v1, NID_sha1, +- "616263", /* "abc" */ +- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", +- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" +- "5ca5c0d69716dfcb3474373902", +- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", +- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", +- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, +- 
{NID_X9_62_prime239v1, NID_sha1, +- "616263", /* "abc" */ +- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", +- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" +- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", +- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", +- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", +- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, + /* prime KATs from NIST CAVP */ + {NID_secp224r1, NID_sha224, + "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" diff --git a/test/ectest.c b/test/ectest.c -index afef85b0e6..4890b0555e 100644 +index 70df89ee2f..0ddbba3b98 100644 --- a/test/ectest.c +++ b/test/ectest.c @@ -175,184 +175,26 @@ static int prime_field_tests(void) @@ -1134,7 +1356,7 @@ index afef85b0e6..4890b0555e 100644 "FFFFFFFF000000000000000000000001")) || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" -@@ -3015,7 +2857,7 @@ int setup_tests(void) +@@ -3128,7 +2970,7 @@ int setup_tests(void) ADD_TEST(parameter_test); ADD_TEST(ossl_parameter_test); 
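Review bot: The ec_support.c part of this hunk also drops `{"SM2", NID_sm2}` from curve_list[], which is neither a weak nor a short curve, so `OSSL_EC_curve_nid2name(NID_sm2)` and `ossl_ec_curve_name2nid("SM2")` now fail even in a build where sm2 is not disabled — and the 15-test_genec.t hunk later in this patch still does `push(@other_curves, 'SM2') if !disabled("sm2");`, so that recipe would exercise a name the table no longer knows unless the package is built with no-sm2 (presumably the case for this spec, but not visible here). Either keep the entry under `#ifndef OPENSSL_NO_SM2` instead of deleting it, or make the intent explicit in Patch-status, e.g. `# # remove unsupported EC curves (incl. SM2, which this build disables)`, since the subject only says "weak". The same consideration applies to the B-*/K-* aliases removed from nist_curves[]: the binary-field curve tables remain in ec_curve.c under `#ifndef OPENSSL_NO_EC2M` as far as the earlier hunks show, so their NIST names become unresolvable while the curves themselves may still be reachable by NID in an ec2m-enabled build.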
@@ -1143,6 +1365,65 @@ index afef85b0e6..4890b0555e 100644 ADD_ALL_TESTS(cardinality_test, crv_len); ADD_TEST(prime_field_tests); #ifndef OPENSSL_NO_EC2M +diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t +index 4d5090fa39..0a90a602d8 100644 +--- a/test/recipes/15-test_genec.t ++++ b/test/recipes/15-test_genec.t +@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build" + if disabled("ec"); + + my @prime_curves = qw( +- secp112r1 +- secp112r2 +- secp128r1 +- secp128r2 +- secp160k1 +- secp160r1 +- secp160r2 +- secp192k1 +- secp224k1 + secp224r1 + secp256k1 + secp384r1 + secp521r1 +- prime192v1 +- prime192v2 +- prime192v3 +- prime239v1 +- prime239v2 +- prime239v3 + prime256v1 +- wap-wsg-idm-ecid-wtls6 +- wap-wsg-idm-ecid-wtls7 +- wap-wsg-idm-ecid-wtls8 +- wap-wsg-idm-ecid-wtls9 +- wap-wsg-idm-ecid-wtls12 +- brainpoolP160r1 +- brainpoolP160t1 +- brainpoolP192r1 +- brainpoolP192t1 +- brainpoolP224r1 +- brainpoolP224t1 + brainpoolP256r1 + brainpoolP256t1 + brainpoolP320r1 +@@ -136,7 +110,6 @@ push(@other_curves, 'SM2') + if !disabled("sm2"); + + my @curve_aliases = qw( +- P-192 + P-224 + P-256 + P-384 +diff --git a/test/recipes/30-test_evp_data/evppkey_ecc.txt b/test/recipes/30-test_evp_data/evppkey_ecc.txt +index e6a2c9eb59..861c01e177 100644 +--- a/test/recipes/30-test_evp_data/evppkey_ecc.txt ++++ b/test/recipes/30-test_evp_data/evppkey_ecc.txt +@@ -4561,3 +4561,4 @@ KeyName = ec3 + Ctrl = group:P-192 + Unapproved = 1 + Ctrl = key-check:0 ++Result = KEYGEN_GENERATE_ERROR -- -2.41.0 +2.49.0 diff --git a/0012-Disable-explicit-ec.patch b/0010-RH-Disable-explicit-ec-curves.patch similarity index 75% rename from 0012-Disable-explicit-ec.patch rename to 0010-RH-Disable-explicit-ec-curves.patch index aea4ccf..527503c 100644 --- a/0012-Disable-explicit-ec.patch +++ b/0010-RH-Disable-explicit-ec-curves.patch 
@@ -1,7 +1,27 @@ -diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_asn1.c ---- openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec 2022-03-22 13:10:45.718077845 +0100 -+++ openssl-3.0.1/crypto/ec/ec_asn1.c 2022-03-22 13:12:46.626599016 +0100 -@@ -895,6 +895,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP ** +From 325f426bdeb49dd36868e009e99abb641300af96 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 10/50] RH: Disable explicit ec curves + +Patch-name: 0012-Disable-explicit-ec.patch +Patch-id: 12 +Patch-status: | + # # Disable explicit EC curves + # # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + crypto/ec/ec_asn1.c | 11 ++++++++++ + crypto/ec/ec_lib.c | 6 +++++ + test/ectest.c | 22 ++++++++++--------- + test/endecode_test.c | 20 ++++++++--------- + .../30-test_evp_data/evppkey_ecdsa.txt | 12 ---------- + 5 files changed, 39 insertions(+), 32 deletions(-) + +diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c +index 643d2d8d7b..5895606176 100644 +--- a/crypto/ec/ec_asn1.c ++++ b/crypto/ec/ec_asn1.c +@@ -901,6 +901,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT) group->decoded_from_explicit_params = 1; @@ -14,7 +34,7 @@ diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/cry if (a) { EC_GROUP_free(*a); *a = group; -@@ -954,6 +959,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con +@@ -960,6 +966,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) goto err; } @@ -27,10 +47,10 @@ diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/cry if (priv_key->privateKey) { diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c -index a84e088c19..6c37bf78ae 100644 +index b55677fb1f..dcfdef408e 100644 --- a/crypto/ec/ec_lib.c 
+++ b/crypto/ec/ec_lib.c -@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], +@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], goto err; } if (named_group == group) { @@ -42,7 +62,7 @@ index a84e088c19..6c37bf78ae 100644 /* * If we did not find a named group then the encoding should be explicit * if it was specified -@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], +@@ -1743,6 +1748,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], goto err; } EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); @@ -51,10 +71,10 @@ index a84e088c19..6c37bf78ae 100644 EC_GROUP_free(group); group = named_group; diff --git a/test/ectest.c b/test/ectest.c -index 4890b0555e..e11aec5b3b 100644 +index 0ddbba3b98..f736d13feb 100644 --- a/test/ectest.c +++ b/test/ectest.c -@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, +@@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) @@ -68,7 +88,7 @@ index 4890b0555e..e11aec5b3b 100644 /*- Check that all the set values are retrievable -*/ /* There should be no match to a group name since the generator changed */ -@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, +@@ -2545,6 +2546,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, #endif ) goto err; @@ -76,7 +96,7 @@ index 4890b0555e..e11aec5b3b 100644 ret = 1; err: BN_free(order_out); -@@ -2714,21 +2716,21 @@ static int custom_params_test(int id) +@@ -2826,21 +2828,21 @@ static int custom_params_test(int id) /* Compute keyexchange in both directions */ if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) 
@@ -105,7 +125,7 @@ index 4890b0555e..e11aec5b3b 100644 /* Both sides should expect the same shared secret */ if (!TEST_mem_eq(buf1, sslen, buf2, t)) goto err; -@@ -2780,7 +2782,7 @@ static int custom_params_test(int id) +@@ -2892,7 +2894,7 @@ static int custom_params_test(int id) /* compare with previous result */ || !TEST_mem_eq(buf1, t, buf2, sslen)) goto err; @@ -114,10 +134,11 @@ index 4890b0555e..e11aec5b3b 100644 ret = 1; err: -diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c ---- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec 2022-03-21 16:55:46.005558779 +0100 -+++ openssl-3.0.1/test/endecode_test.c 2022-03-21 16:56:12.636792762 +0100 -@@ -57,7 +57,7 @@ static BN_CTX *bnctx = NULL; +diff --git a/test/endecode_test.c b/test/endecode_test.c +index 028deb4ed1..85c84f6592 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -63,7 +63,7 @@ static BN_CTX *bnctx = NULL; static OSSL_PARAM_BLD *bld_prime_nc = NULL; static OSSL_PARAM_BLD *bld_prime = NULL; static OSSL_PARAM *ec_explicit_prime_params_nc = NULL; @@ -126,7 +147,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te # ifndef OPENSSL_NO_EC2M static OSSL_PARAM_BLD *bld_tri_nc = NULL; -@@ -990,9 +990,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") +@@ -1027,9 +1027,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") DOMAIN_KEYS(ECExplicitPrimeNamedCurve); IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1) IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC") 
@@ -139,7 +160,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te # ifndef OPENSSL_NO_EC2M DOMAIN_KEYS(ECExplicitTriNamedCurve); IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1) -@@ -1318,7 +1318,7 @@ int setup_tests(void) +@@ -1445,7 +1445,7 @@ int setup_tests(void) || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc) || !create_ec_explicit_prime_params(bld_prime) || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc)) @@ -148,7 +169,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te # ifndef OPENSSL_NO_EC2M || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new()) || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new()) -@@ -1346,7 +1346,7 @@ int setup_tests(void) +@@ -1473,7 +1473,7 @@ int setup_tests(void) TEST_info("Generating EC keys..."); MAKE_DOMAIN_KEYS(EC, "EC", EC_params); MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc); @@ -157,7 +178,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te # ifndef OPENSSL_NO_EC2M MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc); MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit); -@@ -1389,8 +1389,8 @@ int setup_tests(void) +@@ -1553,8 +1553,8 @@ int setup_tests(void) ADD_TEST_SUITE_LEGACY(EC); ADD_TEST_SUITE(ECExplicitPrimeNamedCurve); ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve); @@ -168,7 +189,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te # ifndef OPENSSL_NO_EC2M ADD_TEST_SUITE(ECExplicitTriNamedCurve); ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve); -@@ -1427,7 +1427,7 @@ void cleanup_tests(void) +@@ -1631,7 +1631,7 @@ void cleanup_tests(void) { #ifndef OPENSSL_NO_EC OSSL_PARAM_free(ec_explicit_prime_params_nc); 
@@ -177,7 +198,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te OSSL_PARAM_BLD_free(bld_prime_nc); OSSL_PARAM_BLD_free(bld_prime); # ifndef OPENSSL_NO_EC2M -@@ -1449,7 +1449,7 @@ void cleanup_tests(void) +@@ -1653,7 +1653,7 @@ void cleanup_tests(void) #ifndef OPENSSL_NO_EC FREE_DOMAIN_KEYS(EC); FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve); @@ -186,10 +207,11 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te # ifndef OPENSSL_NO_EC2M FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve); FREE_DOMAIN_KEYS(ECExplicitTri2G); -diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt ---- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec 2022-03-25 11:20:50.920949208 +0100 -+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2022-03-25 11:21:13.177147598 +0100 -@@ -121,18 +121,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB +diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +index 54b143bead..06ec905be0 100644 +--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt ++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl -----END PRIVATE KEY----- @@ -208,3 +230,6 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_e PrivateKey = B-163 -----BEGIN PRIVATE KEY----- MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K +-- +2.49.0 + diff --git a/0011-RH-skipped-tests-EC-curves.patch b/0011-RH-skipped-tests-EC-curves.patch new file mode 100644 index 0000000..b912ddd --- /dev/null +++ b/0011-RH-skipped-tests-EC-curves.patch 
@@ -0,0 +1,82 @@ +From ec22400267e5accaacb24eec8fd6be5e73f1833d Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 11/50] RH: skipped tests EC curves + +Patch-name: 0013-skipped-tests-EC-curves.patch +Patch-id: 13 +Patch-status: | + # # Skipped tests from former 0011-Remove-EC-curves.patch +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + test/recipes/15-test_ec.t | 2 +- + .../30-test_evp_data/evppkey_ecdsa_sigalg.txt | 12 ------------ + test/recipes/65-test_cmp_protect.t | 2 +- + test/recipes/65-test_cmp_vfy.t | 2 +- + 4 files changed, 3 insertions(+), 15 deletions(-) + +diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t +index c953fad9f1..906769a12e 100644 +--- a/test/recipes/15-test_ec.t ++++ b/test/recipes/15-test_ec.t +@@ -94,7 +94,7 @@ SKIP: { + + subtest 'Check loading of fips and non-fips keys' => sub { + plan skip_all => "FIPS is disabled" +- if $no_fips; ++ if 1; #Red Hat specific, original value is $no_fips; + + plan tests => 2; + +diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt +index 7c339c272b..0ff482e4e8 100644 +--- a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt ++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt +@@ -132,18 +132,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj + 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl + -----END PRIVATE KEY----- + +-PrivateKey = EC_EXPLICIT +------BEGIN PRIVATE KEY----- +-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB +-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA +-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV +-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG +-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A +-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk 
+-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL +-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg +------END PRIVATE KEY----- +- + PrivateKey = B-163 + -----BEGIN PRIVATE KEY----- + MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K +diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t +index 92c91d8b88..294491fff4 100644 +--- a/test/recipes/65-test_cmp_protect.t ++++ b/test/recipes/65-test_cmp_protect.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" + plan skip_all => "This test is not supported in a shared library build on Windows" + if $^O eq 'MSWin32' && !disabled("shared"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_protect_test", + data_file("prot_RSA.pem"), +diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t +index f722800e27..26a01786bb 100644 +--- a/test/recipes/65-test_cmp_vfy.t ++++ b/test/recipes/65-test_cmp_vfy.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" + plan skip_all => "This test is not supported in a no-ec build" + if disabled("ec"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_vfy_test", + data_file("server.crt"), data_file("client.crt"), +-- +2.49.0 + diff --git a/0011-Remove-EC-curves.patch b/0011-Remove-EC-curves.patch deleted file mode 100644 index 561714e..0000000 --- a/0011-Remove-EC-curves.patch +++ /dev/null 
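Review bot: `plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test` in the 65-test_cmp_protect.t and 65-test_cmp_vfy.t hunks hands an arithmetic result to Test::More where a skip reason string belongs, so each recipe is skipped wholesale with the reason "2" or "3" and the CMP message-protection and verification tests never run in this build. The `#Red Hat specific, original value is ...` convention used in the 15-test_ec.t hunk of the same patch would carry the intent here too, e.g. `plan skip_all => "Red Hat specific: test disabled, see Patch-status"; # original: plan tests => 2 + ($no_fips ? 0 : 1);`. These lines are carried over from the deleted 0013-skipped-tests-EC-curves.patch rather than new, but the rebase is the natural moment to fix them. The `Patch-status` text says these are skips from the former 0011-Remove-EC-curves.patch, yet the evppkey_ecdsa_sigalg.txt hunk instead deletes the EC_EXPLICIT key vector, which matches what the "RH: Disable explicit ec curves" patch above does to evppkey_ecdsa.txt; either the description should name that removal or the vector change belongs with the explicit-curve patch.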
@@ -1,279 +0,0 @@ -From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 11:46:40 +0200 -Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch - -Patch-name: 0011-Remove-EC-curves.patch -Patch-id: 11 -Patch-status: | - # remove unsupported EC curves ---- - apps/speed.c | 8 +--- - crypto/evp/ec_support.c | 87 ------------------------------------ - test/acvp_test.inc | 9 ---- - test/ecdsatest.h | 17 ------- - test/recipes/15-test_genec.t | 27 ----------- - 5 files changed, 1 insertion(+), 147 deletions(-) - -diff --git a/apps/speed.c b/apps/speed.c -index cace25eda1..d527f12f18 100644 ---- a/apps/speed.c -+++ b/apps/speed.c -@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ - #endif /* OPENSSL_NO_DH */ - - enum ec_curves_t { -- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, -+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, - #ifndef OPENSSL_NO_EC2M - R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, - R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, -@@ -395,8 +395,6 @@ enum ec_curves_t { - }; - /* list of ecdsa curves */ - static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { -- {"ecdsap160", R_EC_P160}, -- {"ecdsap192", R_EC_P192}, - {"ecdsap224", R_EC_P224}, - {"ecdsap256", R_EC_P256}, - {"ecdsap384", R_EC_P384}, -@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { - }; - /* list of ecdh curves, extension of |ecdsa_choices| list above */ - static const OPT_PAIR ecdh_choices[EC_NUM] = { -- {"ecdhp160", R_EC_P160}, -- {"ecdhp192", R_EC_P192}, - {"ecdhp224", R_EC_P224}, - {"ecdhp256", R_EC_P256}, - {"ecdhp384", R_EC_P384}, -@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv) - */ - static const EC_CURVE ec_curves[EC_NUM] = { - /* Prime Curves */ -- {"secp160r1", NID_secp160r1, 160}, -- {"nistp192", NID_X9_62_prime192v1, 192}, - {"nistp224", NID_secp224r1, 224}, - {"nistp256", NID_X9_62_prime256v1, 256}, - {"nistp384", 
NID_secp384r1, 384}, -diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c -index 1ec10143d2..82b95294b4 100644 ---- a/crypto/evp/ec_support.c -+++ b/crypto/evp/ec_support.c -@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { - static const EC_NAME2NID curve_list[] = { - /* prime field curves */ - /* secg curves */ -- {"secp112r1", NID_secp112r1 }, -- {"secp112r2", NID_secp112r2 }, -- {"secp128r1", NID_secp128r1 }, -- {"secp128r2", NID_secp128r2 }, -- {"secp160k1", NID_secp160k1 }, -- {"secp160r1", NID_secp160r1 }, -- {"secp160r2", NID_secp160r2 }, -- {"secp192k1", NID_secp192k1 }, -- {"secp224k1", NID_secp224k1 }, - {"secp224r1", NID_secp224r1 }, - {"secp256k1", NID_secp256k1 }, - {"secp384r1", NID_secp384r1 }, - {"secp521r1", NID_secp521r1 }, - /* X9.62 curves */ -- {"prime192v1", NID_X9_62_prime192v1 }, -- {"prime192v2", NID_X9_62_prime192v2 }, -- {"prime192v3", NID_X9_62_prime192v3 }, -- {"prime239v1", NID_X9_62_prime239v1 }, -- {"prime239v2", NID_X9_62_prime239v2 }, -- {"prime239v3", NID_X9_62_prime239v3 }, - {"prime256v1", NID_X9_62_prime256v1 }, - /* characteristic two field curves */ - /* NIST/SECG curves */ -- {"sect113r1", NID_sect113r1 }, -- {"sect113r2", NID_sect113r2 }, -- {"sect131r1", NID_sect131r1 }, -- {"sect131r2", NID_sect131r2 }, -- {"sect163k1", NID_sect163k1 }, -- {"sect163r1", NID_sect163r1 }, -- {"sect163r2", NID_sect163r2 }, -- {"sect193r1", NID_sect193r1 }, -- {"sect193r2", NID_sect193r2 }, -- {"sect233k1", NID_sect233k1 }, -- {"sect233r1", NID_sect233r1 }, -- {"sect239k1", NID_sect239k1 }, -- {"sect283k1", NID_sect283k1 }, -- {"sect283r1", NID_sect283r1 }, -- {"sect409k1", NID_sect409k1 }, -- {"sect409r1", NID_sect409r1 }, -- {"sect571k1", NID_sect571k1 }, -- {"sect571r1", NID_sect571r1 }, -- /* X9.62 curves */ -- {"c2pnb163v1", NID_X9_62_c2pnb163v1 }, -- {"c2pnb163v2", NID_X9_62_c2pnb163v2 }, -- {"c2pnb163v3", NID_X9_62_c2pnb163v3 }, -- {"c2pnb176v1", NID_X9_62_c2pnb176v1 }, -- {"c2tnb191v1", NID_X9_62_c2tnb191v1 }, -- 
{"c2tnb191v2", NID_X9_62_c2tnb191v2 }, -- {"c2tnb191v3", NID_X9_62_c2tnb191v3 }, -- {"c2pnb208w1", NID_X9_62_c2pnb208w1 }, -- {"c2tnb239v1", NID_X9_62_c2tnb239v1 }, -- {"c2tnb239v2", NID_X9_62_c2tnb239v2 }, -- {"c2tnb239v3", NID_X9_62_c2tnb239v3 }, -- {"c2pnb272w1", NID_X9_62_c2pnb272w1 }, -- {"c2pnb304w1", NID_X9_62_c2pnb304w1 }, -- {"c2tnb359v1", NID_X9_62_c2tnb359v1 }, -- {"c2pnb368w1", NID_X9_62_c2pnb368w1 }, -- {"c2tnb431r1", NID_X9_62_c2tnb431r1 }, -- /* -- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves -- * from X9.62] -- */ -- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 }, -- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 }, -- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 }, -- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 }, -- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 }, -- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 }, -- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 }, -- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 }, -- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 }, -- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 }, -- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 }, -- /* IPSec curves */ -- {"Oakley-EC2N-3", NID_ipsec3 }, -- {"Oakley-EC2N-4", NID_ipsec4 }, - /* brainpool curves */ -- {"brainpoolP160r1", NID_brainpoolP160r1 }, -- {"brainpoolP160t1", NID_brainpoolP160t1 }, -- {"brainpoolP192r1", NID_brainpoolP192r1 }, -- {"brainpoolP192t1", NID_brainpoolP192t1 }, -- {"brainpoolP224r1", NID_brainpoolP224r1 }, -- {"brainpoolP224t1", NID_brainpoolP224t1 }, - {"brainpoolP256r1", NID_brainpoolP256r1 }, - {"brainpoolP256t1", NID_brainpoolP256t1 }, - {"brainpoolP320r1", NID_brainpoolP320r1 }, -@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = { - {"brainpoolP384t1", NID_brainpoolP384t1 }, - {"brainpoolP512r1", NID_brainpoolP512r1 }, - {"brainpoolP512t1", NID_brainpoolP512t1 }, -- /* SM2 curve */ -- {"SM2", NID_sm2 }, - }; - 
- const char *OSSL_EC_curve_nid2name(int nid) -@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name) - /* Functions to translate between common NIST curve names and NIDs */ - - static const EC_NAME2NID nist_curves[] = { -- {"B-163", NID_sect163r2}, -- {"B-233", NID_sect233r1}, -- {"B-283", NID_sect283r1}, -- {"B-409", NID_sect409r1}, -- {"B-571", NID_sect571r1}, -- {"K-163", NID_sect163k1}, -- {"K-233", NID_sect233k1}, -- {"K-283", NID_sect283k1}, -- {"K-409", NID_sect409k1}, -- {"K-571", NID_sect571k1}, -- {"P-192", NID_X9_62_prime192v1}, - {"P-224", NID_secp224r1}, - {"P-256", NID_X9_62_prime256v1}, - {"P-384", NID_secp384r1}, -diff --git a/test/acvp_test.inc b/test/acvp_test.inc -index ad11d3ae1e..894a0bff9d 100644 ---- a/test/acvp_test.inc -+++ b/test/acvp_test.inc -@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = { - 0xB1, 0xAC, - }; - static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { -- { -- "SHA-1", -- "P-192", -- ITM(ecdsa_sigver_msg0), -- ITM(ecdsa_sigver_pub0), -- ITM(ecdsa_sigver_r0), -- ITM(ecdsa_sigver_s0), -- PASS, -- }, - { - "SHA2-512", - "P-521", -diff --git a/test/ecdsatest.h b/test/ecdsatest.h -index 63fe319025..06b5c0aac5 100644 ---- a/test/ecdsatest.h -+++ b/test/ecdsatest.h -@@ -32,23 +32,6 @@ typedef struct { - } ecdsa_cavs_kat_t; - - static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { -- /* prime KATs from X9.62 */ -- {NID_X9_62_prime192v1, NID_sha1, -- "616263", /* "abc" */ -- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", -- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" -- "5ca5c0d69716dfcb3474373902", -- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", -- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", -- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, -- {NID_X9_62_prime239v1, NID_sha1, -- "616263", /* "abc" */ -- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", -- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" 
-- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", -- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", -- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", -- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, - /* prime KATs from NIST CAVP */ - {NID_secp224r1, NID_sha224, - "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" -diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t -index 2dfed387ca..c733b68f83 100644 ---- a/test/recipes/15-test_genec.t -+++ b/test/recipes/15-test_genec.t -@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build" - if disabled("ec"); - - my @prime_curves = qw( -- secp112r1 -- secp112r2 -- secp128r1 -- secp128r2 -- secp160k1 -- secp160r1 -- secp160r2 -- secp192k1 -- secp224k1 - secp224r1 - secp256k1 - secp384r1 - secp521r1 -- prime192v1 -- prime192v2 -- prime192v3 -- prime239v1 -- prime239v2 -- prime239v3 - prime256v1 -- wap-wsg-idm-ecid-wtls6 -- wap-wsg-idm-ecid-wtls7 -- wap-wsg-idm-ecid-wtls8 -- wap-wsg-idm-ecid-wtls9 -- wap-wsg-idm-ecid-wtls12 -- brainpoolP160r1 -- brainpoolP160t1 -- brainpoolP192r1 -- brainpoolP192t1 -- brainpoolP224r1 -- brainpoolP224t1 - brainpoolP256r1 - brainpoolP256t1 - brainpoolP320r1 -@@ -136,7 +110,6 @@ push(@other_curves, 'SM2') - if !disabled("sm2"); - - my @curve_aliases = qw( -- P-192 - P-224 - P-256 - P-384 --- -2.41.0 - diff --git a/0115-skip-quic-pairwise.patch b/0012-RH-skip-quic-pairwise.patch similarity index 73% rename from 0115-skip-quic-pairwise.patch rename to 0012-RH-skip-quic-pairwise.patch index 90f8cb8..5ca0801 100644 --- a/0115-skip-quic-pairwise.patch +++ b/0012-RH-skip-quic-pairwise.patch @@ -1,7 +1,7 @@ -From ec8e4e25cc5e5c67313c5fd6af94fa248685c3d1 Mon Sep 17 00:00:00 2001 +From 2f327785a69b62eac55a94d49441994cbaf941d5 Mon Sep 17 00:00:00 2001 
From: Dmitry Belyavskiy Date: Thu, 7 Mar 2024 17:37:09 +0100 -Subject: [PATCH 45/49] 0115-skip-quic-pairwise.patch +Subject: [PATCH 12/50] RH: skip quic pairwise Patch-name: 0115-skip-quic-pairwise.patch Patch-id: 115 @@ -14,10 +14,10 @@ Patch-status: | 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/test/quicapitest.c b/test/quicapitest.c -index 41cf0fc7a8..0fb7492700 100644 +index 38dd42c184..b2e18522ab 100644 --- a/test/quicapitest.c +++ b/test/quicapitest.c -@@ -2139,7 +2139,9 @@ int setup_tests(void) +@@ -2761,7 +2761,9 @@ int setup_tests(void) ADD_TEST(test_cipher_find); ADD_TEST(test_version); #if defined(DO_SSL_TRACE_TEST) @@ -28,8 +28,20 @@ index 41cf0fc7a8..0fb7492700 100644 #endif ADD_TEST(test_quic_forbidden_apis_ctx); ADD_TEST(test_quic_forbidden_apis); +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +index 222b1886ae..7e2f65cccb 100644 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -185,6 +185,7 @@ foreach (sort keys %stlibname) { + } + } + my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols; ++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates; + if (@duplicates) { + note "Duplicates:"; + note join('\n', @duplicates); diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t -index c837d48fb4..6291c08c49 100644 +index a101a26fb1..43e5396766 100644 --- a/test/recipes/30-test_pairwise_fail.t +++ b/test/recipes/30-test_pairwise_fail.t @@ -9,7 +9,7 @@ 
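Review bot: The `@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;` line added to test/recipes/01-test_symbol_presence.t now lives in the patch titled "RH: skip quic pairwise", whose Patch-name and Patch-status say nothing about symbol presence, so a reader of the patch queue cannot tell why the duplicate-symbol check exempts those three names. A comment above it would record the reason, e.g. `# Red Hat: these symbols are deliberately exported under two versions (see the version-aliasing patch)` — hedged, since the cause is only inferred from the following 0013-RH-version-aliasing.patch touching EVP_CIPHER_CTX_dup/EVP_MD_CTX_dup rather than stated here. The chain of `ne` comparisons is extended again inline in 0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch below; a hash keeps the list in one place: `my %expected_dup = map { $_ => 1 } qw(OPENSSL_ia32cap_P EVP_CIPHER_CTX_dup EVP_MD_CTX_dup);` followed by `@duplicates = grep { !$expected_dup{$_} } @duplicates;`.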
@@ -41,18 +53,7 @@ index c837d48fb4..6291c08c49 100644 use OpenSSL::Test::Utils; BEGIN { -@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config" - SKIP: { - skip "Skip RSA test because of no rsa in this build", 1 - if disabled("rsa"); -+ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, -+ sub { - ok(run(test(["pairwise_fail_test", "-config", $provconf, - "-pairwise", "rsa"])), - "fips provider rsa keygen pairwise failure test"); -+ }); - } - +@@ -39,20 +39,26 @@ SKIP: { SKIP: { skip "Skip EC test because of no ec in this build", 2 if disabled("ec"); @@ -81,5 +82,5 @@ index c837d48fb4..6291c08c49 100644 "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])), "fips provider dsa keygen pairwise failure test"); -- -2.44.0 +2.49.0 diff --git a/0116-version-aliasing.patch b/0013-RH-version-aliasing.patch similarity index 75% rename from 0116-version-aliasing.patch rename to 0013-RH-version-aliasing.patch index 73f7981..8b67dc4 100644 --- a/0116-version-aliasing.patch +++ b/0013-RH-version-aliasing.patch @@ -1,7 +1,7 @@ -From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001 +From dcea5128f4a6ff30eedca8442b8e3cdc18bac216 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:17 +0100 -Subject: [PATCH 46/49] 0116-version-aliasing.patch +Subject: [PATCH 13/50] RH: version aliasing Patch-name: 0116-version-aliasing.patch Patch-id: 116 @@ -17,11 +17,11 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c -index 42331703da..3a280acc0e 100644 +index 6fc201bcfe..3c80b9dfe1 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c -@@ -553,7 +553,12 @@ legacy: - return ret; +@@ -572,7 +572,12 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size) + return ctx->digest->dsqueeze(ctx->algctx, md, &size, size); } -EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in) 
@@ -35,10 +35,10 @@ index 42331703da..3a280acc0e 100644 EVP_MD_CTX *out = EVP_MD_CTX_new(); diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c -index e9faf31057..5a29b8dbb7 100644 +index eee00a0780..7c51786515 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c -@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) +@@ -1762,7 +1762,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) #endif /* FIPS_MODULE */ } @@ -53,20 +53,19 @@ index e9faf31057..5a29b8dbb7 100644 EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new(); diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t -index 222b1886ae..7e2f65cccb 100644 +index 7e2f65cccb..cc947d4821 100644 --- a/test/recipes/01-test_symbol_presence.t +++ b/test/recipes/01-test_symbol_presence.t -@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) { - } - } - my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols; -+@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates; -+@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates; - if (@duplicates) { - note "Duplicates:"; - note join('\n', @duplicates); +@@ -131,6 +131,7 @@ foreach (sort keys %stlibname) { + s| .*||; + # Drop OpenSSL dynamic version information if there is any + s|\@\@.+$||; ++ s|\@.+$||; + # Return the result + $_ + } diff --git a/util/libcrypto.num b/util/libcrypto.num -index 8046454025..068e9904e2 100644 +index ceb4948839..eab3987a6b 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION: @@ -80,5 +79,5 @@ index 8046454025..068e9904e2 100644 BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION: BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION: -- -2.44.0 +2.49.0 
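Review bot: The added `s|\@.+$||;` in test/recipes/01-test_symbol_presence.t sits directly under `# Drop OpenSSL dynamic version information if there is any`, which describes the `@@` (default-version) strip on the preceding line; the new line also discards non-default `@VERSION` suffixes, which widens what the test treats as the same symbol without saying so. A comment on the new line, `# Red Hat: also drop non-default (single @) versions so aliased symbols compare by bare name`, would make the intent explicit. Presumably this is why the known-duplicate filter had to move out of this patch into the skip-quic-pairwise patch above; one sentence in `Patch-status` recording that dependency would save the next rebase the same puzzle.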
diff --git a/0013-skipped-tests-EC-curves.patch b/0013-skipped-tests-EC-curves.patch deleted file mode 100644 index 5bdef1e..0000000 --- a/0013-skipped-tests-EC-curves.patch +++ /dev/null @@ -1,37 +0,0 @@ -diff -up ./test/recipes/15-test_ec.t.skip-tests ./test/recipes/15-test_ec.t ---- ./test/recipes/15-test_ec.t.skip-tests 2023-03-14 13:42:38.865508269 +0100 -+++ ./test/recipes/15-test_ec.t 2023-03-14 13:43:36.237021635 +0100 -@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key - - subtest 'Check loading of fips and non-fips keys' => sub { - plan skip_all => "FIPS is disabled" -- if $no_fips; -+ if 1; #Red Hat specific, original value is $no_fips; - - plan tests => 2; - -diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_cmp_protect.t ---- ./test/recipes/65-test_cmp_protect.t.skip-tests 2023-03-14 10:13:11.342056559 +0100 -+++ ./test/recipes/65-test_cmp_protect.t 2023-03-14 10:14:42.643873496 +0100 -@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo - plan skip_all => "This test is not supported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - --plan tests => 2 + ($no_fips ? 0 : 1); #fips test -+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test - - my @basic_cmd = ("cmp_protect_test", - data_file("prot_RSA.pem"), -diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t -index f722800e27..26a01786bb 100644 ---- a/test/recipes/65-test_cmp_vfy.t -+++ b/test/recipes/65-test_cmp_vfy.t -@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" - plan skip_all => "This test is not supported in a no-ec build" - if disabled("ec"); - --plan tests => 2 + ($no_fips ? 0 : 1); #fips test -+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test - - my @basic_cmd = ("cmp_vfy_test", - data_file("server.crt"), data_file("client.crt"), 
diff --git a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch new file mode 100644 index 0000000..bcdad9d --- /dev/null +++ b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch 
@@ -0,0 +1,80 @@ +From 1c440ca60081777e618eaecb31ef92b692cc2444 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 13 Feb 2025 16:09:09 -0500 +Subject: [PATCH 14/50] RH: Export two symbols for OPENSSL_str[n]casecmp + +We accidentally exported the symbols with the incorrect verison number +in an early version of RHEL-9 so we need to keep the wrong symbols for +ABI backwards compatibility and the correct symbols to be compatible +with upstream. +--- + crypto/o_str.c | 14 ++++++++++++-- + test/recipes/01-test_symbol_presence.t | 2 +- + util/libcrypto.num | 2 ++ + 3 files changed, 15 insertions(+), 3 deletions(-) + mode change 100644 => 100755 test/recipes/01-test_symbol_presence.t + +diff --git a/crypto/o_str.c b/crypto/o_str.c +index 93af73561f..86442a939e 100644 +--- a/crypto/o_str.c ++++ b/crypto/o_str.c +@@ -403,7 +403,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen) + #endif + } + +-int OPENSSL_strcasecmp(const char *s1, const char *s2) ++int ++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) ++__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"), ++ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1"))) ++#endif ++OPENSSL_strcasecmp(const char *s1, const char *s2) + { + int t; + +@@ -413,7 +418,12 @@ int OPENSSL_strcasecmp(const char *s1, const char *s2) + return t; + } + +-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) ++int ++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) ++__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"), ++ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1"))) ++#endif ++OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) + { + int t; + size_t i; +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +old mode 100644 +new mode 100755 +index cc947d4821..de2dcd90c2 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -186,7 +186,7 @@ foreach (sort keys %stlibname) { + } + } + my @duplicates = 
sort grep { $symbols{$_} > 1 } keys %symbols; +-@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates; ++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") && ($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp")} @duplicates; + if (@duplicates) { + note "Duplicates:"; + note join('\n', @duplicates); +diff --git a/util/libcrypto.num b/util/libcrypto.num +index eab3987a6b..d377d542db 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5426,7 +5426,9 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: + EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: + EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: + OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: ++OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION: + OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: ++OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION: + EVP_RAND_CTX_up_ref 5558 3_1_0 EXIST::FUNCTION: + RAND_set0_public 5559 3_1_0 EXIST::FUNCTION: + RAND_set0_private 5560 3_1_0 EXIST::FUNCTION: +-- +2.49.0 + diff --git a/0015-RH-TMP-KTLS-test-skip.patch b/0015-RH-TMP-KTLS-test-skip.patch new file mode 100644 index 0000000..5c7bf73 --- /dev/null +++ b/0015-RH-TMP-KTLS-test-skip.patch 
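Review bot: The `__attribute__ ((symver (...)))` blocks in crypto/o_str.c are guarded only by `!defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)`, but `symver` is a GCC (10 and later) attribute for ELF targets; a compiler without it would ignore or reject the attribute, and the `? 3_0_1` entries added to util/libcrypto.num would then presumably have no exported symbol behind them. Tying the guard to the toolchain, `#if defined(__GNUC__) && defined(__ELF__) && !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)`, states the real requirement (to my knowledge clang does not implement this attribute; the distro build is GCC, so this is about making the assumption explicit rather than a current failure). The `old mode 100644` / `new mode 100755` on test/recipes/01-test_symbol_presence.t is not mentioned in the patch description and looks unrelated to exporting two symbols; if it is accidental it should be dropped from the patch.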
@@ -0,0 +1,30 @@ +From 73574d1847777d0c93d9ebe353d235ebb165eeae Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 13 Feb 2025 18:11:19 -0500 +Subject: [PATCH 15/50] RH: TMP KTLS test skip + +From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9 +--- + test/sslapitest.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 38d58e9387..39118a9162 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -1023,9 +1023,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth, + /* sock must be connected */ + static int ktls_chk_platform(int sock) + { +- if (!ktls_enable(sock)) ++/* if (!ktls_enable(sock)) + return 0; +- return 1; ++ return 1; */ ++ return 0; + } + + static int ping_pong_query(SSL *clientssl, SSL *serverssl) +-- +2.49.0 + diff --git a/0049-Selectively-disallow-SHA1-signatures.patch b/0016-RH-Allow-disabling-of-SHA1-signatures.patch similarity index 61% rename from 0049-Selectively-disallow-SHA1-signatures.patch rename to 0016-RH-Allow-disabling-of-SHA1-signatures.patch index 4131512..27429dc 100644 --- a/0049-Selectively-disallow-SHA1-signatures.patch +++ b/0016-RH-Allow-disabling-of-SHA1-signatures.patch 
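Review bot: The new body of `ktls_chk_platform` in test/sslapitest.c keeps the old code inside a `/* ... */` block comment and then unconditionally `return 0;`, so every KTLS path in this test file is skipped while neither the code nor the patch description records why. Commented-out code rots at the next rebase; `return 0; /* Red Hat: KTLS test coverage disabled, see <tracker-id placeholder> */` with the `ktls_enable` lines removed says the same thing and is easier to revert. The subject calls it "TMP" but there is no `Patch-status:` block or bug reference like the other RH patches carry, so the skip has no owner and no expiry; adding `Patch-status: |` with the reason and a tracking reference gives it a path to removal.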
@@ -1,45 +1,72 @@ -From 4f9167db05cade673f98f1a00efd57136e97b460 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 22/49] 0049-Allow-disabling-of-SHA1-signatures.patch +From 81b507715dded07f61f6d2bd7d498cc16ae04e38 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 13:07:07 +0200 +Subject: [PATCH 16/50] RH: Allow disabling of SHA1 signatures Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch Patch-id: 49 Patch-status: | - # # Selectively disallow SHA1 signatures rhbz#2070977 -From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce + # Selectively disallow SHA1 signatures rhbz#2070977 +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd --- - crypto/context.c | 14 ++++ - crypto/evp/evp_cnf.c | 13 +++ - crypto/evp/m_sigver.c | 79 +++++++++++++++++++ + crypto/context.c | 76 +++++++++++++++++++ + crypto/evp/evp_cnf.c | 13 ++++ + crypto/evp/m_sigver.c | 13 ++++ crypto/evp/pmeth_lib.c | 15 ++++ - doc/man5/config.pod | 13 +++ - include/crypto/context.h | 3 + + doc/man5/config.pod | 13 ++++ + include/crypto/context.h | 8 ++ include/internal/cryptlib.h | 3 +- include/internal/sslconf.h | 4 + - providers/common/securitycheck.c | 20 +++++ - providers/common/securitycheck_default.c | 9 ++- - providers/implementations/signature/dsa_sig.c | 11 ++- - .../implementations/signature/ecdsa_sig.c | 4 + - providers/implementations/signature/rsa_sig.c | 20 ++++- + providers/common/include/prov/securitycheck.h | 2 + + providers/common/securitycheck.c | 14 ++++ + providers/common/securitycheck_default.c | 1 + + providers/implementations/signature/dsa_sig.c | 1 + + .../implementations/signature/ecdsa_sig.c | 5 +- + providers/implementations/signature/rsa_sig.c | 17 ++++- ssl/t1_lib.c | 8 ++ util/libcrypto.num | 2 + - 15 files changed, 209 insertions(+), 9 deletions(-) + 16 files changed, 189 insertions(+), 6 deletions(-) 
diff --git a/crypto/context.c b/crypto/context.c
-index fb4816d89b..c04920fe14 100644
+index 614c8a2c88..6859146510 100644
--- a/crypto/context.c
+++ b/crypto/context.c
-@@ -83,6 +83,8 @@ struct ossl_lib_ctx_st {
- void *fips_prov;
+@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st {
#endif
+ STACK_OF(SSL_COMP) *comp_methods;
+ void *legacy_digest_signatures;
+
- unsigned int ischild:1;
+ int ischild;
+ int conf_diagnostics;
};
+@@ -119,6 +121,25 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *ctx)
+ return ctx->ischild;
+ }
-@@ -223,6 +225,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
++static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
++{
++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
++
++ if (ldsigs != NULL) {
++ OPENSSL_free(ldsigs);
++ }
++}
++
++static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
++{
++ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
++ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
++ * because the default on Fedora is to allow SHA-1 and support disabling
++ * it, while CentOS/RHEL disable it by default and allow enabling it. */
++ ldsigs->allowed = 0;
++ return ldsigs;
++}
++
+ static void context_deinit_objs(OSSL_LIB_CTX *ctx);
+
+ static int context_init(OSSL_LIB_CTX *ctx)
+@@ -235,6 +256,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
goto err;
#endif
@@ -50,7 +77,7 @@ index fb4816d89b..c04920fe14 100644
/* Low priority. */
#ifndef FIPS_MODULE
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
-@@ -366,6 +372,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
+@@ -382,6 +407,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
}
#endif
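Review bot: ossl_ctx_legacy_digest_signatures_new dereferences the result of OPENSSL_zalloc without a NULL check, so an allocation failure during context_init becomes a NULL write instead of an error return; add `if (ldsigs == NULL) return NULL;` before `ldsigs->allowed = 0;`, which matches how the neighbouring `ossl_child_prov_ctx_new` result is presumably handled (the added context_init lines are outside this hunk, so please confirm they test for NULL). The comment above the initializer also contradicts it: it says Fedora's default is to allow SHA-1 signatures and only support disabling them, yet `allowed = 0` makes the default a refusal; either the comment or the value is wrong for this branch, and since this is what applies when no config section is loaded the two should be reconciled rather than left for the next rebase. The `if (ldsigs != NULL)` in the free function is redundant, OPENSSL_free accepts NULL.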
@@ -62,9 +89,9 @@ index fb4816d89b..c04920fe14 100644 /* Low priority. */ #ifndef FIPS_MODULE if (ctx->child_provider != NULL) { -@@ -663,6 +674,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index) - return ctx->fips_prov; - #endif +@@ -660,6 +690,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index) + case OSSL_LIB_CTX_COMP_METHODS: + return (void *)&ctx->comp_methods; + case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX: + return ctx->legacy_digest_signatures; 
@@ -72,69 +99,10 @@ index fb4816d89b..c04920fe14 100644 default: return NULL; } -diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c -index 0e7fe64cf9..b9d3b6d226 100644 ---- a/crypto/evp/evp_cnf.c -+++ b/crypto/evp/evp_cnf.c -@@ -10,6 +10,7 @@ - #include - #include - #include "internal/cryptlib.h" -+#include "internal/sslconf.h" - #include - #include - #include -@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) - ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); - return 0; - } -+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) { -+ int m; -+ -+ /* Detailed error already reported. */ -+ if (!X509V3_get_value_bool(oval, &m)) -+ return 0; -+ -+ if (!ossl_ctx_legacy_digest_signatures_allowed_set( -+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); -+ return 0; -+ } - } else { - ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, - "name=%s, value=%s", oval->name, oval->value); -diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index 3a979f4bd4..fd3a4b79df 100644 ---- a/crypto/evp/m_sigver.c -+++ b/crypto/evp/m_sigver.c -@@ -15,6 +15,73 @@ - #include "internal/provider.h" - #include "internal/numbers.h" /* includes SIZE_MAX */ - #include "evp_local.h" -+#include "crypto/context.h" -+ -+typedef struct ossl_legacy_digest_signatures_st { -+ int allowed; -+} OSSL_LEGACY_DIGEST_SIGNATURES; -+ -+void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; -+ -+ if (ldsigs != NULL) { -+ OPENSSL_free(ldsigs); -+ } -+} -+ -+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); -+ /* Warning: This patch differs from the same patch in CentOS and RHEL here, -+ * because the default on Fedora is to allow SHA-1 and support disabling -+ * it, while CentOS/RHEL disable it by default and allow 
enabling it. */ -+ ldsigs->allowed = 0; -+ return ldsigs; -+} +@@ -714,3 +747,46 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, int value) + return; + libctx->conf_diagnostics = value; + } + +static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( + OSSL_LIB_CTX *libctx, int loadconfig) @@ -178,10 +146,50 @@ index 3a979f4bd4..fd3a4b79df 100644 + ldsigs->allowed = allow; + return 1; +} +diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c +index 0e7fe64cf9..b9d3b6d226 100644 +--- a/crypto/evp/evp_cnf.c ++++ b/crypto/evp/evp_cnf.c +@@ -10,6 +10,7 @@ + #include + #include + #include "internal/cryptlib.h" ++#include "internal/sslconf.h" + #include + #include + #include +@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) + ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); + return 0; + } ++ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) { ++ int m; ++ ++ /* Detailed error already reported. */ ++ if (!X509V3_get_value_bool(oval, &m)) ++ return 0; ++ ++ if (!ossl_ctx_legacy_digest_signatures_allowed_set( ++ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); ++ return 0; ++ } + } else { + ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, + "name=%s, value=%s", oval->name, oval->value); +diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c +index 2d1839fedb..6e4685ecc0 100644 +--- a/crypto/evp/m_sigver.c ++++ b/crypto/evp/m_sigver.c +@@ -15,6 +15,7 @@ + #include "internal/provider.h" + #include "internal/numbers.h" /* includes SIZE_MAX */ + #include "evp_local.h" ++#include "internal/sslconf.h" - #ifndef FIPS_MODULE - -@@ -253,6 +320,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) + { +@@ -251,6 +252,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, } } 
@@ -201,7 +209,7 @@ index 3a979f4bd4..fd3a4b79df 100644 if (signature->digest_verify_init == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 268b1617e3..248f655d0f 100644 +index 665cafbc21..84fb95d4ca 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -33,6 +33,7 @@ @@ -212,7 +220,7 @@ index 268b1617e3..248f655d0f 100644 #include "evp_local.h" #ifndef FIPS_MODULE -@@ -951,6 +952,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, +@@ -954,6 +955,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, return -2; } @@ -234,49 +242,56 @@ index 268b1617e3..248f655d0f 100644 return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index bd05736220..ed34ff4b9c 100644 +index 39fa468320..b994081924 100644 --- a/doc/man5/config.pod 
+++ b/doc/man5/config.pod -@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning: +@@ -315,6 +315,19 @@ Within the algorithm properties section, the following names have meaning: The value may be anything that is acceptable as a property query string for EVP_set_default_properties(). +=item B + +The value is a boolean that can be B or B. If the value is not set, -+it behaves as if it was set to B. ++it behaves as if it was set to B. + +When set to B, any attempt to create or verify a signature with a SHA1 -+digest will fail. For compatibility with older versions of OpenSSL, set this -+option to B. This setting also affects TLS, where signature algorithms -+that use SHA1 as digest will no longer be supported if this option is set to -+B. ++digest will fail. To test whether your software will work with future versions ++of OpenSSL, set this option to B. This setting also affects TLS, where ++signature algorithms that use SHA1 as digest will no longer be supported if ++this option is set to B. Because TLS 1.1 or lower use MD5-SHA1 as ++pseudorandom function (PRF) to derive key material, disabling ++B requires the use of TLS 1.2 or newer. + =item B (deprecated) The value is a boolean that can be B or B. If the value is diff --git a/include/crypto/context.h b/include/crypto/context.h -index 7369a730fb..55b74238c8 100644 +index 1c181933e0..35bdfdb52d 100644 --- a/include/crypto/context.h 
+++ b/include/crypto/context.h -@@ -46,3 +46,6 @@ void ossl_release_default_drbg_ctx(void); +@@ -48,3 +48,11 @@ void ossl_release_default_drbg_ctx(void); #if defined(OPENSSL_THREADS) void ossl_threads_ctx_free(void *); #endif + -+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *); -+void ossl_ctx_legacy_digest_signatures_free(void *); ++#ifndef OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT ++#define OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT ++typedef struct ossl_legacy_digest_signatures_st { ++ int allowed; ++} OSSL_LEGACY_DIGEST_SIGNATURES; ++#endif ++ diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h -index 64851fd8ed..8e01a77ddc 100644 +index da442f8a86..44a5e8a99a 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h -@@ -117,7 +117,8 @@ typedef struct ossl_ex_data_global_st { - # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 - # define OSSL_LIB_CTX_THREAD_INDEX 19 +@@ -120,7 +120,8 @@ typedef struct ossl_ex_data_global_st { # define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20 --# define OSSL_LIB_CTX_MAX_INDEXES 20 -+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21 -+# define OSSL_LIB_CTX_MAX_INDEXES 21 + # define OSSL_LIB_CTX_COMP_METHODS 21 + # define OSSL_LIB_CTX_INDICATOR_CB_INDEX 22 +-# define OSSL_LIB_CTX_MAX_INDEXES 22 ++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23 ++# define OSSL_LIB_CTX_MAX_INDEXES 23 OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); 
@@ -293,8 +308,18 @@ index fd7f7e3331..05464b0655 100644 +int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, + int loadconfig); #endif +diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h +index 29a2b7fbf8..a48cbb03d2 100644 +--- a/providers/common/include/prov/securitycheck.h ++++ b/providers/common/include/prov/securitycheck.h +@@ -37,3 +37,5 @@ int ossl_digest_get_approved_nid(const EVP_MD *md); + /* Functions that have different implementations for the FIPS_MODULE */ + int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md); + int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx); ++ ++int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid); diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c -index 0d3acdbe56..fe694c4e96 100644 +index 8ef8dc2a81..79a9c48ce2 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -19,6 +19,7 @@ 
@@ -303,26 +328,27 @@ index 0d3acdbe56..fe694c4e96 100644
#include "prov/securitycheck.h"
+#include "internal/sslconf.h"
- /*
- * FIPS requires a minimum security strength of 112 bits (for encryption or
-@@ -243,6 +244,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
- mdnid = -1; /* disallowed by security checks */
- }
- # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
+ #define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112
+
+@@ -219,3 +220,16 @@ int ossl_dh_check_key(const DH *dh)
+ return (L == 2048 && (N == 224 || N == 256));
+ }
+ #endif /* OPENSSL_NO_DH */
+
+int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid)
+{
+#ifndef FIPS_MODULE
-+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
++ if (!ossl_ctx_legacy_digest_signatures_allowed(libctx, 0))
+ /* SHA1 is globally disabled, check whether we want to locally allow
+ * it. */
-+ if (mdnid == NID_sha1 && !sha1_allowed)
-+ mdnid = -1;
+#endif
++ if (mdnid == NID_sha1)
++ mdnid = -1;
+
- return mdnid;
- }
-
++ return mdnid;
++}
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index 246323493e..2ca7a59f39 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
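Review bot: In rh_digest_signatures_allowed the `#ifndef FIPS_MODULE` encloses only the `if (!ossl_ctx_legacy_digest_signatures_allowed(libctx, 0))` line, so in the FIPS build the remaining `if (mdnid == NID_sha1) mdnid = -1;` runs unconditionally for every caller, verify as well as sign, and the comment "check whether we want to locally allow it" describes a local-allow parameter that this version of the function no longer has. Whether an unconditional FIPS refusal is the intent cannot be told from the hunk; either way the control flow should be written out rather than relying on a preprocessor block that swallows a brace-less `if`, which is an easy place for a future edit to go wrong. The shape below keeps the current behaviour in both builds and states the FIPS case in the comment.
```c
int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid)
{
    int sha1_allowed = 0;

#ifndef FIPS_MODULE
    /* Outside the FIPS module the rh-allow-sha1-signatures config option
     * decides; inside it SHA-1 signatures are always refused. */
    sha1_allowed = ossl_ctx_legacy_digest_signatures_allowed(libctx, 0);
#endif
    if (mdnid == NID_sha1 && !sha1_allowed)
        mdnid = -1;

    return mdnid;
}
```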
@@ -332,78 +358,46 @@ index 246323493e..2ca7a59f39 100644 +#include "internal/sslconf.h" /* Disable the security checks in the default provider */ - int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) -@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) - } - - int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, -- ossl_unused int sha1_allowed) -+ int sha1_allowed) - { - int mdnid; -+ int ldsigs_allowed; - - static const OSSL_ITEM name_to_nid[] = { - { NID_md5, OSSL_DIGEST_NAME_MD5 }, -@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, - { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, - }; - -- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1); -+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0); -+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed); - if (mdnid == NID_undef) - mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); -+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed) -+ mdnid = -1; - return mdnid; - } + int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx) diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c -index b89a0f6836..e0c26a13e4 100644 +index c5adbf8002..52ed52482d 100644 --- a/providers/implementations/signature/dsa_sig.c 
+++ b/providers/implementations/signature/dsa_sig.c -@@ -125,12 +125,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, - mdprops = ctx->propq; +@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, - if (mdname != NULL) { -- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - WPACKET pkt; - EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); -- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, -- sha1_allowed); -+ int md_nid; - size_t mdname_len = strlen(mdname); -+#ifdef FIPS_MODULE -+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); -+#else -+ int sha1_allowed = 0; -+#endif -+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, -+ sha1_allowed); + md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); + md_nid = ossl_digest_get_approved_nid(md); ++ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid); - if (md == NULL || md_nid < 0) { - if (md == NULL) + if (md == NULL) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c -index f158105e71..62355b89fe 100644 +index 4018a772ff..80e4115b69 100644 --- a/providers/implementations/signature/ecdsa_sig.c 
+++ b/providers/implementations/signature/ecdsa_sig.c -@@ -247,7 +247,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, - "%s could not be fetched", mdname); - return 0; +@@ -197,13 +197,16 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, + goto err; } -+#ifdef FIPS_MODULE - sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); -+#else -+ sha1_allowed = 0; -+#endif - md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, - sha1_allowed); - if (md_nid < 0) { + md_nid = ossl_digest_get_approved_nid(md); ++ + #ifdef FIPS_MODULE +- if (md_nid == NID_undef) { ++ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid); ++ if (md_nid <= 0) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest=%s", mdname); + goto err; + } + #endif ++ + /* XOF digests don't work */ + if (EVP_MD_xof(md)) { + ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index c1405f47ea..aeda1a7758 100644 +index e75b90840b..c4740128ce 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c -@@ -25,6 +25,7 @@ +@@ -26,6 +26,7 @@ #include "internal/cryptlib.h" #include "internal/nelem.h" #include "internal/sizes.h" 
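Review bot: In ecdsa_setup_md the new `rh_digest_signatures_allowed` call sits inside the `#ifdef FIPS_MODULE` block, so the default provider's ECDSA never consults the SHA-1 policy at this layer, unlike dsa_setup_md and rsa_setup_md in the same patch which call it unconditionally; enforcement for ECDSA-SHA1 in the default provider then rests on the EVP-layer checks alone. Move the call and a `< 0` test above the #ifdef and keep the FIPS-only `NID_undef` check as it was, as sketched below. The dsa_sig.c change has the mirror-image risk: it stores the -1 from rh_digest_signatures_allowed, but the check that consumes md_nid is outside the hunk, and if that code still tests `md_nid == NID_undef` rather than `<= 0` the -1 passes through and SHA-1 is not actually refused there, so please confirm.
```c
    md_nid = ossl_digest_get_approved_nid(md);
    /* RH SHA-1 policy applies in every provider, not only the FIPS one */
    md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
    if (md_nid < 0) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                       "digest=%s", mdname);
        goto err;
    }
#ifdef FIPS_MODULE
    if (md_nid == NID_undef) {
        ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                       "digest=%s", mdname);
        goto err;
    }
#endif
    /* … unchanged: XOF digest check … */
```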
@@ -411,54 +405,56 @@ index c1405f47ea..aeda1a7758 100644 #include "crypto/rsa.h" #include "prov/providercommon.h" #include "prov/implementations.h" -@@ -33,6 +34,7 @@ +@@ -34,6 +35,7 @@ #include "prov/securitycheck.h" #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 +#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256 - OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_newctx_fn rsa_newctx; static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; -@@ -301,10 +303,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, - - if (mdname != NULL) { - EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); -+ int md_nid; -+ size_t mdname_len = strlen(mdname); -+#ifdef FIPS_MODULE - int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); -- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, -+#else -+ int sha1_allowed = 0; -+#endif -+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, - sha1_allowed); -- size_t mdname_len = strlen(mdname); - - if (md == NULL - || md_nid <= 0 -@@ -1392,8 +1399,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) +@@ -387,7 +389,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, + goto err; + } + md_nid = ossl_digest_rsa_sign_get_md_nid(md); +- if (md_nid == NID_undef) { ++ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid); ++ if (md_nid <= 0) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest=%s", mdname); + goto err; +@@ -475,8 +478,9 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, + "%s could not be fetched", mdname); + return 0; + } +- /* The default for mgf1 is SHA1 - so allow SHA1 */ ++ /* The default for mgf1 is SHA1 - so check if we allow SHA1 */ + if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0 ++ || (mdnid = rh_digest_signatures_allowed(ctx->libctx, mdnid)) <= 0 + || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { + if (mdnid <= 0) + 
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, +@@ -1765,8 +1769,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) prsactx->pad_mode = pad_mode; if (prsactx->md == NULL && pmdname == NULL - && pad_mode == RSA_PKCS1_PSS_PADDING) +- pmdname = RSA_DEFAULT_DIGEST_NAME; + && pad_mode == RSA_PKCS1_PSS_PADDING) { - pmdname = RSA_DEFAULT_DIGEST_NAME; -+#ifndef FIPS_MODULE -+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { ++ if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { ++ pmdname = RSA_DEFAULT_DIGEST_NAME; ++ } else { + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; + } -+#endif + } -+ if (pmgf1mdname != NULL && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 631e1fdef9..05dd7c5595 100644 +index 8d0c2647b7..f6117a1fc5 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c -@@ -20,6 +20,7 @@ +@@ -21,6 +21,7 @@ #include #include #include @@ -466,15 +462,15 @@ index 631e1fdef9..05dd7c5595 100644 #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/tlsgroups.h" -@@ -1506,6 +1507,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) - uint16_t *tls12_sigalgs_list = NULL; +@@ -2176,6 +2177,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) EVP_PKEY *tmpkey = EVP_PKEY_new(); + int istls; int ret = 0; + int ldsigs_allowed; if (ctx == NULL) goto err; -@@ -1521,6 +1523,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) +@@ -2193,6 +2195,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) goto err; ERR_set_mark(); 
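Review bot: rsa_set_ctx_params now calls `ossl_ctx_legacy_digest_signatures_allowed` with no `#ifndef FIPS_MODULE` guard, whereas the removed lines of this hunk had one and rh_digest_signatures_allowed in the same patch still guards the very same call; rsa_sig.c is also built into the FIPS provider, so this either fails to link there or quietly makes the FIPS PSS default digest depend on a config knob the module is not expected to read, and the hunk does not show which. Restore the guard, keeping `pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;` as the unconditional FIPS-side value and `#ifndef FIPS_MODULE` around the `if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0))` branch. Note that this also changes the documented PSS default digest from SHA-1 to SHA-256 whenever SHA-1 signatures are disabled; the config.pod text in this patch should mention that.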
@@ -482,28 +478,28 @@ index 631e1fdef9..05dd7c5595 100644 /* First fill cache and tls12_sigalgs list from legacy algorithm list */ for (i = 0, lu = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { -@@ -1542,6 +1545,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) - cache[i].enabled = 0; +@@ -2213,6 +2216,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + cache[i].available = 0; continue; } + if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) + && !ldsigs_allowed) { -+ cache[i].enabled = 0; ++ cache[i].available = 0; + continue; + } if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { - cache[i].enabled = 0; + cache[i].available = 0; diff --git a/util/libcrypto.num b/util/libcrypto.num -index ef97803327..8046454025 100644 +index d377d542db..c2c55129ae 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num -@@ -5536,3 +5536,5 @@ X509_STORE_CTX_set_get_crl 5663 3_2_0 EXIST::FUNCTION: - X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: - OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: - BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK +@@ -5928,3 +5928,5 @@ OSSL_AA_DIST_POINT_free 6051 3_5_0 EXIST::FUNCTION: + OSSL_AA_DIST_POINT_new 6052 3_5_0 EXIST::FUNCTION: + OSSL_AA_DIST_POINT_it 6053 3_5_0 EXIST::FUNCTION: + PEM_ASN1_write_bio_ctx 6054 3_5_0 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: -- -2.44.0 +2.49.0 diff --git a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch new file mode 100644 index 0000000..3478880 --- /dev/null +++ b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch 
@@ -0,0 +1,34 @@
+From 3e20d4430b34488a06102c30634e7d25d2699290 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Fri, 7 Mar 2025 18:12:33 -0500
+Subject: [PATCH 17/50] FIPS: Red Hat's FIPS module name and version
+
+Signed-off-by: Simo Sorce
+---
+ providers/fips/fipsprov.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index 373cd1c2e4..aa1ab85470 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
+ OSSL_LIB_CTX_FIPS_PROV_INDEX);
+
+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
+- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, FIPS_VENDOR))
++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VENDOR))
+ return 0;
+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
+- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
+ return 0;
+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
+- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
+ return 0;
+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
+ if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
+--
+2.49.0
+
diff --git a/0034.fipsinstall_disable.patch b/0018-FIPS-disable-fipsinstall.patch
similarity index 53%
rename from 0034.fipsinstall_disable.patch
rename to 0018-FIPS-disable-fipsinstall.patch
index f1d7b27..875aa37 100644
--- a/0034.fipsinstall_disable.patch
+++ b/0018-FIPS-disable-fipsinstall.patch
@@ -1,27 +1,33 @@
-From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001
+From 50de3f0a5f2023549aaa9caa2184795e692741b0 Mon Sep 17 00:00:00 2001
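Review bot: REDHAT_FIPS_VENDOR and REDHAT_FIPS_VERSION are used in fips_get_params without any definition in this patch, presumably supplied as -D flags from the spec; the string reported through OSSL_PROV_PARAM_VERSION is what a FIPS validation certificate is matched against, so a missing or misspelled flag should break the build rather than fall back silently. Add `#ifndef REDHAT_FIPS_VERSION` / `# error "REDHAT_FIPS_VERSION must be defined for the Red Hat FIPS provider"` / `#endif` near the top of fipsprov.c, and the same for the vendor macro. The same macro is also assigned to OSSL_PROV_PARAM_BUILDINFO, so buildinfo no longer distinguishes the build from the module version; if that is deliberate a one-line comment saying so would help, otherwise keep OPENSSL_FULL_VERSION_STR there.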
From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 18/50] FIPS: disable fipsinstall Patch-name: 0034.fipsinstall_disable.patch Patch-id: 34 Patch-status: | - # Comment out fipsinstall command-line utility -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # Comment out fipsinstall command-line utility +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - apps/fipsinstall.c | 3 + - doc/man1/openssl-fipsinstall.pod.in | 272 +--------------------------- - doc/man1/openssl.pod | 4 - - doc/man5/config.pod | 1 - - doc/man5/fips_config.pod | 104 +---------- - doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - - 6 files changed, 10 insertions(+), 375 deletions(-) + apps/fipsinstall.c | 3 + + doc/man1/openssl-fipsinstall.pod.in | 485 +------------------------- + doc/man1/openssl.pod | 4 - + doc/man5/config.pod | 1 - + doc/man5/fips_config.pod | 228 +----------- + doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - + test/recipes/00-prep_fipsmodule_cnf.t | 10 +- + test/recipes/01-test_fipsmodule_cnf.t | 7 +- + test/recipes/03-test_fipsinstall.t | 2 + + 9 files changed, 22 insertions(+), 719 deletions(-) + mode change 100644 => 100755 test/recipes/00-prep_fipsmodule_cnf.t + mode change 100644 => 100755 test/recipes/01-test_fipsmodule_cnf.t + mode change 100644 => 100755 test/recipes/03-test_fipsinstall.t diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c -index e1ef645b60..db92cb5fb2 100644 +index 0daa55a1b8..b4e29ac301 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c -@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv) +@@ -590,6 +590,9 @@ int fipsinstall_main(int argc, char **argv) EVP_MAC *mac = NULL; CONF *conf = NULL; @@ -32,10 +38,10 @@ index e1ef645b60..db92cb5fb2 100644 goto end; 
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in -index b1768b7f91..b6b00e27d8 100644 +index 9dd4f5a49f..9a063022a9 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in -@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation +@@ -8,488 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation =head1 SYNOPSIS B @@ -53,8 +59,33 @@ index b1768b7f91..b6b00e27d8 100644 -[B<-pedantic>] -[B<-no_conditional_errors>] -[B<-no_security_checks>] +-[B<-hmac_key_check>] +-[B<-kmac_key_check>] -[B<-ems_check>] -[B<-no_drbg_truncated_digests>] +-[B<-signature_digest_check>] +-[B<-hkdf_digest_check>] +-[B<-tls13_kdf_digest_check>] +-[B<-tls1_prf_digest_check>] +-[B<-sshkdf_digest_check>] +-[B<-sskdf_digest_check>] +-[B<-x963kdf_digest_check>] +-[B<-dsa_sign_disabled>] +-[B<-no_pbkdf2_lower_bound_check>] +-[B<-no_short_mac>] +-[B<-tdes_encrypt_disabled>] +-[B<-rsa_pkcs15_padding_disabled>] +-[B<-rsa_pss_saltlen_check>] +-[B<-rsa_sign_x931_disabled>] +-[B<-hkdf_key_check>] +-[B<-kbkdf_key_check>] +-[B<-tls13_kdf_key_check>] +-[B<-tls1_prf_key_check>] +-[B<-sshkdf_key_check>] +-[B<-sskdf_key_check>] +-[B<-x963kdf_key_check>] +-[B<-x942kdf_key_check>] +-[B<-ecdh_cofactor_check>] -[B<-self_test_onload>] -[B<-self_test_oninstall>] -[B<-corrupt_desc> I] 
@@ -216,11 +247,154 @@ index b1768b7f91..b6b00e27d8 100644 -when using the TLS1_PRF KDF algorithm. This check is disabled by default. -See RFC 7627 for information related to EMS. - +-=item B<-no_short_mac> +- +-Configure the module to not allow short MAC outputs. +-See SP 800-185 8.4.2 and FIPS 140-3 ID C.D for details. +- +-=item B<-hmac_key_check> +- +-Configure the module to not allow small keys sizes when using HMAC. +-See SP 800-131Ar2 for details. +- +-=item B<-kmac_key_check> +- +-Configure the module to not allow small keys sizes when using KMAC. +-See SP 800-131Ar2 for details. +- -=item B<-no_drbg_truncated_digests> - -Configure the module to not allow truncated digests to be used with Hash and -HMAC DRBGs. See FIPS 140-3 IG D.R for details. - +-=item B<-signature_digest_check> +- +-Configure the module to enforce signature algorithms to use digests that are +-explicitly permitted by the various standards. +- +-=item B<-hkdf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-HKDF. +-See NIST SP 800-56Cr2 for details. +- +-=item B<-tls13_kdf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-TLS13 KDF. +-See RFC 8446 for details. +- +-=item B<-tls1_prf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-TLS_PRF. +-See NIST SP 800-135r1 for details. +- +-=item B<-sshkdf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-SSHKDF. +-See NIST SP 800-135r1 for details. +- +-=item B<-sskdf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-SSKDF. +-See NIST SP 800-56Cr2 for details. +- +-=item B<-x963kdf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-X963KDF. +-See NIST SP 800-131Ar2 for details. 
+- +-=item B<-dsa_sign_disabled> +- +-Configure the module to not allow DSA signing (DSA signature verification is +-still allowed). See FIPS 140-3 IG C.K for details. +- +-=item B<-tdes_encrypt_disabled> +- +-Configure the module to not allow Triple-DES encryption. +-Triple-DES decryption is still allowed for legacy purposes. +-See SP800-131Ar2 for details. +- +-=item B<-rsa_pkcs15_padding_disabled> +- +-Configure the module to not allow PKCS#1 version 1.5 padding to be used with +-RSA for key transport and key agreement. See NIST's SP 800-131A Revision 2 +-for details. +- +-=item B<-rsa_pss_saltlen_check> +- +-Configure the module to enable a run-time salt length check when generating or +-verifying a RSA-PSS signature. +-See FIPS 186-5 5.4 (g) for details. +- +-=item B<-rsa_sign_x931_disabled> +- +-Configure the module to not allow X9.31 padding to be used when signing with +-RSA. See FIPS 140-3 IG C.K for details. +- +-=item B<-hkdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by HKDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-kbkdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by KBKDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-tls13_kdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by TLS13 KDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-tls1_prf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by TLS_PRF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-sshkdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by SSHKDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-sskdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by SSKDF. 
+-See NIST SP 800-131Ar2 for details. +- +-=item B<-x963kdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by X963KDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-x942kdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by X942KDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-no_pbkdf2_lower_bound_check> +- +-Configure the module to not perform run-time lower bound check for PBKDF2. +-See NIST SP 800-132 for details. +- +-=item B<-ecdh_cofactor_check> +- +-Configure the module to enable a run-time check that ECDH uses the EC curves +-cofactor value when deriving a key. This only affects the 'B' and 'K' curves. +-See SP 800-56A r3 Section 5.7.1.2 for details. +- -=item B<-self_test_onload> - -Do not write the two fields related to the "test status indicator" and @@ -230,14 +404,17 @@ index b1768b7f91..b6b00e27d8 100644 -target machine. Once the self tests have run on the target machine the user -could possibly then add the 2 fields into the configuration using some other -mechanism. -- --This is the default. +-This option defaults to 0 for any OpenSSL FIPS 140-2 provider (OpenSSL 3.0.X). +-and is not relevant for an OpenSSL FIPS 140-3 provider, since this is no +-longer allowed. - -=item B<-self_test_oninstall> - -The converse of B<-self_test_oninstall>. The two fields related to the -"test status indicator" and "MAC status indicator" are written to the -output configuration file. +-This field is not relevant for an OpenSSL FIPS 140-3 provider, since this is no +-longer allowed. - -=item B<-quiet> - 
@@ -308,6 +485,48 @@ index b1768b7f91..b6b00e27d8 100644 -L, -L, -L +- +-=head1 HISTORY +- +-The B application was added in OpenSSL 3.0. +- +-The following options were added in OpenSSL 3.1: +- +-B<-ems_check>, +-B<-self_test_oninstall> +- +-The following options were added in OpenSSL 3.2: +- +-B<-pedantic>, +-B<-no_drbg_truncated_digests> +- +-The following options were added in OpenSSL 3.4: +- +-B<-hmac_key_check>, +-B<-kmac_key_check>, +-B<-signature_digest_check>, +-B<-hkdf_digest_check>, +-B<-tls13_kdf_digest_check>, +-B<-tls1_prf_digest_check>, +-B<-sshkdf_digest_check>, +-B<-sskdf_digest_check>, +-B<-x963kdf_digest_check>, +-B<-dsa_sign_disabled>, +-B<-no_pbkdf2_lower_bound_check>, +-B<-no_short_mac>, +-B<-tdes_encrypt_disabled>, +-B<-rsa_pkcs15_padding_disabled>, +-B<-rsa_pss_saltlen_check>, +-B<-rsa_sign_x931_disabled>, +-B<-hkdf_key_check>, +-B<-kbkdf_key_check>, +-B<-tls13_kdf_key_check>, +-B<-tls1_prf_key_check>, +-B<-sshkdf_key_check>, +-B<-sskdf_key_check>, +-B<-x963kdf_key_check>, +-B<-x942kdf_key_check>, +-B<-ecdh_cofactor_check> +This command is disabled. +Please consult Red Hat Enterprise Linux documentation to learn how to correctly +enable FIPS mode on Red Hat Enterprise @@ -315,10 +534,10 @@ index b1768b7f91..b6b00e27d8 100644 =head1 COPYRIGHT diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod -index d9c22a580f..d5ec3b9a6a 100644 +index edef2ff598..0762a00d74 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod -@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation. +@@ -139,10 +139,6 @@ Engine (loadable module) information and manipulation. Error Number to Error String Conversion. @@ -330,10 +549,10 @@ index d9c22a580f..d5ec3b9a6a 100644 Generation of DSA Private Key from Parameters. Superseded by diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 714a10437b..bd05736220 100644 +index b994081924..7a6d7fab4a 100644 --- a/doc/man5/config.pod 
+++ b/doc/man5/config.pod -@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified. +@@ -603,7 +603,6 @@ configuration files using that syntax will have to be modified. =head1 SEE ALSO L, L, L, @@ -342,10 +561,10 @@ index 714a10437b..bd05736220 100644 L, L, diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod -index 2255464304..1c15e32a5c 100644 +index a25ced3383..15748c5756 100644 --- a/doc/man5/fips_config.pod +++ b/doc/man5/fips_config.pod -@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration +@@ -6,230 +6,10 @@ fips_config - OpenSSL FIPS configuration =head1 DESCRIPTION @@ -382,10 +601,6 @@ index 2255464304..1c15e32a5c 100644 -If present, the module is activated. The value assigned to this name is not -significant. - --=item B -- --A version number for the fips install process. Should be 1. -- -=item B - -The FIPS module normally enters an internal error mode if any self test fails. @@ -399,18 +614,14 @@ index 2255464304..1c15e32a5c 100644 -continuous test will return an error code if its continuous test fails. The -operation may then be retried if the error mode has not been triggered. - --=item B -- --This indicates if run-time checks related to enforcement of security parameters --such as minimum security strength of keys and approved curve names are used. --A value of '1' will perform the checks, otherwise if the value is '0' the checks --are not performed and FIPS compliance must be done by procedures documented in --the relevant Security Policy. -- -=item B - -The calculated MAC of the FIPS provider file. - +-=item B +- +-A version number for the fips install process. Should be 1. +- -=item B - -An indicator that the self-tests were successfully run. 
@@ -427,6 +638,134 @@ index 2255464304..1c15e32a5c 100644 - -=back - +-=head2 FIPS indicator options +- +-The following FIPS configuration options indicate if run-time checks related to +-enforcement of FIPS security parameters such as minimum security strength of +-keys and approved curve names are used. +-A value of '1' will perform the checks, otherwise if the value is '0' the checks +-are not performed and FIPS compliance must be done by procedures documented in +-the relevant Security Policy. +- +-See L for further information related to these +-options. +- +-=over 4 +- +-=item B +- +-See L B<-no_security_checks> +- +-=item B +- +-See L B<-ems_check> +- +-=item B +- +-See L B<-no_short_mac> +- +-=item B +- +-See L B<-no_drbg_truncated_digests> +- +-=item B +- +-See L B<-signature_digest_check> +- +-=item B +- +-See L B<-hkdf_digest_check> +- +-=item B +- +-See L B<-tls13_kdf_digest_check> +- +-=item B +- +-See L B<-tls1_prf_digest_check> +- +-=item B +- +-See L B<-sshkdf_digest_check> +- +-=item B +- +-See L B<-sskdf_digest_check> +- +-=item B +- +-See L B<-x963kdf_digest_check> +- +-=item B +- +-See L B<-dsa_sign_disabled> +- +-=item B +- +-See L B<-tdes_encrypt_disabled> +- +-=item B +- +-See L B<-rsa_pkcs15_pad_disabled> +- +-=item B +- +-See L B<-rsa_pss_saltlen_check> +- +-=item B +- +-See L B<-rsa_sign_x931_disabled> +- +-=item B +- +-See L B<-hkdf_key_check> +- +-=item B +- +-See L B<-kbkdf_key_check> +- +-=item B +- +-See L B<-tls13_kdf_key_check> +- +-=item B +- +-See L B<-tls1_prf_key_check> +- +-=item B +- +-See L B<-sshkdf_key_check> +- +-=item B +- +-See L B<-sskdf_key_check> +- +-=item B +- +-See L B<-x963kdf_key_check> +- +-=item B +- +-See L B<-x942kdf_key_check> +- +-=item B +- +-See L B<-no_pbkdf2_lower_bound_check> +- +-=item B +- +-See L B<-ecdh_cofactor_check> +- +-=item B +- +-See L B<-hmac_key_check> +- +-=item B +- +-See L B<-kmac_key_check> +- +-=back +- -For example: - - [fips_sect] 
@@ -449,18 +788,22 @@ index 2255464304..1c15e32a5c 100644 - -L -L +- +-=head1 HISTORY +- +-This functionality was added in OpenSSL 3.0. +This command is disabled in Red Hat Enterprise Linux. The FIPS provider is +automatically loaded when the system is booted in FIPS mode, or when the +environment variable B is set. See the documentation +for more information. - =head1 HISTORY + =head1 COPYRIGHT diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod -index 4f908888ba..ef00247770 100644 +index 20d35fada8..f8f219d647 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod -@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are: +@@ -575,7 +575,6 @@ want to operate in a FIPS approved manner. The algorithms are: =head1 SEE ALSO 
@@ -468,6 +811,60 @@ index 4f908888ba..ef00247770 100644 L, L, L, +diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t +old mode 100644 +new mode 100755 +index 4e3a6d85e8..48869b2568 +--- a/test/recipes/00-prep_fipsmodule_cnf.t ++++ b/test/recipes/00-prep_fipsmodule_cnf.t +@@ -29,8 +29,10 @@ my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf'); + + plan tests => 1; + ++ok(1 == 1); ++ + # Create the $fipsmoduleconf file +-ok(run(app(['openssl', 'fipsinstall', '-pedantic', +- '-module', $fipsmodule, '-provider_name', 'fips', +- '-section_name', 'fips_sect', '-out', $fipsmoduleconf])), +- "fips install"); ++#ok(run(app(['openssl', 'fipsinstall', '-pedantic', ++# '-module', $fipsmodule, '-provider_name', 'fips', ++# '-section_name', 'fips_sect', '-out', $fipsmoduleconf])), ++# "fips install"); +diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t +old mode 100644 +new mode 100755 +index ce594817d5..4530a46dd0 +--- a/test/recipes/01-test_fipsmodule_cnf.t ++++ b/test/recipes/01-test_fipsmodule_cnf.t +@@ -31,7 +31,8 @@ plan tests => 1; + my $fipsmodule = bldtop_file('providers', platform->dso('fips')); + my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf'); + ++ok(1 == 1) + # verify the $fipsconf file +-ok(run(app(['openssl', 'fipsinstall', +- '-in', $fipsmoduleconf, '-module', $fipsmodule, '-verify'])), +- "fipsinstall verify"); ++#ok(run(app(['openssl', 'fipsinstall', ++# '-in', $fipsmoduleconf, '-module', $fipsmodule, '-verify'])), ++# "fipsinstall verify"); +diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t +old mode 100644 +new mode 100755 +index 1f9110ef60..7e80637bd5 +--- a/test/recipes/03-test_fipsinstall.t ++++ b/test/recipes/03-test_fipsinstall.t +@@ -22,6 +22,8 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + ++plan skip_all => "Fipsinstall not available in Red Hat FIPS build"; ++ + plan skip_all => 
"Test only supported in a fips build" if disabled("fips"); + + # Compatible options for pedantic FIPS compliance -- -2.41.0 +2.49.0 diff --git a/0032-Force-fips.patch b/0019-FIPS-Force-fips-provider-on.patch similarity index 71% rename from 0032-Force-fips.patch rename to 0019-FIPS-Force-fips-provider-on.patch index 985fadf..08e2432 100644 --- a/0032-Force-fips.patch +++ b/0019-FIPS-Force-fips-provider-on.patch @@ -1,18 +1,19 @@ -From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 11:59:02 +0200 -Subject: [PATCH 16/48] 0032-Force-fips.patch +From a5f2ab969455d591327ea41cac9ffb64234ca38c Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 19/50] FIPS: Force fips provider on Patch-name: 0032-Force-fips.patch Patch-id: 32 Patch-status: | - # We load FIPS provider and set FIPS properties implicitly + # # We load FIPS provider and set FIPS properties implicitly +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/provider_conf.c | 28 +++++++++++++++++++++++++++- - 1 file changed, 27 insertions(+), 1 deletion(-) + crypto/provider_conf.c | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c -index 058fb58837..5274265a70 100644 +index 5ec50f97e4..a2a9786e1c 100644 --- a/crypto/provider_conf.c +++ b/crypto/provider_conf.c @@ -10,6 +10,8 @@ @@ -24,7 +25,7 @@ index 058fb58837..5274265a70 100644 #include #include #include -@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, +@@ -237,7 +239,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, if (path != NULL) ossl_provider_set_module_path(prov, path); 
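Review bot: The placeholder assertions that replace the fipsinstall tests, `ok(1 == 1);` in 00-prep_fipsmodule_cnf.t and `ok(1 == 1)` in 01-test_fipsmodule_cnf.t, are vacuous passes with no description, and the second one also lacks its semicolon (it appears to parse only because it ends up as the last statement of the file once the real test is commented out). Since `plan tests => 1` is kept in both files, the cleaner equivalent, and the one this same patch already uses in 03-test_fipsinstall.t, is to replace the plan line with `plan skip_all => "fipsinstall is disabled in the Red Hat FIPS build";`. If the placeholder is kept, give it a description so the TAP output says why the test is empty: `ok(1, "fipsinstall disabled in Red Hat build");`. In 03-test_fipsinstall.t the new unconditional `plan skip_all` makes the following `plan skip_all => ... if disabled("fips")` unreachable, which is harmless but could be dropped, and the 100644 to 100755 mode change on the three recipes looks unintended.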
@@ -33,7 +34,7 @@ index 058fb58837..5274265a70 100644 if (ok == 1) { if (!ossl_provider_activate(prov, 1, 0)) { -@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L +@@ -266,6 +268,8 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, if (ok <= 0) ossl_provider_free(prov); @@ -42,7 +43,7 @@ index 058fb58837..5274265a70 100644 } CRYPTO_THREAD_unlock(pcgbl->lock); -@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) +@@ -420,6 +424,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) return 0; } @@ -64,9 +65,6 @@ index 058fb58837..5274265a70 100644 + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) + return 0; + } -+ /* provider_conf_load can return 1 even when the test is failed so check explicitly */ -+ if (OSSL_PROVIDER_available(libctx, "fips") != 1) -+ return 0; + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) + return 0; + if (EVP_default_properties_enable_fips(libctx, 1) != 1) @@ -77,5 +75,5 @@ index 058fb58837..5274265a70 100644 } -- -2.41.0 +2.49.0 diff --git a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch new file mode 100644 index 0000000..62f5058 --- /dev/null +++ b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch 
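Review bot: The three `-+` lines in `@@ -64,9 +65,6 @@` drop the explicit `OSSL_PROVIDER_available(libctx, "fips")` check that followed the forced `provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL)` call, together with its comment that the load path can return 1 even when the self-test failed; on the new side a return of 1 from activation is the only evidence that the FIPS provider actually came up before `EVP_default_properties_enable_fips(libctx, 1)` pins the default properties to it. If the 3.5 activation path now reliably returns a value other than 1 on self-test failure, a one-line comment at that spot saying so would explain why the belt-and-braces check went away; if that is not certain, restoring `if (OSSL_PROVIDER_available(libctx, "fips") != 1) return 0;` is cheap and fails closed. The added function's signature and closing brace lie outside the hunk.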
@@ -0,0 +1,265 @@ +From 01427603bda0c44624b57c284e731c539828444e Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 20/50] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE + +Corrected by squashing in: +0052-Restore-the-correct-verify_integrity-function.patch + +Patch-name: 0033-FIPS-embed-hmac.patch +Patch-id: 33 +Patch-status: | + # # Embed HMAC into the fips.so + # Modify fips self test as per + # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + providers/fips/self_test.c | 170 ++++++++++++++++++++++++++++++++++--- + test/fipsmodule.cnf | 2 + + 2 files changed, 161 insertions(+), 11 deletions(-) + create mode 100644 test/fipsmodule.cnf + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index ef7be26ca7..8b17b8ca94 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -235,13 +235,137 @@ err: + return ok; + } + ++#define HMAC_LEN 32 ++/* ++ * The __attribute__ ensures we've created the .rodata1 section ++ * static ensures it's zero filled ++*/ ++static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0}; ++ + /* + * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify + * the result matches the expected value. + * Return 1 if verified, or 0 if it fails. 
+ */ ++ ++#ifndef __USE_GNU ++#define __USE_GNU ++#include ++#undef __USE_GNU ++#else ++#include ++#endif ++#include ++ ++static int verify_integrity_rodata(OSSL_CORE_BIO *bio, ++ OSSL_FUNC_BIO_read_ex_fn read_ex_cb, ++ const unsigned char *expected, ++ size_t expected_len, OSSL_LIB_CTX *libctx, ++ OSSL_SELF_TEST *ev, const char *event_type) ++{ ++ int ret = 0, status; ++ unsigned char out[MAX_MD_SIZE]; ++ unsigned char buf[INTEGRITY_BUF_SIZE]; ++ size_t bytes_read = 0, out_len = 0; ++ EVP_MAC *mac = NULL; ++ EVP_MAC_CTX *ctx = NULL; ++ OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; ++ ++ if (expected_len != HMAC_LEN) ++ goto err; ++ ++ if (!integrity_self_test(ev, libctx)) ++ goto err; ++ ++ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); ++ ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ ++ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); ++ if (mac == NULL) ++ goto err; ++ ctx = EVP_MAC_CTX_new(mac); ++ if (ctx == NULL) ++ goto err; ++ ++ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); ++ *p = OSSL_PARAM_construct_end(); ++ ++ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) ++ goto err; ++ ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (off < paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ /* read away the buffer */ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ if (status != 1) ++ goto err; ++ 
++ /* check that it is the expect bytes, no point in continuing otherwise */ ++ if (memcmp(expected, buf, HMAC_LEN) != 0) ++ goto err; ++ ++ /* replace in-file HMAC buffer with the original zeros */ ++ memset(buf, 0, HMAC_LEN); ++ if (!EVP_MAC_update(ctx, buf, HMAC_LEN)) ++ goto err; ++ off += HMAC_LEN; ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) ++ goto err; ++ ++ OSSL_SELF_TEST_oncorrupt_byte(ev, out); ++ if (expected_len != out_len ++ || memcmp(expected, out, out_len) != 0) ++ goto err; ++ ret = 1; ++err: ++ OSSL_SELF_TEST_onend(ev, ret); ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(mac); ++# ifdef OPENSSL_PEDANTIC_ZEROIZATION ++ OPENSSL_cleanse(out, sizeof(out)); ++# endif ++ return ret; ++} ++ + static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, +- unsigned char *expected, size_t expected_len, ++ const unsigned char *expected, size_t expected_len, + OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, + const char *event_type) + { +@@ -253,6 +377,9 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + EVP_MAC_CTX *ctx = NULL; + OSSL_PARAM params[2], *p = params; + ++ if (expected_len != HMAC_LEN) ++ goto err; ++ + if (!integrity_self_test(ev, libctx)) + goto err; + +@@ -316,7 +443,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + int ok = 0; + long checksum_len; + OSSL_CORE_BIO *bio_module = NULL; +- unsigned char *module_checksum = NULL; ++ const unsigned char *module_checksum = NULL; ++ unsigned char *alloc_checksum = NULL; + OSSL_SELF_TEST *ev = NULL; + EVP_RAND *testrand = NULL; + EVP_RAND_CTX *rng; +@@ -352,8 +480,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + return 0; + } + +- if (st == NULL +- || st->module_checksum_data == NULL) { ++ 
if (st == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); + goto end; + } +@@ -362,8 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + if (ev == NULL) + goto end; + +- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, +- &checksum_len); ++ if (st->module_checksum_data == NULL) { ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ } else { ++ alloc_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, ++ &checksum_len); ++ module_checksum = alloc_checksum; ++ } ++ + if (module_checksum == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); + goto end; +@@ -371,14 +505,28 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); + + /* Always check the integrity of the fips module */ +- if (bio_module == NULL +- || !verify_integrity(bio_module, st->bio_read_ex_cb, +- module_checksum, checksum_len, st->libctx, +- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ if (bio_module == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); + goto end; + } + ++ if (st->module_checksum_data == NULL) { ++ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } else { ++ if (!verify_integrity(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, st->libctx, ++ ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } ++ + if (!SELF_TEST_kats(ev, st->libctx)) { + ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); + goto end; +@@ -398,7 +546,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + end: + EVP_RAND_free(testrand); + OSSL_SELF_TEST_free(ev); +- OPENSSL_free(module_checksum); ++ 
OPENSSL_free(alloc_checksum); + + if (st != NULL) + (*st->bio_free_cb)(bio_module); +diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf +new file mode 100644 +index 0000000000..f05d0dedbe +--- /dev/null ++++ b/test/fipsmodule.cnf +@@ -0,0 +1,2 @@ ++[fips_sect] ++activate = 1 +-- +2.49.0 + diff --git a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch new file mode 100644 index 0000000..3f894dc --- /dev/null +++ b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch @@ -0,0 +1,32 @@ +From e5fa1a36fb4786a29e5e0ffcafc1198a18ef2a1c Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 20 Feb 2025 15:30:32 -0500 +Subject: [PATCH 21/50] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so + +This script rewrites the fips.so binary to embed the hmac result into it +so that after a build it can be called to make the fips.so as modified +by Red Hat to properly pass the integrty test + +Signed-off-by: Simo Sorce +--- + fips-hmacify.sh | 8 ++++++++ + 1 file changed, 8 insertions(+) + create mode 100755 fips-hmacify.sh + +diff --git a/fips-hmacify.sh b/fips-hmacify.sh +new file mode 100755 +index 0000000000..54ae60b07f +--- /dev/null ++++ b/fips-hmacify.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++ ++dd if=/dev/zero bs=1 count=32 of=tmp.mac >/dev/null 2>&1 ++objcopy --update-section .rodata1=tmp.mac providers/fips.so providers/fips.so.zeromac ++mv providers/fips.so.zeromac providers/fips.so ++LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac ++objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac ++mv providers/fips.so.mac providers/fips.so +-- +2.49.0 + diff --git a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch new file mode 100644 index 0000000..1058cf5 
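Review bot: In `verify_integrity_rodata` the read that skips over the embedded MAC, `status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);`, checks only `status`, so a short read leaves stale bytes from the previous block in `buf` for the following `memcmp(expected, buf, HMAC_LEN)` and makes the `off += HMAC_LEN` bookkeeping wrong; change the guard to `if (status != 1 || bytes_read != HMAC_LEN) goto err;`. The same function derives `paddr` as `fips_hmac_container - lm->l_addr`, which is the symbol's link-time virtual address, and then uses it as a file offset into the module, which only lines up when the segment holding `.rodata1` has equal p_vaddr and p_offset, so a comment such as `/* assumes vaddr == file offset for the .rodata1 segment; a mismatch fails the integrity check closed */` would record the assumption. `int delta = paddr - off;` narrows an unsigned long to int where `size_t` would match `read_ex_cb`'s length parameter. The `#define __USE_GNU` wrapper around the dlfcn include (the include targets were lost in extraction) relies on a glibc-internal macro; the supported spelling is `#define _GNU_SOURCE` before the first system header.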
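Review bot: fips-hmacify.sh chains `dd`, `objcopy`, `openssl dgst` and `mv` without checking any exit status, so a failing `objcopy` or `dgst` (for example when `apps/openssl` cannot find libcrypto via `LD_LIBRARY_PATH=.` because the script is run from another directory) still lets the final `mv` replace providers/fips.so with a zero-MAC or truncated image that only fails later, at the provider's integrity self-test. Add `set -euo pipefail` after the shebang and `trap 'rm -f tmp.mac providers/fips.so.hmac' EXIT` so the intermediates are removed; today `tmp.mac` and `providers/fips.so.hmac` are left in the build tree. It would also be worth checking that `providers/fips.so.hmac` is exactly 32 bytes before it is written into `.rodata1`, since `objcopy --update-section` accepts any length and `verify_integrity_rodata` expects `HMAC_LEN` bytes at that spot.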
--- /dev/null +++ b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch @@ -0,0 +1,49 @@ +From 2c0a4a02d274997dcc969ec8a7f13922aa3a4d7b Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 22/50] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW + +Patch-name: 0047-FIPS-early-KATS.patch +Patch-id: 47 +Patch-status: | + # # Execute KATS before HMAC verification +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + providers/fips/self_test.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index 8b17b8ca94..0f5074936f 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -489,6 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + if (ev == NULL) + goto end; + ++ /* ++ * Run the KAT's before HMAC verification according to FIPS-140-3 ++ * requirements ++ */ ++ if (!SELF_TEST_kats(ev, st->libctx)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); ++ goto end; ++ } ++ + if (st->module_checksum_data == NULL) { + module_checksum = fips_hmac_container; + checksum_len = sizeof(fips_hmac_container); +@@ -527,11 +536,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + } + } + +- if (!SELF_TEST_kats(ev, st->libctx)) { +- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); +- goto end; +- } +- + /* Verify that the RNG has been restored properly */ + rng = ossl_rand_get0_private_noncreating(st->libctx); + if (rng != NULL) +-- +2.49.0 + diff --git a/0058-FIPS-limit-rsa-encrypt.patch b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch similarity index 89% rename from 0058-FIPS-limit-rsa-encrypt.patch rename to 0023-FIPS-RSA-encrypt-limits-REVIEW.patch index c4f952b..5fa29ca 100644 --- a/0058-FIPS-limit-rsa-encrypt.patch +++ b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch 
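Review bot: The comment on the moved KAT block, `Run the KAT's before HMAC verification according to FIPS-140-3 requirements`, does not name the requirement, and because `verify_integrity`/`verify_integrity_rodata` still run `integrity_self_test` as the HMAC CAST right before the integrity check, a reader will wonder why the full KAT set must also precede it. Suggest citing the clause, e.g. `/* FIPS 140-3: all CASTs must pass before the pre-operational software integrity test (<cite the ISO/IEC 19790 clause or IG number>) */`, and dropping the apostrophe in `KAT's`. With the KATs first, a KAT failure now reaches `end:` before `bio_module` is opened and before `alloc_checksum` is allocated, which the cleanup already tolerates since the existing `ev == NULL` early exit takes the same path. SELF_TEST_post starts and ends outside the hunk.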
@@ -1,7 +1,7 @@ -From 012e319b3d5b936a9208b1c75c13d9c4a2d0cc04 Mon Sep 17 00:00:00 2001 +From e3def0e0439297fdfb9d17ede9f5e38e829d5d86 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 24/49] 0058-FIPS-limit-rsa-encrypt.patch +Subject: [PATCH 23/50] FIPS: RSA: encrypt limits - REVIEW Patch-name: 0058-FIPS-limit-rsa-encrypt.patch Patch-id: 58 @@ -10,53 +10,50 @@ Patch-status: | From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- providers/common/securitycheck.c | 1 + - .../implementations/asymciphers/rsa_enc.c | 35 +++++ - .../30-test_evp_data/evppkey_rsa_common.txt | 140 +++++++++++++----- + .../fips/include/fips_indicator_params.inc | 2 +- + .../implementations/asymciphers/rsa_enc.c | 26 ++++ + .../30-test_evp_data/evppkey_rsa_common.txt | 146 +++++++++++++----- test/recipes/80-test_cms.t | 5 +- test/recipes/80-test_ssl_old.t | 27 +++- - 5 files changed, 168 insertions(+), 40 deletions(-) + 6 files changed, 164 insertions(+), 43 deletions(-) + mode change 100644 => 100755 test/recipes/80-test_ssl_old.t diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c -index fe694c4e96..f635b5aec8 100644 +index 79a9c48ce2..0e517542bc 100644 --- a/providers/common/securitycheck.c 
+++ b/providers/common/securitycheck.c -@@ -27,6 +27,7 @@ +@@ -65,6 +65,7 @@ int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect) * Set protect = 1 for encryption or signing operations, or 0 otherwise. See * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. */ +/* Red Hat build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */ - int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) + int ossl_rsa_check_key_size(const RSA *rsa, int protect) { - int protect = 0; + int sz = RSA_bits(rsa); +diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc +index 78f9fc0655..6bd783eb0a 100644 +--- a/providers/fips/include/fips_indicator_params.inc ++++ b/providers/fips/include/fips_indicator_params.inc +@@ -13,7 +13,7 @@ OSSL_FIPS_PARAM(sskdf_digest_check, SSKDF_DIGEST_CHECK, 0) + OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0) + OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0) + OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0) +-OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0) ++OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 1) + OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0) + OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0) + OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0) diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index 71bfa344d4..d548560f1f 100644 +index 6ee127caff..2a7c2f159e 100644 --- a/providers/implementations/asymciphers/rsa_enc.c 
+++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -135,6 +135,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa, - return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT); - } +@@ -168,6 +168,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, + } + #endif +# ifdef FIPS_MODULE -+static int fips_padding_allowed(const PROV_RSA_CTX *prsactx) -+{ -+ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING -+ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) -+ return 0; -+ -+ return 1; -+} -+# endif -+ - static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, - size_t outsize, const unsigned char *in, size_t inlen) - { -@@ -144,6 +155,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, - if (!ossl_prov_is_running()) - return 0; - -+# ifdef FIPS_MODULE -+ if (fips_padding_allowed(prsactx) == 0) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); ++ if (prsactx->pad_mode == RSA_NO_PADDING) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); + return 0; + } + @@ -69,13 +66,15 @@ index 71bfa344d4..d548560f1f 100644 if (out == NULL) { size_t len = RSA_size(prsactx->rsa); -@@ -206,6 +229,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, +@@ -230,6 +242,20 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, if (!ossl_prov_is_running()) return 0; +# ifdef FIPS_MODULE -+ if (fips_padding_allowed(prsactx) == 0) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); ++ if ((prsactx->pad_mode == RSA_PKCS1_PADDING ++ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING ++ || prsactx->pad_mode == RSA_NO_PADDING)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); + return 0; + } + @@ -89,7 +88,7 @@ index 71bfa344d4..d548560f1f 100644 if (out == NULL) { *outlen = SSL_MAX_MASTER_KEY_LENGTH; 
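Review bot: The encrypt-side FIPS check in rsa_encrypt now hard-rejects only `RSA_NO_PADDING`, while the decrypt-side check in `@@ -69,13 +66,15 @@` still hard-rejects `RSA_PKCS1_PADDING` and `RSA_PKCS1_WITH_TLS_PADDING` as well; PKCS#1 v1.5 encryption appears to be left to the `rsa_pkcs15_padding_disabled` indicator, whose default this hunk flips from 0 to 1 in fips_indicator_params.inc. If that indicator remains settable from the provider's configuration section, a config value of 0 would silently re-enable v1.5 key transport for encryption in this build while decryption stays blocked, so it is worth confirming that split is intended and that the upstream indicator check also covers TLS padding on the encrypt path. Either way, a comment at the new encrypt check, `/* PKCS#1 v1.5 and TLS padding are refused via the rsa_pkcs15_padding_disabled indicator (default 1 in this build); only no-padding is refused unconditionally here */`, would record why the two lists differ. rsa_encrypt and rsa_decrypt both start outside the hunk.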
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -index 76ddc1ec60..62d55308b0 100644 +index 18e11bdaa9..17ceb59148 100644 --- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt @@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377 
@@ -126,7 +125,31 @@ index 76ddc1ec60..62d55308b0 100644 # Corrupted ciphertext # Note: disable the Bleichenbacher workaround to see if it fails Decrypt = RSA-2048 -@@ -345,82 +345,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC +@@ -296,13 +296,14 @@ Input = 0000000000000000000000000000000000000001 + Result = KEYOP_ERROR + + # RSADP Ciphertext = 2 should pass ++Availablein = default + Decrypt = RSA-2048 + Ctrl = rsa_padding_mode:none + Input = 0000000000000000000000000000000000000002 + Output = 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 + + # RSADP Ciphertext = n-2 should pass +-Availablein = fips ++Availablein = none + Decrypt = RSA-2048 + Ctrl = rsa_padding_mode:none + Input = 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 +@@ -317,6 +318,7 @@ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b0 + Result = KEYOP_ERROR + + # RSADP Ciphertext = n should fail ++Availablein = default + Decrypt = RSA-2048 + Ctrl = rsa_padding_mode:none + Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f +@@ -406,82 +408,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC # RSA decrypt # a random positive test case 
@@ -223,7 +246,7 @@ index 76ddc1ec60..62d55308b0 100644 # an otherwise correct plaintext, but with wrong first byte # (0x01 instead of 0x00), generates a random 11 byte long plaintext Decrypt = RSA-2048-2 -@@ -428,7 +436,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc +@@ -489,7 +499,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc Output = a1f8c9255c35cfba403ccc # The old FIPS provider doesn't include the workaround (#13817) @@ -232,7 +255,7 @@ index 76ddc1ec60..62d55308b0 100644 # an otherwise correct plaintext, but with wrong second byte # (0x01 instead of 0x02), generates a random 11 byte long plaintext Decrypt = RSA-2048-2 -@@ -436,7 +444,7 @@ Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d +@@ -497,7 +507,7 @@ Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d Output = e6d700309ca0ed62452254 # The old FIPS provider doesn't include the workaround (#13817) @@ -241,7 +264,7 @@ index 76ddc1ec60..62d55308b0 100644 # an invalid ciphertext, with a zero byte in first byte of # ciphertext, decrypts to a random 11 byte long synthetic # plaintext -@@ -445,7 +453,7 @@ Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2a +@@ -506,7 +516,7 @@ Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2a Output = ba27b1842e7c21c0e7ef6a # The old FIPS provider doesn't include the workaround (#13817) @@ -250,7 +273,7 @@ index 76ddc1ec60..62d55308b0 100644 # an invalid ciphertext, with a zero byte removed from first byte of # ciphertext, decrypts to a random 11 byte long synthetic # plaintext -@@ -454,7 +462,7 @@ Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3 +@@ -515,7 +525,7 @@ Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3 Output = ba27b1842e7c21c0e7ef6a # The old FIPS provider doesn't include the workaround (#13817) 
@@ -259,7 +282,7 @@ index 76ddc1ec60..62d55308b0 100644 # an invalid ciphertext, with two zero bytes in first bytes of # ciphertext, decrypts to a random 11 byte long synthetic # plaintext -@@ -463,7 +471,7 @@ Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f +@@ -524,7 +534,7 @@ Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f Output = d5cf555b1d6151029a429a # The old FIPS provider doesn't include the workaround (#13817) @@ -268,7 +291,7 @@ index 76ddc1ec60..62d55308b0 100644 # an invalid ciphertext, with two zero bytes removed from first bytes of # ciphertext, decrypts to a random 11 byte long synthetic # plaintext -@@ -472,7 +480,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c +@@ -533,7 +543,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c Output = d5cf555b1d6151029a429a # The old FIPS provider doesn't include the workaround (#13817) @@ -277,7 +300,7 @@ index 76ddc1ec60..62d55308b0 100644 # and invalid ciphertext, otherwise valid but starting with 000002, decrypts # to random 11 byte long synthetic plaintext Decrypt = RSA-2048-2 -@@ -480,7 +488,7 @@ Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802 +@@ -541,7 +551,7 @@ Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802 Output = 3d4a054d9358209e9cbbb9 # The old FIPS provider doesn't include the workaround (#13817) @@ -286,7 +309,7 @@ index 76ddc1ec60..62d55308b0 100644 # negative test with otherwise valid padding but a zero byte in first byte # of padding Decrypt = RSA-2048-2 -@@ -488,7 +496,7 @@ Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a94 +@@ -549,7 +559,7 @@ Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a94 Output = 1f037dd717b07d3e7f7359 # The old FIPS provider doesn't include the workaround (#13817) 
@@ -295,7 +318,7 @@ index 76ddc1ec60..62d55308b0 100644 # negative test with otherwise valid padding but a zero byte at the eighth # byte of padding Decrypt = RSA-2048-2 -@@ -496,7 +504,7 @@ Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a9646 +@@ -557,7 +567,7 @@ Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a9646 Output = 63cb0bf65fc8255dd29e17 # The old FIPS provider doesn't include the workaround (#13817) @@ -304,7 +327,7 @@ index 76ddc1ec60..62d55308b0 100644 # negative test with an otherwise valid plaintext but with missing separator # byte Decrypt = RSA-2048-2 -@@ -551,53 +559,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC +@@ -612,53 +622,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC # RSA decrypt # The old FIPS provider doesn't include the workaround (#13817) @@ -367,7 +390,7 @@ index 76ddc1ec60..62d55308b0 100644 # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) Decrypt = RSA-2049 Input = 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 -@@ -661,14 +674,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= +@@ -722,14 +737,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC # The old FIPS provider doesn't include the workaround (#13817) @@ -384,7 +407,7 @@ index 76ddc1ec60..62d55308b0 100644 # a random invalid that has PRF output with a length one byte too long # in the last value Decrypt = RSA-3072 -@@ -676,46 +689,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa +@@ -737,46 +752,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa Output = 56a3bea054e01338be9b7d7957539c # The old FIPS provider doesn't include the workaround (#13817) 
@@ -439,7 +462,7 @@ index 76ddc1ec60..62d55308b0 100644 # a random negative test case that generates a 9 byte long message based on # second to last value from PRF Decrypt = RSA-3072 -@@ -723,7 +741,7 @@ Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a0 +@@ -784,7 +804,7 @@ Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a0 Output = 043383c929060374ed # The old FIPS provider doesn't include the workaround (#13817) @@ -448,7 +471,7 @@ index 76ddc1ec60..62d55308b0 100644 # a random negative test that generates message based on 3rd last value from # PRF Decrypt = RSA-3072 -@@ -731,35 +749,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf48 +@@ -792,35 +812,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf48 Output = 70263fa6050534b9e0 # The old FIPS provider doesn't include the workaround (#13817) @@ -489,7 +512,18 @@ index 76ddc1ec60..62d55308b0 100644 # an otherwise valid plaintext, but with null separator missing Decrypt = RSA-3072 Input = 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 -@@ -1106,36 +1124,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2 +@@ -912,9 +932,9 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD + + # Verify of above signature + Verify = RSA-2048-PUBLIC ++Ctrl = digest:sha256 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:0 +-Ctrl = digest:sha256 + Input="0123456789ABCDEF0123456789ABCDEF" + Output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vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2 h90qjKHS9PvY4Q== -----END PRIVATE KEY----- 
@@ -532,7 +566,7 @@ index 76ddc1ec60..62d55308b0 100644 Decrypt=RSA-OAEP-1 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1160,36 +1184,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8 +@@ -1261,36 +1287,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8 eG2e4XlBcKjI6A== -----END PRIVATE KEY----- @@ -575,7 +609,7 @@ index 76ddc1ec60..62d55308b0 100644 Decrypt=RSA-OAEP-2 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1214,36 +1244,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z +@@ -1315,36 +1347,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z Ya4qnqZe1onjY5o= -----END PRIVATE KEY----- @@ -618,7 +652,7 @@ index 76ddc1ec60..62d55308b0 100644 Decrypt=RSA-OAEP-3 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1268,36 +1304,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq +@@ -1369,36 +1407,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq aD0x7TDrmEvkEro= -----END PRIVATE KEY----- @@ -661,7 +695,7 @@ index 76ddc1ec60..62d55308b0 100644 Decrypt=RSA-OAEP-4 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1322,36 +1364,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B +@@ -1423,36 +1467,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B MSwGUGLx60i3nRyDyw== -----END PRIVATE KEY----- @@ -704,7 +738,7 @@ index 76ddc1ec60..62d55308b0 100644 Decrypt=RSA-OAEP-5 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1376,36 +1424,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC +@@ -1477,36 +1527,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC Yejn5Ly8mU2q+jBcRQ== -----END PRIVATE KEY----- 
@@ -747,7 +781,7 @@ index 76ddc1ec60..62d55308b0 100644 Decrypt=RSA-OAEP-6 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1430,36 +1484,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS +@@ -1531,36 +1587,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS FMlxv0gq65dqc3DC -----END PRIVATE KEY----- @@ -790,7 +824,7 @@ index 76ddc1ec60..62d55308b0 100644 Decrypt=RSA-OAEP-7 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1484,36 +1544,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM +@@ -1585,36 +1647,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM 2MiPa249Z+lh3Luj0A== -----END PRIVATE KEY----- @@ -833,7 +867,7 @@ index 76ddc1ec60..62d55308b0 100644 Decrypt=RSA-OAEP-8 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1544,36 +1610,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo +@@ -1645,36 +1713,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo tKo5Eb69iFQvBb4= -----END PRIVATE KEY----- @@ -877,19 +911,19 @@ index 76ddc1ec60..62d55308b0 100644 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 4e368c730b..879d5d76eb 100644 +index 5c967c5818..d13dceaac5 100644 --- a/test/recipes/80-test_cms.t 
+++ b/test/recipes/80-test_cms.t -@@ -235,7 +235,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], +@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = ( -- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", -+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS", - [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, - "-aes256", "-stream", "-out", "{output}.cms", - $smrsa1, -@@ -1118,6 +1118,9 @@ sub check_availability { + if ($no_fips || $old_fips) { + push(@smime_pkcs7_tests, +- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", ++ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS", + [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, + "-aes256", "-stream", "-out", "{output}.cms", + $smrsa1, +@@ -1267,6 +1267,9 @@ sub check_availability { return "$tnam: skipped, DSA disabled\n" if ($no_dsa && $tnam =~ / DSA/); @@ -900,10 +934,12 @@ index 4e368c730b..879d5d76eb 100644 } diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t -index e2dcb68fb5..0775112b40 100644 +old mode 100644 +new mode 100755 +index f7be2e1872..568a1ddba4 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t -@@ -493,6 +493,18 @@ sub testssl { +@@ -561,6 +561,18 @@ sub testssl { # the default choice if TLSv1.3 enabled my $flag = $protocol eq "-tls1_3" ? "" : $protocol; my $ciphersuites = ""; @@ -920,9 +956,9 @@ index e2dcb68fb5..0775112b40 100644 +AES128-SHA:@SECLEVEL=0 + ); foreach my $cipher (@{$ciphersuites{$protocol}}) { - if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { - note "*****SKIPPING $protocol $cipher"; -@@ -504,11 +516,16 @@ sub testssl { + if ($dsaallow == '0' && index($cipher, "DSS") != -1) { + # DSA is not allowed in FIPS 140-3 +@@ -576,11 +588,16 @@ sub testssl { } else { $cipher = $cipher.':@SECLEVEL=0'; } 
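Review bot: The rebased inner diff for test/recipes/80-test_ssl_old.t now carries `+old mode 100644` / `+new mode 100755`, so applying this patch makes the test recipe executable, which looks like an artifact of the tree the patch was regenerated on rather than an intended change. Dropping those two lines and restoring the mode suffix on the index line (`index f7be2e1872..568a1ddba4 100644`, as the previous version had) keeps the patch limited to the cipher-list change. The inner hunk's enclosing `sub testssl` starts and ends outside the quoted context.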
@@ -945,5 +981,5 @@ index e2dcb68fb5..0775112b40 100644 } next if $protocol eq "-tls1_3"; -- -2.44.0 +2.49.0 diff --git a/0024-FIPS-RSA-PCTs.patch b/0024-FIPS-RSA-PCTs.patch new file mode 100644 index 0000000..08fdb73 --- /dev/null +++ b/0024-FIPS-RSA-PCTs.patch 
@@ -0,0 +1,157 @@ +From 77fdffb56f9194fe81d7e91bf9a7ac06be02e250 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 24 Mar 2025 10:50:37 -0400 +Subject: [PATCH 24/50] FIPS: RSA: PCTs + +Signed-off-by: Simo Sorce +--- + providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++ + providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++-- + 2 files changed, 61 insertions(+), 4 deletions(-) + +diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c +index 77d0950094..f0e71beb43 100644 +--- a/providers/implementations/keymgmt/rsa_kmgmt.c ++++ b/providers/implementations/keymgmt/rsa_kmgmt.c +@@ -433,6 +433,7 @@ struct rsa_gen_ctx { + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + /* ACVP test parameters */ + OSSL_PARAM *acvp_test_params; ++ void *prov_rsa_ctx; + #endif + }; + +@@ -446,6 +447,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb) + return gctx->cb(params, gctx->cbarg); + } + ++#ifdef FIPS_MODULE ++void *rsa_newctx(void *provctx, const char *propq); ++void rsa_freectx(void *vctx); ++int do_rsa_pct(void *, const char *, void *); ++#endif ++ + static void *gen_init(void *provctx, int selection, int rsa_type, + const OSSL_PARAM params[]) + { +@@ -473,6 +480,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type, + + if (!rsa_gen_set_params(gctx, params)) + goto err; ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); ++#endif + return gctx; + + err: +@@ -629,6 +640,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + + rsa = rsa_tmp; + rsa_tmp = NULL; ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) ++ abort(); ++#endif + err: + BN_GENCB_free(gencb); + RSA_free(rsa_tmp); +@@ -644,6 +660,8 @@ static void rsa_gen_cleanup(void *genctx) + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + 
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); + gctx->acvp_test_params = NULL; ++ rsa_freectx(gctx->prov_rsa_ctx); ++ gctx->prov_rsa_ctx = NULL; + #endif + BN_clear_free(gctx->pub_exp); + OPENSSL_free(gctx); +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index c4740128ce..b08c9685dd 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -37,7 +37,7 @@ + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 + #define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256 + +-static OSSL_FUNC_signature_newctx_fn rsa_newctx; ++OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; + static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; +@@ -54,7 +54,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; + static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update; + static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn rsa_freectx; ++OSSL_FUNC_signature_freectx_fn rsa_freectx; + static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; + static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; + static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; +@@ -226,7 +226,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) + return 1; + } + +-static void *rsa_newctx(void *provctx, const char *propq) ++void *rsa_newctx(void *provctx, const char *propq) + { + PROV_RSA_CTX *prsactx = NULL; + char *propq_copy = NULL; +@@ -1317,7 +1317,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, + return ok; + } + +-static void rsa_freectx(void *vprsactx) ++void rsa_freectx(void *vprsactx) 
+ { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + +@@ -1867,6 +1867,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) + return EVP_MD_settable_ctx_params(prsactx->md); + } + ++#ifdef FIPS_MODULE ++int do_rsa_pct(void *vctx, const char *mdname, void *rsa) ++{ ++ static const unsigned char data[32]; ++ unsigned char *sigbuf = NULL; ++ size_t siglen = 0; ++ int ret = 0; ++ ++ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) ++ return 0; ++ ++ if (rsa_digest_sign_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) ++ return 0; ++ ++ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_update(vctx, data, sizeof(data)) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ goto err; ++ ret = 1; ++ ++ err: ++ OPENSSL_free(sigbuf); ++ return ret; ++} ++#endif ++ + const OSSL_DISPATCH ossl_rsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, +-- +2.49.0 + diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch deleted file mode 100644 index 52ac5d5..0000000 --- a/0024-load-legacy-prov.patch +++ /dev/null 
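Review bot: The new `prov_rsa_ctx` member of `struct rsa_gen_ctx` is declared, and later freed in rsa_gen_cleanup, under `#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)`, but gen_init assigns it and rsa_gen reads it under a plain `#ifdef FIPS_MODULE`, so a FIPS build with OPENSSL_NO_ACVP_TESTS defined would not compile. Give the member its own `#ifdef FIPS_MODULE` block and move the `rsa_freectx(gctx->prov_rsa_ctx); gctx->prov_rsa_ctx = NULL;` pair under that same guard. The result of `rsa_newctx(provctx, NULL)` is never checked, so on allocation failure do_rsa_pct hands a NULL context to rsa_digest_sign_init; gen_init should `goto err` when the context cannot be created (the `if (gctx != NULL)` test there is redundant, gctx was already dereferenced by rsa_gen_set_params). Declaring rsa_newctx/rsa_freectx/do_rsa_pct with ad-hoc prototypes in rsa_kmgmt.c instead of a shared provider header means a later signature change in rsa_sig.c is not caught by the compiler.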
@@ -1,80 +0,0 @@ -diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf ---- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200 -+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200 -@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1 - tsa_policy2 = 1.2.3.4.5.6 - tsa_policy3 = 1.2.3.4.5.7 - --# For FIPS --# Optionally include a file that is generated by the OpenSSL fipsinstall --# application. This file contains configuration data required by the OpenSSL --# fips provider. It contains a named section e.g. [fips_sect] which is --# referenced from the [provider_sect] below. --# Refer to the OpenSSL security policy for more information. --# .include fipsmodule.cnf -- - [openssl_init] - providers = provider_sect - # Load default TLS policy configuration -@@ -42,23 +42,27 @@ [ evp_properties ] - #This section is intentionally added empty here - #to be tuned on particular systems - --# List of providers to load --[provider_sect] --default = default_sect --# The fips section name should match the section name inside the --# included fipsmodule.cnf. --# fips = fips_sect -+# Uncomment the sections that start with ## below to enable the legacy provider. -+# Loading the legacy provider enables support for the following algorithms: -+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 -+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED -+# Key Derivation Function (KDF): PBKDF1 -+# In general it is not recommended to use the above mentioned algorithms for -+# security critical operations, as they are cryptographically weak or vulnerable -+# to side-channel attacks and as such have been deprecated. - --# If no providers are activated explicitly, the default one is activated implicitly. --# See man 7 OSSL_PROVIDER-default for more details. 
--# --# If you add a section explicitly activating any other provider(s), you most --# probably need to explicitly activate the default provider, otherwise it --# becomes unavailable in openssl. As a consequence applications depending on --# OpenSSL may not work correctly which could lead to significant system --# problems including inability to remotely access the system. --[default_sect] --# activate = 1 -+[provider_sect] -+default = default_sect -+##legacy = legacy_sect -+## -+[default_sect] -+activate = 1 -+ -+##[legacy_sect] -+##activate = 1 -+ -+#Place the third party provider configuration files into this folder -+.include /etc/pki/tls/openssl.d - - [ ssl_module ] - -diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod ---- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200 -+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200 -@@ -273,6 +273,14 @@ significant. - All parameters in the section as well as sub-sections are made - available to the provider. - -+=head3 Loading the legacy provider -+ -+Uncomment the sections that start with ## in openssl.cnf -+to enable the legacy provider. -+Note: In general it is not recommended to use the above mentioned algorithms for -+security critical operations, as they are cryptographically weak or vulnerable -+to side-channel attacks and as such have been deprecated. -+ - =head3 Default provider and its activation - - If no providers are activated explicitly, the default one is activated implicitly. diff --git a/0025-FIPS-RSA-encapsulate-limits.patch b/0025-FIPS-RSA-encapsulate-limits.patch new file mode 100644 index 0000000..65f4d51 --- /dev/null +++ b/0025-FIPS-RSA-encapsulate-limits.patch 
@@ -0,0 +1,59 @@
+From 1ba2caa0c71e45e5ccc9cec2e389d3ee7c68a252 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 25/50] FIPS: RSA: encapsulate limits
+
+Patch-name: 0091-FIPS-RSA-encapsulate.patch
+Patch-id: 91
+Patch-status: |
+ # 0091-FIPS-RSA-encapsulate.patch
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ providers/implementations/kem/rsa_kem.c | 14 ++++++++++++++
+ test/recipes/30-test_evp_data/evppkey_rsa_kem.txt | 1 +
+ 2 files changed, 15 insertions(+)
+
+diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
+index 7494dcc010..5d6123e8cb 100644
+--- a/providers/implementations/kem/rsa_kem.c
++++ b/providers/implementations/kem/rsa_kem.c
+@@ -284,6 +284,13 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
+ /* Step (1): nlen = Ceil(len(n)/8) */
+ nlen = RSA_size(prsactx->rsa);
+ 
++#ifdef FIPS_MODULE
++ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++#endif
++
+ if (out == NULL) {
+ if (nlen == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
+@@ -360,6 +367,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
+ /* Step (1): get the byte length of n */
+ nlen = RSA_size(prsactx->rsa);
+ 
++#ifdef FIPS_MODULE
++ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++ return 0;
++ }
++#endif
++
+ if (out == NULL) {
+ if (nlen == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt b/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt
+index ecab1454e7..8e5edd35fe 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt
++++ b/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt
+@@ -108,3 +108,4 @@ Securitycheck = 1
+ Unapproved = 1
+ CtrlInit = key-check:0
+ Op = RSASVE
++Result = TEST_ENCAPSULATE_LEN_ERROR
+--
+2.49.0
+
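Review bot: The minimum-size check added to rsasve_generate and rsasve_recover compares the byte length from RSA_size() against `OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8`, so a modulus up to seven bits short of the limit still passes (RSA_size rounds up to whole bytes), and if the constant were ever not a multiple of 8 the integer division would lower the bound further. Comparing the bit length directly is exact: `if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {`. The identical block is pasted into both functions; a small static helper in rsa_kem.c would keep the two paths from drifting. Both enclosing functions start and end outside the quoted inner hunks.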
diff --git a/0025-for-tests.patch b/0025-for-tests.patch deleted file mode 100644 index 0e0146c..0000000 --- a/0025-for-tests.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf ---- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100 -+++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100 -@@ -55,17 +55,17 @@ providers = provider_sect - # to side-channel attacks and as such have been deprecated. - - [provider_sect] --default = default_sect -+##default = default_sect - ##legacy = legacy_sect - ## --[default_sect] --activate = 1 -+##[default_sect] -+##activate = 1 - - ##[legacy_sect] - ##activate = 1 - --#Place the third party provider configuration files into this folder --.include /etc/pki/tls/openssl.d -+##Place the third party provider configuration files into this folder -+#.include /etc/pki/tls/openssl.d - - -#################################################################### diff --git a/0085-FIPS-RSA-disable-shake.patch b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch similarity index 61% rename from 0085-FIPS-RSA-disable-shake.patch rename to 0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch index 8aa3d45..6211eab 100644 --- a/0085-FIPS-RSA-disable-shake.patch +++ b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch @@ -1,7 +1,7 @@ -From 52b347703ba2b98a0efee86c1a483c2f0f9f73d6 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Wed, 11 Jan 2023 12:52:59 +0100 -Subject: [PATCH] rsa: Disallow SHAKE in OAEP and PSS in FIPS prov +From 3b61e3b98c1c0110e9c55fb14a967c69d8efdda8 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 26/50] FIPS: RSA: Disallow SHAKE in OAEP and PSS According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms must not be used in higher-level algorithms (such as RSA-OAEP and 
@@ -17,68 +17,52 @@ Add a check to prevent their use as message digest in PSS signatures and as MGF1 hash function in both OAEP and PSS. Signed-off-by: Clemens Lang + +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++ + crypto/rsa/rsa_oaep.c | 16 ++++++++++++++++ crypto/rsa/rsa_pss.c | 16 ++++++++++++++++ - 2 files changed, 44 insertions(+) + 2 files changed, 32 insertions(+) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c -index d9be1a4f98..dfe9c9f0e8 100644 +index 5a1c080fcd..11cd78618b 100644 --- a/crypto/rsa/rsa_oaep.c 
+++ b/crypto/rsa/rsa_oaep.c -@@ -73,9 +73,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, - return 0; - #endif - } -+ -+#ifdef FIPS_MODULE -+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); -+ return 0; -+ } -+#endif +@@ -76,6 +76,14 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, if (mgf1md == NULL) mgf1md = md; +#ifdef FIPS_MODULE -+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { ++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") || ++ EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { + ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); + return 0; + } +#endif + - mdlen = EVP_MD_get_size(md); - if (mdlen <= 0) { - ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH); -@@ -181,9 +195,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, - #endif - } - -+#ifdef FIPS_MODULE -+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); -+ return -1; -+ } -+#endif -+ + #ifdef FIPS_MODULE + /* XOF are approved as standalone; Shake256 in Ed448; MGF */ + if (EVP_MD_xof(md)) { +@@ -194,6 +202,14 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, if (mgf1md == NULL) mgf1md = md; +#ifdef FIPS_MODULE -+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { ++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") || ++ EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { + ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); + return -1; + } +#endif + - mdlen = EVP_MD_get_size(md); - - if (tlen <= 0 || flen <= 0) + #ifdef FIPS_MODULE + /* XOF are approved as standalone; Shake256 in Ed448; MGF */ + if (EVP_MD_xof(md)) { diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c -index 33874bfef8..e8681b0351 100644 +index a2bc198a89..2833ca50f3 100644 
--- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c -@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, +@@ -61,6 +61,14 @@ int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, if (mgf1Hash == NULL) mgf1Hash = Hash; @@ -91,9 +75,9 @@ index 33874bfef8..e8681b0351 100644 +#endif + hLen = EVP_MD_get_size(Hash); - if (hLen < 0) + if (hLen <= 0) goto err; -@@ -164,6 +172,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, +@@ -186,6 +194,14 @@ int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, if (mgf1Hash == NULL) mgf1Hash = Hash; @@ -106,8 +90,8 @@ index 33874bfef8..e8681b0351 100644 +#endif + hLen = EVP_MD_get_size(Hash); - if (hLen < 0) + if (hLen <= 0) goto err; -- -2.39.0 +2.49.0 diff --git a/0027-FIPS-RSA-size-mode-restrictions.patch b/0027-FIPS-RSA-size-mode-restrictions.patch new file mode 100644 index 0000000..dd1e11e --- /dev/null +++ b/0027-FIPS-RSA-size-mode-restrictions.patch 
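Review bot: In both rsa_oaep.c hunks the merged condition still tests `md` for SHAKE-128/SHAKE-256 even though the upstream `#ifdef FIPS_MODULE` block that now directly follows it (`/* XOF are approved as standalone; Shake256 in Ed448; MGF */ if (EVP_MD_xof(md))`) appears to reject any XOF used as `md` already, so the `md` half of the added check looks redundant. Reusing the same predicate for the MGF1 digest, `if (EVP_MD_xof(mgf1md)) {`, would cover the case the patch is actually about without naming the two SHAKE variants and would stay correct if further XOFs are added upstream. The two copies return 0 in the padding-add path and -1 in the padding-check path, matching the surrounding functions' conventions; a one-line comment on each saying so would stop the next rebase from copying the wrong value. The rsa_pss.c hunks only shift context, and every enclosing function starts and ends outside the quoted inner hunks.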
@@ -0,0 +1,443 @@ +From 8cb662f002e33c6fb99b96ef24733e16e3dc48ad Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 7 Mar 2025 18:20:30 -0500 +Subject: [PATCH 27/50] FIPS: RSA: size/mode restrictions + +Signed-off-by: Simo Sorce +--- + providers/implementations/signature/rsa_sig.c | 26 +++++++++ + ssl/ssl_ciph.c | 3 + + test/recipes/30-test_evp_data/evppkey_rsa.txt | 55 ++++++++++++++++++- + .../30-test_evp_data/evppkey_rsa_common.txt | 8 +-- + 4 files changed, 87 insertions(+), 5 deletions(-) + +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index b08c9685dd..0e0810f60a 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -940,6 +940,19 @@ static int rsa_verify_recover(void *vprsactx, + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; +@@ -1034,6 +1047,19 @@ static int rsa_verify_directly(PROV_RSA_CTX *prsactx, + const unsigned char *tbs, size_t tbslen) + { + size_t rslen; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index 19420d6c6a..5ab1ccee93 100644 +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -350,6 +350,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) + ctx->disabled_mkey_mask = 0; + ctx->disabled_auth_mask = 0; + ++ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) ++ 
ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; ++ + /* + * We ignore any errors from the fetches below. They are expected to fail + * if these algorithms are not available. +diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt +index f1dc5dd2a2..103556c750 100644 +--- a/test/recipes/30-test_evp_data/evppkey_rsa.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt +@@ -268,8 +268,8 @@ TwIDAQAB + + PrivPubKeyPair = RSA-PSS:RSA-PSS-DEFAULT + +- + # Wrong MGF1 digest ++Availablein = default + Verify = RSA-2048 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:0 +@@ -279,7 +279,19 @@ Input="0123456789ABCDEF0123456789ABCDEF" + Output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esult = VERIFY_ERROR + ++# Wrong MGF1 digest - In RHEL FIPS errors as set ctx before verify ++Availablein = fips ++Verify = RSA-2048 ++Ctrl = rsa_padding_mode:pss ++Ctrl = rsa_pss_saltlen:0 ++Ctrl = digest:sha256 ++Ctrl = rsa_mgf1_md:sha1 ++Input="0123456789ABCDEF0123456789ABCDEF" ++Output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esult = PKEY_CTRL_ERROR ++ + # Verify using default parameters ++Availablein = default + Verify = RSA-PSS-DEFAULT + Input="0123456789ABCDEF0123" + Output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fc6CnohE9iWxFeXpxKWc+PgRO2g0M2ov0mibRyy7Xlyr5nQ1DFm2wX4XaHT7Qvj8 + PRdqAX7cYf0ybEszyQIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=5c81a3e2a658246628cd0ee8b00bb4c012bc9739 + Output=014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3 + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=27f71611446aa6eabf037f7dedeede3203244991 + 
Output=010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=03ecc2c33e93f05fc7224fcc0d461356cb897217 + Output=007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4 + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=246c727b4b9494849dddb068d582e179ac20999c + Output=009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=e8617ca3ea66ce6a58ede2d11af8c3ba8a6ba912 + Output=00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -348,36 +366,42 @@ nQ6tsIdYbKSJM9o8yVPZW9DtUN4Q3ctnNhB9bIMcf2Y+gzykwJfnAM4PuUX4j7hf + 6OWncxclZbkUpHGkQwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=3552be69dd74bdc56d2cf8c38ef7bafe269040fe + 
Output=0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=609143ff7240e55c062aba8b9e4426a781919bc9 + Output=02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0afd22f879a9cda7c584f4135f8f1c961db114c0 + Output=0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=405dd56d395ef0f01b555c48f748cc32b210650b + Output=0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8 + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=a2c313b0440c8a0c47233b87f0a160c61af3eae7 + Output=021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83 + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = 
rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -393,36 +417,42 @@ MAz5u2xTrR3IoXi4FdtCNamp2gwG3k5hXqEnfOVZ6cEI3ljBSoGqd/Wm+NEzVJRJ + iEjIuVlAdAvnv3w3BQIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=f8b0abf70fec0bca74f0accbc24f75e6e90d3bfd + Output=0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948 + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=04a10944bfe11ab801e77889f3fd3d7f4ff0b629 + Output=049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598 + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=ba01243db223eb97fb86d746c3148adaaa0ca344 + Output=03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253b855fb626a90d771eae028b0c47a199cbd9f8e3269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=934bb0d38d6836daec9de82a9648d4593da67cd2 + Output=0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + 
Input=ec35d81abd1cceac425a935758b683465c8bd879 + Output=022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -438,18 +468,21 @@ pLDMjaMl7YqmdrDQ9ibgp38HaSFwrKyAgvQvqn3HzRI+cw4xqHmFIEyry+ZnDUOi + 3Sst3vXgU5L8ITvFBwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=d98b7061943510bc3dd9162f7169aabdbdcd0222 + Output=0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=7ae8e699f754988f4fd645e463302e49a2552072 + Output=08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -463,12 +496,14 @@ Ctrl = rsa_mgf1_md:sha1 + Input=ee3de96783fd0a157c8b20bf5566124124dcfe65 + Output=0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1 + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + 
Input=1204df0b03c2724e2709c23fc71789a21b00ae4c + Output=0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -484,36 +519,42 @@ Kl8QsJwxGvjA/7W3opfy78Y7jWsFEJMfC5jki/X8bsTnuNsf+usIw44CrbjwOkgi + nJnpaUMfYcuMTcaY0QIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=ab464e8cb65ae5fdea47a53fa84b234d6bfd52f6 + Output=04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1 + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=92d0bcae82b641f578f040f5151be8eda6d42299 + Output=0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773 + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=3569bd8fd2e28f2443375efa94f186f6911ffc2b + Output=086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456 + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=7abbb7b42de335730a0b641f1e314b6950b84f98 + 
Output=0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=55b7eb27be7a787a59eb7e5fac468db8917a7725 + Output=02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -529,36 +570,42 @@ MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgTfJ2kpmyMQIuNon0MnXn4zLHq/B + 2LXF01SAItcGTqKaswIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=8be4afbdd76bd8d142c5f4f46dba771ee5d6d29d + Output=187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=402140dc605b2f5c5ec0d15bce9f9ba8857fe117 + Output=10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db815ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=3e885205892ff2b6b37c2c4eb486c4bf2f9e7f20 + 
Output=2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=1fc2201d0c442a4736cd8b2cd00c959c47a3bf42 + Output=32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be040aea36fe132ec130e1f10567982d17ac3e89b8d26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=e4351b66819e5a31501f89acc7faf57030e9aac5 + Output=07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -574,36 +621,42 @@ R1PbPO4O4Gx9+uix1TtZUyGPnM7qaVsIZo7eqtztlGOx15DV6/J+kRW0bK1NmiuO + +rBWGwgQNEc5raBzPwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=a1dd230d8ead860199b6277c2ecfe3d95f6d9160 + Output=0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5 + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=f6e68e53c602c5c65fa67b5aa6d786e5524b12ab + 
Output=2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=d6f9fcd3ae27f32bb2c7c93536782eba52af1f76 + Output=2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96 + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=7ff2a53ce2e2d900d468e498f230a5f5dd0020de + Output=1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7 + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=4eb309f7022ba0b03bb78601b12931ec7c1be8d3 + Output=33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +index 17ceb59148..972e90f32f 100644 +--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -285,7 +285,7 @@ FIPSversion = >=3.4.0 + Decrypt = RSA-2048 + Ctrl = rsa_padding_mode:none + 
Input = 0000000000000000000000000000000000000000
+-Result = KEYOP_ERROR
++Result = KEYOP_LENGTH_ERROR
+
+ # RSADP Ciphertext = 1 should fail
+ Availablein = fips
+@@ -293,7 +293,7 @@ FIPSversion = >=3.4.0
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = 0000000000000000000000000000000000000001
+-Result = KEYOP_ERROR
++Result = KEYOP_LENGTH_ERROR
+
+ # RSADP Ciphertext = 2 should pass
+ Availablein = default
+@@ -315,7 +315,7 @@ FIPSversion = >=3.4.0
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = 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
+-Result = KEYOP_ERROR
++Result = KEYOP_LENGTH_ERROR
+
+ # RSADP Ciphertext = n should fail
+ Availablein = default
+@@ -2074,7 +2074,7 @@ Securitycheck = 1
+ Unapproved = 1
+ CtrlInit = key-check:0
+ Input = 550AF55A2904E7B9762352F8FB7FA235
+-Result = KEYOP_MISMATCH
++Result = KEYOP_LENGTH_ERROR
+
+ # Signing with SHA1 is not allowed in fips mode
+ Availablein = fips
+--
+2.49.0
+
diff --git a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
new file mode 100644
index 0000000..fd145cf
--- /dev/null
+++ b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
@@ -0,0 +1,26 @@
+From 325fb1b9829a5731d9807161f077dae684fa58cb Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Mon, 24 Mar 2025 11:03:45 -0400
+Subject: [PATCH 28/50] FIPS: RSA: Mark x931 as not approved by default
+
+Signed-off-by: Simo Sorce
+---
+ providers/fips/include/fips_indicator_params.inc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
+index 6bd783eb0a..c1b029de86 100644
+--- a/providers/fips/include/fips_indicator_params.inc
++++ b/providers/fips/include/fips_indicator_params.inc
+@@ -15,7 +15,7 @@ OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
+ OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
+ OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 1)
+ OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
+-OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
++OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 1)
+ OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
+ OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
+ OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
+--
+2.49.0
+
diff --git a/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
similarity index 87%
rename from 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
rename to 0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
index 83b5b0a..464bf1a 100644
--- a/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+++ b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
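Review bot: The commit message of this new patch gives no reason for flipping the `RSA_SIGN_X931_PAD_DISABLED` default to 1; the only rationale on record (FIPS 186-5 no longer specifies X9.31 signature padding) sits in the description of the sibling patch 0029, which now only deletes tests. Since this is the file that actually changes behaviour, a reader of it alone should find the justification here — e.g. add `X9.31 signature padding was dropped from FIPS 186-5; the matching ACVP test removal is in 0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch.` to the message. This patch also carries none of the `Patch-name:`/`Patch-id:`/`Patch-status:` headers the source-git exported patches in the series use, which may be intentional for hand-written patches but is worth a check if tooling regenerates the series.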
@@ -1,7 +1,7 @@ -From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 17 Nov 2022 13:53:31 +0100 -Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov +From 004971c02760bcddb77954b90a2be4aeeb70ec22 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:16 +0100 +Subject: [PATCH 29/50] FIPS: RSA: Remove X9.31 padding signatures tests The current draft of FIPS 186-5 [1] no longer contains specifications for X9.31 signature padding. Instead, it contains the following @@ -21,34 +21,17 @@ now. [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf Signed-off-by: Clemens Lang ---- - providers/implementations/signature/rsa_sig.c | 6 + - test/acvp_test.inc | 214 ------------------ - 2 files changed, 6 insertions(+), 214 deletions(-) -diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index 34f45175e8..49e7f9158a 100644 ---- a/providers/implementations/signature/rsa_sig.c -+++ b/providers/implementations/signature/rsa_sig.c -@@ -1233,7 +1233,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - err_extra_text = "No padding not allowed with RSA-PSS"; - goto cont; - case RSA_X931_PADDING: -+#ifndef FIPS_MODULE - err_extra_text = "X.931 padding not allowed with RSA-PSS"; -+#else /* !defined(FIPS_MODULE) */ -+ err_extra_text = "X.931 padding no longer allowed in FIPS mode," -+ " since it was removed from FIPS 186-5"; -+ goto bad_pad; -+#endif /* !defined(FIPS_MODULE) */ - cont: - if (RSA_test_flags(prsactx->rsa, - RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + test/acvp_test.inc | 225 --------------------------------------------- + 1 file changed, 225 deletions(-) + diff --git a/test/acvp_test.inc b/test/acvp_test.inc -index 73b24bdb0c..96a72073f9 100644 +index 97ec1ff3e5..31fa0eafc6 100644 --- a/test/acvp_test.inc 
+++ b/test/acvp_test.inc -@@ -1204,13 +1204,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = { +@@ -1354,13 +1354,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = { ITM(rsa_siggen0_msg), NO_PSS_SALT_LEN, }, @@ -62,8 +45,8 @@ index 73b24bdb0c..96a72073f9 100644 { "pss", 2048, -@@ -1622,202 +1615,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = { - 0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b, +@@ -1772,202 +1765,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = { + 0xe9, 0x97, 0x20, 0x35, 0xf8, 0xf1, 0x78, 0xe1 }; -static const unsigned char rsa_sigverx931_0_n[] = { @@ -265,13 +248,24 @@ index 73b24bdb0c..96a72073f9 100644 static const struct rsa_sigver_st rsa_sigver_data[] = { { "pkcs1", /* pkcs1v1.5 */ -@@ -1841,17 +1638,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = { +@@ -1991,28 +1788,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = { NO_PSS_SALT_LEN, FAIL }, - { - "x931", - 3072, +- "SHA1", +- ITM(rsa_sigverx931_0_msg), +- ITM(rsa_sigverx931_0_n), +- ITM(rsa_sigverx931_0_e), +- ITM(rsa_sigverx931_0_sig), +- NO_PSS_SALT_LEN, +- PASS +- }, +- { +- "x931", +- 3072, - "SHA256", - ITM(rsa_sigverx931_1_msg), - ITM(rsa_sigverx931_1_n), @@ -284,5 +278,5 @@ index 73b24bdb0c..96a72073f9 100644 "pss", 4096, -- -2.38.1 +2.49.0 diff --git a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch new file mode 100644 index 0000000..86d09d0 --- /dev/null +++ b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch 
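Review bot: The rebased patch keeps a description that argues from FIPS 186-5 dropping X9.31 (the context lines at the first hunk) together with the original sign-off, yet its body and diffstat now consist only of the 225-line deletion from `test/acvp_test.inc`; the `rsa_sig.c` hunk that made `RSA_X931_PADDING` fall through to `bad_pad` under `FIPS_MODULE` has been removed from the patch. Enforcement presumably moved to the indicator default set by 0028, but nothing in this patch says so, and a reader would look for the missing code change. Suggest adding to the description a line such as `The padding is now marked unapproved through the FIPS indicator default in 0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch; this patch only removes the X9.31 ACVP vectors.` The middle of the description and of the acvp_test.inc deletions lies outside the visible hunks.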
@@ -0,0 +1,387 @@ +From 0d8ac9675eaaf3eaded5f7d2ec304be022eacd10 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Wed, 12 Feb 2025 17:12:02 -0500 +Subject: [PATCH 30/50] FIPS: RSA: NEEDS-REWORK: + FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed + +Signed-off-by: Simo Sorce +--- + ...EP-in-KATs-support-fixed-OAEP-seed.p.patch | 348 ++++++++++++++++++ + REBASE.txt | 10 + + 2 files changed, 358 insertions(+) + create mode 100644 Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch + create mode 100644 REBASE.txt + +diff --git a/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch +new file mode 100644 +index 0000000000..793b8a4dac +--- /dev/null ++++ b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch +@@ -0,0 +1,348 @@ ++From a0e92712c141cda0b8321feb492982506b18c612 Mon Sep 17 00:00:00 2001 ++From: rpm-build ++Date: Wed, 6 Mar 2024 19:17:15 +0100 ++Subject: [PATCH 28/55] ++ 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch ++ ++Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch ++Patch-id: 73 ++Patch-status: | ++ # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 ++From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce ++--- ++ crypto/rsa/rsa_local.h | 8 ++ ++ crypto/rsa/rsa_oaep.c | 34 ++++++-- ++ providers/fips/self_test_data.inc | 79 ++++++++++--------- ++ providers/fips/self_test_kats.c | 7 ++ ++ .../implementations/asymciphers/rsa_enc.c | 41 +++++++++- ++ util/perl/OpenSSL/paramnames.pm | 1 + ++ 6 files changed, 126 insertions(+), 44 deletions(-) ++ ++diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h ++index ea70da05ad..dde57a1a0e 100644 ++--- a/crypto/rsa/rsa_local.h +++++ b/crypto/rsa/rsa_local.h ++@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to ++ int tlen, const unsigned char *from, ++ int flen); ++ +++int 
ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, +++ unsigned char *to, int tlen, +++ const unsigned char *from, int flen, +++ const unsigned char *param, +++ int plen, const EVP_MD *md, +++ const EVP_MD *mgf1md, +++ const char *redhat_st_seed); +++ ++ #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ ++diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c ++index b9030440c4..3d665c3860 100644 ++--- a/crypto/rsa/rsa_oaep.c +++++ b/crypto/rsa/rsa_oaep.c ++@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, ++ param, plen, NULL, NULL); ++ } ++ +++#ifdef FIPS_MODULE +++extern int REDHAT_FIPS_asym_cipher_st; +++#endif /* FIPS_MODULE */ +++ ++ /* ++ * Perform the padding as per NIST 800-56B 7.2.2.3 ++ * from (K) is the key material. ++@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, ++ * Step numbers are included here but not in the constant time inverse below ++ * to avoid complicating an already difficult enough function. ++ */ ++-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++- unsigned char *to, int tlen, ++- const unsigned char *from, int flen, ++- const unsigned char *param, ++- int plen, const EVP_MD *md, ++- const EVP_MD *mgf1md) +++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, +++ unsigned char *to, int tlen, +++ const unsigned char *from, int flen, +++ const unsigned char *param, +++ int plen, const EVP_MD *md, +++ const EVP_MD *mgf1md, +++ const char *redhat_st_seed) ++ { ++ int rv = 0; ++ int i, emlen = tlen - 1; ++@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++ db[emlen - flen - mdlen - 1] = 0x01; ++ memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); ++ /* step 3d: generate random byte string */ +++#ifdef FIPS_MODULE +++ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) { +++ memcpy(seed, redhat_st_seed, mdlen); +++ } else +++#endif ++ if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0) ++ goto 
err; ++ ++@@ -136,6 +146,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++ return rv; ++ } ++ +++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, +++ unsigned char *to, int tlen, +++ const unsigned char *from, int flen, +++ const unsigned char *param, +++ int plen, const EVP_MD *md, +++ const EVP_MD *mgf1md) +++{ +++ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from, +++ flen, param, plen, md, +++ mgf1md, NULL); +++} +++ ++ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, int plen, ++diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc ++index 4b80bb70b9..c33ecd0791 100644 ++--- a/providers/fips/self_test_data.inc +++++ b/providers/fips/self_test_data.inc ++@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = { ++ }; ++ ++ /*- ++- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the +++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the ++ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient ++ * HP/UX PA-RISC compilers. 
++ */ ++-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; +++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP; +++static const char oaep_fixed_seed[] = { +++ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25, +++ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab, +++ 0x2e, 0x4b, 0x2c, 0xe6 +++}; ++ ++ static const ST_KAT_PARAM rsa_enc_params[] = { ++- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), +++ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep), +++ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, +++ oaep_fixed_seed), ++ ST_KAT_PARAM_END() ++ }; ++ ++@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = { ++ 0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6 ++ }; ++ ++-static const unsigned char rsa_asym_plaintext_encrypt[256] = { +++static const unsigned char rsa_asym_plaintext_encrypt[208] = { ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, ++ }; ++ static const unsigned char rsa_asym_expected_encrypt[256] = { ++- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b, ++- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61, ++- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c, ++- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc, ++- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0, ++- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa, ++- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a, ++- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc, ++- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35, ++- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a, ++- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd, ++- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda, ++- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18, ++- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7, ++- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39, ++- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87, ++- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21, ++- 0x7c, 0x61, 0x60, 
0x28, 0xca, 0x70, 0xdb, 0xa0, ++- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8, ++- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c, ++- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa, ++- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69, ++- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52, ++- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c, ++- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6, ++- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93, ++- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d, ++- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5, ++- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9, ++- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04, ++- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa, ++- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab, +++ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74, +++ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c, +++ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e, +++ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b, +++ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25, +++ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89, +++ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1, +++ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50, +++ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17, +++ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2, +++ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb, +++ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d, +++ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e, +++ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f, +++ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3, +++ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06, +++ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25, +++ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78, +++ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04, +++ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c, +++ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47, +++ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce, +++ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0, +++ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 
0xd6, +++ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99, +++ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30, +++ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20, +++ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb, +++ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27, +++ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66, +++ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a, +++ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06 ++ }; ++ ++ #ifndef OPENSSL_NO_EC ++diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c ++index f13c41abd6..4ea10670c0 100644 ++--- a/providers/fips/self_test_kats.c +++++ b/providers/fips/self_test_kats.c ++@@ -642,14 +642,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) ++ return ret; ++ } ++ +++int REDHAT_FIPS_asym_cipher_st = 0; +++ ++ static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) ++ { ++ int i, ret = 1; ++ +++ REDHAT_FIPS_asym_cipher_st = 1; +++ ++ for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) { ++ if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) ++ ret = 0; ++ } +++ +++ REDHAT_FIPS_asym_cipher_st = 0; +++ ++ return ret; ++ } ++ ++diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c ++index d548560f1f..f3443b0c66 100644 ++--- a/providers/implementations/asymciphers/rsa_enc.c +++++ b/providers/implementations/asymciphers/rsa_enc.c ++@@ -30,6 +30,9 @@ ++ #include "prov/implementations.h" ++ #include "prov/providercommon.h" ++ #include "prov/securitycheck.h" +++#ifdef FIPS_MODULE +++# include "crypto/rsa/rsa_local.h" +++#endif ++ ++ #include ++ ++@@ -75,6 +78,9 @@ typedef struct { ++ /* TLS padding */ ++ unsigned int client_version; ++ unsigned int alt_version; +++#ifdef FIPS_MODULE +++ char *redhat_st_oaep_seed; +++#endif /* FIPS_MODULE */ ++ /* PKCS#1 v1.5 decryption mode */ ++ unsigned int implicit_rejection; ++ } PROV_RSA_CTX; ++@@ -193,12 +199,21 @@ static int 
rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, ++ } ++ } ++ ret = ++- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, +++#ifdef FIPS_MODULE +++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2( +++#else +++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex( +++#endif +++ prsactx->libctx, tbuf, ++ rsasize, in, inlen, ++ prsactx->oaep_label, ++ prsactx->oaep_labellen, ++ prsactx->oaep_md, ++- prsactx->mgf1_md); +++ prsactx->mgf1_md +++#ifdef FIPS_MODULE +++ , prsactx->redhat_st_oaep_seed +++#endif +++ ); ++ ++ if (!ret) { ++ OPENSSL_free(tbuf); ++@@ -332,6 +347,9 @@ static void rsa_freectx(void *vprsactx) ++ EVP_MD_free(prsactx->oaep_md); ++ EVP_MD_free(prsactx->mgf1_md); ++ OPENSSL_free(prsactx->oaep_label); +++#ifdef FIPS_MODULE +++ OPENSSL_free(prsactx->redhat_st_oaep_seed); +++#endif /* FIPS_MODULE */ ++ ++ OPENSSL_free(prsactx); ++ } ++@@ -455,6 +473,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { ++ NULL, 0), ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), +++#ifdef FIPS_MODULE +++ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), +++#endif /* FIPS_MODULE */ ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), ++ OSSL_PARAM_END ++ }; ++@@ -465,6 +486,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, ++ return known_gettable_ctx_params; ++ } ++ +++#ifdef FIPS_MODULE +++extern int REDHAT_FIPS_asym_cipher_st; +++#endif /* FIPS_MODULE */ +++ ++ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) ++ { ++ PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; ++@@ -576,6 +601,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) ++ prsactx->oaep_labellen = tmp_labellen; ++ } ++ +++#ifdef FIPS_MODULE +++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED); +++ if (p != NULL && REDHAT_FIPS_asym_cipher_st) 
{ +++ void *tmp_oaep_seed = NULL; +++ +++ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)) +++ return 0; +++ OPENSSL_free(prsactx->redhat_st_oaep_seed); +++ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed; +++ } +++#endif /* FIPS_MODULE */ +++ ++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); ++ if (p != NULL) { ++ unsigned int client_version; ++diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm ++index c37ed7815f..70f7c50fe4 100644 ++--- a/util/perl/OpenSSL/paramnames.pm +++++ b/util/perl/OpenSSL/paramnames.pm ++@@ -401,6 +401,7 @@ my %params = ( ++ 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version", ++ 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", ++ 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", +++ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", ++ ++ # Encoder / decoder parameters ++ ++-- ++2.48.1 ++ +diff --git a/REBASE.txt b/REBASE.txt +new file mode 100644 +index 0000000000..2833a383c1 +--- /dev/null ++++ b/REBASE.txt +@@ -0,0 +1,10 @@ ++0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch ++ ++Some asym testing has been dropped upstream, unclear if this needs to survive, ++if so we may need to resurrect deleted code in upstream patch: ++ ++ commit 635bf4946a7e948f26a348ddc3b5a8d282354f64 ++ ++ fips: remove redundant RSA encrypt/decrypt KAT ++-- ++ +-- +2.49.0 + diff --git a/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch b/0031-FIPS-Deny-SHA-1-signature-verification.patch similarity index 73% rename from 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch rename to 0031-FIPS-Deny-SHA-1-signature-verification.patch index 9991c5c..15ecd81 100644 --- a/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch +++ b/0031-FIPS-Deny-SHA-1-signature-verification.patch 
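Review bot: The fixed-seed path in `ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2` does `memcpy(seed, redhat_st_seed, mdlen)` without knowing how long `redhat_st_seed` is: `rsa_set_ctx_params` retrieves it with `OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)`, discards the length and stores a bare `char *` in `PROV_RSA_CTX`, so a seed shorter than the OAEP digest size (the embedded `oaep_fixed_seed` is 20 bytes, which only matches a SHA-1 OAEP digest) would be over-read. Keep the length next to the pointer and refuse a mismatch before copying, as sketched below; the `_ex2` signature then takes the extra length argument, which its call in `rsa_encrypt` must pass. The REBASE.txt added alongside says the upstream RSA encrypt/decrypt KAT this serves was removed (commit 635bf4946a7e948f26a348ddc3b5a8d282354f64), so it may be worth confirming the patch is still needed before reworking it. Separately, the macro is spelled `OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED` while its value is `redhat-kat-oaep-seed`; the `OEAP` spelling will outlive the rework if not fixed now.
```c
/* rsa_enc.c, PROV_RSA_CTX — … unchanged: other context fields … */
#ifdef FIPS_MODULE
    char *redhat_st_oaep_seed;
    size_t redhat_st_oaep_seedlen;   /* byte length of redhat_st_oaep_seed */
#endif /* FIPS_MODULE */

/* rsa_enc.c, rsa_set_ctx_params — … unchanged: OAEP label handling above … */
#ifdef FIPS_MODULE
    p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED);
    if (p != NULL && REDHAT_FIPS_asym_cipher_st) {
        void *tmp_oaep_seed = NULL;
        size_t tmp_oaep_seedlen = 0;

        if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, &tmp_oaep_seedlen))
            return 0;
        OPENSSL_free(prsactx->redhat_st_oaep_seed);
        prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed;
        prsactx->redhat_st_oaep_seedlen = tmp_oaep_seedlen;
    }
#endif /* FIPS_MODULE */

/* rsa_oaep.c, ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2, with an added
 * `size_t redhat_st_seedlen` parameter after `redhat_st_seed`
 * — … unchanged: steps 3a-3c … */
#ifdef FIPS_MODULE
    if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
        /* The self-test seed must be exactly one digest long; never over-read it. */
        if (redhat_st_seedlen != (size_t)mdlen)
            goto err;
        memcpy(seed, redhat_st_seed, mdlen);
    } else
#endif
    if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
        goto err;
```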
@@ -1,7 +1,7 @@ -From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Wed, 18 May 2022 17:25:59 +0200 -Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider +From 446e3e1ec006a55206881c5e7e658918e104a972 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 31/50] FIPS: Deny SHA-1 signature verification For RHEL, we already disable SHA-1 signatures by default in the default provider, so it is unexpected that the FIPS provider would have a more @@ -27,112 +27,83 @@ This requires adjusting a few tests that would otherwise fail: the FIPS provider. 
Signed-off-by: Clemens Lang + +Bug Id: https://bugzilla.redhat.com/show_bug.cgi?id=2087147 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - providers/implementations/signature/dsa_sig.c | 4 -- - .../implementations/signature/ecdsa_sig.c | 4 -- - providers/implementations/signature/rsa_sig.c | 8 +-- - test/acvp_test.inc | 20 ------- - .../30-test_evp_data/evppkey_ecdsa.txt | 7 +++ - .../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++- + providers/implementations/signature/dsa_sig.c | 4 +- + .../implementations/signature/ecdsa_sig.c | 4 +- + providers/implementations/signature/rsa_sig.c | 8 ++- + .../30-test_evp_data/evppkey_ecdsa.txt | 11 +++- + .../30-test_evp_data/evppkey_ecdsa_sigalg.txt | 64 ++++++++++++++++--- + .../30-test_evp_data/evppkey_rsa_common.txt | 58 +++++++++++++++-- test/recipes/80-test_cms.t | 4 +- test/recipes/80-test_ssl_old.t | 4 ++ - test/smime-certs/smdh.pem | 18 +++--- - test/smime-certs/smdsa1.pem | 60 +++++++++---------- - test/smime-certs/smdsa2.pem | 60 +++++++++---------- - test/smime-certs/smdsa3.pem | 60 +++++++++---------- - test/smime-certs/smec1.pem | 30 +++++----- - test/smime-certs/smec2.pem | 30 +++++----- - test/smime-certs/smec3.pem | 30 +++++----- - test/smime-certs/smroot.pem | 38 ++++++------ - test/smime-certs/smrsa1.pem | 38 ++++++------ - test/smime-certs/smrsa2.pem | 38 ++++++------ - test/smime-certs/smrsa3.pem | 38 ++++++------ - 19 files changed, 286 insertions(+), 256 deletions(-) + 8 files changed, 130 insertions(+), 27 deletions(-) diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c -index fa3822f39f..c365d7b13a 100644 +index 52ed52482d..0d3050dbe9 100644 --- a/providers/implementations/signature/dsa_sig.c 
+++ b/providers/implementations/signature/dsa_sig.c -@@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, - EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); - int md_nid; - size_t mdname_len = strlen(mdname); --#ifdef FIPS_MODULE -- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); --#else - int sha1_allowed = 0; --#endif - md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, - sha1_allowed); +@@ -187,9 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, + } + #ifdef FIPS_MODULE + { +- int sha1_allowed +- = ((ctx->operation +- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); ++ int sha1_allowed = 0; + if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), + OSSL_FIPS_IND_SETTABLE1, diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c -index 99b228e82c..44a22832ec 100644 +index 80e4115b69..096d944896 100644 --- a/providers/implementations/signature/ecdsa_sig.c +++ b/providers/implementations/signature/ecdsa_sig.c -@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, - "%s could not be fetched", mdname); - return 0; - } --#ifdef FIPS_MODULE -- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); --#else - sha1_allowed = 0; --#endif - md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, - sha1_allowed); - if (md_nid < 0) { +@@ -215,9 +215,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, + + #ifdef FIPS_MODULE + { +- int sha1_allowed +- = ((ctx->operation +- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); ++ int sha1_allowed = 0; + + if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), + OSSL_FIPS_IND_SETTABLE1, diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index f66d7705c3..34f45175e8 100644 +index 0e0810f60a..ac3888a1b9 100644 --- a/providers/implementations/signature/rsa_sig.c 
+++ b/providers/implementations/signature/rsa_sig.c -@@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, - EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); - int md_nid; - size_t mdname_len = strlen(mdname); --#ifdef FIPS_MODULE -- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); --#else - int sha1_allowed = 0; --#endif - md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, - sha1_allowed); +@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, + } + #ifdef FIPS_MODULE + { +- int sha1_allowed +- = ((ctx->operation +- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); ++ int sha1_allowed = 0; -@@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), + OSSL_FIPS_IND_SETTABLE1, +@@ -1796,11 +1794,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) if (prsactx->md == NULL && pmdname == NULL && pad_mode == RSA_PKCS1_PSS_PADDING) { +#ifdef FIPS_MODULE + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; +#else - pmdname = RSA_DEFAULT_DIGEST_NAME; --#ifndef FIPS_MODULE - if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { + if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { + pmdname = RSA_DEFAULT_DIGEST_NAME; + } else { pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; } -diff --git a/test/acvp_test.inc b/test/acvp_test.inc -index ad11d3ae1e..73b24bdb0c 100644 ---- a/test/acvp_test.inc -+++ b/test/acvp_test.inc -@@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = { - NO_PSS_SALT_LEN, - FAIL - }, -- { -- "x931", -- 3072, -- "SHA1", -- ITM(rsa_sigverx931_0_msg), -- ITM(rsa_sigverx931_0_n), -- ITM(rsa_sigverx931_0_e), -- ITM(rsa_sigverx931_0_sig), -- NO_PSS_SALT_LEN, -- PASS -- }, - { - "x931", - 3072, ++#endif + } + + if (pmgf1mdname != NULL 
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt -index f36982845d..51e507a61c 100644 +index 06ec905be0..1602f0c521 100644 --- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt @@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC @@ -140,14 +111,14 @@ index f36982845d..51e507a61c 100644 Title = ECDSA tests +Availablein = default - Verify = P-256 + Verify = P-256-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 # Digest too long +Availablein = default - Verify = P-256 + Verify = P-256-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF12345" @@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e @@ -155,7 +126,7 @@ index f36982845d..51e507a61c 100644 # Digest too short +Availablein = default - Verify = P-256 + Verify = P-256-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF123" @@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e @@ -163,7 +134,7 @@ index f36982845d..51e507a61c 100644 # Digest invalid +Availablein = default - Verify = P-256 + Verify = P-256-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF1235" @@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e @@ -171,7 +142,7 @@ index f36982845d..51e507a61c 100644 # Invalid signature +Availablein = default - Verify = P-256 + Verify = P-256-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" @@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e 
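Review bot: `int sha1_allowed = 0;` in the three `*_setup_md` functions now hard-codes the RHEL policy with no comment, and in the 3.5 code it feeds `ossl_fips_ind_digest_sign_check(...)` (its remaining arguments lie outside the hunk), whose `digest-check:0` indicator override the rest of this patch shows no longer rescues SHA-1 either (the test expectations flip from `KEYOP_MISMATCH`/`SIGNATURE_MISMATCH` to init errors). Add a why-comment at each of the three sites, e.g. `/* RHEL: SHA-1 is rejected for verification as well as signing in the FIPS provider (rhbz#2087147); the FIPS indicator must not downgrade this to "unapproved" */`, so the next rebase does not silently restore upstream's `(ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0`. Note also that the rebased patch no longer touches `test/acvp_test.inc`, where the old version removed an x931/SHA1 `PASS` sigver vector; if OpenSSL 3.5.0 still carries that vector it will now fail under FIPS and needs the same treatment.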
@@ -179,7 +150,7 @@ index f36982845d..51e507a61c 100644 # BER signature +Availablein = default - Verify = P-256 + Verify = P-256-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 
@@ -189,8 +160,151 @@ index f36982845d..51e507a61c 100644 Verify = P-256-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" +@@ -237,7 +244,7 @@ Unapproved = 1 + CtrlInit = digest-check:0 + Key = P-256 + Input = "Hello World" +-Result = SIGNATURE_MISMATCH ++Result = DIGESTSIGNINIT_ERROR + + # Test that SHA1 is not allowed in fips mode for signing + FIPSversion = >=3.4.0 +@@ -247,7 +254,7 @@ Unapproved = 1 + CtrlInit = digest-check:0 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +-Result = KEYOP_MISMATCH ++Result = PKEY_CTRL_ERROR + + Title = XOF disallowed + +diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt +index 0ff482e4e8..d407ea1ca8 100644 +--- a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt ++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt +@@ -37,34 +37,34 @@ PrivPubKeyPair = P-256:P-256-PUBLIC + + Title = ECDSA tests + +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + + # Digest too long +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF12345" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + Result = VERIFY_ERROR + + # Digest too short +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF123" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + Result = VERIFY_ERROR + + # Digest invalid +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1235" + Output = 
3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + Result = VERIFY_ERROR + + # Invalid signature +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7 +@@ -78,16 +78,64 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e + Result = VERIFY_ERROR + + # BER signature +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 + Result = VERIFY_ERROR + ++Availablein = fips ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF1234" ++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR ++ ++# Digest too long ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF12345" ++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR ++ ++# Digest too short ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF123" ++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR ++ ++# Digest invalid ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF1235" ++Output = 
3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR ++ ++# Invalid signature ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF1234" ++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7 ++Result = KEYOP_INIT_ERROR ++ ++# BER signature ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF1234" ++Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 ++Result = KEYOP_INIT_ERROR ++ ++Availablein = fips + FIPSversion = >=3.4.0 + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR + + Title = Sign-Message and Verify-Message + +@@ -236,7 +284,7 @@ Securitycheck = 1 + Unapproved = 1 + CtrlInit = digest-check:0 + Input = "Hello World" +-Result = KEYOP_MISMATCH ++Result = KEYOP_INIT_ERROR + + # Test that SHA1 is not allowed in fips mode for signing + Availablein = fips +@@ -246,4 +294,4 @@ Securitycheck = 1 + Unapproved = 1 + CtrlInit = digest-check:0 + Input = "0123456789ABCDEF1234" +-Result = KEYOP_MISMATCH ++Result = KEYOP_INIT_ERROR diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -index b8d8bb2993..8dd566067b 100644 +index 972e90f32f..61e2b4e3ac 100644 --- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt @@ -96,6 +96,7 @@ NDL6WCBbets= 
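Review bot: The six new `Availablein = fips` blocks for `ECDSA-SHA1:P-256-PUBLIC` all expect `KEYOP_INIT_ERROR`, which fires before `Input`/`Output` are looked at, so the "Digest too long/short/invalid", "Invalid signature" and "BER signature" variants exercise exactly the same code path as the first block and add no coverage; keep one rejection case (the pre-existing `FIPSversion = >=3.4.0` block that now gains `Result = KEYOP_INIT_ERROR`) and drop the copies, or add a one-line comment explaining why they are retained. The first added block is also the only one without `FIPSversion = >=3.4.0`, which reads as an oversight rather than intent since the other five carry it. The `# Digest too long` etc. comments were copied verbatim from the default-provider cases and now describe inputs that are never consumed.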
@@ -304,16 +418,17 @@ index b8d8bb2993..8dd566067b 100644 Verify = RSA-2048-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" -@@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" +@@ -939,7 +954,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" Output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erify using salt length auto detect +-FIPSversion = <3.4.0 +# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256 +Availablein = default Verify = RSA-2048-PUBLIC Ctrl = rsa_padding_mode:pss Ctrl = rsa_pss_saltlen:auto -@@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD +@@ -974,6 +990,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD Result = VERIFY_ERROR # Verify using default parameters, explicitly setting parameters @@ -324,7 +439,7 @@ index b8d8bb2993..8dd566067b 100644 Verify = RSA-PSS-DEFAULT Ctrl = rsa_padding_mode:pss Ctrl = rsa_pss_saltlen:20 -@@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123" +@@ -982,6 +1002,7 @@ Input="0123456789ABCDEF0123" Output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erify explicitly setting parameters "digest" salt length @@ -332,10 +447,11 @@ index b8d8bb2993..8dd566067b 100644 Verify = RSA-PSS-DEFAULT Ctrl = rsa_padding_mode:pss Ctrl = rsa_pss_saltlen:digest -@@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123" +@@ -990,20 +1011,21 @@ Input="0123456789ABCDEF0123" Output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erify using salt length larger than minimum +-FIPSversion = <3.4.0 +Availablein = default Verify = RSA-PSS-DEFAULT Ctrl = rsa_pss_saltlen:30 @@ -343,6 +459,7 @@ index b8d8bb2993..8dd566067b 100644 Output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erify using maximum salt length +-FIPSversion = <3.4.0 +Availablein = default Verify = RSA-PSS-DEFAULT Ctrl = rsa_pss_saltlen:max 
@@ -354,7 +471,7 @@ index b8d8bb2993..8dd566067b 100644 Verify = RSA-PSS-DEFAULT Ctrl = rsa_pss_saltlen:0 Result = PKEY_CTRL_ERROR -@@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR +@@ -1011,21 +1033,25 @@ Result = PKEY_CTRL_ERROR # Attempt to change padding mode # Note this used to return PKEY_CTRL_INVALID # but it is limited because setparams only returns 0 or 1. @@ -380,7 +497,7 @@ index b8d8bb2993..8dd566067b 100644 Verify = RSA-PSS-BAD2 Result = KEYOP_INIT_ERROR Reason = invalid salt length -@@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh +@@ -1081,36 +1107,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh 4fINDOjP+yJJvZohNwIDAQAB -----END PUBLIC KEY----- @@ -423,7 +540,7 @@ index b8d8bb2993..8dd566067b 100644 Verify=RSA-PSS-1 Ctrl = rsa_padding_mode:pss Ctrl = rsa_mgf1_md:sha1 -@@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh +@@ -1126,36 +1158,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ== -----END PUBLIC KEY----- @@ -466,7 +583,7 @@ index b8d8bb2993..8dd566067b 100644 Verify=RSA-PSS-9 Ctrl = rsa_padding_mode:pss Ctrl = rsa_mgf1_md:sha1 -@@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu +@@ -1173,36 +1211,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu BQIDAQAB -----END PUBLIC KEY----- @@ -509,9 +626,9 @@ index b8d8bb2993..8dd566067b 100644 Verify=RSA-PSS-10 Ctrl = rsa_padding_mode:pss Ctrl = rsa_mgf1_md:sha1 -@@ -1329,11 +1376,13 @@ Title = RSA FIPS tests - - # FIPS tests +@@ -1999,11 +2043,13 @@ Securitycheck = 1 + Input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esult = KEYOP_INIT_ERROR -# Verifying with SHA1 is permitted in fips mode for older applications +# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode 
@@ -524,11 +641,29 @@ index b8d8bb2993..8dd566067b 100644 # Verifying with a 1024 bit key is permitted in fips mode for older applications DigestVerify = SHA256 +@@ -2019,7 +2065,7 @@ Securitycheck = 1 + Key = RSA-2048 + Input = "Hello" + Result = DIGESTSIGNINIT_ERROR +-Reason = invalid digest ++Reason = digest not allowed + + # Signing with a 1024 bit key is not allowed in fips mode + Availablein = fips +@@ -2085,7 +2131,7 @@ Unapproved = 1 + CtrlInit = digest-check:0 + Key = RSA-2048 + Input = "Hello" +-Result = SIGNATURE_MISMATCH ++Result = DIGESTSIGNINIT_ERROR + + Availablein = fips + FIPSversion = >=3.4.0 diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 48a92f735d..34afe91b88 100644 +index d13dceaac5..ece29485f4 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t -@@ -162,7 +162,7 @@ my @smime_pkcs7_tests = ( +@@ -174,7 +174,7 @@ my @smime_pkcs7_tests = ( [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1", "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], @@ -537,7 +672,7 @@ index 48a92f735d..34afe91b88 100644 "-CAfile", $smroot, "-out", "{output}.txt" ], \&final_compare ], -@@ -170,7 +170,7 @@ my @smime_pkcs7_tests = ( +@@ -182,7 +182,7 @@ my @smime_pkcs7_tests = ( [ "signed zero-length content S/MIME format, RSA key SHA1", [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1", "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], @@ -547,10 +682,10 @@ index 48a92f735d..34afe91b88 100644 \&zero_compare ], diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t -index 8c52b637fc..ff75c5b6ec 100644 +index 568a1ddba4..6332aaec4b 100755 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t -@@ -394,6 +394,9 @@ sub testssl { +@@ -462,6 +462,9 @@ sub testssl { 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); } 
@@ -560,7 +695,7 @@ index 8c52b637fc..ff75c5b6ec 100644 ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), 'test sslv2/sslv3 with server authentication'); ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), -@@ -402,6 +405,7 @@ sub testssl { +@@ -470,6 +473,7 @@ sub testssl { 'test sslv2/sslv3 with both client and server authentication via BIO pair'); ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); @@ -568,3 +703,6 @@ index 8c52b637fc..ff75c5b6ec 100644 SKIP: { skip "No IPv4 available on this machine", 4 +-- +2.49.0 + diff --git a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch new file mode 100644 index 0000000..532719c --- /dev/null +++ b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch 
@@ -0,0 +1,172 @@
+From f33528e229063b98748943d2fddaf83426fcb8eb Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Wed, 6 Mar 2024 19:17:16 +0100
+Subject: [PATCH 32/50] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
+
+providers/implementations/rands/crngt.c is gone
+
+Patch-name: 0076-FIPS-140-3-DRBG.patch
+Patch-id: 76
+Patch-status: |
+ # # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
+ # # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/rand/prov_seed.c | 9 ++-
+ providers/implementations/rands/drbg.c | 11 ++-
+ providers/implementations/rands/drbg_local.h | 2 +-
+ .../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
+ 4 files changed, 23 insertions(+), 67 deletions(-)
+
+diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
+index 2985c7f2d8..3202a28226 100644
+--- a/crypto/rand/prov_seed.c
++++ b/crypto/rand/prov_seed.c
+@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused OSSL_LIB_CTX *ctx,
+ size_t entropy_available;
+ RAND_POOL *pool;
+
+- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
++ /*
++ * OpenSSL still implements an internal entropy pool of
++ * some size that is hashed to get seed data.
++ * Note that this is a conditioning step for which SP800-90C requires
++ * 64 additional bits from the entropy source to claim the requested
++ * amount of entropy.
++ */
++ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
+ if (pool == NULL) {
+ ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
+ return 0;
+diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
+index 4925a3b400..1cdb67b22c 100644
+--- a/providers/implementations/rands/drbg.c
++++ b/providers/implementations/rands/drbg.c
+@@ -559,6 +559,9 @@ static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
+ #endif
+ }
+
++#ifdef FIPS_MODULE
++ prediction_resistance = 1;
++#endif
+ /* Reseed using our sources in addition */
+ entropylen = get_entropy(drbg, &entropy, drbg->strength,
+ drbg->min_entropylen, drbg->max_entropylen,
+@@ -680,8 +683,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+ reseed_required = 1;
+ }
+ if (drbg->parent != NULL
+- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
++#ifdef FIPS_MODULE
++ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
++ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
++#else
+ reseed_required = 1;
++#endif
++ }
+
+ if (reseed_required || prediction_resistance) {
+ if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
+diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
+index e591e0b3d1..c7cafba1ea 100644
+--- a/providers/implementations/rands/drbg_local.h
++++ b/providers/implementations/rands/drbg_local.h
+@@ -39,7 +39,7 @@
+ *
+ * The value is in bytes.
+ */
+-#define CRNGT_BUFSIZ 16
++#define CRNGT_BUFSIZ 32
+
+ /*
+ * Maximum input size for the DRBG (entropy, nonce, personalization string)
+diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
+index c3a5d8b3bf..b7b34a9345 100644
+--- a/providers/implementations/rands/seeding/rand_unix.c
++++ b/providers/implementations/rands/seeding/rand_unix.c
+@@ -53,6 +53,8 @@
+ # include
+ # include
+ # include
++# include
++# include
+
+ static uint64_t get_time_stamp(void);
+
+@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
+ * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
+ * between size_t and ssize_t is safe even without a range check.
+ */
+-
+- /*
+- * Do runtime detection to find getentropy().
+- *
+- * Known OSs that should support this:
+- * - Darwin since 16 (OSX 10.12, IOS 10.0).
+- * - Solaris since 11.3
+- * - OpenBSD since 5.6
+- * - Linux since 3.17 with glibc 2.25
+- *
+- * Note: Sometimes getentropy() can be provided but not implemented
+- * internally. So we need to check errno for ENOSYS
+- */
+-# if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__)
+-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
+- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
+-
+- if (getentropy != NULL) {
+- if (getentropy(buf, buflen) == 0)
+- return (ssize_t)buflen;
+- if (errno != ENOSYS)
+- return -1;
+- }
+-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
+-
+- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
+- return (ssize_t)buflen;
+-
+- return -1;
+-# else
+- union {
+- void *p;
+- int (*f)(void *buffer, size_t length);
+- } p_getentropy;
+-
+- /*
+- * We could cache the result of the lookup, but we normally don't
+- * call this function often.
+- */
+- ERR_set_mark();
+- p_getentropy.p = DSO_global_lookup("getentropy");
+- ERR_pop_to_mark();
+- if (p_getentropy.p != NULL)
+- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
+-# endif
+-# endif /* !__DragonFly__ && !__NetBSD__ && !__FreeBSD__ */
+-
+- /* Linux supports this since version 3.17 */
+-# if defined(__linux) && defined(__NR_getrandom)
+- return syscall(__NR_getrandom, buf, buflen, 0);
+-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
+- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \
+- || (defined(__FreeBSD__) && __FreeBSD_version >= 1200061)
+- return getrandom(buf, buflen, 0);
+-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
+- return sysctl_random(buf, buflen);
+-# elif defined(__wasi__)
+- if (getentropy(buf, buflen) == 0)
+- return (ssize_t)buflen;
+- return -1;
+-# else
+- errno = ENOSYS;
+- return -1;
+-# endif
++ /* Red Hat uses downstream patch to always seed from getrandom() */
++ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
+ }
+ # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
+
+--
+2.49.0
+
diff --git a/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
similarity index 95%
rename from 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
rename to 0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
index 5903857..140b42b 100644
--- a/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+++ b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
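Review bot: In the replacement body of `syscall_random()` the FIPS/non-FIPS choice is made with `EVP_default_properties_is_fips_enabled(NULL)`, i.e. the property string of the default library context, not the context that owns the DRBG being seeded and not whether the caller is the FIPS module; an application that loads the FIPS provider into its own `OSSL_LIB_CTX` without setting `fips=yes` on the default one will seed with flags `0`, and the added comment `always seed from getrandom()` does not mention this. Spell it out, e.g. `/* RHEL: seed only from getrandom(); when the default libctx has fips=yes (system FIPS mode) request GRND_RANDOM. This keys off the default context, not the DRBG's own. */`, or derive the flag from the libctx that reaches `ossl_rand_get_entropy()` if one is available at this layer. The hunk also removes the whole `#if defined(__linux) && defined(__NR_getrandom)` / BSD / wasi selection, so `rand_unix.c` now calls `getrandom()` unconditionally and builds only on Linux, which is fine for a downstream-only patch but belongs in the patch header. In `ossl_prov_drbg_generate` the comment `Red Hat patches provide chain reseeding when necessary so just sync counters` asserts a property enforced elsewhere; if it means the `prediction_resistance = 1` forced in `ossl_prov_drbg_reseed_unlocked` a hunk earlier (so every child reseed pulls through to the root source), say so explicitly so the parent-counter skip can be checked against it. Finally `ossl_rand_pool_new(entropy + 64, ...)` raises the requested entropy without touching `max_len`; whether a caller's `max_len` can now be too small for the extra 8 bytes depends on `ossl_rand_pool_bytes_needed()`, which is outside this hunk.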
@@ -1,7 +1,7 @@ -From 6aed6931cf50499e778a6d34502f9bf82f5a4c0d Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Wed, 16 Nov 2022 13:53:24 +0100 -Subject: [PATCH] rand: Forbid truncated hashes & SHA-3 in FIPS prov +From c5a417c02dc6f50b8886eac366650c0f0bee38a0 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:16 +0100 +Subject: [PATCH 33/50] FIPS: RAND: Forbid truncated hashes & SHA-3 Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs" of the Implementation Guidance for FIPS 140-3 [1] notes that there is no @@ -21,18 +21,20 @@ algorithms in the default provider. [1]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf Signed-off-by: Clemens Lang + +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- providers/implementations/rands/drbg_hash.c | 12 ++ providers/implementations/rands/drbg_hmac.c | 12 ++ - test/recipes/30-test_evp_data/evprand.txt | 129 ++++++++++++++++++++ - 3 files changed, 153 insertions(+) + test/recipes/30-test_evp_data/evprand.txt | 197 ++++++++++++++++---- + 3 files changed, 187 insertions(+), 34 deletions(-) diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c -index 12faa993d0..5f9602cf84 100644 +index 8bb831ae35..cedf5c3894 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c -@@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - if (!ossl_drbg_verify_digest(libctx, md)) +@@ -579,6 +579,18 @@ static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[] + if (!ossl_drbg_verify_digest(ctx, libctx, md)) return 0; /* Error already raised for us */ +#ifdef FIPS_MODULE 
@@ -48,14 +50,14 @@ index 12faa993d0..5f9602cf84 100644 +#endif /* defined(FIPS_MODULE) */ + /* These are taken from SP 800-90 10.1 Table 2 */ - hash->blocklen = EVP_MD_get_size(md); - /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ + md_size = EVP_MD_get_size(md); + if (md_size <= 0) diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c -index ffeb70f8c3..79ed96a15a 100644 +index 43b3f8766e..64b7610cd1 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c -@@ -367,6 +367,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - if (md != NULL && !ossl_drbg_verify_digest(libctx, md)) +@@ -505,6 +505,18 @@ static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[] + if (md != NULL && !ossl_drbg_verify_digest(ctx, libctx, md)) return 0; /* Error already raised for us */ +#ifdef FIPS_MODULE @@ -70,11 +72,11 @@ index ffeb70f8c3..79ed96a15a 100644 + } +#endif /* defined(FIPS_MODULE) */ + - if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params, - NULL, NULL, NULL, libctx)) - return 0; + if (md != NULL && hmac->ctx != NULL) { + /* These are taken from SP 800-90 10.1 Table 2 */ + md_size = EVP_MD_get_size(md); diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt -index 8cb70247a0..8a0a2dea15 100644 +index 9756859c0e..9baecf6f31 100644 --- a/test/recipes/30-test_evp_data/evprand.txt +++ b/test/recipes/30-test_evp_data/evprand.txt @@ -7388,6 +7388,7 @@ Nonce.14 = 7239f92b63fb3dbe 
@@ -1109,6 +1111,85 @@ index 8cb70247a0..8a0a2dea15 100644 RAND = HMAC-DRBG Digest = SHA-512 PredictionResistance = 1 +@@ -79795,29 +79924,29 @@ Result = EVP_RAND_CTX_set_params + + Title = Test FIPS indicator callbacks for truncated digests + +-Availablein = fips +-FIPSversion = >=3.4.0 +-RAND = HASH-DRBG +-Digest = SHA2-224 +-PredictionResistance = 0 +-GenerateBits = 16 +-Entropy.0 = c3ef82ce241f02e4298b118ca4f1622515e32abbae6b7433 +-Nonce.0 = 15e32abbae6b7433 +-Output.0 = 5af6 +-Result = EVP_RAND_CTX_set_params +-Reason = digest not allowed +- +-Availablein = fips +-FIPSversion = >=3.4.0 +-RAND = HASH-DRBG +-Unapproved = 1 +-CtrlInit = digest-check:0 +-Digest = SHA2-224 +-PredictionResistance = 0 +-GenerateBits = 16 +-Entropy.0 = c3ef82ce241f02e4298b118ca4f1622515e32abbae6b7433 +-Nonce.0 = 15e32abbae6b7433 +-Output.0 = 5af6 ++#Availablein = fips ++#FIPSversion = >=3.4.0 ++#RAND = HASH-DRBG ++#Digest = SHA2-224 ++#PredictionResistance = 0 ++#GenerateBits = 16 ++#Entropy.0 = c3ef82ce241f02e4298b118ca4f1622515e32abbae6b7433 ++#Nonce.0 = 15e32abbae6b7433 ++#Output.0 = 5af6 ++#Result = EVP_RAND_CTX_set_params ++#Reason = digest not allowed ++ ++#Availablein = fips ++#FIPSversion = >=3.4.0 ++#RAND = HASH-DRBG ++#Unapproved = 1 ++#CtrlInit = digest-check:0 ++#Digest = SHA2-224 ++#PredictionResistance = 0 ++#GenerateBits = 16 ++#Entropy.0 = c3ef82ce241f02e4298b118ca4f1622515e32abbae6b7433 ++#Nonce.0 = 15e32abbae6b7433 ++#Output.0 = 5af6 + + Availablein = fips + FIPSversion = >=3.4.0 +@@ -79831,14 +79960,14 @@ Output.0 = ee9f + Result = EVP_RAND_CTX_set_params + Reason = digest not allowed + +-Availablein = fips +-FIPSversion = >=3.4.0 +-RAND = HMAC-DRBG +-Unapproved = 1 +-CtrlInit = digest-check:0 +-Digest = SHA2-384 +-PredictionResistance = 0 +-GenerateBits = 16 +-Entropy.0 = 32c1ca125223de8de569697f92a37c6732c1ca125223de8de569697f92a37c67 +-Nonce.0 = 15e32abbae6b7433 +-Output.0 = ee9f ++#Availablein = fips ++#FIPSversion = >=3.4.0 ++#RAND = HMAC-DRBG ++#Unapproved = 1 
++#CtrlInit = digest-check:0 ++#Digest = SHA2-384 ++#PredictionResistance = 0 ++#GenerateBits = 16 ++#Entropy.0 = 32c1ca125223de8de569697f92a37c6732c1ca125223de8de569697f92a37c67 ++#Nonce.0 = 15e32abbae6b7433 ++#Output.0 = ee9f -- -2.38.1 +2.49.0 diff --git a/0033-FIPS-embed-hmac.patch b/0033-FIPS-embed-hmac.patch deleted file mode 100644 index 0bf3b2d..0000000 --- a/0033-FIPS-embed-hmac.patch +++ /dev/null 
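Review bot: Commenting out the SHA2-224 HASH-DRBG and SHA2-384 HMAC-DRBG vectors leaves the FIPS build with no test at all that a truncated digest is rejected, even though the first of the removed blocks already expressed the behaviour this patch wants (`Result = EVP_RAND_CTX_set_params` / `Reason = digest not allowed`); if it now fails, that is presumably because the Red Hat check raises a different reason string, and the right fix is to update `Reason` rather than disable the case. The `Unapproved = 1` / `CtrlInit = digest-check:0` variants can go, since the patch turns the indicator into a hard error (inferred from the patch title; the provider hunks are outside this view), but delete them outright instead of leaving `#`-prefixed copies in evprand.txt. Keep the two negative cases live, e.g. `Reason = digest not allowed` replaced by whatever reason the `#ifdef FIPS_MODULE` block in drbg_hash.c/drbg_hmac.c actually raises.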
@@ -1,396 +0,0 @@ -From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Wed, 6 Mar 2024 19:17:15 +0100 -Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch - -Patch-name: 0033-FIPS-embed-hmac.patch -Patch-id: 33 -Patch-status: | - # # Embed HMAC into the fips.so - # Modify fips self test as per - # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a -From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce ---- - providers/fips/self_test.c | 204 ++++++++++++++++++++++++-- - test/fipsmodule.cnf | 2 + - test/recipes/00-prep_fipsmodule_cnf.t | 2 +- - test/recipes/01-test_fipsmodule_cnf.t | 2 +- - test/recipes/03-test_fipsinstall.t | 2 +- - test/recipes/30-test_defltfips.t | 2 +- - test/recipes/80-test_ssl_new.t | 2 +- - test/recipes/90-test_sslapi.t | 2 +- - 8 files changed, 200 insertions(+), 18 deletions(-) - create mode 100644 test/fipsmodule.cnf - -diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c -index b8dc9817b2..28f536d13c 100644 ---- a/providers/fips/self_test.c -+++ b/providers/fips/self_test.c -@@ -230,11 +230,133 @@ err: - return ok; - } - -+#define HMAC_LEN 32 -+/* -+ * The __attribute__ ensures we've created the .rodata1 section -+ * static ensures it's zero filled -+*/ -+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0}; -+ - /* - * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify - * the result matches the expected value. - * Return 1 if verified, or 0 if it fails. 
- */ -+ -+#ifndef __USE_GNU -+#define __USE_GNU -+#include -+#undef __USE_GNU -+#else -+#include -+#endif -+#include -+ -+static int verify_integrity_rodata(OSSL_CORE_BIO *bio, -+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb, -+ unsigned char *expected, size_t expected_len, -+ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, -+ const char *event_type) -+{ -+ int ret = 0, status; -+ unsigned char out[MAX_MD_SIZE]; -+ unsigned char buf[INTEGRITY_BUF_SIZE]; -+ size_t bytes_read = 0, out_len = 0; -+ EVP_MAC *mac = NULL; -+ EVP_MAC_CTX *ctx = NULL; -+ OSSL_PARAM params[2], *p = params; -+ Dl_info info; -+ void *extra_info = NULL; -+ struct link_map *lm = NULL; -+ unsigned long paddr; -+ unsigned long off = 0; -+ -+ if (expected_len != HMAC_LEN) -+ goto err; -+ -+ if (!integrity_self_test(ev, libctx)) -+ goto err; -+ -+ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); -+ -+ if (!dladdr1 ((const void *)fips_hmac_container, -+ &info, &extra_info, RTLD_DL_LINKMAP)) -+ goto err; -+ lm = extra_info; -+ paddr = (unsigned long)fips_hmac_container - lm->l_addr; -+ -+ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); -+ if (mac == NULL) -+ goto err; -+ ctx = EVP_MAC_CTX_new(mac); -+ if (ctx == NULL) -+ goto err; -+ -+ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); -+ *p = OSSL_PARAM_construct_end(); -+ -+ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) -+ goto err; -+ -+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { -+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); -+ if (status != 1) -+ break; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ } -+ -+ if (off < paddr) { -+ int delta = paddr - off; -+ status = read_ex_cb(bio, buf, delta, &bytes_read); -+ if (status != 1) -+ goto err; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ } -+ -+ /* read away the buffer */ -+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); -+ if (status != 1) -+ goto err; -+ 
-+ /* check that it is the expect bytes, no point in continuing otherwise */ -+ if (memcmp(expected, buf, HMAC_LEN) != 0) -+ goto err; -+ -+ /* replace in-file HMAC buffer with the original zeros */ -+ memset(buf, 0, HMAC_LEN); -+ if (!EVP_MAC_update(ctx, buf, HMAC_LEN)) -+ goto err; -+ off += HMAC_LEN; -+ -+ while (bytes_read > 0) { -+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); -+ if (status != 1) -+ break; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ } -+ -+ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) -+ goto err; -+ -+ OSSL_SELF_TEST_oncorrupt_byte(ev, out); -+ if (expected_len != out_len -+ || memcmp(expected, out, out_len) != 0) -+ goto err; -+ ret = 1; -+err: -+ OPENSSL_cleanse(out, MAX_MD_SIZE); -+ OSSL_SELF_TEST_onend(ev, ret); -+ EVP_MAC_CTX_free(ctx); -+ EVP_MAC_free(mac); -+ return ret; -+} -+ - static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, - unsigned char *expected, size_t expected_len, - OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, -@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex - EVP_MAC *mac = NULL; - EVP_MAC_CTX *ctx = NULL; - OSSL_PARAM params[2], *p = params; -+ Dl_info info; -+ void *extra_info = NULL; -+ struct link_map *lm = NULL; -+ unsigned long paddr; -+ unsigned long off = 0; - - if (!integrity_self_test(ev, libctx)) - goto err; - - OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); - -+ if (!dladdr1 ((const void *)fips_hmac_container, -+ &info, &extra_info, RTLD_DL_LINKMAP)) -+ goto err; -+ lm = extra_info; -+ paddr = (unsigned long)fips_hmac_container - lm->l_addr; -+ - mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); - if (mac == NULL) - goto err; -@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex - if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) - goto err; - -- while (1) { -- status = 
read_ex_cb(bio, buf, sizeof(buf), &bytes_read); -+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { -+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); - if (status != 1) - break; - if (!EVP_MAC_update(ctx, buf, bytes_read)) - goto err; -+ off += bytes_read; - } -+ -+ if (off + INTEGRITY_BUF_SIZE > paddr) { -+ int delta = paddr - off; -+ status = read_ex_cb(bio, buf, delta, &bytes_read); -+ if (status != 1) -+ goto err; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ -+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); -+ memset(buf, 0, HMAC_LEN); -+ if (status != 1) -+ goto err; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ } -+ -+ while (bytes_read > 0) { -+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); -+ if (status != 1) -+ break; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ } -+ - if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) - goto err; - -@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex - goto err; - ret = 1; - err: -+ OPENSSL_cleanse(out, sizeof(out)); - OSSL_SELF_TEST_onend(ev, ret); - EVP_MAC_CTX_free(ctx); - EVP_MAC_free(mac); -@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - return 0; - } - -- if (st == NULL -- || st->module_checksum_data == NULL) { -+ if (st == NULL) { - ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); - goto end; - } -@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - if (ev == NULL) - goto end; - -- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, -- &checksum_len); -+ if (st->module_checksum_data == NULL) { -+ module_checksum = fips_hmac_container; -+ checksum_len = sizeof(fips_hmac_container); -+ } else { -+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, -+ &checksum_len); -+ } -+ - if (module_checksum == NULL) { - 
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); - goto end; -@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); - - /* Always check the integrity of the fips module */ -- if (bio_module == NULL -- || !verify_integrity(bio_module, st->bio_read_ex_cb, -- module_checksum, checksum_len, st->libctx, -- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { -+ if (bio_module == NULL) { - ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); - goto end; - } -- -+ if (st->module_checksum_data == NULL) { -+ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb, -+ module_checksum, checksum_len, -+ st->libctx, ev, -+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); -+ goto end; -+ } -+ } else { -+ if (!verify_integrity(bio_module, st->bio_read_ex_cb, -+ module_checksum, checksum_len, -+ st->libctx, ev, -+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); -+ goto end; -+ } -+ } - /* This will be NULL during installation - so the self test KATS will run */ - if (st->indicator_data != NULL) { - /* -@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - end: - EVP_RAND_free(testrand); - OSSL_SELF_TEST_free(ev); -- OPENSSL_free(module_checksum); - OPENSSL_free(indicator_checksum); - - if (st != NULL) { -diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf -new file mode 100644 -index 0000000000..f05d0dedbe ---- /dev/null -+++ b/test/fipsmodule.cnf -@@ -0,0 +1,2 @@ -+[fips_sect] -+activate = 1 -diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t -index 4e3a6d85e8..e8255ba974 100644 ---- a/test/recipes/00-prep_fipsmodule_cnf.t -+++ b/test/recipes/00-prep_fipsmodule_cnf.t -@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - use platform; - --my $no_check = 
disabled("fips"); -+my $no_check = 1; - plan skip_all => "FIPS module config file only supported in a fips build" - if $no_check; - -diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t -index ce594817d5..00cebacff8 100644 ---- a/test/recipes/01-test_fipsmodule_cnf.t -+++ b/test/recipes/01-test_fipsmodule_cnf.t -@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - use platform; - --my $no_check = disabled("fips"); -+my $no_check = 1; - plan skip_all => "Test only supported in a fips build" - if $no_check; - plan tests => 1; -diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t -index b8b136d110..8242f4ebc3 100644 ---- a/test/recipes/03-test_fipsinstall.t -+++ b/test/recipes/03-test_fipsinstall.t -@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - use platform; - --plan skip_all => "Test only supported in a fips build" if disabled("fips"); -+plan skip_all => "Test only supported in a fips build" if 1; - - # Compatible options for pedantic FIPS compliance - my @pedantic_okay = -diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t -index c8f145405b..56a2ec5dc4 100644 ---- a/test/recipes/30-test_defltfips.t -+++ b/test/recipes/30-test_defltfips.t -@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); - plan skip_all => "Configuration loading is turned off" - if disabled("autoload-config"); - --my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); - - plan tests => - ($no_fips ? 
1 : 5); -diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t -index 195b85ea8c..92d48dbf7d 100644 ---- a/test/recipes/80-test_ssl_new.t -+++ b/test/recipes/80-test_ssl_new.t -@@ -27,7 +27,7 @@ setup("test_ssl_new"); - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - --my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); - - $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); - -diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t -index 18d9f3d204..71780d8caa 100644 ---- a/test/recipes/90-test_sslapi.t -+++ b/test/recipes/90-test_sslapi.t -@@ -17,7 +17,7 @@ setup("test_sslapi"); - setup("test_sslapi"); - } - --my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); - my $fipsmodcfg_filename = "fipsmodule.cnf"; - my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); - --- -2.44.0 - diff --git a/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch similarity index 56% rename from 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch rename to 0034-FIPS-PBKDF2-Set-minimum-password-length.patch index 3eb6755..a9e94ce 100644 --- a/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch +++ b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch @@ -1,7 +1,7 @@ -From 754862899058cfb5f2341c81f9e04dd2f7b37056 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 17 Nov 2022 18:37:17 +0100 -Subject: [PATCH] pbkdf2: Set minimum password length of 8 bytes +From 07db6d2bc68c37db2c8b00225c42e3c2e3c8b6cc Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 34/50] FIPS: PBKDF2: Set minimum password length MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
@@ -23,15 +23,17 @@ passwords combined with an implicit indicator (i.e., returning an error) would cause the module to fail ACVP testing. Signed-off-by: Clemens Lang + +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++- - 1 file changed, 26 insertions(+), 1 deletion(-) + providers/implementations/kdfs/pbkdf2.c | 39 +++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c -index 2a0ae63acc..aa0adce5e6 100644 +index b383314064..68f9355b7d 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c -@@ -35,6 +35,21 @@ +@@ -36,6 +36,21 @@ #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF #define KDF_PBKDF2_MIN_ITERATIONS 1000 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) 
@@ -53,8 +55,43 @@ index 2a0ae63acc..aa0adce5e6 100644 static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; -@@ -186,9 +201,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - ctx->lower_bound_checks = pkcs5 == 0; +@@ -179,8 +194,8 @@ static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, + } + + static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter, +- size_t keylen, int *error, +- const char **desc) ++ size_t keylen, size_t passlen, ++ int *error, const char **desc) + { + if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { + *error = PROV_R_KEY_SIZE_TOO_SMALL; +@@ -200,7 +215,12 @@ static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter, + *desc = "Iteration count"; + return 0; + } +- ++ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) { ++ *error = PROV_R_INVALID_INPUT_LENGTH; ++ if (desc != NULL) ++ *desc = "Password length"; ++ return 0; ++ } + return 1; + } + +@@ -211,7 +231,8 @@ static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, size_t keylen) + int error = 0; + const char *desc = NULL; + int approved = pbkdf2_lower_bound_check_passed(ctx->salt_len, ctx->iter, +- keylen, &error, &desc); ++ keylen, ctx->pass_len, ++ &error, &desc); + + if (!approved) { + if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, +@@ -283,9 +304,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + #endif } - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) 
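Review bot: The new branch in pbkdf2_lower_bound_check_passed makes an unset password (`passlen == 0`) indistinguishable from a too-short one, and fips_lower_bound_check_passed now feeds it `ctx->pass_len`; if that helper can run before OSSL_KDF_PARAM_PASSWORD has been supplied (its call site is outside this hunk), the unapproved indicator fires with "Password length" for a context that is merely incomplete. A one-line comment above the check would make the intent explicit: `/* RH policy: passwords shorter than KDF_PBKDF2_MIN_PASSWORD_LEN are not approved; an unset password fails too */`. Note also that the reason code is now PROV_R_INVALID_INPUT_LENGTH where the previous revision of this patch raised PROV_R_INVALID_KEY_LENGTH (see the removed lines in the next hunk), so anything matching on the old reason will change behaviour.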
@@ -70,17 +107,15 @@ index 2a0ae63acc..aa0adce5e6 100644 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { if (ctx->lower_bound_checks != 0 -@@ -297,6 +318,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen, - } - +@@ -406,7 +433,7 @@ static int pbkdf2_derive(KDF_PBKDF2 *ctx, const char *pass, size_t passlen, if (lower_bound_checks) { -+ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } - if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { - ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); - return 0; + int error = 0; + int passed = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen, +- &error, NULL); ++ passlen, &error, NULL); + + if (!passed) { + ERR_raise(ERR_LIB_PROV, error); -- -2.38.1 +2.49.0 diff --git a/0035-FIPS-DH-PCT.patch b/0035-FIPS-DH-PCT.patch new file mode 100644 index 0000000..f4ebd31 --- /dev/null +++ b/0035-FIPS-DH-PCT.patch 
@@ -0,0 +1,73 @@
+From 4201d6a3b23e14885f2703c705166c68db6351ab Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Mon, 24 Mar 2025 10:49:00 -0400
+Subject: [PATCH 35/50] FIPS: DH: PCT
+
+Signed-off-by: Simo Sorce
+---
+ crypto/dh/dh_key.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 7132b9b68e..189bfc3e8b 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *z = NULL, *pminus1;
+ int ret = -1;
++#ifdef FIPS_MODULE
++ int validate = 0;
++#endif
+
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+@@ -60,6 +63,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ return 0;
+ }
+
++#ifdef FIPS_MODULE
++ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
++ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
++ return 0;
++ }
++#endif
++
+ ctx = BN_CTX_new_ex(dh->libctx);
+ if (ctx == NULL)
+ goto err;
+@@ -271,6 +281,9 @@ static int generate_key(DH *dh)
+ #endif
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
++#ifdef FIPS_MODULE
++ int validate = 0;
++#endif
+
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+@@ -369,8 +382,21 @@ static int generate_key(DH *dh)
+ if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
+ goto err;
+
++#ifdef FIPS_MODULE
++ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
++ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
++ goto err;
++ }
++#endif
++
+ dh->pub_key = pub_key;
+ dh->priv_key = priv_key;
++#ifdef FIPS_MODULE
++ if (ossl_dh_check_pairwise(dh) <= 0) {
++ abort();
++ }
++#endif
++
+ dh->dirty_cnt++;
+ ok = 1;
+ err:
+-- 
+2.49.0
+
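Review bot: In both `DH_check_pub_key` calls added to ossl_dh_compute_key and generate_key the `validate` output is written but never read; only the function's return value is tested, and DH_check_pub_key(3) documents that return as "the check was performed", with the individual failures reported through the `int *ret` argument, so whether a bad public key actually trips the `<= 0` test depends on ffc-validation internals rather than the documented contract. Make the guard `if (DH_check_pub_key(dh, pub_key, &validate) <= 0 || validate != 0) {` in both places. Separately, `abort()` on a failed `ossl_dh_check_pairwise` terminates the whole hosting process, whereas the rest of this file reports failure with `ERR_raise` + `goto err`; if a hard abort is the intended FIPS 140-3 error-state behaviour, the patch description should say so, and if not, note that `dh->pub_key`/`dh->priv_key` have already been assigned at that point, so a `goto err` path must also reset them to NULL so the `err:` cleanup frees the rejected pair. The `err:` label's body is outside this hunk.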
diff --git a/0035-speed-skip-unavailable-dgst.patch b/0035-speed-skip-unavailable-dgst.patch deleted file mode 100644 index 9256f7f..0000000 --- a/0035-speed-skip-unavailable-dgst.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c ---- openssl-3.0.0/apps/speed.c.beldmit 2021-12-21 15:14:04.210431584 +0100 -+++ openssl-3.0.0/apps/speed.c 2021-12-21 15:46:05.554085125 +0100 -@@ -547,6 +547,9 @@ static int EVP_MAC_loop(int algindex, vo - for (count = 0; COND(c[algindex][testnum]); count++) { - size_t outl; - -+ if (mctx == NULL) -+ return -1; -+ - if (!EVP_MAC_init(mctx, NULL, 0, NULL) - || !EVP_MAC_update(mctx, buf, lengths[testnum]) - || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac))) diff --git a/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch similarity index 87% rename from 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch rename to 0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch index 65bae6f..c86fcaa 100644 --- a/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch +++ b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch @@ -1,7 +1,7 @@ -From 8a2d1b22ede5eeca4d104bb027b84f3ecfc69549 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 11 May 2023 12:51:59 +0200 -Subject: [PATCH] DH: Disable FIPS 186-4 type parameters in FIPS mode +From ea3020727f873e14b4ee4c7f94dfa038d4777319 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 36/50] FIPS: DH: Disable FIPS 186-4 type parameters For DH parameter and key pair generation/verification, the DSA procedures specified in FIPS 186-4 are used. With the release of FIPS @@ -20,6 +20,10 @@ fail due to this change. Related: rhbz#2169757, rhbz#2169757 
Signed-off-by: Clemens Lang + +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce + +NOTE: Dropped changes in test/recipes/80-test_cms.t --- crypto/dh/dh_backend.c | 10 ++++ crypto/dh/dh_check.c | 12 ++-- @@ -31,15 +35,14 @@ Signed-off-by: Clemens Lang test/evp_libctx_test.c | 2 +- test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++ test/helpers/predefined_dhparams.h | 1 + - test/recipes/80-test_cms.t | 4 +- test/recipes/80-test_ssl_old.t | 3 + - 12 files changed, 118 insertions(+), 20 deletions(-) + 11 files changed, 116 insertions(+), 18 deletions(-) diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c -index 726843fd30..24c65ca84f 100644 +index 1aaa88daca..aa3a491799 100644 --- a/crypto/dh/dh_backend.c +++ b/crypto/dh/dh_backend.c -@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) +@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) if (!dh_ffc_params_fromdata(dh, params)) return 0; @@ -57,7 +60,7 @@ index 726843fd30..24c65ca84f 100644 OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN); if (param_priv_len != NULL diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 0b391910d6..75581ca347 100644 +index ae23f61839..6e30a9b735 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c @@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret) @@ -82,10 +85,10 @@ index 0b391910d6..75581ca347 100644 #else int DH_check_params(const DH *dh, int *ret) diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c -index aec6b85316..9c55121067 100644 +index b73bfb7f3b..275ce2c1af 100644 --- a/crypto/dh/dh_gen.c +++ b/crypto/dh/dh_gen.c -@@ -38,18 +38,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, +@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, BN_GENCB *cb) { 
@@ -115,10 +118,10 @@ index aec6b85316..9c55121067 100644 dh->dirty_cnt++; return ret; diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 4e9705beef..14c0b0b6b3 100644 +index 189bfc3e8b..023d628502 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c -@@ -308,8 +308,12 @@ static int generate_key(DH *dh) +@@ -336,8 +336,12 @@ static int generate_key(DH *dh) goto err; } else { #ifdef FIPS_MODULE @@ -133,7 +136,7 @@ index 4e9705beef..14c0b0b6b3 100644 #else if (dh->params.q == NULL) { /* secret exponent length, must satisfy 2^(l-1) <= p */ -@@ -330,9 +334,7 @@ static int generate_key(DH *dh) +@@ -358,9 +362,7 @@ static int generate_key(DH *dh) if (!BN_clear_bit(priv_key, 0)) goto err; } @@ -144,7 +147,7 @@ index 4e9705beef..14c0b0b6b3 100644 /* Do a partial check for invalid p, q, g */ if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, FFC_PARAM_TYPE_DH, NULL)) -@@ -348,6 +350,7 @@ static int generate_key(DH *dh) +@@ -376,6 +378,7 @@ static int generate_key(DH *dh) priv_key)) goto err; } @@ -153,10 +156,10 @@ index 4e9705beef..14c0b0b6b3 100644 } diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c -index f201eede0d..30f90d15be 100644 +index c11ada9826..e279e9d60d 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c -@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, +@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, prime_len, subprime_len, &res, pcb); else @@ -178,10 +181,10 @@ index f201eede0d..30f90d15be 100644 DH_free(ret); return NULL; diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c -index 9a7dde7c66..b3e7bca5ac 100644 +index c2ee859355..51c21e436f 100644 --- a/providers/implementations/keymgmt/dh_kmgmt.c 
+++ b/providers/implementations/keymgmt/dh_kmgmt.c -@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype) +@@ -420,6 +420,11 @@ static int dh_validate(const void *keydata, int selection, int checktype) if ((selection & DH_POSSIBLE_SELECTIONS) == 0) return 1; /* nothing to validate */ @@ -194,10 +197,10 @@ index 9a7dde7c66..b3e7bca5ac 100644 /* * Both of these functions check parameters. DH_check_params_ex() diff --git a/test/endecode_test.c b/test/endecode_test.c -index e3f7b81f69..1b63daaed5 100644 +index 85c84f6592..d2ff9e6eb6 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c -@@ -80,10 +80,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) +@@ -85,10 +85,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) * for testing only. Use a minimum key size of 2048 for security purposes. */ if (strcmp(type, "DH") == 0) @@ -211,10 +214,10 @@ index e3f7b81f69..1b63daaed5 100644 /* diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c -index 2448c35a14..92d484fb12 100644 +index 039fca9bb0..2838f343bd 100644 --- a/test/evp_libctx_test.c +++ b/test/evp_libctx_test.c -@@ -188,7 +188,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn) +@@ -222,7 +222,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn) if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) 
@@ -308,28 +311,11 @@ index f0e8709062..2ff6d6e721 100644 EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct); EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx); -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index cabbe3ecdf..efe56c5665 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -627,10 +627,10 @@ my @smime_cms_param_tests = ( - ], - - [ "enveloped content test streaming S/MIME format, X9.42 DH", -- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, -+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, - "-stream", "-out", "{output}.cms", - "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], -- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), -+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), - "-in", "{output}.cms", "-out", "{output}.txt" ], - \&final_compare - ] diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t -index 8c52b637fc..31ed54621b 100644 +index 6332aaec4b..4d8c900c00 100755 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t -@@ -390,6 +390,9 @@ sub testssl { +@@ -458,6 +458,9 @@ sub testssl { skip "skipping dhe1024dsa test", 1 if ($no_dh); @@ -340,5 +326,5 @@ index 8c52b637fc..31ed54621b 100644 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); } -- -2.40.1 +2.49.0 diff --git a/0114-FIPS-enforce-EMS-support.patch b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch similarity index 54% rename from 0114-FIPS-enforce-EMS-support.patch rename to 0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch index fd1e90e..2415b7b 100644 --- a/0114-FIPS-enforce-EMS-support.patch +++ b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch 
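Review bot: Dropping the 80-test_cms.t change removes the only test adjustment this patch made for the "X9.42 DH" S/MIME case, so under a FIPS-provider test run that case now stays on `@prov` and exercises exactly the DH parameter type the patch disables in FIPS mode. The description's `NOTE: Dropped changes in test/recipes/80-test_cms.t` records the fact but not the reason; please state whether upstream 3.5 already runs that case with the default provider or whether it is now expected to fail/skip, e.g. `NOTE: Dropped the 80-test_cms.t hunk: upstream 3.5 already runs the X9.42 DH case with @defaultprov` (verify before committing to that wording). The retained 80-test_ssl_old.t skip guard is inside `sub testssl`, whose body starts outside this hunk.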
@@ -1,32 +1,34 @@ -From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 16:40:56 +0200 -Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch +From 39afccf3c978a35d1a2d3ebd072d3d1a7a0d0e09 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 37/50] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE + +NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code +change the option to enforce it seem to be available only in FIPS build Patch-name: 0114-FIPS-enforce-EMS-support.patch Patch-id: 114 Patch-status: | - # We believe that some changes present in CentOS are not necessary - # because ustream has a check for FIPS version + # # We believe that some changes present in CentOS are not necessary + # # because ustream has a check for FIPS version +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - doc/man3/SSL_CONF_cmd.pod | 3 +++ - doc/man5/fips_config.pod | 13 +++++++++++ - include/openssl/fips_names.h | 8 +++++++ - include/openssl/ssl.h.in | 1 + - providers/fips/fipsprov.c | 2 +- - providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++ - ssl/ssl_conf.c | 1 + - ssl/statem/extensions_srvr.c | 8 ++++++- - ssl/t1_enc.c | 11 ++++++++-- - .../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++ - test/sslapitest.c | 2 +- - 11 files changed, 76 insertions(+), 5 deletions(-) + doc/man3/SSL_CONF_cmd.pod | 3 +++ + doc/man5/fips_config.pod | 13 +++++++++++++ + include/openssl/ssl.h.in | 1 + + providers/fips/include/fips_indicator_params.inc | 2 +- + ssl/ssl_conf.c | 1 + + ssl/statem/extensions_srvr.c | 8 +++++++- + ssl/t1_enc.c | 11 +++++++++-- + test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 10 ++++++++++ + test/sslapitest.c | 2 +- + 9 files changed, 46 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod -index ae6ca43282..b83c04a308 100644 +index e2c1e69847..009b683b27 100644 
--- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod -@@ -524,6 +524,9 @@ B: use extended master secret extension, enabled by +@@ -621,6 +621,9 @@ B: use extended master secret extension, enabled by default. Inverse of B: that is, B<-ExtendedMasterSecret> is the same as setting B. @@ -37,12 +39,12 @@ index ae6ca43282..b83c04a308 100644 default. Inverse of B: that is, B<-CANames> is the same as setting B. diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod -index 1c15e32a5c..f2cedaf88d 100644 +index 15748c5756..34cbfbb2ad 100644 --- a/doc/man5/fips_config.pod +++ b/doc/man5/fips_config.pod -@@ -15,6 +15,19 @@ for more information. - - This functionality was added in OpenSSL 3.0. +@@ -11,6 +11,19 @@ automatically loaded when the system is booted in FIPS mode, or when the + environment variable B is set. See the documentation + for more information. +Red Hat Enterprise Linux uses a supplementary config for FIPS module located in +OpenSSL configuration directory and managed by crypto policies. If present, it @@ -59,31 +61,12 @@ index 1c15e32a5c..f2cedaf88d 100644 + =head1 COPYRIGHT - Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. -diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h -index 5c77f6d691..8cdd5a6bf7 100644 ---- a/include/openssl/fips_names.h -+++ b/include/openssl/fips_names.h -@@ -70,6 +70,14 @@ extern "C" { - */ - # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" - -+/* -+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. -+ * This is disabled by default. -+ * -+ * Type: OSSL_PARAM_UTF8_STRING -+ */ -+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" -+ - # ifdef __cplusplus - } - # endif + Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in -index 0b6de603e2..26a69ca282 100644 +index 0b2232b01c..99b2ad4eb3 100644 
--- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in -@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); +@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); * interoperability with CryptoPro CSP 3.x */ # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) 
@@ -91,84 +74,42 @@ index 0b6de603e2..26a69ca282 100644 /* * Disable RFC8879 certificate compression * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates, -diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index 5ff9872bd8..eb9653a9df 100644 ---- a/providers/fips/fipsprov.c -+++ b/providers/fips/fipsprov.c -@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) - if (fgbl == NULL) - return NULL; - init_fips_option(&fgbl->fips_security_checks, 1); -- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */ -+ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */ - init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); - return fgbl; - } -diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c -index 25a6c79a2e..79bc7a9719 100644 ---- a/providers/implementations/kdfs/tls1_prf.c -+++ b/providers/implementations/kdfs/tls1_prf.c -@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx) - static void kdf_tls1_prf_free(void *vctx) - { - TLS1_PRF *ctx = (TLS1_PRF *)vctx; -+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); - - if (ctx != NULL) { - kdf_tls1_prf_reset(ctx); -@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, - } - } - -+ /* -+ * The seed buffer is prepended with a label. -+ * If EMS mode is enforced then the label "master secret" is not allowed, -+ * We do the check this way since the PRF is used for other purposes, as well -+ * as "extended master secret". 
-+ */ -+#ifdef FIPS_MODULE -+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE -+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, -+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) -+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ if (ossl_tls1_prf_ems_check_enabled(libctx)) { -+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE -+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, -+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); -+ return 0; -+ } -+ } -+ - return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, - ctx->sec, ctx->seclen, - ctx->seed, ctx->seedlen, +diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc +index c1b029de86..47d1cf2d01 100644 +--- a/providers/fips/include/fips_indicator_params.inc ++++ b/providers/fips/include/fips_indicator_params.inc +@@ -1,5 +1,5 @@ + OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1) +-OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0) ++OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 1) + OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1) + OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0) + OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0) diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c -index 5146cedb96..086db98c33 100644 +index 946d20be52..b52c1675fd 100644 --- a/ssl/ssl_conf.c 
+++ b/ssl/ssl_conf.c -@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) +@@ -394,6 +394,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL("ClientRenegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION), SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), + SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS), SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), - SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), + SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX), diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c -index 00b1ee531e..22cdabb308 100644 +index 1a09913ad6..936be81819 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c -@@ -11,6 +11,7 @@ - #include "../ssl_local.h" +@@ -12,6 +12,7 @@ #include "statem_local.h" #include "internal/cryptlib.h" + #include "internal/ssl_unwrap.h" +#include #define COOKIE_STATE_FORMAT_VERSION 1 -@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, +@@ -1886,8 +1887,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -184,10 +125,10 @@ index 00b1ee531e..22cdabb308 100644 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) || !WPACKET_put_bytes_u16(pkt, 0)) { diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index 91238e6457..e8ad8ecd9e 100644 +index 474ea7bf5b..e0e595e989 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c -@@ -20,6 +20,7 @@ +@@ -21,6 +21,7 @@ #include #include #include @@ -195,7 +136,7 @@ index 91238e6457..e8ad8ecd9e 100644 /* seed1 through seed5 are concatenated */ static int tls1_PRF(SSL_CONNECTION *s, -@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, +@@ -78,8 +79,14 @@ static int tls1_PRF(SSL_CONNECTION *s, } err: 
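Review bot: The one-character flip to `OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 1)` in `fips_indicator_params.inc` is the whole functional change of this hunk, and nothing next to it says why this build diverges from the upstream default of 0, so a future rebase can silently revert it. A line above it such as `/* Red Hat: EMS enforcement in the TLS 1.2 PRF is on by default; per-context opt-out is SSL_OP_RH_PERMIT_NOEMS_FIPS */` would pin the intent. The compiled-in value is presumably still overridable by a `tls1-prf-ems-check` entry in the FIPS module config, as for the other parameters in that file, so a test asserting the enabled-by-default behaviour is worth adding alongside. The `tls1_PRF` and `tls_construct_stoc_ems` hunks that implement the enforcement and the `RHNoEnforceEMSinFIPS` opt-out are only partially visible here and were not reviewed.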
@@ -213,7 +154,7 @@ index 91238e6457..e8ad8ecd9e 100644 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); EVP_KDF_CTX_free(kctx); diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt -index 44040ff66b..deb6bf3fcb 100644 +index 50944328cb..edb2e81273 100644 --- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt @@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c @@ -234,10 +175,10 @@ index 44040ff66b..deb6bf3fcb 100644 KDF = TLS1-PRF Ctrl.digest = digest:SHA256 diff --git a/test/sslapitest.c b/test/sslapitest.c -index 169e3c7466..e67b5bb44c 100644 +index 39118a9162..9522478ad2 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c -@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void) +@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void) STACK_OF(X509) *server_chain; SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; @@ -247,5 +188,5 @@ index 169e3c7466..e67b5bb44c 100644 if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, -- -2.41.0 +2.49.0 diff --git a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch new file mode 100644 index 0000000..3465171 --- /dev/null +++ b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch 
@@ -0,0 +1,61 @@ +From e1d57286ca07c3d89018d3c4368bed420f5c454a Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 13 Feb 2025 18:08:34 -0500 +Subject: [PATCH 38/50] FIPS: CMS: Set default padding to OAEP + +From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe +--- + apps/cms.c | 1 + + crypto/cms/cms_env.c | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/apps/cms.c b/apps/cms.c +index 919d306ff6..b4950df759 100644 +--- a/apps/cms.c ++++ b/apps/cms.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + static int save_certs(char *signerfile, STACK_OF(X509) *signers); + static int cms_cb(int ok, X509_STORE_CTX *ctx); +diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c +index 375239c78d..e09ad03ece 100644 +--- a/crypto/cms/cms_env.c ++++ b/crypto/cms/cms_env.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include "internal/sizes.h" + #include "crypto/asn1.h" + #include "crypto/evp.h" +@@ -375,6 +376,10 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip, + return 0; + if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0) + return 0; ++ if (FIPS_mode()) { ++ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0) ++ return 0; ++ } + } else if (!ossl_cms_env_asn1_ctrl(ri, 0)) + return 0; + return 1; +@@ -540,6 +545,11 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms, + + if (EVP_PKEY_encrypt_init(pctx) <= 0) + goto err; ++ ++ if (FIPS_mode()) { ++ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0) ++ goto err; ++ } + } + + if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0) +-- +2.49.0 + diff --git a/0039-FIPS-PKCS12-PBMAC1-defaults.patch b/0039-FIPS-PKCS12-PBMAC1-defaults.patch new file mode 100644 index 0000000..fa3e3b4 --- /dev/null +++ b/0039-FIPS-PKCS12-PBMAC1-defaults.patch 
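Review bot: Both new `FIPS_mode()` checks in `cms_env.c` use an API deprecated since OpenSSL 3.0 and consult only the default library context, while the sibling patch 0039 makes the same decision with `EVP_default_properties_is_fips_enabled(NULL)`; the two should agree on one mechanism. In `cms_RecipientInfo_ktri_init` (its signature is outside the hunk) the `CMS_CTX` argument carries the library context, so `if (EVP_default_properties_is_fips_enabled(ossl_cms_ctx_get0_libctx(ctx)))` would honour a non-default context — assuming that accessor exists in this tree; failing that, `NULL` is still preferable to `FIPS_mode()`. The added `#include` lines lost their header names in this rendering, so which header is meant to provide the check cannot be verified here. Forcing `rsa_padding_mode` to `oaep` leaves the OAEP/MGF1 digest at its default; if that default matters for the FIPS target, set `rsa_oaep_md` in the same two places.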
@@ -0,0 +1,35 @@ +From db948b9f36c27a72595eb81633d787e6c95977b4 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 13 Feb 2025 18:16:29 -0500 +Subject: [PATCH 39/50] FIPS: PKCS12: PBMAC1 defaults + +From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708 +--- + apps/pkcs12.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/apps/pkcs12.c b/apps/pkcs12.c +index 9964faf21a..59439a8cc0 100644 +--- a/apps/pkcs12.c ++++ b/apps/pkcs12.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -709,6 +710,9 @@ int pkcs12_main(int argc, char **argv) + } + + if (maciter != -1) { ++ if (EVP_default_properties_is_fips_enabled(NULL)) ++ pbmac1_pbkdf2 = 1; ++ + if (pbmac1_pbkdf2 == 1) { + if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL, + macsaltlen, maciter, +-- +2.49.0 + diff --git a/0040-FIPS-Fix-encoder-decoder-negative-test.patch b/0040-FIPS-Fix-encoder-decoder-negative-test.patch new file mode 100644 index 0000000..d94c9ec --- /dev/null +++ b/0040-FIPS-Fix-encoder-decoder-negative-test.patch 
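Review bot: The added `if (EVP_default_properties_is_fips_enabled(NULL)) pbmac1_pbkdf2 = 1;` in `pkcs12_main` silently overrides whatever the user chose on the command line and checks the default library context rather than the one the app was configured with; in `apps/` that is normally `app_get0_libctx()`. Consider `if (EVP_default_properties_is_fips_enabled(app_get0_libctx()))` plus a one-line comment such as `/* Red Hat: with the FIPS provider active, always MAC with PBMAC1/PBKDF2 */` so the override is visible to the next reader. The enclosing `pkcs12_main` body extends well beyond this hunk, so whether the legacy MAC path stays reachable elsewhere in it was not checked.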
@@ -0,0 +1,35 @@ +From c49eb02a6c08ab8398688e609a6c1681b86c24e0 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Wed, 5 Mar 2025 13:22:03 -0500 +Subject: [PATCH 40/50] FIPS: Fix encoder/decoder negative test + +Signed-off-by: Simo Sorce +--- + test/recipes/04-test_encoder_decoder.t | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + mode change 100644 => 100755 test/recipes/04-test_encoder_decoder.t + +diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t +old mode 100644 +new mode 100755 +index 2acc980e90..660d4e1115 +--- a/test/recipes/04-test_encoder_decoder.t ++++ b/test/recipes/04-test_encoder_decoder.t +@@ -75,10 +75,10 @@ SKIP: { + } + my $no_des = disabled("des"); + SKIP: { +- skip "MD5 disabled", 2 if disabled("md5"); +- ok(run(app([ 'openssl', 'genrsa', '-aes128', '-out', 'epki.pem', +- '-traditional', '-passout', 'pass:pass' ])), +- "rsa encrypted using a non fips algorithm MD5 in pbe"); ++ skip "DES disabled", 2 if disabled("des3"); ++ ok(run(app([ 'openssl', 'genrsa', '-des3', '-out', 'epki.pem', ++ '-traditional', '-passout', 'pass:pass'])), ++ "rsa encrypted using a non fips algorithm DES3 in pbe"); + + my $conf2 = srctop_file("test", "default-and-fips.cnf"); + ok(run(test(['decoder_propq_test', '-config', $conf2, +-- +2.49.0 + diff --git a/0041-FIPS-EC-DH-DSA-PCTs.patch b/0041-FIPS-EC-DH-DSA-PCTs.patch new file mode 100644 index 0000000..25ea8c1 --- /dev/null +++ b/0041-FIPS-EC-DH-DSA-PCTs.patch 
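Review bot: `skip "DES disabled", 2 if disabled("des3");` queries a feature name that, as far as I know, the build system never defines — the configure option is `no-des`, which the line just above already captures as `my $no_des = disabled("des");` and then never uses — so in a no-des build the skip never fires and the `-des3` genrsa call fails instead. Use the existing variable: `skip "DES disabled", 2 if $no_des;`. The patch also flips the recipe's mode from 100644 to 100755, and patch 0043 does the same for `test/recipes/30-test_evp.t`; unless that is deliberate, both mode changes are worth dropping.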
@@ -0,0 +1,180 @@ +From ad8a02985f28b1ead7169ca20dca010113f52250 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 24 Mar 2025 10:50:06 -0400 +Subject: [PATCH 41/50] FIPS: EC: DH/DSA PCTs + +Signed-off-by: Simo Sorce +--- + .../implementations/exchange/ecdh_exch.c | 19 ++++++++++ + providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++++- + .../implementations/signature/ecdsa_sig.c | 37 +++++++++++++++++-- + 3 files changed, 75 insertions(+), 5 deletions(-) + +diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c +index 58fbc7bc09..98d4354f3e 100644 +--- a/providers/implementations/exchange/ecdh_exch.c ++++ b/providers/implementations/exchange/ecdh_exch.c +@@ -560,6 +560,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, + #endif + + ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); ++#ifdef FIPS_MODULE ++ { ++ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk)); ++ int check = 0; ++ ++ if (bn_ctx == NULL) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ++ goto end; ++ } ++ ++ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx); ++ BN_CTX_free(bn_ctx); ++ ++ if (check <= 0) { ++ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY); ++ goto end; ++ } ++ } ++#endif + + retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); + +diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c +index 9421aabb14..77531c4b59 100644 +--- a/providers/implementations/keymgmt/ec_kmgmt.c ++++ b/providers/implementations/keymgmt/ec_kmgmt.c +@@ -993,9 +993,18 @@ struct ec_gen_ctx { + EC_GROUP *gen_group; + unsigned char *dhkem_ikm; + size_t dhkem_ikmlen; ++#ifdef FIPS_MODULE ++ void *ecdsa_sig_ctx; ++#endif + OSSL_FIPS_IND_DECLARE + }; + ++#ifdef FIPS_MODULE ++void *ecdsa_newctx(void *provctx, const char *propq); ++void ecdsa_freectx(void *vctx); ++int do_ec_pct(void *, const char *, void *); ++#endif ++ + static void *ec_gen_init(void 
*provctx, int selection, + const OSSL_PARAM params[]) + { +@@ -1015,6 +1024,10 @@ static void *ec_gen_init(void *provctx, int selection, + gctx = NULL; + } + } ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL); ++#endif + return gctx; + } + +@@ -1326,6 +1339,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + + if (gctx->ecdh_mode != -1) + ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 ++ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1) ++ abort(); ++#endif + + if (gctx->group_check != NULL) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, +@@ -1396,7 +1415,10 @@ static void ec_gen_cleanup(void *genctx) + + if (gctx == NULL) + return; +- ++#ifdef FIPS_MODULE ++ ecdsa_freectx(gctx->ecdsa_sig_ctx); ++ gctx->ecdsa_sig_ctx = NULL; ++#endif + OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen); + EC_GROUP_free(gctx->gen_group); + BN_free(gctx->p); +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index 096d944896..34fb3aa56e 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ b/providers/implementations/signature/ecdsa_sig.c +@@ -33,7 +33,7 @@ + #include "prov/der_ec.h" + #include "crypto/ec.h" + +-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx; ++OSSL_FUNC_signature_newctx_fn ecdsa_newctx; + static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; + static OSSL_FUNC_signature_sign_fn ecdsa_sign; +@@ -48,7 +48,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; + static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn 
ecdsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx; ++OSSL_FUNC_signature_freectx_fn ecdsa_freectx; + static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx; + static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types; + static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; +@@ -139,7 +139,7 @@ typedef struct { + OSSL_FIPS_IND_DECLARE + } PROV_ECDSA_CTX; + +-static void *ecdsa_newctx(void *provctx, const char *propq) ++void *ecdsa_newctx(void *provctx, const char *propq) + { + PROV_ECDSA_CTX *ctx; + +@@ -613,7 +613,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, + return ok; + } + +-static void ecdsa_freectx(void *vctx) ++void ecdsa_freectx(void *vctx) + { + PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; + +@@ -862,6 +862,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) + return EVP_MD_settable_ctx_params(ctx->md); + } + ++#ifdef FIPS_MODULE ++int do_ec_pct(void *vctx, const char *mdname, void *ec) ++{ ++ static const unsigned char data[32]; ++ unsigned char sigbuf[256]; ++ size_t siglen = sizeof(sigbuf); ++ ++ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ return 0; ++ ++ return 1; ++} ++#endif ++ + const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, +-- +2.49.0 + diff --git a/0042-FIPS-EC-disable-weak-curves.patch b/0042-FIPS-EC-disable-weak-curves.patch new file mode 100644 index 0000000..7c0a5a2 
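Review bot: `ec_gen_init` stores the result of `ecdsa_newctx(provctx, NULL)` without checking it, and `ec_gen` later hands `gctx->ecdsa_sig_ctx` to `do_ec_pct`, whose first call `ecdsa_digest_sign_init(vctx, ...)` dereferences it, so an allocation failure at init becomes a crash (or the PCT `abort()`) rather than a failed keygen; the existing failure paths in `ec_gen_init` also now reach `ec_gen_cleanup` with `ecdsa_sig_ctx` still NULL, which is only safe if `ecdsa_freectx` tolerates NULL (its body is outside the hunk). The rewrite below fails the init cleanly and guards the cleanup; it assumes `ec_gen_cleanup` is visible before `ec_gen_init` through the function-typedef prototypes at the top of `ec_kmgmt.c`. Separately, `ecdsa_newctx`, `ecdsa_freectx` and `do_ec_pct` become unprefixed externals with hand-written prototypes in `ec_kmgmt.c`; an `ossl_`-prefixed name declared in a shared internal header would keep them out of the exported namespace. The `abort()` in `ec_gen` also deserves a comment, e.g. `/* PCT failure: enter the FIPS error state rather than return a key we could not verify */`, or a reader will take it for a debugging leftover.
```c
/* … ec_gen_init: replaces the added FIPS_MODULE block … */
#ifdef FIPS_MODULE
    if (gctx != NULL) {
        gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
        if (gctx->ecdsa_sig_ctx == NULL) {
            ec_gen_cleanup(gctx);
            gctx = NULL;
        }
    }
#endif
    return gctx;

/* … ec_gen_cleanup: replaces the added FIPS_MODULE block … */
#ifdef FIPS_MODULE
    /* NULL on the early-failure paths of ec_gen_init */
    if (gctx->ecdsa_sig_ctx != NULL)
        ecdsa_freectx(gctx->ecdsa_sig_ctx);
    gctx->ecdsa_sig_ctx = NULL;
#endif
```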
--- /dev/null +++ b/0042-FIPS-EC-disable-weak-curves.patch @@ -0,0 +1,31 @@ +From 998f0c96eb674c2647bfead8b925f3599be3bd0a Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 7 Mar 2025 18:06:36 -0500 +Subject: [PATCH 42/50] FIPS: EC: disable weak curves + +Signed-off-by: Simo Sorce +--- + apps/ecparam.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/apps/ecparam.c b/apps/ecparam.c +index f0879dfb11..a6042e7d2a 100644 +--- a/apps/ecparam.c ++++ b/apps/ecparam.c +@@ -77,6 +77,13 @@ static int list_builtin_curves(BIO *out) + const char *comment = curves[n].comment; + const char *sname = OBJ_nid2sn(curves[n].nid); + ++ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) ++ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) ++ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) ++ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) ++ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) ++ continue; ++ + if (comment == NULL) + comment = "CURVE DESCRIPTION NOT AVAILABLE"; + if (sname == NULL) +-- +2.49.0 + diff --git a/0043-FIPS-NO-DSA-Support.patch b/0043-FIPS-NO-DSA-Support.patch new file mode 100644 index 0000000..e3471ec --- /dev/null +++ b/0043-FIPS-NO-DSA-Support.patch 
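Review bot: The nine-term condition added to `list_builtin_curves` only hides these curves from `-list_curves`; nothing in this hunk stops them being selected by name, so the subject "disable weak curves" overstates the change unless enforcement lives in the provider (not visible here), and a comment should say that this is a listing filter. As written the OR chain is hard to audit, `EVP_default_properties_is_fips_enabled(NULL)` is re-evaluated for every curve and ignores the app's library context (`app_get0_libctx()` is the app-side source), and the set appears to be "curves outside the certification scope" rather than curves with a known weakness, which the comment should also make clear. A `switch`-based helper plus a flag hoisted above the loop (the loop head is outside the hunk) reads better.
```c
/* Curves omitted from -list_curves when the FIPS provider is active. */
static int curve_hidden_in_fips(int nid)
{
    switch (nid) {
    case NID_secp256k1:
    case NID_brainpoolP256r1:
    case NID_brainpoolP256t1:
    case NID_brainpoolP320r1:
    case NID_brainpoolP320t1:
    case NID_brainpoolP384r1:
    case NID_brainpoolP384t1:
    case NID_brainpoolP512r1:
    case NID_brainpoolP512t1:
        return 1;
    default:
        return 0;
    }
}

/* … list_builtin_curves, before the loop … */
    int fips_enabled = EVP_default_properties_is_fips_enabled(app_get0_libctx());
/* … unchanged: loop head, comment/sname lookups … */
        if (fips_enabled && curve_hidden_in_fips(curves[n].nid))
            continue;
```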
@@ -0,0 +1,400 @@ +From 64467bd0ad1bf2a0c1a67462a27e405632704026 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 7 Mar 2025 18:10:52 -0500 +Subject: [PATCH 43/50] FIPS: NO DSA Support + +Signed-off-by: Simo Sorce +--- + providers/fips/fipsprov.c | 8 +++++--- + providers/fips/self_test_data.inc | 6 +++++- + test/acvp_test.c | 2 ++ + test/endecode_test.c | 2 ++ + test/recipes/15-test_gendsa.t | 2 +- + test/recipes/20-test_cli_fips.t | 3 +-- + test/recipes/30-test_evp.t | 7 ++----- + test/recipes/30-test_evp_data/evppkey_dsa.txt | 18 ++++++++++++++++- + test/recipes/80-test_cms.t | 20 +++++++++---------- + 9 files changed, 45 insertions(+), 23 deletions(-) + mode change 100644 => 100755 test/recipes/30-test_evp.t + +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index aa1ab85470..7999744b5a 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -430,7 +430,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = { + }; + + static const OSSL_ALGORITHM fips_signature[] = { +-#ifndef OPENSSL_NO_DSA ++/* We don't certify DSA in our FIPS provider */ ++#if 0 /* #ifndef OPENSSL_NO_DSA */ + { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, + { PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions }, + { PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions }, +@@ -560,8 +561,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { + PROV_DESCS_DHX }, + #endif + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, +- PROV_DESCS_DSA }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, ++ PROV_DESCS_DSA }, */ + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, + PROV_DESCS_RSA }, +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 5cbb5352a5..10ca473764 100644 +--- 
a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -1522,8 +1522,9 @@ static const unsigned char ed448_expected_sig[] = { + # endif /* OPENSSL_NO_ECX */ + #endif /* OPENSSL_NO_EC */ + +-#ifndef OPENSSL_NO_DSA + /* dsa 2048 */ ++#if 0 ++#ifndef OPENSSL_NO_DSA + static const unsigned char dsa_p[] = { + 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, + 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, +@@ -1651,6 +1652,7 @@ static const ST_KAT_PARAM dsa_key[] = { + ST_KAT_PARAM_END() + }; + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_ML_DSA + static const unsigned char ml_dsa_65_pub_key[] = { +@@ -3013,6 +3015,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { + }, + # endif /* OPENSSL_NO_ECX */ + #endif /* OPENSSL_NO_EC */ ++#if 0 + #ifndef OPENSSL_NO_DSA + { + OSSL_SELF_TEST_DESC_SIGN_DSA, +@@ -3025,6 +3028,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { + ITM(dsa_expected_sig) + }, + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_ML_DSA + { +diff --git a/test/acvp_test.c b/test/acvp_test.c +index 2bcc886fd2..db0282d043 100644 +--- a/test/acvp_test.c ++++ b/test/acvp_test.c +@@ -1735,6 +1735,7 @@ int setup_tests(void) + OSSL_NELEM(dh_safe_prime_keyver_data)); + #endif /* OPENSSL_NO_DH */ + ++#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */ + #ifndef OPENSSL_NO_DSA + dsasign_allowed = fips_provider_version_lt(libctx, 3, 4, 0); + ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); +@@ -1743,6 +1744,7 @@ int setup_tests(void) + ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); + ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_EC + ec_cofactors = fips_provider_version_ge(libctx, 3, 4, 0); +diff --git a/test/endecode_test.c b/test/endecode_test.c +index d2ff9e6eb6..dfd5e92f7e 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -1536,6 +1536,7 @@ int setup_tests(void) + * so 
no legacy tests. + */ + #endif ++ if (is_fips == 0) { + #ifndef OPENSSL_NO_DSA + ADD_TEST_SUITE(DSA); + ADD_TEST_SUITE_PARAMS(DSA); +@@ -1546,6 +1547,7 @@ int setup_tests(void) + ADD_TEST_SUITE_PROTECTED_PVK(DSA); + # endif + #endif ++ } + #ifndef OPENSSL_NO_EC + ADD_TEST(ec_encode_to_data_multi); + ADD_TEST_SUITE(EC); +diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t +index cd331c4cfc..e21d6acda4 100644 +--- a/test/recipes/15-test_gendsa.t ++++ b/test/recipes/15-test_gendsa.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "This test is unsupported in a no-dsa build" + if disabled("dsa"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; + + plan tests => + ($no_fips ? 0 : 2) # FIPS related tests +diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t +index 2abc4d2434..9a6875b3ec 100644 +--- a/test/recipes/20-test_cli_fips.t ++++ b/test/recipes/20-test_cli_fips.t +@@ -283,8 +283,7 @@ SKIP: { + } + + SKIP : { +- skip "FIPS DSA tests because of no dsa in this build", 1 +- if disabled("dsa") || $dsasignpass == '0'; ++ skip "FIPS DSA tests because of no dsa in this build", 1; + + subtest DSA => sub { + my $testtext_prefix = 'DSA'; +diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t +old mode 100644 +new mode 100755 +index a86456157b..05a61c8abe +--- a/test/recipes/30-test_evp.t ++++ b/test/recipes/30-test_evp.t +@@ -83,10 +83,6 @@ push @files, qw( + evppkey_slh_dsa_siggen.txt + evppkey_slh_dsa_sigver.txt + ) unless $no_slh_dsa; +-push @files, qw( +- evppkey_dsa.txt +- evppkey_dsa_sigalg.txt +- ) unless $no_dsa; + push @files, qw( + evppkey_ecx.txt + evppkey_ecx_sigalg.txt +@@ -166,11 +162,12 @@ my @defltfiles = qw( + push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecx_kem.txt) unless $no_ecx; +-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless 
$no_dsa; + push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv; + push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv; + push @defltfiles, qw(evpkdf_argon2.txt) unless $no_argon2; ++push @defltfiles, qw(evppkey_dsa.txt ++ evppkey_dsa_sigalg.txt) unless $no_dsa; + + plan tests => + + (scalar(@configs) * scalar(@files)) +diff --git a/test/recipes/30-test_evp_data/evppkey_dsa.txt b/test/recipes/30-test_evp_data/evppkey_dsa.txt +index 5e5315a5b9..660d1db149 100644 +--- a/test/recipes/30-test_evp_data/evppkey_dsa.txt ++++ b/test/recipes/30-test_evp_data/evppkey_dsa.txt +@@ -44,17 +44,22 @@ PrivPubKeyPair = DSA-1024:DSA-1024-PUBLIC + + Title = DSA tests + ++## Red Hat all SHA1 tests are unavailable ++ ++Availablein = none + Verify = DSA-1024 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87 + ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87 + + # Modified signature ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -62,6 +67,7 @@ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239 + Result = VERIFY_ERROR + + # Digest too short ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF123" +@@ -69,6 +75,7 @@ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239 + Result = VERIFY_ERROR + + # Digest too long ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF12345" +@@ -76,12 +83,14 @@ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239 + Result = VERIFY_ERROR + + # Garbage after signature ++Availablein = none + Verify = 
DSA-1024-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d8700 + Result = VERIFY_ERROR + + # Invalid tag ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -89,6 +98,7 @@ Output = 312d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239 + Result = VERIFY_ERROR + + # BER signature ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -277,6 +287,7 @@ Output = 00 + Result = DIGESTSIGNINIT_ERROR + + # Test sign with a 2048 bit key with N == 224 is allowed in fips mode ++Availablein = none + FIPSversion = <3.4.0 + DigestSign = SHA256 + Key = DSA-2048-224 +@@ -285,6 +296,7 @@ Output = 00 + Result = SIGNATURE_MISMATCH + + # Test sign with a 2048 bit key with N == 256 is allowed in fips mode ++Availablein = none + FIPSversion = <3.4.0 + DigestSign = SHA256 + Key = DSA-2048-256 +@@ -292,6 +304,7 @@ Input = "Hello" + Result = SIGNATURE_MISMATCH + + # Test sign with a 3072 bit key with N == 256 is allowed in fips mode ++Availablein = none + FIPSversion = <3.4.0 + DigestSign = SHA256 + Key = DSA-3072-256 +@@ -299,6 +312,7 @@ Input = "Hello" + Result = SIGNATURE_MISMATCH + + # Test sign with a 2048 bit SHA3 is allowed in fips mode ++Availablein = none + FIPSversion = <3.4.0 + DigestSign = SHA3-224 + Key = DSA-2048-256 +@@ -306,19 +320,21 @@ Input = "Hello" + Result = SIGNATURE_MISMATCH + + # Test verify with a 1024 bit key is allowed in fips mode ++Availablein = default + DigestVerify = SHA256 + Key = DSA-1024 + Input = "Hello " + Output = 302c02142e32c8a5b0bd19b2ba33fd9c78aad3729dcb1b9e02142c006f7726a9d6833d414865b95167ea5f4f7713 + + # Test verify with SHA1 is allowed in fips mode ++Availablein = none + DigestVerify = SHA1 + Key = DSA-1024 + Input = "Hello " + Output = 302c0214602d21ed37e46051bb3d06cc002adddeb4cdb3bd02144f39f75587b286588862d06366b2f29bddaf8cf6 + + 
# Test verify with a 2048/160 bit key is allowed in fips mode +-FIPSversion = >3.1.1 ++Availablein = default + DigestVerify = SHA256 + Key = DSA-2048-160 + Input = "Hello" +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index ece29485f4..756f90c1bd 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -107,7 +107,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content DER format, DSA key", ++ [ "signed content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -115,7 +115,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, DSA key", ++ [ "signed detached content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, add RSA signer (with DSA existing)", ++ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", +@@ -135,7 +135,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, DSA key", ++ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], +@@ -144,7 
+144,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -157,7 +157,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-noattr", "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = ( + \&zero_compare + ], + +- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -199,7 +199,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -265,7 +265,7 @@ if ($no_fips || $old_fips) { + + my @smime_cms_tests = ( + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-keyid", + "-signer", $smrsa1, +@@ -278,7 +278,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming PEM 
format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +-- +2.49.0 + diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch deleted file mode 100644 index 3fedb4c..0000000 --- a/0044-FIPS-140-3-keychecks.patch +++ /dev/null 
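Review bot: DSA is switched off in four different ways across this patch — `#if 0 /* #ifndef OPENSSL_NO_DSA */` in `fips_signature`, a `#ifndef OPENSSL_NO_DSA` block in `fips_keymgmt` that now encloses only a comment, bare `#if 0` wrappers in `self_test_data.inc` and `acvp_test.c`, and `if (is_fips == 0)` in `endecode_test.c` — which makes the next rebase error-prone and the intent hard to grep for. One named guard, e.g. `#ifndef RH_FIPS_NO_DSA` (constructed name) defined in a single place and used at every C site, would document the decision once and make re-enabling a one-line change. The test recipes carry the same ambiguity: `15-test_gendsa.t` sets `my $no_fips = 1;` with no comment, and `20-test_cli_fips.t` keeps the message `"FIPS DSA tests because of no dsa in this build"` on a skip that is now unconditional — `skip "DSA is not available in the Red Hat FIPS provider", 1;` says what is actually happening. `$dsasignpass` in that recipe may now be unused; its definition is outside the hunk.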
@@ -1,402 +0,0 @@ -From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 12:05:23 +0200 -Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch - -Patch-name: 0044-FIPS-140-3-keychecks.patch -Patch-id: 44 -Patch-status: | - # Extra public/private key checks required by FIPS-140-3 ---- - crypto/dh/dh_key.c | 26 ++++++++++ - .../implementations/exchange/ecdh_exch.c | 19 ++++++++ - providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++- - providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++ - .../implementations/signature/ecdsa_sig.c | 37 +++++++++++++-- - providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++-- - 6 files changed, 162 insertions(+), 9 deletions(-) - -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 4e9705beef..83773cceea 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - BN_MONT_CTX *mont = NULL; - BIGNUM *z = NULL, *pminus1; - int ret = -1; -+#ifdef FIPS_MODULE -+ int validate = 0; -+#endif - - if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - return 0; - } - -+#ifdef FIPS_MODULE -+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) { -+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); -+ return 0; -+ } -+#endif -+ - ctx = BN_CTX_new_ex(dh->libctx); - if (ctx == NULL) - goto err; -@@ -262,6 +272,9 @@ static int generate_key(DH *dh) - #endif - BN_CTX *ctx = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; -+#ifdef FIPS_MODULE -+ int validate = 0; -+#endif - - if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -354,8 +367,21 @@ static int generate_key(DH *dh) - if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) - goto 
err; - -+#ifdef FIPS_MODULE -+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) { -+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); -+ goto err; -+ } -+#endif -+ - dh->pub_key = pub_key; - dh->priv_key = priv_key; -+#ifdef FIPS_MODULE -+ if (ossl_dh_check_pairwise(dh) <= 0) { -+ abort(); -+ } -+#endif -+ - dh->dirty_cnt++; - ok = 1; - err: -diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c -index 43caedb6df..73873f9758 100644 ---- a/providers/implementations/exchange/ecdh_exch.c -+++ b/providers/implementations/exchange/ecdh_exch.c -@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, - } - - ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); -+#ifdef FIPS_MODULE -+ { -+ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk)); -+ int check = 0; -+ -+ if (bn_ctx == NULL) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); -+ goto end; -+ } -+ -+ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx); -+ BN_CTX_free(bn_ctx); -+ -+ if (check <= 0) { -+ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY); -+ goto end; -+ } -+ } -+#endif - - retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); - -diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c -index a37cbbdba8..bca3f3c674 100644 ---- a/providers/implementations/keymgmt/ec_kmgmt.c -+++ b/providers/implementations/keymgmt/ec_kmgmt.c -@@ -989,8 +989,17 @@ struct ec_gen_ctx { - EC_GROUP *gen_group; - unsigned char *dhkem_ikm; - size_t dhkem_ikmlen; -+#ifdef FIPS_MODULE -+ void *ecdsa_sig_ctx; -+#endif - }; - -+#ifdef FIPS_MODULE -+void *ecdsa_newctx(void *provctx, const char *propq); -+void ecdsa_freectx(void *vctx); -+int do_ec_pct(void *, const char *, void *); -+#endif -+ - static void *ec_gen_init(void *provctx, int selection, - const OSSL_PARAM params[]) - { -@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection, - gctx = NULL; - } - 
} -+#ifdef FIPS_MODULE -+ if (gctx != NULL) -+ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL); -+#endif - return gctx; - } - -@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) - - if (gctx->ecdh_mode != -1) - ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); -+#ifdef FIPS_MODULE -+ /* Pairwise consistency test */ -+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 -+ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1) -+ abort(); -+#endif - - if (gctx->group_check != NULL) - ret = ret && ossl_ec_set_check_group_type_from_name(ec, -@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx) - - if (gctx == NULL) - return; -- -+#ifdef FIPS_MODULE -+ ecdsa_freectx(gctx->ecdsa_sig_ctx); -+ gctx->ecdsa_sig_ctx = NULL; -+#endif - OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen); - EC_GROUP_free(gctx->gen_group); - BN_free(gctx->p); -diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c -index 3ba12c4889..ff49f8fcd8 100644 ---- a/providers/implementations/keymgmt/rsa_kmgmt.c -+++ b/providers/implementations/keymgmt/rsa_kmgmt.c -@@ -434,6 +434,7 @@ struct rsa_gen_ctx { - #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) - /* ACVP test parameters */ - OSSL_PARAM *acvp_test_params; -+ void *prov_rsa_ctx; - #endif - }; - -@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb) - return gctx->cb(params, gctx->cbarg); - } - -+#ifdef FIPS_MODULE -+void *rsa_newctx(void *provctx, const char *propq); -+void rsa_freectx(void *vctx); -+int do_rsa_pct(void *, const char *, void *); -+#endif -+ - static void *gen_init(void *provctx, int selection, int rsa_type, - const OSSL_PARAM params[]) - { -@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type, - - if (!rsa_gen_set_params(gctx, params)) - goto err; -+#ifdef FIPS_MODULE -+ if (gctx != NULL) -+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); 
-+#endif - return gctx; - - err: -@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) - - rsa = rsa_tmp; - rsa_tmp = NULL; -+#ifdef FIPS_MODULE -+ /* Pairwise consistency test */ -+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) -+ abort(); -+#endif - err: - BN_GENCB_free(gencb); - RSA_free(rsa_tmp); -@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx) - #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) - ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); - gctx->acvp_test_params = NULL; -+ rsa_freectx(gctx->prov_rsa_ctx); -+ gctx->prov_rsa_ctx = NULL; - #endif - BN_clear_free(gctx->pub_exp); - OPENSSL_free(gctx); -diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c -index 865d49d100..ebeb30e002 100644 ---- a/providers/implementations/signature/ecdsa_sig.c -+++ b/providers/implementations/signature/ecdsa_sig.c -@@ -32,7 +32,7 @@ - #include "crypto/ec.h" - #include "prov/der_ec.h" - --static OSSL_FUNC_signature_newctx_fn ecdsa_newctx; -+OSSL_FUNC_signature_newctx_fn ecdsa_newctx; - static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; - static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; - static OSSL_FUNC_signature_sign_fn ecdsa_sign; -@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; - static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; - static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; - static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; --static OSSL_FUNC_signature_freectx_fn ecdsa_freectx; -+OSSL_FUNC_signature_freectx_fn ecdsa_freectx; - static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx; - static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; - static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; -@@ -104,7 +104,7 @@ typedef struct { - unsigned int 
nonce_type; - } PROV_ECDSA_CTX; - --static void *ecdsa_newctx(void *provctx, const char *propq) -+void *ecdsa_newctx(void *provctx, const char *propq) - { - PROV_ECDSA_CTX *ctx; - -@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, - return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); - } - --static void ecdsa_freectx(void *vctx) -+void ecdsa_freectx(void *vctx) - { - PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; - -@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) - return EVP_MD_settable_ctx_params(ctx->md); - } - -+#ifdef FIPS_MODULE -+int do_ec_pct(void *vctx, const char *mdname, void *ec) -+{ -+ static const unsigned char data[32]; -+ unsigned char sigbuf[256]; -+ size_t siglen = sizeof(sigbuf); -+ -+ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0) -+ return 0; -+ -+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) -+ return 0; -+ -+ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) -+ return 0; -+ -+ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0) -+ return 0; -+ -+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) -+ return 0; -+ -+ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) -+ return 0; -+ -+ return 1; -+} -+#endif -+ - const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { - { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, - { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, -diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index cd5de6bd51..d4261e8f7d 100644 ---- a/providers/implementations/signature/rsa_sig.c -+++ b/providers/implementations/signature/rsa_sig.c -@@ -34,7 +34,7 @@ - - #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 - --static OSSL_FUNC_signature_newctx_fn rsa_newctx; -+OSSL_FUNC_signature_newctx_fn rsa_newctx; - static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; - 
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; - static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; -@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; - static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; - static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; - static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; --static OSSL_FUNC_signature_freectx_fn rsa_freectx; -+OSSL_FUNC_signature_freectx_fn rsa_freectx; - static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; - static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; - static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; -@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) - return 1; - } - --static void *rsa_newctx(void *provctx, const char *propq) -+void *rsa_newctx(void *provctx, const char *propq) - { - PROV_RSA_CTX *prsactx = NULL; - char *propq_copy = NULL; -@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, - return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); - } - --static void rsa_freectx(void *vprsactx) -+void rsa_freectx(void *vprsactx) - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; - -@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) - return EVP_MD_settable_ctx_params(prsactx->md); - } - -+#ifdef FIPS_MODULE -+int do_rsa_pct(void *vctx, const char *mdname, void *rsa) -+{ -+ static const unsigned char data[32]; -+ unsigned char *sigbuf = NULL; -+ size_t siglen = 0; -+ int ret = 0; -+ -+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) -+ return 0; -+ -+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) -+ return 0; -+ -+ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) -+ return 0; -+ -+ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) -+ return 0; -+ -+ if 
(rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0) -+ goto err; -+ -+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) -+ goto err; -+ -+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) -+ goto err; -+ -+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) -+ goto err; -+ ret = 1; -+ -+ err: -+ OPENSSL_free(sigbuf); -+ return ret; -+} -+#endif -+ - const OSSL_DISPATCH ossl_rsa_signature_functions[] = { - { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, - { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, -diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c -index e0d139d..35f23b2 100644 ---- a/crypto/rsa/rsa_gen.c -+++ b/crypto/rsa/rsa_gen.c -@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, - rsa->dmp1 = NULL; - rsa->dmq1 = NULL; - rsa->iqmp = NULL; -+#ifdef FIPS_MODULE -+ abort(); -+#endif /* defined(FIPS_MODULE) */ - } - } - return ok; --- -2.41.0 - diff --git a/0044-FIPS-NO-DES-support.patch b/0044-FIPS-NO-DES-support.patch new file mode 100644 index 0000000..a117127 --- /dev/null +++ b/0044-FIPS-NO-DES-support.patch 
@@ -0,0 +1,174 @@ +From 88abbb0a30dd2d990992c769eaad71f6c6764237 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 7 Mar 2025 18:15:13 -0500 +Subject: [PATCH 44/50] FIPS: NO DES support + +Signed-off-by: Simo Sorce +--- + providers/fips/fipsprov.c | 3 ++- + providers/fips/self_test_data.inc | 5 ++++- + test/evp_libctx_test.c | 4 +++- + .../30-test_evp_data/evpciph_des3_common.txt | 13 ++++--------- + test/recipes/30-test_evp_data/evpmac_cmac_des.txt | 10 ---------- + test/recipes/80-test_cms.t | 2 +- + 6 files changed, 14 insertions(+), 23 deletions(-) + +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index 7999744b5a..30f0c8ca14 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -354,7 +354,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { + ossl_cipher_capable_aes_cbc_hmac_sha256), + ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, + ossl_cipher_capable_aes_cbc_hmac_sha256), +-#ifndef OPENSSL_NO_DES ++/* We don't certify 3DES in our FIPS provider */ ++#if 0 /* ifndef OPENSSL_NO_DES */ + ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), + ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), + #endif /* OPENSSL_NO_DES */ +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 10ca473764..6a69e1687b 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -209,6 +209,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] = + /*- CIPHER TEST DATA */ + + /* DES3 test data */ ++#if 0 + static const unsigned char des_ede3_cbc_pt[] = { + 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, + 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, +@@ -229,7 +230,7 @@ static const unsigned char des_ede3_cbc_ct[] = { + 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, + 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 + }; +- ++#endif + /* AES-256 GCM test data */ + static const unsigned char aes_256_gcm_key[] = { 
+ 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, +@@ -315,6 +316,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = { + CIPHER_MODE_DECRYPT, + ITM(aes_128_ecb_key) + }, ++#if 0 + #ifndef OPENSSL_NO_DES + { + { +@@ -327,6 +329,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = { + ITM(tdes_key) + } + #endif ++#endif + }; + + static const char hkdf_digest[] = "SHA256"; +diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c +index 2838f343bd..19dd2c6c63 100644 +--- a/test/evp_libctx_test.c ++++ b/test/evp_libctx_test.c +@@ -831,7 +831,9 @@ int setup_tests(void) + ADD_TEST(kem_invalid_keytype); + #endif + #ifndef OPENSSL_NO_DES +- ADD_TEST(test_cipher_tdes_randkey); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_TEST(test_cipher_tdes_randkey); ++ } + #endif + return 1; + } +diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt +index 1947e21f74..119b75d9ce 100644 +--- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt ++++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt +@@ -14,7 +14,7 @@ + Title = DES3 Tests + + # DES EDE3 CBC tests (from destest) +-FIPSversion = <3.4.0 ++Availablein = default + Cipher = DES-EDE3-CBC + Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 + IV = fedcba9876543210 +@@ -24,8 +24,7 @@ NextIV = 1c673812cfde9675 + + # DES EDE3 ECB test + # FIPS(3.0.0): has a bug in the IV length #17591 +-FIPSversion = >3.0.0 +-FIPSversion = <3.4.0 ++Availablein = default + Cipher = DES-EDE3-ECB + Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 + Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 +@@ -42,7 +41,6 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2bae5e4e6a0094171abcfc27df2bfd40da9f4e4d + + # Test that DES3 CBC mode encryption fails because it is not FIPS approved + Availablein = fips +-FIPSversion = >=3.4.0 + Cipher = DES-EDE3-CBC + Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 + IV = fedcba9876543210 +@@ -52,7 
+50,6 @@ Result = CIPHERINIT_ERROR + + # Test that DES3 EBC mode encryption fails because it is not FIPS approved + Availablein = fips +-FIPSversion = >=3.4.0 + Cipher = DES-EDE3-ECB + Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 + Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 +@@ -62,8 +59,7 @@ Result = CIPHERINIT_ERROR + Title = DES3 FIPS Indicator Tests + + # Test that DES3 CBC mode encryption is not FIPS approved +-Availablein = fips +-FIPSversion = >=3.4.0 ++Availablein = none + Cipher = DES-EDE3-CBC + Unapproved = 1 + CtrlInit = encrypt-check:0 +@@ -74,8 +70,7 @@ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000 + Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 + + # Test that DES3 ECB mode encryption is not FIPS approved +-Availablein = fipss +-FIPSversion = >=3.4.0 ++Availablein = none + Cipher = DES-EDE3-ECB + Operation = ENCRYPT + Unapproved = 1 +diff --git a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt +index a11e5ffe54..e4a7cbe75e 100644 +--- a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt ++++ b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt +@@ -35,13 +35,3 @@ Algorithm = DES-EDE3-CBC + Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23 + Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E + Result = MAC_INIT_ERROR +- +-Availablein = fips +-FIPSversion = >=3.4.0 +-MAC = CMAC +-Unapproved = 1 +-Ctrl = encrypt-check:0 +-Algorithm = DES-EDE3-CBC +-Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23 +-Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E +-Output = 8F49A1B7D6AA2258 +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 756f90c1bd..ac833d2a2f 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -398,7 +398,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "encrypted content test 
streaming PEM format, triple DES key", ++ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS", + [ "{cmd1}", @defaultprov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-stream", "-out", "{output}.cms" ], +-- +2.49.0 + diff --git a/0045-FIPS-NO-Kmac.patch b/0045-FIPS-NO-Kmac.patch new file mode 100644 index 0000000..5abcbc0 --- /dev/null +++ b/0045-FIPS-NO-Kmac.patch 
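Review bot: The `#endif /* OPENSSL_NO_DES */` that closes the new `#if 0 /* ifndef OPENSSL_NO_DES */` block in fipsprov.c no longer matches its opener and will mislead anyone scanning for the OPENSSL_NO_DES section; change it to `#endif /* 0: 3DES is not certified in this FIPS provider */`, and give the two bare `#if 0`/`#endif` pairs added in self_test_data.inc a similar one-line comment, since they currently say nothing about why the DES KAT data is compiled out. Hard-coding `#if 0` instead of a named configuration macro (e.g. `FIPS_NO_3DES`, name illustrative) also means this downstream deviation from upstream cannot be seen or toggled from the build configuration. In evpciph_des3_common.txt the two negative tests kept under `Availablein = fips` still carry the comment "fails because it is not FIPS approved", but with the cipher now absent from the provider they exercise a failed fetch rather than the approved-mode indicator path, so the comments should be reworded to say the algorithm is not provided, and the `Result = CIPHERINIT_ERROR` expectation should be confirmed against how evp_test reports a fetch failure. The `strcmp(prov_name, "fips") != 0` guard in evp_libctx_test.c assumes `prov_name` is the provider name selected on the test command line and that `<string.h>` is already included there; both are outside this hunk and should be verified.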
@@ -0,0 +1,426 @@ +From 77495dcfb162a588e9121305e798997c687862cd Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 7 Mar 2025 18:22:07 -0500 +Subject: [PATCH 45/50] FIPS: NO Kmac + +Signed-off-by: Simo Sorce +--- + providers/fips/fipsprov.c | 10 +- + providers/fips/self_test_data.inc | 4 + + test/recipes/30-test_evp.t | 2 +- + test/recipes/30-test_evp_data/evpkdf_hkdf.txt | 2 +- + .../30-test_evp_data/evpkdf_kbkdf_counter.txt | 2 +- + test/recipes/30-test_evp_data/evpkdf_ss.txt | 6 +- + .../30-test_evp_data/evpmac_common.txt | 100 ++++-------------- + 7 files changed, 40 insertions(+), 86 deletions(-) + +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index 30f0c8ca14..00b7d1e2aa 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -293,10 +293,11 @@ static const OSSL_ALGORITHM fips_digests[] = { + * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for + * KMAC128 and KMAC256. + */ +- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, ++ /* We don't certify KECCAK in our FIPS provider */ ++ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, + ossl_keccak_kmac_128_functions }, + { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES, +- ossl_keccak_kmac_256_functions }, ++ ossl_keccak_kmac_256_functions }, */ + { NULL, NULL, NULL } + }; + +@@ -369,8 +370,9 @@ static const OSSL_ALGORITHM fips_macs[] = { + #endif + { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, + { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, +- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, +- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, ++ /* We don't certify KMAC in our FIPS provider */ ++ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, ++ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */ + { NULL, NULL, NULL } + }; + +diff --git a/providers/fips/self_test_data.inc 
b/providers/fips/self_test_data.inc +index 6a69e1687b..f3059a8446 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -544,6 +544,7 @@ static const ST_KAT_PARAM kbkdf_params[] = { + ST_KAT_PARAM_END() + }; + ++#if 0 + static const char kbkdf_kmac_mac[] = "KMAC128"; + static unsigned char kbkdf_kmac_label[] = { + 0xB5, 0xB5, 0xF3, 0x71, 0x9F, 0xBE, 0x5B, 0x3D, +@@ -570,6 +571,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = { + ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_INFO, kbkdf_kmac_context), + ST_KAT_PARAM_END() + }; ++#endif + + static const char tls13_kdf_digest[] = "SHA256"; + static int tls13_kdf_extract_mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; +@@ -660,12 +662,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] = + kbkdf_params, + ITM(kbkdf_expected) + }, ++#if 0 + { + OSSL_SELF_TEST_DESC_KDF_KBKDF_KMAC, + OSSL_KDF_NAME_KBKDF, + kbkdf_kmac_params, + ITM(kbkdf_kmac_expected) + }, ++#endif + { + OSSL_SELF_TEST_DESC_KDF_HKDF, + OSSL_KDF_NAME_HKDF, +diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t +index 05a61c8abe..4f2e8277b5 100755 +--- a/test/recipes/30-test_evp.t ++++ b/test/recipes/30-test_evp.t +@@ -52,7 +52,6 @@ my @files = qw( + evpciph_des3_common.txt + evpkdf_hkdf.txt + evpkdf_kbkdf_counter.txt +- evpkdf_kbkdf_kmac.txt + evpkdf_pbkdf1.txt + evpkdf_pbkdf2.txt + evpkdf_ss.txt +@@ -144,6 +143,7 @@ my @defltfiles = qw( + evpkdf_scrypt.txt + evpkdf_tls11_prf.txt + evpkdf_hmac_drbg.txt ++ evpkdf_kbkdf_kmac.txt + evpmac_blake.txt + evpmac_poly1305.txt + evpmac_siphash.txt +diff --git a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt +index c617f2cc44..c5cbaf5840 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt +@@ -244,7 +244,7 @@ Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = hexsalt:000102030405060708090a0b0c + Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 +-Result = 
KDF_CTRL_ERROR ++Result = KDF_DERIVE_ERROR + Reason = invalid key length + + # Test that the key whose length is shorter than 112 bits is reported as +diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt +index 67090f2112..bc87975449 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt +@@ -1869,7 +1869,7 @@ Ctrl.use-separator = use-separator:0 + Ctrl.r = r:8 + Ctrl.hexkey = hexkey:0ef9 + Ctrl.hexinfo = hexinfo:56ec +-Result = KDF_CTRL_ERROR ++Result = KDF_DERIVE_ERROR + Reason = invalid key length + + Availablein = fips +diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt +index 07691ccf57..4503af711f 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt +@@ -1171,6 +1171,7 @@ Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96CB056DEBAEB6E5E706F99435257C + Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400 + Output = 428979EA52175DC833C04215AC6B4BA89BA4FCAA0E0FA3B4E2C0E264C5746F0A5C788F2907A2C2B90719E396B35A14C4B583C51B9911125D34100FADDC4D94C0D936263CC1EF0B0D526E3891FE1F67BCB94DEA2525B84A8E7949A4CA34F36AEEC55099BF0EC5DE24B86428F4E6E6E23FE9AA443E2BDCF25A77ECD22BF758D554 + ++Availablein = default + KDF = SSKDF + Ctrl.mac = mac:KMAC-128 + Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390ADBA9DFB291EE8C1920CB13452FDF851E0A6DBBB862FD8811F8CB29CDEC13591D8C047065FCD2 +@@ -1209,7 +1210,7 @@ Ctrl.mac = mac:KMAC-128 + Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390A + Ctrl.hexinfo = 
hexinfo:A2641090E75D5BDC0B23CCD49BB02DC63B41D3F38E0947D491DFDDC734A8582DF5C961EFE586378317AB7E5821DE3146EA26C823EE4FA48C22D7142E5BDEF50DE8BD9940E6E5AC58A6441DFCD9D5C8F6199D05BEBE1394C706F2354AC902EB5C4533EB00000400 + Result = KDF_CTRL_ERROR +-Reason = invalid key length ++Reason = unsupported + + Title = Secret length < 112 is not approved in FIPS + +@@ -1246,6 +1247,8 @@ Ctrl.mac = mac:KMAC-128 + Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390A + Ctrl.hexinfo = hexinfo:A2641090E75D5BDC0B23CCD49BB02DC63B41D3F38E0947D491DFDDC734A8582DF5C961EFE586378317AB7E5821DE3146EA26C823EE4FA48C22D7142E5BDEF50DE8BD9940E6E5AC58A6441DFCD9D5C8F6199D05BEBE1394C706F2354AC902EB5C4533EB00000400 + Output = b160ca853957becf10f4edd06b24cff412b6ca85cff76490afb53ce2f81081ef ++Result = KDF_CTRL_ERROR ++Reason = unsupported + + Title = Test Small salt is allowed + +@@ -1257,6 +1260,7 @@ Ctrl.hexsalt = hexsalt:00 + Ctrl.hexinfo = hexinfo:861aa2886798231259bd0314 + Output = 02cfca07797566285b38982b86762abd + ++Availablein = default + KDF = SSKDF + Ctrl.mac = mac:KMAC-128 + Ctrl.hexsalt = hexsalt:00000000 +diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt +index 831eecbac9..af92ceea98 100644 +--- a/test/recipes/30-test_evp_data/evpmac_common.txt ++++ b/test/recipes/30-test_evp_data/evpmac_common.txt +@@ -399,6 +399,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C + Result = MAC_INIT_ERROR + Reason = invalid mode + ++Availablein = default + Title = KMAC Tests (From NIST) + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +@@ -409,12 +410,14 @@ Ctrl = xof:0 + OutputSize = 32 + BlockSize = 168 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Custom = "My Tagged Application" + Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 + ++Availablein = default + 
MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -422,6 +425,7 @@ Custom = "My Tagged Application" + Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -430,12 +434,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC + OutputSize = 64 + BlockSize = 136 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 + Custom = "" + Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -445,12 +451,14 @@ Ctrl = size:64 + + Title = KMAC XOF Tests (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -458,6 +466,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -466,6 +475,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F + XOF = 1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -473,6 +483,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + XOF = 1 + ++Availablein = default + MAC = KMAC256 
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -480,6 +491,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -490,6 +502,7 @@ XOF = 1 + + Title = KMAC long customisation string (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -500,12 +513,14 @@ XOF = 1 + + Title = KMAC XOF Tests via ctrl (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + 
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -513,6 +528,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -521,6 +537,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F + Ctrl = xof:1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -528,6 +545,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -535,6 +553,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 
404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -545,6 +564,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string via ctrl (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -555,6 +575,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string negative test + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -564,6 +585,7 @@ Reason = invalid custom length + + Title = KMAC output is too large + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -572,81 +594,3 @@ Ctrl = size:2097152 + Result = MAC_INIT_ERROR + Reason = invalid output length + +-Title = KMAC output is too small in FIPS +- +-Availablein = fips +-FIPSversion = >=3.4.0 +-MAC = KMAC256 +-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +-Output = 28c815 +-Custom = "My Tagged Application" +-Unapproved = 1 +-Ctrl = size:3 +-Ctrl = no-short-mac:0 +- +-Availablein = fips +-FIPSversion = >=3.4.0 +-MAC = KMAC256 +-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +-Output = 28c815 +-Custom = "My Tagged Application" +-Ctrl = size:3 +-Result = MAC_INIT_ERROR +-Reason = invalid output length +- +-Availablein = fips +-FIPSversion = >=3.4.0 +-MAC = KMAC256 +-Key = 
404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +-Output = 28c815 +-Custom = "My Tagged Application" +-Ctrl = size:3 +-Ctrl = no-short-mac:1 +-Result = MAC_INIT_ERROR +-Reason = invalid output length +- +-# Old FIPS providers accept short output +-FIPSversion = <3.4.0 +-MAC = KMAC256 +-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +-Output = 28c815 +-Custom = "My Tagged Application" +-Ctrl = size:3 +- +-# The default provider accepts short output +-Availablein = default +-MAC = KMAC256 +-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +-Output = 28c815 +-Custom = "My Tagged Application" +-Ctrl = size:3 +- +-Title = KMAC FIPS short key test +- +-# Test KMAC with key < 112 bits is not allowed 
+-Availablein = fips
+-FIPSversion = >=3.4.0
+-MAC = KMAC256
+-Key = 404142434445464748494A4B4C
+-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-Custom = ""
+-Result = MAC_INIT_ERROR
+-Reason = invalid key length
+-
+-Title = KMAC FIPS short key indicator test
+-
+-# Test KMAC with key < 112 bits is unapproved
+-Availablein = fips
+-FIPSversion = >=3.4.0
+-MAC = KMAC256
+-Unapproved = 1
+-Ctrl = key-check:0
+-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-Custom = ""
+-Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
+--
+2.49.0
+
diff --git a/0045-FIPS-services-minimize.patch
deleted file mode 100644
index 117e6b2..0000000
--- a/0045-FIPS-services-minimize.patch
+++ /dev/null
@@ -1,779 +0,0 @@
-From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch
-
-Patch-name: 0045-FIPS-services-minimize.patch
-Patch-id: 45
-Patch-status: |
- # # Minimize fips services
-From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
----
- apps/ecparam.c | 7 +++
- apps/req.c | 2 +-
- providers/common/capabilities.c | 2 +-
- providers/fips/fipsprov.c | 44 +++++++++++--------
- providers/fips/self_test_data.inc | 9 +++-
- providers/implementations/signature/rsa_sig.c | 26 +++++++++++
- ssl/ssl_ciph.c | 3 ++
- test/acvp_test.c | 2 +
- test/endecode_test.c | 4 ++
- test/evp_libctx_test.c | 9 +++-
- test/recipes/15-test_gendsa.t | 2 +-
- test/recipes/20-test_cli_fips.t | 3 +-
- test/recipes/30-test_evp.t | 20 ++++-----
- .../30-test_evp_data/evpmac_common.txt | 22 ++++++++++
- test/recipes/80-test_cms.t | 22 +++++-----
- test/recipes/80-test_ssl_old.t | 2 +-
- 16 files changed, 128 insertions(+), 51 deletions(-)
-
-diff --git a/apps/ecparam.c b/apps/ecparam.c
-index 71f93c4ca5..347bf62d5c 100644
---- a/apps/ecparam.c
-+++ b/apps/ecparam.c
-@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
- const char *comment = curves[n].comment;
- const char *sname = OBJ_nid2sn(curves[n].nid);
-
-+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
-+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
-+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
-+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
-+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
-+ continue;
-+
- if (comment == NULL)
- comment = "CURVE DESCRIPTION NOT AVAILABLE";
- if (sname == NULL)
-diff --git a/apps/req.c b/apps/req.c
-index 8995453dca..cb38e6aa64 100644
---- a/apps/req.c
-+++ b/apps/req.c
-@@ -268,7 +268,7 @@ int req_main(int argc, char **argv)
- unsigned long chtype = MBSTRING_ASC, reqflag = 0;
-
- #ifndef OPENSSL_NO_DES
-- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
-+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
- #endif
-
- opt_set_unknown_name("digest");
-diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
-index f7234615e4..0d4c0e3388 100644
---- a/providers/common/capabilities.c
-+++ b/providers/common/capabilities.c
-@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list[][10] = {
- TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
- TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
- TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
--# endif
- TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
- TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
-+# endif
- # ifndef FIPS_MODULE
- TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
- TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
-diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 7ec409710b..ec5bdd5a69 100644
---- a/providers/fips/fipsprov.c
-+++ b/providers/fips/fipsprov.c
-@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
- OSSL_LIB_CTX_FIPS_PROV_INDEX);
-
- p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
-- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
-+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
- return 0;
- p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
-- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
-+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
- return 0;
- p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
-- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
-+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
- return 0;
- p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
- if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
-@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
- * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
- * KMAC128 and KMAC256.
- */
-- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
-+ /* We don't certify KECCAK in our FIPS provider */
-+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
- ossl_keccak_kmac_128_functions },
- { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
-- ossl_keccak_kmac_256_functions },
-+ ossl_keccak_kmac_256_functions }, */
- { NULL, NULL, NULL }
- };
-
-@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
- ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
- ossl_cipher_capable_aes_cbc_hmac_sha256),
- #ifndef OPENSSL_NO_DES
-- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
-- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
-+ /* We don't certify 3DES in our FIPS provider */
-+ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
-+ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
- #endif /* OPENSSL_NO_DES */
- { { NULL, NULL, NULL }, NULL }
- };
-@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
- #endif
- { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
- { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
-- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
-- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
-+ /* We don't certify KMAC in our FIPS provider */
-+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
-+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
- { NULL, NULL, NULL }
- };
-
-@@ -410,8 +413,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
- #ifndef OPENSSL_NO_EC
- { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
- # ifndef OPENSSL_NO_ECX
-- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
-- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
-+ /* We don't certify Edwards curves in our FIPS provider */
-+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
-+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
- # endif
- #endif
- { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
-@@ -422,14 +426,16 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
-
- static const OSSL_ALGORITHM fips_signature[] = {
- #ifndef OPENSSL_NO_DSA
-- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
-+ /* We don't certify DSA in our FIPS provider */
-+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
- #endif
- { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
- #ifndef OPENSSL_NO_EC
- # ifndef OPENSSL_NO_ECX
-- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
-+ /* We don't certify Edwards curves in our FIPS provider */
-+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
- ossl_ed25519_signature_functions },
-- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
-+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
- # endif
- { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
- #endif
-@@ -460,8 +466,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
- PROV_DESCS_DHX },
- #endif
- #ifndef OPENSSL_NO_DSA
-- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
-- PROV_DESCS_DSA },
-+ /* We don't certify DSA in our FIPS provider */
-+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
-+ PROV_DESCS_DSA }, */
- #endif
- { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
- PROV_DESCS_RSA },
-@@ -471,14 +478,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
- { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
- PROV_DESCS_EC },
- # ifndef OPENSSL_NO_ECX
-- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
-+ /* We don't certify Edwards curves in our FIPS provider */
-+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
- PROV_DESCS_X25519 },
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
- PROV_DESCS_X448 },
- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
- PROV_DESCS_ED25519 },
- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
-- PROV_DESCS_ED448 },
-+ PROV_DESCS_ED448 }, */
- # endif
- #endif
- { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
-diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index 2057378d3d..4b80bb70b9 100644
---- a/providers/fips/self_test_data.inc
-+++ b/providers/fips/self_test_data.inc
-@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
- /*- CIPHER TEST DATA */
-
- /* DES3 test data */
-+#if 0
- static const unsigned char des_ede3_cbc_pt[] = {
- 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
- 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
-@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
- 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
- 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
- };
--
-+#endif
- /* AES-256 GCM test data */
- static const unsigned char aes_256_gcm_key[] = {
- 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
-@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = {
- # endif /* OPENSSL_NO_EC2M */
- #endif /* OPENSSL_NO_EC */
-
--#ifndef OPENSSL_NO_DSA
- /* dsa 2048 */
-+#if 0
-+#ifndef OPENSSL_NO_DSA
- static const unsigned char dsa_p[] = {
- 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
- 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
-@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
- ST_KAT_PARAM_END()
- };
- #endif /* OPENSSL_NO_DSA */
-+#endif
-
- /* Hash DRBG inputs for signature KATs */
- static const unsigned char sig_kat_entropyin[] = {
-@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
- },
- # endif
- #endif /* OPENSSL_NO_EC */
-+#if 0
- #ifndef OPENSSL_NO_DSA
- {
- OSSL_SELF_TEST_DESC_SIGN_DSA,
-@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
- ITM(dsa_expected_sig)
- },
- #endif /* OPENSSL_NO_DSA */
-+#endif
- };
-
- static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
-diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 22d93ead53..c1405f47ea 100644
---- a/providers/implementations/signature/rsa_sig.c
-+++ b/providers/implementations/signature/rsa_sig.c
-@@ -686,6 +686,19 @@ static int rsa_verify_recover(void *vprsactx,
- {
- PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
- int ret;
-+# ifdef FIPS_MODULE
-+ size_t rsabits = RSA_bits(prsactx->rsa);
-+
-+ if (rsabits < 2048) {
-+ if (rsabits != 1024
-+ && rsabits != 1280
-+ && rsabits != 1536
-+ && rsabits != 1792) {
-+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+ }
-+# endif
-
- if (!ossl_prov_is_running())
- return 0;
-@@ -774,6 +787,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
- {
- PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
- size_t rslen;
-+# ifdef FIPS_MODULE
-+ size_t rsabits = RSA_bits(prsactx->rsa);
-+
-+ if (rsabits < 2048) {
-+ if (rsabits != 1024
-+ && rsabits != 1280
-+ && rsabits != 1536
-+ && rsabits != 1792) {
-+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+ }
-+# endif
-
- if (!ossl_prov_is_running())
- return 0;
-diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 33c23efb0d..113c204716 100644
---- a/ssl/ssl_ciph.c
-+++ b/ssl/ssl_ciph.c
-@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
- ctx->disabled_mkey_mask = 0;
- ctx->disabled_auth_mask = 0;
-
-+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
-+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
-+
- /*
- * We ignore any errors from the fetches below. They are expected to fail
- * if these algorithms are not available.
-diff --git a/test/acvp_test.c b/test/acvp_test.c
-index 45509095af..4a67519bb4 100644
---- a/test/acvp_test.c
-+++ b/test/acvp_test.c
-@@ -1478,6 +1478,7 @@ int setup_tests(void)
- OSSL_NELEM(dh_safe_prime_keyver_data));
- #endif /* OPENSSL_NO_DH */
-
-+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
- #ifndef OPENSSL_NO_DSA
- ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
- ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
-@@ -1485,6 +1486,7 @@ int setup_tests(void)
- ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
- ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
- #endif /* OPENSSL_NO_DSA */
-+#endif
-
- #ifndef OPENSSL_NO_EC
- ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
-diff --git a/test/endecode_test.c b/test/endecode_test.c
-index b53b7b715b..885e49a47c 100644
---- a/test/endecode_test.c
-+++ b/test/endecode_test.c
-@@ -1419,6 +1419,7 @@ int setup_tests(void)
- * so no legacy tests.
- */
- #endif
-+ if (is_fips == 0) {
- #ifndef OPENSSL_NO_DSA
- ADD_TEST_SUITE(DSA);
- ADD_TEST_SUITE_PARAMS(DSA);
-@@ -1429,6 +1430,7 @@ int setup_tests(void)
- ADD_TEST_SUITE_PROTECTED_PVK(DSA);
- # endif
- #endif
-+ }
- #ifndef OPENSSL_NO_EC
- ADD_TEST_SUITE(EC);
- ADD_TEST_SUITE_PARAMS(EC);
-@@ -1443,10 +1445,12 @@ int setup_tests(void)
- ADD_TEST_SUITE(ECExplicitTri2G);
- ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
- # endif
-+ if (is_fips == 0) {
- ADD_TEST_SUITE(ED25519);
- ADD_TEST_SUITE(ED448);
- ADD_TEST_SUITE(X25519);
- ADD_TEST_SUITE(X448);
-+ }
- /*
- * ED25519, ED448, X25519 and X448 have no support for
- * PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
-diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
-index 2448c35a14..a7913cda4c 100644
---- a/test/evp_libctx_test.c
-+++ b/test/evp_libctx_test.c
-@@ -21,6 +21,7 @@
- */
- #include "internal/deprecated.h"
- #include
-+#include
- #include
- #include
- #include
-@@ -726,7 +727,9 @@ int setup_tests(void)
- return 0;
-
- #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
-- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
-+ if (strcmp(prov_name, "fips") != 0) {
-+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
-+ }
- #endif
- #ifndef OPENSSL_NO_DH
- ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
-@@ -746,7 +749,9 @@ int setup_tests(void)
- ADD_TEST(kem_invalid_keytype);
- #endif
- #ifndef OPENSSL_NO_DES
-- ADD_TEST(test_cipher_tdes_randkey);
-+ if (strcmp(prov_name, "fips") != 0) {
-+ ADD_TEST(test_cipher_tdes_randkey);
-+ }
- #endif
- return 1;
- }
-diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
-index 4bc460784b..93052eb3e7 100644
---- a/test/recipes/15-test_gendsa.t
-+++ b/test/recipes/15-test_gendsa.t
-@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
- plan skip_all => "This test is unsupported in a no-dsa build"
- if disabled("dsa");
-
--my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-+my $no_fips = 1;
-
- plan tests =>
- ($no_fips ? 0 : 2) # FIPS related tests
-diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
-index d4b4d4ca51..031814e8ff 100644
---- a/test/recipes/20-test_cli_fips.t
-+++ b/test/recipes/20-test_cli_fips.t
-@@ -278,8 +278,7 @@ SKIP: {
- }
-
- SKIP : {
-- skip "FIPS DSA tests because of no dsa in this build", 1
-- if disabled("dsa");
-+ skip "FIPS DSA tests because of no dsa in this build", 1;
-
- subtest DSA => sub {
- my $testtext_prefix = 'DSA';
-diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
-index eddca5c58e..36a192d041 100644
---- a/test/recipes/30-test_evp.t
-+++ b/test/recipes/30-test_evp.t
-@@ -46,10 +46,8 @@ my @files = qw(
- evpciph_aes_cts.txt
- evpciph_aes_wrap.txt
- evpciph_aes_stitched.txt
-- evpciph_des3_common.txt
- evpkdf_hkdf.txt
- evpkdf_kbkdf_counter.txt
-- evpkdf_kbkdf_kmac.txt
- evpkdf_pbkdf1.txt
- evpkdf_pbkdf2.txt
- evpkdf_ss.txt
-@@ -69,15 +67,6 @@ push @files, qw(
- evppkey_ffdhe.txt
- evppkey_dh.txt
- ) unless $no_dh;
--push @files, qw(
-- evpkdf_x942_des.txt
-- evpmac_cmac_des.txt
-- ) unless $no_des;
--push @files, qw(evppkey_dsa.txt) unless $no_dsa;
--push @files, qw(
-- evppkey_ecx.txt
-- evppkey_mismatch_ecx.txt
-- ) unless $no_ecx;
- push @files, qw(
- evppkey_ecc.txt
- evppkey_ecdh.txt
-@@ -97,6 +86,7 @@ my @defltfiles = qw(
- evpciph_cast5.txt
- evpciph_chacha.txt
- evpciph_des.txt
-+ evpciph_des3_common.txt
- evpciph_idea.txt
- evpciph_rc2.txt
- evpciph_rc4.txt
-@@ -121,13 +111,19 @@ my @defltfiles = qw(
- evpmd_whirlpool.txt
- evppbe_scrypt.txt
- evppbe_pkcs12.txt
-+ evpkdf_kbkdf_kmac.txt
- evppkey_kdf_scrypt.txt
- evppkey_kdf_tls1_prf.txt
- evppkey_rsa.txt
- );
-+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
-+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
-+push @defltfiles, qw(
-+ evpkdf_x942_des.txt
-+ evpmac_cmac_des.txt
-+ ) unless $no_des;
- push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
- push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless 
$no_ec; --push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa; - push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; - push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv; - push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv; -diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt -index e47023aae6..96a8febeef 100644 ---- a/test/recipes/30-test_evp_data/evpmac_common.txt -+++ b/test/recipes/30-test_evp_data/evpmac_common.txt -@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C - Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007 - Result = MAC_INIT_ERROR - -+Availablein = default - Title = KMAC Tests (From NIST) - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F -@@ -373,12 +374,14 @@ Ctrl = xof:0 - OutputSize = 32 - BlockSize = 168 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 - Custom = "My Tagged Application" - Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -386,6 +389,7 @@ Custom = "My Tagged Application" - Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 - Ctrl = size:32 - -+Availablein = default - MAC = KMAC256 - Key = 
404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC - OutputSize = 64 - BlockSize = 136 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 - Custom = "" - Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -409,12 +415,14 @@ Ctrl = size:64 - - Title = KMAC XOF Tests (From NIST) - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 - Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 - XOF = 1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -422,6 +430,7 @@ Custom = "My Tagged Application" - Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C - XOF = 
1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F - XOF = 1 - Ctrl = size:32 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -437,6 +447,7 @@ Custom = "My Tagged Application" - Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B - XOF = 1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -444,6 +455,7 @@ Custom = "" - Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B - XOF = 1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -454,6 +466,7 @@ XOF = 1 - - Title = KMAC long customisation string (from NIST ACVP) - -+Availablein = default - MAC = KMAC256 - Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 - Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -464,12 +477,14 @@ XOF = 1 - - Title = KMAC XOF Tests via ctrl (From NIST) - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 - Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -477,6 +492,7 @@ Custom = "My Tagged Application" - Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -485,6 +501,7 @@ Output = 
47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F - Ctrl = xof:1 - Ctrl = size:32 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -492,6 +509,7 @@ Custom = "My Tagged Application" - Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -499,6 +517,7 @@ Custom = "" - Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -509,6 +528,7 @@ Ctrl = xof:1 - - Title = KMAC long customisation string via ctrl (from NIST ACVP) - -+Availablein = default - MAC = KMAC256 - Key = 
9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 - Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -519,6 +539,7 @@ Ctrl = xof:1 - - Title = KMAC long customisation string negative test - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR - - Title = KMAC output is too large - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 6a9792128b..4e368c730b 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content DER format, DSA key", -+ [ "signed content DER format, DSA key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", - "-signer", catfile($smdir, 
"smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", -@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed detached content DER format, DSA key", -+ [ "signed detached content DER format, DSA key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", -@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed detached content DER format, add RSA signer (with DSA existing)", -+ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", -@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, DSA key", -+ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-stream", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], -@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-stream", - "-signer", $smrsa1, -@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", 
$smcont, "-outform", "DER", - "-noattr", "-nodetach", "-stream", - "-signer", $smrsa1, -@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = ( - \&zero_compare - ], - -- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = ( - - my @smime_cms_tests = ( - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-keyid", - "-signer", $smrsa1, -@@ -263,7 +263,7 @@ my @smime_cms_tests = ( - \&final_compare - ], - -- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -373,7 +373,7 @@ my @smime_cms_tests = ( - \&final_compare - ], - -- [ "encrypted content test streaming PEM format, triple DES key", -+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", - "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", - "-stream", "-out", "{output}.cms" ], -diff --git 
a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
-index 50b74a1e29..e2dcb68fb5 100644
---- a/test/recipes/80-test_ssl_old.t
-+++ b/test/recipes/80-test_ssl_old.t
-@@ -436,7 +436,7 @@ sub testssl {
- my @exkeys = ();
- my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
- 
-- if (!$no_dsa) {
-+ if (!$no_dsa && $provider ne "fips") {
- push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
- }
- 
---
-2.44.0
-
diff --git a/0046-FIPS-NO-PQ-ML-SLH-DSA.patch b/0046-FIPS-NO-PQ-ML-SLH-DSA.patch
new file mode 100644
index 0000000..503a515
--- /dev/null
+++ b/0046-FIPS-NO-PQ-ML-SLH-DSA.patch
@@ -0,0 +1,33 @@
+From 5de6758ff6d27df266280e8df7f587d7deba6d92 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Fri, 7 Mar 2025 18:24:36 -0500
+Subject: [PATCH 46/50] FIPS: NO PQ (ML/SLH-DSA)
+
+Signed-off-by: Simo Sorce
+---
+ providers/fips/self_test_data.inc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index f3059a8446..9659f10613 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -3037,6 +3037,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+ #endif /* OPENSSL_NO_DSA */
+ #endif
+ 
++#if 0
+ #ifndef OPENSSL_NO_ML_DSA
+ {
+ OSSL_SELF_TEST_DESC_SIGN_ML_DSA,
+@@ -3081,6 +3082,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+ slh_dsa_sig_params, slh_dsa_sig_params
+ },
+ #endif /* OPENSSL_NO_SLH_DSA */
++#endif
+ };
+ 
+ #if !defined(OPENSSL_NO_ML_DSA)
+--
+2.49.0
+
diff --git a/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch b/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
new file mode 100644
index 0000000..16d336c
--- /dev/null
+++ b/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
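Review bot: The `#if 0` / `#endif` pair wrapped around the ML-DSA and SLH-DSA entries of `st_kat_sign_tests[]` carries no comment explaining why those known-answer tests are removed, and nothing in this patch removes the algorithms themselves — the `#if !defined(OPENSSL_NO_ML_DSA)` context line right after the guard shows ML-DSA code still follows, so if the FIPS provider still registers those signature algorithms they would now come up without a power-up self-test. If the intent is that ML-DSA/SLH-DSA are not offered by this FIPS module at all, state that next to the guard, e.g. `/* RH: ML-DSA/SLH-DSA KATs disabled; these algorithms are not provided by this FIPS module */`, and prefer a named build-time guard over a bare `#if 0` so the exclusion is visible in the build configuration. The enclosing array begins and ends outside the hunk.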
@@ -0,0 +1,106 @@
+From 7996dc097918cf09350312d5ee04c727c3cd42ac Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Mon, 10 Mar 2025 13:52:50 -0400
+Subject: [PATCH 47/50] FIPS: Fix some tests due to our versioning change
+
+Signed-off-by: Simo Sorce
+---
+ test/ssl-tests/13-fragmentation.cnf.in | 4 ++--
+ test/ssl-tests/17-renegotiate.cnf.in | 4 ++--
+ test/ssl-tests/18-dtls-renegotiate.cnf.in | 2 +-
+ test/ssl-tests/19-mac-then-encrypt.cnf.in | 2 +-
+ test/ssl-tests/20-cert-select.cnf.in | 6 +++---
+ 5 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/test/ssl-tests/13-fragmentation.cnf.in b/test/ssl-tests/13-fragmentation.cnf.in
+index 318fd65960..87ec08ee5b 100644
+--- a/test/ssl-tests/13-fragmentation.cnf.in
++++ b/test/ssl-tests/13-fragmentation.cnf.in
+@@ -14,7 +14,7 @@ use warnings;
+ 
+ package ssltests;
+ 
+-our $fips_3_4;
++our $fips_mode;
+ 
+ our @tests = (
+ # Default fragment size is 512.
+@@ -273,4 +273,4 @@ my @tests_rsa = (
+ );
+ 
+ push @tests, @tests_rsa
+- unless $fips_3_4;
++ unless $fips_mode;
+diff --git a/test/ssl-tests/17-renegotiate.cnf.in b/test/ssl-tests/17-renegotiate.cnf.in
+index 2812e4c38b..9cbd972eba 100644
+--- a/test/ssl-tests/17-renegotiate.cnf.in
++++ b/test/ssl-tests/17-renegotiate.cnf.in
+@@ -15,7 +15,7 @@ use warnings;
+ package ssltests;
+ use OpenSSL::Test::Utils;
+ 
+-our $fips_3_4;
++our $fips_mode;
+ 
+ our @tests = (
+ {
+@@ -318,5 +318,5 @@ our @tests_tls1_2 = (
+ }
+ );
+ 
+-push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_3_4;
++push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_mode;
+ push @tests, @tests_tls1_2 unless disabled("tls1_2");
+diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf.in b/test/ssl-tests/18-dtls-renegotiate.cnf.in
+index 8996849a2c..415dc2978d 100644
+--- a/test/ssl-tests/18-dtls-renegotiate.cnf.in
++++ b/test/ssl-tests/18-dtls-renegotiate.cnf.in
+@@ -133,7 +133,7 @@ foreach my $sctp ("No", "Yes")
+ );
+ push @tests, @tests_basic;
+ 
+- next if disabled("dtls1_2") || $fips_3_4;
++ next if disabled("dtls1_2") || $fips_mode;
+ our @tests_dtls1_2 = (
+ {
+ name => "renegotiate-aead-to-non-aead".$suffix,
+diff --git a/test/ssl-tests/19-mac-then-encrypt.cnf.in b/test/ssl-tests/19-mac-then-encrypt.cnf.in
+index 32bcec4be4..2f8a123c20 100644
+--- a/test/ssl-tests/19-mac-then-encrypt.cnf.in
++++ b/test/ssl-tests/19-mac-then-encrypt.cnf.in
+@@ -17,7 +17,7 @@ our $fips_mode;
+ our $fips_3_4;
+ 
+ # Nothing to test with newer fips providers
+-return if $fips_3_4;
++return if $fips_mode;
+ 
+ our @tests = (
+ {
+diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in
+index af47842fd8..21c75033e8 100644
+--- a/test/ssl-tests/20-cert-select.cnf.in
++++ b/test/ssl-tests/20-cert-select.cnf.in
+@@ -266,7 +266,7 @@ our @tests = (
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA",
+- "ExpectedResult" => $fips_3_4 ? "ClientFail" : "Success"
++ "ExpectedResult" => $fips_mode ? "ClientFail" : "Success"
+ },
+ },
+ {
+@@ -1005,8 +1005,8 @@ my @tests_dsa_tls_1_3 = (
+ );
+ 
+ if (!disabled("dsa")) {
+- push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_3_4;
+- push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
++ push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
++ push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3") || $fips_mode;
+ }
+ 
+ my @tests_mldsa_tls_1_3 = (
+--
+2.49.0
+
diff --git a/0047-FIPS-early-KATS.patch b/0047-FIPS-early-KATS.patch
deleted file mode 100644
index 6dffded..0000000
--- a/0047-FIPS-early-KATS.patch
+++ /dev/null
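Review bot: In `19-mac-then-encrypt.cnf.in` the hunk swaps `$fips_3_4` for `$fips_mode` in the `return` but leaves `our $fips_3_4;` declared and now unused, and the comment above it (`# Nothing to test with newer fips providers`) no longer describes the condition, which now skips the whole file for any FIPS provider. Suggest dropping the dead declaration and rewording to `# Nothing to test with the FIPS provider (the version-based $fips_3_4 gate does not apply to this build)`. The last hunk in `20-cert-select.cnf.in` is not a pure rename: it adds a new `|| $fips_mode` gate on `@tests_dsa_tls_1_3`, so DSA TLS 1.3 cert-select coverage is now dropped under FIPS, which the commit message should say explicitly.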
@@ -1,57 +0,0 @@ -From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 19 Oct 2023 13:12:40 +0200 -Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch - -Patch-name: 0047-FIPS-early-KATS.patch -Patch-id: 47 -Patch-status: | - # # Execute KATS before HMAC verification -From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 ---- - providers/fips/self_test.c | 22 ++++++++++------------ - 1 file changed, 10 insertions(+), 12 deletions(-) - -diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c -index e3a629018a..3c09bd8638 100644 ---- a/providers/fips/self_test.c -+++ b/providers/fips/self_test.c -@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - if (ev == NULL) - goto end; - -+ /* -+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements -+ */ -+ if (kats_already_passed == 0) { -+ if (!SELF_TEST_kats(ev, st->libctx)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); -+ goto end; -+ } -+ } -+ - if (st->module_checksum_data == NULL) { - module_checksum = fips_hmac_container; - checksum_len = sizeof(fips_hmac_container); -@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) - } - } - -- /* -- * Only runs the KAT's during installation OR on_demand(). -- * NOTE: If the installation option 'self_test_onload' is chosen then this -- * path will always be run, since kats_already_passed will always be 0. -- */ -- if (on_demand_test || kats_already_passed == 0) { -- if (!SELF_TEST_kats(ev, st->libctx)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); -- goto end; -- } -- } -- - /* Verify that the RNG has been restored properly */ - rng = ossl_rand_get0_private_noncreating(st->libctx); - if (rng != NULL) --- -2.41.0 - diff --git a/0048-Current-Rebase-status.patch b/0048-Current-Rebase-status.patch new file mode 100644 index 0000000..a130864 --- /dev/null +++ b/0048-Current-Rebase-status.patch 
@@ -0,0 +1,106 @@ +From d2068b5ee18ccb9014bc49e71be49e467f1bf07f Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Wed, 12 Feb 2025 17:25:47 -0500 +Subject: [PATCH 48/50] Current Rebase status + +Signed-off-by: Simo Sorce +--- + REBASE.txt | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 81 insertions(+) + +diff --git a/REBASE.txt b/REBASE.txt +index 2833a383c1..c8f6c992a8 100644 +--- a/REBASE.txt ++++ b/REBASE.txt +@@ -1,3 +1,6 @@ ++REBASED on TOP of tagged openssl-3.5.0 ++ ++ + 0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch + + Some asym testing has been dropped upstream, unclear if this needs to survive, +@@ -8,3 +11,81 @@ if so we may need to resurrect deleted code in upstream patch: + fips: remove redundant RSA encrypt/decrypt KAT + -- + ++This does not apply cleanly and I can't figure out the original intent exactly ++to modify the existing code correctly. ++ ++-- ++0030-0075-FIPS-Use-FFDHE2048-in-self-test.patch.patch ++ ++Unnecessary, upstream aleady change to use ffsh2048 ++ ++-- ++0032-0077-FIPS-140-3-zeroization.patch.patch ++ ++Unnecessary, but MUST define OPENSSL_PEDANTIC_ZEROIZATION to do the same ++ ++-- ++0048-Spec-cleanup.patch ++ ++Not applied as I did not get in the initial patch that imports into packit ++-- ++0049-0117-ignore-unknown-sigalgorithms-groups.patch.patch ++ ++Unnecessary, already included in 3.5 ++ ++-- ++0050-0118-no-crl-memleak.patch.patch ++ ++Unnecessary, already included in 3.5 ++ ++-- ++0051-0119-provider-sigalgs-in-signaturealgorithms-conf.pa.patch ++ ++Unnecessary, already included in 3.5 ++ ++-- ++ ++Recheck ++====== ++ ++- Dropped: openssl speed - skip unavailable dgst ++ ++- Dropped: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signa.patch ++ ++- Dropped patch to disable ECX algorihms ++ ++Needed build/spec changes ++==================== ++ ++Add -DOPENSSL_PEDANTIC_ZEROIZATION to ./Configure line ++This is needed for zeroizations required for FIPS ++ ++Add 
-DREDHAT_FIPS_VENDOR for the module name ++ ++Drop 0025-for-tests.patch from dist-git ++We now use a separate config file for tests and for install ++Copy rh-openssl.cnf over the openssl default conf file in the install section. ++ ++Testing ++======= ++./Configure \ ++ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ ++ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \ ++ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ ++ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\ ++ no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\ ++ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\ ++ -Wl,--allow-multiple-definition ++ ++prefix=$HOME/tmp/openssl-rebase ++sysconfigdir=$prefix/etc ++fips="Rebase Testing" ++sslarch=linux-x86_64 ++sslflags=enable-ec_nistp_64_gcc_128 ++ktlsopt=enable-ktls ++ ++Example Testing ++=============== ++ ++./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition ++ +-- +2.49.0 + diff --git a/0049-FIPS-KDF-key-lenght-errors.patch b/0049-FIPS-KDF-key-lenght-errors.patch new file mode 100644 index 0000000..e29f212 --- /dev/null +++ b/0049-FIPS-KDF-key-lenght-errors.patch 
@@ -0,0 +1,175 @@ +From f9fb76834b0c471d770463e5d7d70f1e2fca3237 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 14 Apr 2025 15:25:40 -0400 +Subject: [PATCH 49/50] FIPS: KDF key lenght errors + +Signed-off-by: Simo Sorce +--- + test/recipes/30-test_evp_data/evpkdf_ss.txt | 8 ++++---- + test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 6 +++--- + test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt | 11 ++++++----- + test/recipes/30-test_evp_data/evpkdf_x942.txt | 3 +-- + test/recipes/30-test_evp_data/evpkdf_x963.txt | 6 ++---- + test/recipes/30-test_evp_data/evpmac_common.txt | 2 +- + test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt | 2 +- + 7 files changed, 18 insertions(+), 20 deletions(-) + +diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt +index 4503af711f..7ef2894ae6 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt +@@ -1189,8 +1189,8 @@ KDF = SSKDF + Ctrl.digest = digest:SHA1 + Ctrl.hexsecret = hexsecret:d7e6 + Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff +-Result = KDF_CTRL_ERROR +-Reason = invalid key length ++Result = KDF_DERIVE_ERROR ++#Reason = invalid key length + + Availablein = fips + FIPSversion = >=3.4.0 +@@ -1200,8 +1200,8 @@ Ctrl.digest = digest:SHA224 + Ctrl.salt = hexsalt:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96C + Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400 +-Result = KDF_CTRL_ERROR +-Reason = invalid key length ++Result = KDF_DERIVE_ERROR ++#Reason = invalid key length + + Availablein = fips + FIPSversion = >=3.4.0 +diff --git 
a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +index edb2e81273..d663e5e5a5 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +@@ -104,8 +104,8 @@ Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55 + Ctrl.label = seed:extended master secret + Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c + Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce +-Result = KDF_CTRL_ERROR +-Reason = digest not allowed ++Result = KDF_DERIVE_ERROR ++Reason = invalid key length + + # Test that the operation with unapproved digest function is is reported as + # unapproved +@@ -131,7 +131,7 @@ Ctrl.Secret = hexsecret:0102030405060708090a0b + Ctrl.label = seed:extended master secret + Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c + Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce +-Result = KDF_CTRL_ERROR ++Result = KDF_DERIVE_ERROR + Reason = invalid key length + + # Test that the key whose length is shorter than 112 bits is reported as +diff --git a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt +index f2ea9ac44a..0f2f6e3904 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt +@@ -4963,7 +4963,7 @@ KDF = TLS13-KDF + Ctrl.mode = mode:EXTRACT_ONLY + Ctrl.digest = digest:SHA512-256 + Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05 +-Result = KDF_CTRL_ERROR ++Result = KDF_DERIVE_ERROR + + # Test that the operation with unapproved digest function is is reported as + # unapproved +@@ -4985,20 +4985,21 @@ KDF = TLS13-KDF + Ctrl.mode = mode:EXTRACT_ONLY + Ctrl.digest = digest:SHA2-256 + Ctrl.key = 
hexkey:0102030405060708090a0b +-Result = KDF_CTRL_ERROR +-Reason = invalid key length ++Result = KDF_DERIVE_ERROR ++Reason = wrong output buffer size + + Availablein = fips + FIPSversion = >=3.4.0 + KDF = TLS13-KDF ++Unapproved = 1 + Ctrl.mode = mode:EXPAND_ONLY + Ctrl.digest = digest:SHA2-256 + Ctrl.key = hexkey:0102030405060708090a0b + Ctrl.data = hexdata:7c92f68bd5bf3638ea338a6494722e1b44127e1b7e8aad535f2322a644ff22b3 + Ctrl.prefix = hexprefix:746c73313320 + Ctrl.label = hexlabel:6320652074726166666963 +-Result = KDF_CTRL_ERROR +-Reason = invalid key length ++Result = KDF_MISMATCH ++#Reason = invalid key length + + # Test that the key whose length is shorter than 112 bits is reported as + # unapproved +diff --git a/test/recipes/30-test_evp_data/evpkdf_x942.txt b/test/recipes/30-test_evp_data/evpkdf_x942.txt +index b1774592e9..6869fd0f20 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_x942.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt +@@ -124,11 +124,10 @@ Reason = xof digests not allowed + Availablein = fips + FIPSversion = >=3.4.0 + KDF = X942KDF-ASN1 ++Unapproved = 1 + Ctrl.digest = digest:SHA256 + Ctrl.hexsecret = hexsecret:6B + Ctrl.use-keybits = use-keybits:0 + Ctrl.cekalg = cekalg:id-aes128-wrap + Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC + Output = C2E6A0978C24AF3932F478583ADBFB5F57D491822592EAD3C538875F46EB057A +-Result = KDF_CTRL_ERROR +-Reason = invalid key length +diff --git a/test/recipes/30-test_evp_data/evpkdf_x963.txt b/test/recipes/30-test_evp_data/evpkdf_x963.txt +index b8f3cff3d3..74524c4694 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_x963.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt +@@ -148,8 +148,7 @@ KDF = X963KDF + Ctrl.digest = digest:SHA1 + 
Ctrl.hexsecret = hexsecret:fd17198b89ab39c4ab5d7cca363b82f9fd7e23c3984dc8a2 + Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2 +-Result = KDF_CTRL_ERROR +-Reason = digest not allowed ++Result = KDF_DERIVE_ERROR + + # Test that the operation with unapproved digest function is is reported as + # unapproved +@@ -170,8 +169,7 @@ KDF = X963KDF + Ctrl.digest = digest:SHA224 + Ctrl.hexsecret = hexsecret:0102030405060908090a0b + Ctrl.hexinfo = hexinfo:0102030405060708090a0b0c0d0e0f10 +-Result = KDF_CTRL_ERROR +-Reason = invalid key length ++Result = KDF_DERIVE_ERROR + + # Test that the key whose length is shorter than 112 bits is reported as + # unapproved +diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt +index af92ceea98..a1541bf226 100644 +--- a/test/recipes/30-test_evp_data/evpmac_common.txt ++++ b/test/recipes/30-test_evp_data/evpmac_common.txt +@@ -271,7 +271,7 @@ MAC = HMAC + Algorithm = SHA256 + Input = "Test Input" + Key = 0001020304 +-Result = MAC_INIT_ERROR ++Output = db70da6176d87813b059879ccc27bc53e295c6eca74db8bdc4e77d7e951d894b + + Title = HMAC FIPS short key indicator test + +diff --git a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt +index 1fb2472001..93c07ede7c 100644 +--- a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt ++++ b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt +@@ -216,7 +216,7 @@ Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = hexsalt:000102030405060708090a0b0c + Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 +-Result = PKEY_CTRL_ERROR ++Result = KDF_DERIVE_ERROR + Reason = invalid key length + + # Test that the key whose length is shorter than 112 bits is reported as +-- +2.49.0 + diff --git a/0050-FIPS-enable-pkcs12-mac.patch b/0050-FIPS-enable-pkcs12-mac.patch deleted file mode 100644 index 1496bb2..0000000 --- a/0050-FIPS-enable-pkcs12-mac.patch +++ /dev/null 
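Review bot: In `evpmac_common.txt` the HMAC case with the 40-bit key `0001020304` changes from `Result = MAC_INIT_ERROR` to an expected `Output`, so a key well below 112 bits is now accepted by the FIPS provider and this case asserts nothing about the key-length policy; unlike the KDF cases in this same patch no `Unapproved = 1` line is added, so if the provider raises the indicator for this key the test should assert it (`Unapproved = 1`) rather than only the digest value. Several `Reason =` lines are commented out (`#Reason = invalid key length`) instead of being updated, which drops the check that the failure is the key-length one rather than some other derive error; if the reason string differs under the new code, put the actual reason there. In `evpkdf_tls12_prf.txt` the first hunk changes the expected reason from `digest not allowed` to `invalid key length` for a case whose visible secret (`f8938ecc…`) is far longer than 112 bits, which looks like the wrong reason was carried over and is worth confirming against the error actually raised.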
@@ -1,95 +0,0 @@ -diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c ---- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips 2022-02-21 12:35:24.829893907 +0100 -+++ openssl-3.0.1/crypto/pkcs12/p12_key.c 2022-02-21 13:01:22.711622967 +0100 -@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char - EVP_KDF *kdf; - EVP_KDF_CTX *ctx; - OSSL_PARAM params[6], *p = params; -+ char *adjusted_propq = NULL; - - if (n <= 0) - return 0; - -- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq); -- if (kdf == NULL) -+ if (ossl_get_kernel_fips_flag()) { -+ const char *nofips = "-fips"; -+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 : -+ strlen(nofips) + 1; -+ char *ptr = NULL; -+ -+ adjusted_propq = OPENSSL_zalloc(len); -+ if (adjusted_propq != NULL) { -+ ptr = adjusted_propq; -+ if (propq) { -+ memcpy(ptr, propq, strlen(propq)); -+ ptr += strlen(propq); -+ *ptr = ','; -+ ptr++; -+ } -+ memcpy(ptr, nofips, strlen(nofips)); -+ } -+ } -+ -+ kdf = adjusted_propq ? 
EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq); -+ if (kdf == NULL) { -+ OPENSSL_free(adjusted_propq); - return 0; -+ } - ctx = EVP_KDF_CTX_new(kdf); - EVP_KDF_free(kdf); -- if (ctx == NULL) -+ if (ctx == NULL) { -+ OPENSSL_free(adjusted_propq); - return 0; -+ } - - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, - (char *)EVP_MD_get0_name(md_type), -@@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char - } OSSL_TRACE_END(PKCS12_KEYGEN); - } - EVP_KDF_CTX_free(ctx); -+ OPENSSL_free(adjusted_propq); - return res; - } - -diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c ---- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100 -+++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100 -@@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv) - } - if (macver) { - EVP_KDF *pkcs12kdf; -+ char *adjusted_propq = NULL; -+ const char *nofips = "-fips"; -+ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 : -+ strlen(nofips) + 1; -+ char *ptr = NULL; -+ -+ adjusted_propq = OPENSSL_zalloc(len); -+ if (adjusted_propq != NULL) { -+ ptr = adjusted_propq; -+ if (app_get0_propq()) { -+ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq())); -+ ptr += strlen(app_get0_propq()); -+ *ptr = ','; -+ ptr++; -+ } -+ memcpy(ptr, nofips, strlen(nofips)); -+ } - - pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF", -- app_get0_propq()); -+ adjusted_propq ? 
adjusted_propq : app_get0_propq()); - if (pkcs12kdf == NULL) { - BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n"); - BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n"); -+ OPENSSL_free(adjusted_propq); - goto end; - } - EVP_KDF_free(pkcs12kdf); -+ OPENSSL_free(adjusted_propq); - /* If we enter empty password try no password first */ - if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { - /* If mac and crypto pass the same set it to NULL too */ diff --git a/0050-FIPS-fix-disallowed-digests-tests.patch b/0050-FIPS-fix-disallowed-digests-tests.patch new file mode 100644 index 0000000..bd56dca --- /dev/null +++ b/0050-FIPS-fix-disallowed-digests-tests.patch 
@@ -0,0 +1,51 @@
+From 7dc0e5c5dbab91874602bbe73a3c0b627283ff64 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 15 Apr 2025 13:41:42 -0400
+Subject: [PATCH 50/50] FIPS: fix disallowed digests tests
+
+Signed-off-by: Simo Sorce
+---
+ test/recipes/30-test_evp_data/evpkdf_ssh.txt | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/test/recipes/30-test_evp_data/evpkdf_ssh.txt b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
+index 6688c217aa..8347f773e6 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_ssh.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
+@@ -4894,13 +4894,14 @@ Title = FIPS indicator tests
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = SSHKDF
++Unapproved = 1
+ Ctrl.digest = digest:SHA512-256
+ Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
+ Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.type = type:A
+-Result = KDF_CTRL_ERROR
+-Reason = digest not allowed
++Result = KDF_MISMATCH
++#Reason = digest not allowed
+
+ # Test that the operation with unapproved digest function is is reported as
+ # unapproved
+@@ -4920,13 +4921,14 @@ Output = d37ea221cbcc026d95e8c10b7d28a1b41e4ec1b497bae0e4cdbc1446e5bd59e2
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = SSHKDF
++Unapproved = 1
+ Ctrl.digest = digest:SHA1
+ Ctrl.hexkey = hexkey:0102030405060708090a0b
+ Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.type = type:A
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_MISMATCH
++#Reason = invalid key length
+
+ # Test that the key whose length is shorter than 112 bits is reported as
+ # unapproved
+-- 
+2.49.0
+
diff --git a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
deleted file mode 100644
index 14bacd4..0000000
--- a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+++ /dev/null
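Review bot: Nothing in the new patch records why the two negative tests were relaxed: both blocks replace `Result = KDF_CTRL_ERROR` with `Result = KDF_MISMATCH` and add `Unapproved = 1`, which turns "the SSHKDF derive is rejected" (non-approved digest, 11-byte key) into "the derive runs and is only flagged unapproved", and the subject line "fix disallowed digests tests" does not say whether this follows a provider behaviour change in the 3.5.0 rebase or a change in the test harness. If I read the evp_test semantics correctly, `KDF_MISMATCH` only asserts that the derived output differs from the expected value (the first block has no `Output` line in view), so a regression that silently lets the KDF derive usable key material with these inputs would no longer be caught; the commit message, or a comment in the data file, should state that the indicator check is now the intended guard. The commented-out `#Reason = digest not allowed` and `#Reason = invalid key length` lines are dead data and should either be removed or replaced by a comment such as `# derive completes in FIPS mode; the indicator (Unapproved = 1) is the check, output is intentionally not compared`.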
@@ -1,205 +0,0 @@ -From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Tue, 1 Mar 2022 15:44:18 +0100 -Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes - -References: rhbz#2055796 ---- - crypto/x509/x509_vfy.c | 19 ++++++++++- - doc/man5/config.pod | 7 +++- - ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++------- - test/recipes/25-test_verify.t | 7 ++-- - 4 files changed, 79 insertions(+), 18 deletions(-) - -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index ff3ca83de6..a549c1c111 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -25,6 +25,7 @@ - #include - #include - #include "internal/dane.h" -+#include "internal/sslconf.h" - #include "crypto/x509.h" - #include "x509_local.h" - -@@ -3440,14 +3441,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) - { - int secbits = -1; - int level = ctx->param->auth_level; -+ int nid; -+ OSSL_LIB_CTX *libctx = NULL; - - if (level <= 0) - return 1; - if (level > NUM_AUTH_LEVELS) - level = NUM_AUTH_LEVELS; - -- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) -+ if (ctx->libctx) -+ libctx = ctx->libctx; -+ else if (cert->libctx) -+ libctx = cert->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL)) - return 0; - -+ if (nid == NID_sha1 -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ctx->param->auth_level < 3) -+ /* When rh-allow-sha1-signatures = yes and security level <= 2, -+ * explicitly allow SHA1 for backwards compatibility. */ -+ return 1; -+ - return secbits >= minbits_table[level - 1]; - } -diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index aa1be5ca7f..aa69e2b844 100644 ---- a/doc/man5/config.pod -+++ b/doc/man5/config.pod -@@ -305,7 +305,12 @@ When set to B, any attempt to create or verify a signature with a SHA1 - digest will fail. 
For compatibility with older versions of OpenSSL, set this - option to B. This setting also affects TLS, where signature algorithms - that use SHA1 as digest will no longer be supported if this option is set to --B. -+B. Note that enabling B will allow TLS signature -+algorithms that use SHA1 in security level 2, despite the definition of -+security level 2 of 112 bits of security, which SHA1 does not meet. Because -+TLS 1.1 or lower use MD5-SHA1 as pseudorandom function (PRF) to derive key -+material, disabling B requires the use of TLS 1.2 or -+newer. - - =item B (deprecated) - -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 4b74ee1a34..5f089de107 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -20,6 +20,7 @@ - #include - #include - #include -+#include "crypto/x509.h" - #include "internal/sslconf.h" - #include "internal/nelem.h" - #include "internal/sizes.h" -@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey) - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); - return 0; - } -- /* -- * Make sure security callback allows algorithm. For historical -- * reasons we have to pass the sigalg as a two byte char array. -- */ -- sigalgstr[0] = (sig >> 8) & 0xff; -- sigalgstr[1] = sig & 0xff; -- secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); -- if (secbits == 0 || -- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -- md != NULL ? EVP_MD_get_type(md) : NID_undef, -- (void *)sigalgstr)) { -- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -- return 0; -+ -+ if (lu->hash == NID_sha1 -+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) -+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) { -+ /* when rh-allow-sha1-signatures = yes and security level <= 2, -+ * explicitly allow SHA1 for backwards compatibility */ -+ } else { -+ /* -+ * Make sure security callback allows algorithm. 
For historical -+ * reasons we have to pass the sigalg as a two byte char array. -+ */ -+ sigalgstr[0] = (sig >> 8) & 0xff; -+ sigalgstr[1] = sig & 0xff; -+ secbits = sigalg_security_bits(s->session_ctx, lu); -+ if (secbits == 0 || -+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -+ md != NULL ? EVP_MD_get_type(md) : NID_undef, -+ (void *)sigalgstr)) { -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -+ return 0; -+ } - } - /* Store the sigalg the peer uses */ - s->s3.tmp.peer_sigalg = lu; -@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu) - } - } - -+ if (lu->hash == NID_sha1 -+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) -+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) { -+ /* when rh-allow-sha1-signatures = yes and security level <= 2, -+ * explicitly allow SHA1 for backwards compatibility */ -+ return 1; -+ } -+ - /* Finally see if security callback allows it */ - secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); - sigalgstr[0] = (lu->sigalg >> 8) & 0xff; -@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) - { - /* Lookup signature algorithm digest */ - int secbits, nid, pknid; -+ OSSL_LIB_CTX *libctx = NULL; -+ - - /* Don't check signature if self signed */ - if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) -@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) - /* If digest NID not defined use signature NID */ - if (nid == NID_undef) - nid = pknid; -+ -+ if (x && x->libctx) -+ libctx = x->libctx; -+ else if (ctx && ctx->libctx) -+ libctx = ctx->libctx; -+ else if (s && s->session_ctx && s->session_ctx->libctx) -+ libctx = s->session_ctx->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if (nid == NID_sha1 -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ((s != NULL && 
SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) -+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3) -+ )) -+ /* When rh-allow-sha1-signatures = yes and security level <= 2, -+ * explicitly allow SHA1 for backwards compatibility. */ -+ return 1; -+ - if (s != NULL) - return ssl_security(s, op, secbits, nid, x); - else -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index 700bbd849c..2de1d76b5e 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -29,7 +29,7 @@ sub verify { - run(app([@args])); - } - --plan tests => 193; -+plan tests => 192; - - # Canonical success - ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), -@@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0" - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ), - "CA with PSS signature using SHA256"); - --ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), -- "Reject PSS signature using SHA1 and auth level 1"); -+## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1 -+#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), -+# "Reject PSS signature using SHA1 and auth level 1"); - - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), - "PSS signature using SHA256 and auth level 2"); --- -2.35.1 diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch deleted file mode 100644 index 6b740ce..0000000 --- a/0056-strcasecmp.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num ---- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200 -+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200 -@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex - X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: - OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: - BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK -+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION: -+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION: - ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: - ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: -diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c ---- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100 -+++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100 -@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char - #endif - } - --int OPENSSL_strcasecmp(const char *s1, const char *s2) -+int -+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) -+__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"), -+ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1"))) -+#endif -+OPENSSL_strcasecmp(const char *s1, const char *s2) - { - int t; - -@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c - return t; - } - --int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) -+int -+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) -+__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"), -+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1"))) -+#endif -+OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) - { - int t; - size_t i; -diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t ---- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100 -+++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 
2022-11-25 18:31:20.993392678 +0100 -@@ -77,6 +80,7 @@ foreach my $libname (@libnames) { - s| .*||; - # Drop OpenSSL dynamic version information if there is any - s|\@\@.+$||; -+ s|\@.+$||; - # Return the result - $_ - } diff --git a/0062-fips-Expose-a-FIPS-indicator.patch b/0062-fips-Expose-a-FIPS-indicator.patch deleted file mode 100644 index f1ad59d..0000000 --- a/0062-fips-Expose-a-FIPS-indicator.patch +++ /dev/null 
@@ -1,466 +0,0 @@ -From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Tue, 7 Jun 2022 12:02:49 +0200 -Subject: [PATCH] fips: Expose a FIPS indicator - -FIPS 140-3 requires us to indicate whether an operation was using -approved services or not. The FIPS 140-3 implementation guidelines -provide two basic approaches to doing this: implicit indicators, and -explicit indicators. - -Implicit indicators are basically the concept of "if the operation -passes, it was approved". We were originally aiming for implicit -indicators in our copy of OpenSSL. However, this proved to be a problem, -because we wanted to certify a signature service, and FIPS 140-3 -requires that a signature service computes the digest to be signed -within the boundaries of the FIPS module. Since we were planning to -certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify -would have to be blocked. Unfortunately, EVP_SignFinal uses -EVP_PKEY_sign internally, but outside of fips.so and thus outside of the -FIPS module boundary. This means that using implicit indicators in -combination with certifying only fips.so would require us to block both -EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used -by most users of OpenSSL for signatures. - -EVP_DigestSign would be acceptable, but has only been added in 3.0 and -is thus not yet widely used. - -As a consequence, we've decided to introduce explicit indicators so that -EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but -FIPS-aware applications can query the explicit indicator to check -whether the operation was approved. - -To avoid affecting the ABI and public API too much, this is implemented -as an exported symbol in fips.so and a private header, so applications -that wish to use this will have to dlopen(3) fips.so, locate the -function using dlsym(3), and then call it. 
These applications will have -to build against the private header in order to use the returned -pointer. - -Modify util/mkdef.pl to support exposing a symbol only for a specific -provider identified by its name and path. - -Signed-off-by: Clemens Lang ---- - doc/build.info | 6 ++ - doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++ - providers/fips/fipsprov.c | 71 +++++++++++++ - providers/fips/indicator.h | 66 ++++++++++++ - util/mkdef.pl | 25 ++++- - util/providers.num | 1 + - 6 files changed, 322 insertions(+), 1 deletion(-) - create mode 100644 doc/man7/fips_module_indicators.pod - create mode 100644 providers/fips/indicator.h - -diff --git a/doc/build.info b/doc/build.info -index b0aa4297a4..af235113bb 100644 ---- a/doc/build.info -+++ b/doc/build.info -@@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod - GENERATE[html/man7/fips_module.html]=man7/fips_module.pod - DEPEND[man/man7/fips_module.7]=man7/fips_module.pod - GENERATE[man/man7/fips_module.7]=man7/fips_module.pod -+DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod -+GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod -+DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod -+GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod - DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod - GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod - DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod -@@ -4631,6 +4635,7 @@ html/man7/ct.html \ - html/man7/des_modes.html \ - html/man7/evp.html \ - html/man7/fips_module.html \ -+html/man7/fips_module_indicators.html \ - html/man7/life_cycle-cipher.html \ - html/man7/life_cycle-digest.html \ - html/man7/life_cycle-kdf.html \ -@@ -4754,6 +4759,7 @@ man/man7/ct.7 \ - man/man7/des_modes.7 \ - man/man7/evp.7 \ - man/man7/fips_module.7 \ -+man/man7/fips_module_indicators.7 \ - 
man/man7/life_cycle-cipher.7 \ - man/man7/life_cycle-digest.7 \ - man/man7/life_cycle-kdf.7 \ -diff --git a/doc/man7/fips_module_indicators.pod b/doc/man7/fips_module_indicators.pod -new file mode 100644 -index 0000000000..23db2b395c ---- /dev/null -+++ b/doc/man7/fips_module_indicators.pod -@@ -0,0 +1,154 @@ -+=pod -+ -+=head1 NAME -+ -+fips_module_indicators - Red Hat OpenSSL FIPS module indicators guide -+ -+=head1 DESCRIPTION -+ -+This guide documents how the Red Hat Enterprise Linux 9 OpenSSL FIPS provider -+implements Approved Security Service Indicators according to the FIPS 140-3 -+Implementation Guidelines, section 2.4.C. See -+L -+for the FIPS 140-3 Implementation Guidelines. -+ -+For all approved services except signatures, the Red Hat OpenSSL FIPS provider -+uses the return code as the indicator as understood by FIPS 140-3. That means -+that every operation that succeeds denotes use of an approved security service. -+Operations that do not succeed may not have been approved security services, or -+may have been used incorrectly. -+ -+For signatures, an explicit indicator API is available to determine whether -+a selected operation is an approved security service, in combination with the -+return code of the operation. For a signature operation to be approved, the -+explicit indicator must claim it as approved, and it must succeed. -+ -+=head2 Querying the explicit indicator -+ -+The Red Hat OpenSSL FIPS provider exports a symbol named -+I that provides information on which signature -+operations are approved security functions. To use this function, either link -+against I directly, or load it at runtime using dlopen(3) and -+dlsym(3). 
-+ -+ #include -+ #include "providers/fips/indicator.h" -+ -+ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY); -+ if (provider == NULL) { -+ fprintf(stderr, "%s\n", dlerror()); -+ // handle error -+ } -+ -+ const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int) \ -+ = dlsym(provider, "redhat_ossl_query_fipsindicator"); -+ if (redhat_ossl_query_fipsindicator == NULL) { -+ fprintf(stderr, "%s\n", dlerror()); -+ fprintf(stderr, "Does your copy of fips.so have the required Red Hat" -+ " patches?\n"); -+ // handle error -+ } -+ -+Note that this uses the I header, which is not -+public. Install the I package from the I -+repository using I and include -+I in the compiler's include path. -+ -+I expects an operation ID as its only -+argument. Currently, the only supported operation ID is I to -+obtain the indicators for signature operations. On success, the return value is -+a pointer to an array of Is. On failure, NULL is -+returned. The last entry in the array is indicated by I being -+NULL. -+ -+ typedef struct ossl_rh_fipsindicator_algorithm_st { -+ const char *algorithm_names; /* key */ -+ const char *property_definition; /* key */ -+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators; -+ } OSSL_RH_FIPSINDICATOR_ALGORITHM; -+ -+ typedef struct ossl_rh_fipsindicator_dispatch_st { -+ int function_id; -+ int approved; -+ } OSSL_RH_FIPSINDICATOR_DISPATCH; -+ -+The I field is a colon-separated list of algorithm names from -+one of the I constants, e.g., I. strtok(3) can -+be used to locate the appropriate entry. 
See the example below, where -+I contains the algorithm name to search for: -+ -+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL; -+ const OSSL_RH_FIPSINDICATOR_ALGORITHM *indicator = -+ redhat_ossl_query_fipsindicator(operation_id); -+ if (indicator == NULL) { -+ fprintf(stderr, "No indicator for operation, probably using implicit" -+ " indicators.\n"); -+ // handle error -+ } -+ -+ for (; indicator->algorithm_names != NULL; ++indicator) { -+ char *algorithm_names = strdup(indicator->algorithm_names); -+ if (algorithm_names == NULL) { -+ perror("strdup(3)"); -+ // handle error -+ } -+ -+ const char *algorithm_name = strtok(algorithm_names, ":"); -+ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) { -+ if (strcasecmp(algorithm_name, algorithm) == 0) { -+ indicator_dispatch = indicator->indicators; -+ free(algorithm_names); -+ algorithm_names = NULL; -+ break; -+ } -+ } -+ free(algorithm_names); -+ } -+ if (indicator_dispatch == NULL) { -+ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm); -+ // handle error -+ } -+ -+If an appropriate I array is available for the -+given algorithm name, it maps function IDs to their approval status. The last -+entry is indicated by a zero I. I is -+I if the operation is an approved security -+service, or part of an approved security service, or -+I otherwise. Any other value is invalid. -+Function IDs are I constants from I, -+e.g., I or I. 
-+ -+Assuming I is the function in question, the following code can be -+used to query the approval status: -+ -+ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) { -+ if (indicator_dispatch->function_id == function_id) { -+ switch (indicator_dispatch->approved) { -+ case OSSL_RH_FIPSINDICATOR_APPROVED: -+ // approved security service -+ break; -+ case OSSL_RH_FIPSINDICATOR_UNAPPROVED: -+ // unapproved security service -+ break; -+ default: -+ // invalid result -+ break; -+ } -+ break; -+ } -+ } -+ -+=head1 SEE ALSO -+ -+L, L -+ -+=head1 COPYRIGHT -+ -+Copyright 2022 Red Hat, Inc. All Rights Reserved. -+ -+Licensed under the Apache License 2.0 (the "License"). You may not use -+this file except in compliance with the License. You can obtain a copy -+in the file LICENSE in the source distribution or at -+L. -+ -+=cut -diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index de391ce067..1cfd71c5cf 100644 ---- a/providers/fips/fipsprov.c -+++ b/providers/fips/fipsprov.c -@@ -23,6 +23,7 @@ - #include "self_test.h" - #include "crypto/context.h" - #include "internal/core.h" -+#include "indicator.h" - - static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; - static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no"; -@@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = { - { NULL, NULL, NULL } - }; - -+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_rsa_signature_indicators[] = { -+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { 
OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED } -+}; -+ -+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_ecdsa_signature_indicators[] = { -+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { 
OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, -+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED } -+}; -+ -+static const OSSL_RH_FIPSINDICATOR_ALGORITHM redhat_indicator_fips_signature[] = { -+ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, -+ redhat_rsa_signature_indicators }, -+#ifndef OPENSSL_NO_EC -+ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, -+ redhat_ecdsa_signature_indicators }, -+#endif -+ { NULL, NULL, NULL } -+}; -+ - static const OSSL_ALGORITHM fips_asym_cipher[] = { - { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions }, - { NULL, NULL, NULL } -@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) { - return NULL; - } - -+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) { -+ switch (operation_id) { -+ case OSSL_OP_SIGNATURE: -+ return redhat_indicator_fips_signature; -+ } -+ return NULL; -+} -+ - static void fips_teardown(void *provctx) - { - OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx)); -diff --git a/providers/fips/indicator.h b/providers/fips/indicator.h -new 
file mode 100644 -index 0000000000..b323efe44c ---- /dev/null -+++ b/providers/fips/indicator.h -@@ -0,0 +1,66 @@ -+/* -+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#ifndef OPENSSL_FIPS_INDICATOR_H -+# define OPENSSL_FIPS_INDICATOR_H -+# pragma once -+ -+# ifdef __cplusplus -+extern "C" { -+# endif -+ -+# define OSSL_RH_FIPSINDICATOR_UNAPPROVED (0) -+# define OSSL_RH_FIPSINDICATOR_APPROVED (1) -+ -+/* -+ * FIPS indicator dispatch table element. function_id numbers and the -+ * functions are defined in core_dispatch.h, see macros with -+ * 'OSSL_CORE_MAKE_FUNC' in their names. -+ * -+ * An array of these is always terminated by function_id == 0 -+ */ -+typedef struct ossl_rh_fipsindicator_dispatch_st { -+ int function_id; -+ int approved; -+} OSSL_RH_FIPSINDICATOR_DISPATCH; -+ -+/* -+ * Type to tie together algorithm names, property definition string and the -+ * algorithm implementation's FIPS indicator status in the form of a FIPS -+ * indicator dispatch table. -+ * -+ * An array of these is always terminated by algorithm_names == NULL -+ */ -+typedef struct ossl_rh_fipsindicator_algorithm_st { -+ const char *algorithm_names; /* key */ -+ const char *property_definition; /* key */ -+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators; -+} OSSL_RH_FIPSINDICATOR_ALGORITHM; -+ -+/** -+ * Query FIPS indicator status for the given operation. Possible values for -+ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms -+ * use implicit indicators. The return value is an array of -+ * OSSL_RH_FIPSINDICATOR_ALGORITHMs, terminated by an entry with -+ * algorithm_names == NULL. 
'algorithm_names' is a colon-separated list of -+ * algorithm names, 'property_definition' a comma-separated list of properties, -+ * and 'indicators' is a list of OSSL_RH_FIPSINDICATOR_DISPATCH structs. This -+ * list is terminated by function_id == 0. 'function_id' is one of the -+ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL. -+ * -+ * If there is no entry in the returned struct for the given operation_id, -+ * algorithm name, or function_id, the algorithm is unapproved. -+ */ -+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id); -+ -+# ifdef __cplusplus -+} -+# endif -+ -+#endif -diff --git a/util/mkdef.pl b/util/mkdef.pl -index a1c76f7c97..eda39b71ee 100755 ---- a/util/mkdef.pl -+++ b/util/mkdef.pl -@@ -149,7 +149,8 @@ $ordinal_opts{filter} = - return - $item->exists() - && platform_filter($item) -- && feature_filter($item); -+ && feature_filter($item) -+ && fips_filter($item, $name); - }; - my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file); - -@@ -205,6 +206,28 @@ sub feature_filter { - return $verdict; - } - -+sub fips_filter { -+ my $item = shift; -+ my $name = uc(shift); -+ my @features = ( $item->features() ); -+ -+ # True if no features are defined -+ return 1 if scalar @features == 0; -+ -+ my @matches = grep(/^ONLY_.*$/, @features); -+ if (@matches) { -+ # There is at least one only_* flag on this symbol, check if any of -+ # them match the name -+ for (@matches) { -+ if ($_ eq "ONLY_${name}") { -+ return 1; -+ } -+ } -+ return 0; -+ } -+ return 1; -+} -+ - sub sorter_unix { - my $by_name = OpenSSL::Ordinals::by_name(); - my %weight = ( -diff --git a/util/providers.num b/util/providers.num -index 4e2fa81b98..77879d0e5f 100644 ---- a/util/providers.num -+++ b/util/providers.num -@@ -1 +1,2 @@ - OSSL_provider_init 1 * EXIST::FUNCTION: -+redhat_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS --- -2.35.3 - 
diff --git a/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch deleted file mode 100644 index 726d320..0000000 --- a/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +++ /dev/null 
@@ -1,371 +0,0 @@ -From 4a2239bd7d444c30c55b20ea8b4aeadafdfe1afd Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 22 Jul 2022 13:59:37 +0200 -Subject: [PATCH] FIPS: Use OAEP in KATs, support fixed OAEP seed - -Review by our lab for FIPS 140-3 certification expects the RSA -encryption and decryption tests to use a supported padding mode, not raw -RSA signatures. Switch to RSA-OAEP for the self tests to fulfill that. - -The FIPS 140-3 Implementation Guidance specifies in section 10.3.A -"Cryptographic Algorithm Self-Test Requirements" that a self-test may be -a known-answer test, a comparison test, or a fault-detection test. - -Comparison tests are not an option, because they would require -a separate implementation of RSA-OAEP, which we do not have. Fault -detection tests require implementing fault detection mechanisms into the -cryptographic algorithm implementation, we we also do not have. - -As a consequence, a known-answer test must be used to test RSA -encryption and decryption, but RSA encryption with OAEP padding is not -deterministic, and thus encryption will always yield different results -that could not be compared to known answers. For this reason, this -change explicitly sets the seed in OAEP (see RFC 8017 section 7.1.1), -which is the source of randomness for RSA-OAEP, to a fixed value. This -setting is only available during self-test execution, and the parameter -set using EVP_PKEY_CTX_set_params() will be ignored otherwise. 
- -Signed-off-by: Clemens Lang ---- - crypto/rsa/rsa_local.h | 8 ++ - crypto/rsa/rsa_oaep.c | 34 ++++++-- - providers/fips/self_test_data.inc | 83 +++++++++++-------- - providers/fips/self_test_kats.c | 7 ++ - .../implementations/asymciphers/rsa_enc.c | 41 +++++++++- - util/perl/OpenSSL/paramnames.pm | 1 + - 6 files changed, 126 insertions(+), 44 deletions(-) - -diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h -index ea70da05ad..dde57a1a0e 100644 ---- a/crypto/rsa/rsa_local.h -+++ b/crypto/rsa/rsa_local.h -@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to - int tlen, const unsigned char *from, - int flen); - -+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ const unsigned char *param, -+ int plen, const EVP_MD *md, -+ const EVP_MD *mgf1md, -+ const char *redhat_st_seed); -+ - #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ -diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c -index d9be1a4f98..b2f7f7dc4b 100644 ---- a/crypto/rsa/rsa_oaep.c -+++ b/crypto/rsa/rsa_oaep.c -@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, - param, plen, NULL, NULL); - } - -+#ifdef FIPS_MODULE -+extern int REDHAT_FIPS_asym_cipher_st; -+#endif /* FIPS_MODULE */ -+ - /* - * Perform the padding as per NIST 800-56B 7.2.2.3 - * from (K) is the key material. -@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, - * Step numbers are included here but not in the constant time inverse below - * to avoid complicating an already difficult enough function. 
- */ --int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, -- unsigned char *to, int tlen, -- const unsigned char *from, int flen, -- const unsigned char *param, -- int plen, const EVP_MD *md, -- const EVP_MD *mgf1md) -+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ const unsigned char *param, -+ int plen, const EVP_MD *md, -+ const EVP_MD *mgf1md, -+ const char *redhat_st_seed) - { - int rv = 0; - int i, emlen = tlen - 1; -@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, - db[emlen - flen - mdlen - 1] = 0x01; - memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); - /* step 3d: generate random byte string */ -+#ifdef FIPS_MODULE -+ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) { -+ memcpy(seed, redhat_st_seed, mdlen); -+ } else -+#endif - if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0) - goto err; - -@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, - return rv; - } - -+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ const unsigned char *param, -+ int plen, const EVP_MD *md, -+ const EVP_MD *mgf1md) -+{ -+ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from, -+ flen, param, plen, md, -+ mgf1md, NULL); -+} -+ - int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, - const unsigned char *from, int flen, - const unsigned char *param, int plen, -diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index 4e30ec56dd..0103c87528 100644 ---- a/providers/fips/self_test_data.inc -+++ b/providers/fips/self_test_data.inc -@@ -1294,15 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = { - ST_KAT_PARAM_END() - }; - --/*- -- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the -- * ST_KAT_PARAM_UTF8STRING 
macro below causes a failure on ancient -- * HP/UX PA-RISC compilers. -- */ --static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; -- -+/*- -+ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the -+ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient -+ * HP/UX PA-RISC compilers. -+ */ -+static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP; -+static const char oaep_fixed_seed[] = { -+ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25, -+ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab, -+ 0x2e, 0x4b, 0x2c, 0xe6 -+}; -+ - static const ST_KAT_PARAM rsa_enc_params[] = { -- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), -+ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep), -+ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, -+ oaep_fixed_seed), - ST_KAT_PARAM_END() - }; - -@@ -1335,43 +1348,43 @@ static const unsigned char rsa_expected_sig[256] = { - 0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6 - }; - --static const unsigned char rsa_asym_plaintext_encrypt[256] = { -+static const unsigned char rsa_asym_plaintext_encrypt[208] = { - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - }; - static const unsigned char rsa_asym_expected_encrypt[256] = { -- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b, -- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61, -- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c, -- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc, -- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0, -- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa, -- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a, -- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc, -- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35, -- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a, -- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd, -- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda, -- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18, -- 0x86, 
0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7, -- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39, -- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87, -- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21, -- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0, -- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8, -- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c, -- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa, -- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69, -- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52, -- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c, -- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6, -- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93, -- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d, -- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5, -- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9, -- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04, -- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa, -- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab, -+ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74, -+ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c, -+ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e, -+ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b, -+ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25, -+ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89, -+ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1, -+ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50, -+ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17, -+ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2, -+ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb, -+ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d, -+ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e, -+ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f, -+ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3, -+ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06, -+ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25, -+ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78, -+ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04, -+ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c, -+ 0x65, 0x2d, 
0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47, -+ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce, -+ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0, -+ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6, -+ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99, -+ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30, -+ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20, -+ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb, -+ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27, -+ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66, -+ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a, -+ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06 - }; - - #ifndef OPENSSL_NO_EC -diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c -index 064794d9bf..b6d5e8e134 100644 ---- a/providers/fips/self_test_kats.c -+++ b/providers/fips/self_test_kats.c -@@ -647,14 +647,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) - return ret; - } - -+int REDHAT_FIPS_asym_cipher_st = 0; -+ - static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) - { - int i, ret = 1; - -+ REDHAT_FIPS_asym_cipher_st = 1; -+ - for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) { - if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) - ret = 0; - } -+ -+ REDHAT_FIPS_asym_cipher_st = 0; -+ - return ret; - } - -diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index 00cf65fcd6..83be3d8ede 100644 ---- a/providers/implementations/asymciphers/rsa_enc.c -+++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -30,6 +30,9 @@ - #include "prov/implementations.h" - #include "prov/providercommon.h" - #include "prov/securitycheck.h" -+#ifdef FIPS_MODULE -+# include "crypto/rsa/rsa_local.h" -+#endif - - #include - -@@ -75,6 +78,9 @@ typedef struct { - /* TLS padding */ - unsigned int client_version; - unsigned int alt_version; -+#ifdef FIPS_MODULE -+ char *redhat_st_oaep_seed; -+#endif /* FIPS_MODULE */ - /* 
PKCS#1 v1.5 decryption mode */ - unsigned int implicit_rejection; - } PROV_RSA_CTX; -@@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, - } - } - ret = -- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, -+#ifdef FIPS_MODULE -+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2( -+#else -+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex( -+#endif -+ prsactx->libctx, tbuf, - rsasize, in, inlen, - prsactx->oaep_label, - prsactx->oaep_labellen, - prsactx->oaep_md, -- prsactx->mgf1_md); -+ prsactx->mgf1_md -+#ifdef FIPS_MODULE -+ , prsactx->redhat_st_oaep_seed -+#endif -+ ); - - if (!ret) { - OPENSSL_free(tbuf); -@@ -326,6 +341,9 @@ static void rsa_freectx(void *vprsactx) - EVP_MD_free(prsactx->oaep_md); - EVP_MD_free(prsactx->mgf1_md); - OPENSSL_free(prsactx->oaep_label); -+#ifdef FIPS_MODULE -+ OPENSSL_free(prsactx->redhat_st_oaep_seed); -+#endif /* FIPS_MODULE */ - - OPENSSL_free(prsactx); - } -@@ -445,6 +463,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { - NULL, 0), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), -+#endif /* FIPS_MODULE */ - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), - OSSL_PARAM_END - }; -@@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, - return known_gettable_ctx_params; - } - -+#ifdef FIPS_MODULE -+extern int REDHAT_FIPS_asym_cipher_st; -+#endif /* FIPS_MODULE */ -+ - static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; -@@ -563,6 +588,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - prsactx->oaep_labellen = tmp_labellen; - } - -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate_const(params, 
OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED); -+ if (p != NULL && REDHAT_FIPS_asym_cipher_st) { -+ void *tmp_oaep_seed = NULL; -+ -+ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)) -+ return 0; -+ OPENSSL_free(prsactx->redhat_st_oaep_seed); -+ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed; -+ } -+#endif /* FIPS_MODULE */ -+ - p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); - if (p != NULL) { - unsigned int client_version; -diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm -index c37ed7815f..70f7c50fe4 100644 ---- a/util/perl/OpenSSL/paramnames.pm -+++ b/util/perl/OpenSSL/paramnames.pm -@@ -401,6 +401,7 @@ my %params = ( - 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version", - 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", - 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", -+ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", - - # Encoder / decoder parameters - --- -2.37.1 - diff --git a/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch deleted file mode 100644 index 7751f05..0000000 --- a/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +++ /dev/null 
@@ -1,317 +0,0 @@ -From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Wed, 6 Mar 2024 19:17:16 +0100 -Subject: [PATCH 28/49] - 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch - -Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch -Patch-id: 74 -Patch-status: | - # [PATCH 29/46] - # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch -From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce ---- - crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++----- - providers/fips/self_test_kats.c | 43 +++++++++++++++----------- - 2 files changed, 73 insertions(+), 24 deletions(-) - -diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index fd3a4b79df..3e9f33c26c 100644 ---- a/crypto/evp/m_sigver.c -+++ b/crypto/evp/m_sigver.c -@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) - ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); - return 0; - } -+#endif /* !defined(FIPS_MODULE) */ - - /* - * If we get the "NULL" md then the name comes back as "UNDEF". 
We want to use -@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - reinit = 0; - if (e == NULL) - ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); -+#ifndef FIPS_MODULE - else - ctx->pctx = EVP_PKEY_CTX_new(pkey, e); -+#endif /* !defined(FIPS_MODULE) */ - } - if (ctx->pctx == NULL) - return 0; -@@ -136,8 +139,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - locpctx = ctx->pctx; - ERR_set_mark(); - -+#ifndef FIPS_MODULE - if (evp_pkey_ctx_is_legacy(locpctx)) - goto legacy; -+#endif /* !defined(FIPS_MODULE) */ - - /* do not reinitialize if pkey is set or operation is different */ - if (reinit -@@ -222,8 +227,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - signature = - evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, - supported_sig, locpctx->propquery); -+#ifndef FIPS_MODULE - if (signature == NULL) - goto legacy; -+#endif /* !defined(FIPS_MODULE) */ - break; - } - if (signature == NULL) -@@ -307,6 +314,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); - if (ctx->fetched_digest != NULL) { - ctx->digest = ctx->reqdigest = ctx->fetched_digest; -+#ifndef FIPS_MODULE - } else { - /* legacy engine support : remove the mark when this is deleted */ - ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); -@@ -315,11 +323,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); - goto err; - } -+#endif /* !defined(FIPS_MODULE) */ - } - (void)ERR_pop_to_mark(); - } - } - -+#ifndef FIPS_MODULE - if (ctx->reqdigest != NULL - && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) - && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) -@@ -331,6 +341,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - goto err; - } - } -+#endif /* !defined(FIPS_MODULE) */ - - if (ver) { - if (signature->digest_verify_init == NULL) { -@@ 
-363,6 +374,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - EVP_KEYMGMT_free(tmp_keymgmt); - return 0; - -+#ifndef FIPS_MODULE - legacy: - /* - * If we don't have the full support we need with provided methods, -@@ -434,6 +446,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - ctx->pctx->flag_call_digest_custom = 1; - - ret = 1; -+#endif /* !defined(FIPS_MODULE) */ - - end: - #ifndef FIPS_MODULE -@@ -476,7 +489,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, - return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, - NULL); - } --#endif /* FIPS_MDOE */ - - int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) - { -@@ -548,24 +560,31 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) - return EVP_DigestUpdate(ctx, data, dsize); - } - --#ifndef FIPS_MODULE - int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, - size_t *siglen) - { -- int sctx = 0, r = 0; -- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; -+ int r = 0; -+#ifndef FIPS_MODULE -+ int sctx = 0; -+ EVP_PKEY_CTX *dctx = NULL; -+#endif /* !defined(FIPS_MODULE) */ -+ EVP_PKEY_CTX *pctx = ctx->pctx; -+ - - if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { - ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); - return 0; - } - -+#ifndef FIPS_MODULE - if (pctx == NULL - || pctx->operation != EVP_PKEY_OP_SIGNCTX - || pctx->op.sig.algctx == NULL - || pctx->op.sig.signature == NULL) - goto legacy; -+#endif /* !defined(FIPS_MODULE) */ - -+#ifndef FIPS_MODULE - if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { - /* try dup */ - dctx = EVP_PKEY_CTX_dup(pctx); -@@ -580,7 +599,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, - else - EVP_PKEY_CTX_free(dctx); - return r; -+#else -+ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, -+ sigret, siglen, -+ sigret == NULL ? 
0 : *siglen); -+ return r; -+#endif /* !defined(FIPS_MODULE) */ - -+#ifndef FIPS_MODULE - legacy: - if (pctx == NULL || pctx->pmeth == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -653,6 +679,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, - } - } - return 1; -+#endif /* !defined(FIPS_MODULE) */ - } - - int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, -@@ -691,23 +718,30 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, - int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, - size_t siglen) - { -- unsigned char md[EVP_MAX_MD_SIZE]; - int r = 0; -+#ifndef FIPS_MODULE -+ unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int mdlen = 0; - int vctx = 0; -- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; -+ EVP_PKEY_CTX *dctx = NULL; -+#endif /* !defined(FIPS_MODULE) */ -+ EVP_PKEY_CTX *pctx = ctx->pctx; -+ - - if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { - ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); - return 0; - } - -+#ifndef FIPS_MODULE - if (pctx == NULL - || pctx->operation != EVP_PKEY_OP_VERIFYCTX - || pctx->op.sig.algctx == NULL - || pctx->op.sig.signature == NULL) - goto legacy; -+#endif /* !defined(FIPS_MODULE) */ - -+#ifndef FIPS_MODULE - if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { - /* try dup */ - dctx = EVP_PKEY_CTX_dup(pctx); -@@ -721,7 +755,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, - else - EVP_PKEY_CTX_free(dctx); - return r; -+#else -+ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, -+ sig, siglen); -+ return r; -+#endif /* !defined(FIPS_MODULE) */ - -+#ifndef FIPS_MODULE - legacy: - if (pctx == NULL || pctx->pmeth == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -762,6 +802,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, - if (vctx || !r) - return r; - return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); -+#endif /* 
!defined(FIPS_MODULE) */ - } - - int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, -@@ -794,4 +835,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, - return -1; - return EVP_DigestVerifyFinal(ctx, sigret, siglen); - } --#endif /* FIPS_MODULE */ -diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c -index 4ea10670c0..5eb27c8ed2 100644 ---- a/providers/fips/self_test_kats.c -+++ b/providers/fips/self_test_kats.c -@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_SIGN *t, - int ret = 0; - OSSL_PARAM *params = NULL, *params_sig = NULL; - OSSL_PARAM_BLD *bld = NULL; -+ EVP_MD *md = NULL; -+ EVP_MD_CTX *ctx = NULL; - EVP_PKEY_CTX *sctx = NULL, *kctx = NULL; - EVP_PKEY *pkey = NULL; -- unsigned char sig[256]; - BN_CTX *bnctx = NULL; -+ const char *msg = "Hello World!"; -+ unsigned char sig[256]; - size_t siglen = sizeof(sig); - static const unsigned char dgst[] = { - 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, -@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_SIGN *t, - || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) - goto err; - -- /* Create a EVP_PKEY_CTX to use for the signing operation */ -- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL); -- if (sctx == NULL -- || EVP_PKEY_sign_init(sctx) <= 0) -- goto err; -- -- /* set signature parameters */ -- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST, -- t->mdalgorithm, -- strlen(t->mdalgorithm) + 1)) -- goto err; -+ /* Create a EVP_MD_CTX to use for the signature operation, assign signature -+ * parameters and sign */ - params_sig = OSSL_PARAM_BLD_to_param(bld); -- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) -+ md = EVP_MD_fetch(libctx, "SHA256", NULL); -+ ctx = EVP_MD_CTX_new(); -+ if (md == NULL || ctx == NULL) -+ goto err; -+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); -+ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, 
pkey) <= 0 -+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0 -+ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0 -+ || EVP_MD_CTX_reset(ctx) <= 0) - goto err; - -- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0 -- || EVP_PKEY_verify_init(sctx) <= 0 -+ /* sctx is not freed automatically inside the FIPS module */ -+ EVP_PKEY_CTX_free(sctx); -+ sctx = NULL; -+ -+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); -+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0 - || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) - goto err; - -@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_SIGN *t, - goto err; - - OSSL_SELF_TEST_oncorrupt_byte(st, sig); -- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0) -+ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0) - goto err; - ret = 1; - err: - BN_CTX_free(bnctx); - EVP_PKEY_free(pkey); -- EVP_PKEY_CTX_free(kctx); -+ EVP_MD_free(md); -+ EVP_MD_CTX_free(ctx); -+ /* sctx is not freed automatically inside the FIPS module */ - EVP_PKEY_CTX_free(sctx); -+ EVP_PKEY_CTX_free(kctx); - OSSL_PARAM_free(params); - OSSL_PARAM_free(params_sig); - OSSL_PARAM_BLD_free(bld); --- -2.44.0 - diff --git a/0075-FIPS-Use-FFDHE2048-in-self-test.patch b/0075-FIPS-Use-FFDHE2048-in-self-test.patch deleted file mode 100644 index 096e62d..0000000 --- a/0075-FIPS-Use-FFDHE2048-in-self-test.patch +++ /dev/null 
@@ -1,378 +0,0 @@ -From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 22 Jul 2022 17:51:16 +0200 -Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test - -Signed-off-by: Clemens Lang ---- - providers/fips/self_test_data.inc | 342 +++++++++++++++--------------- - 1 file changed, 172 insertions(+), 170 deletions(-) - -diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index a29cc650b5..1b5623833f 100644 ---- a/providers/fips/self_test_data.inc -+++ b/providers/fips/self_test_data.inc -@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] = - - #ifndef OPENSSL_NO_DH - /* DH KAT */ -+/* RFC7919 FFDHE2048 p */ - static const unsigned char dh_p[] = { -- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25, -- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0, -- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66, -- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b, -- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe, -- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce, -- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d, -- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d, -- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde, -- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb, -- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17, -- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0, -- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97, -- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9, -- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7, -- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1, -- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d, -- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82, -- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4, -- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c, -- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b, -- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50, -- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31, -- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44, -- 0xb9, 0x46, 0xfe, 
0x9d, 0xf6, 0x77, 0xa0, 0xc5, -- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80, -- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12, -- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94, -- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7, -- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1, -- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d, -- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69 --}; -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, -+ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a, -+ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, -+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, -+ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb, -+ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, -+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, -+ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a, -+ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, -+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, -+ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3, -+ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, -+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, -+ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72, -+ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, -+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, -+ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61, -+ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, -+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, -+ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4, -+ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, -+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, -+ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec, -+ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, -+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, -+ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83, -+ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, -+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, -+ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2, -+ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, -+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, -+ 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff -+}; -+/* RFC7919 FFDHE2048 q */ - static const unsigned char dh_q[] = { -- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e, -- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83, -- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea, -- 0x11, 0xac, 0xb5, 0x7d --}; -+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, -+ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d, -+ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, -+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, -+ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd, -+ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, -+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, -+ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd, -+ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, -+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, -+ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79, -+ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, -+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, -+ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39, -+ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, -+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, -+ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0, -+ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, -+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, -+ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa, -+ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, -+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, -+ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76, -+ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, -+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, -+ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1, -+ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, -+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, -+ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9, -+ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, -+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -+}; -+/* RFC7919 FFDHE2048 g */ - static const unsigned char dh_g[] = { -- 0x5e, 0xf7, 
0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39, -- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f, -- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0, -- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f, -- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f, -- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a, -- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4, -- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c, -- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20, -- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25, -- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53, -- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9, -- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc, -- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9, -- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43, -- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86, -- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16, -- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40, -- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23, -- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa, -- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6, -- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2, -- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61, -- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a, -- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef, -- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f, -- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3, -- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a, -- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4, -- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74, -- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4, -- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32 -+ 0x02 - }; - static const unsigned char dh_priv[] = { -- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a, -- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70, -- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15, -- 0x40, 0xb8, 0xfc, 0xe6 -+ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f, -+ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d, -+ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 
0x8d, -+ 0x6c, 0xdc, 0x5d, 0x6e, 0x94 - }; - static const unsigned char dh_pub[] = { -- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04, -- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69, -- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59, -- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b, -- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c, -- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21, -- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06, -- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb, -- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2, -- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0, -- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83, -- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90, -- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2, -- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7, -- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0, -- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88, -- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb, -- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a, -- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97, -- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d, -- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf, -- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e, -- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f, -- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d, -- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1, -- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c, -- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47, -- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e, -- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f, -- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9, -- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c, -- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3 -+ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05, -+ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f, -+ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43, -+ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23, -+ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a, -+ 0x1a, 0x03, 0x9e, 0x5f, 
0xd1, 0x4e, 0xa0, 0x0b, -+ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c, -+ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63, -+ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38, -+ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6, -+ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a, -+ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94, -+ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92, -+ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44, -+ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53, -+ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13, -+ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30, -+ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b, -+ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01, -+ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d, -+ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18, -+ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81, -+ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f, -+ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7, -+ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39, -+ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed, -+ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71, -+ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce, -+ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04, -+ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69, -+ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed, -+ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2, -+ 0x32 - }; - static const unsigned char dh_peer_pub[] = { -- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a, -- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d, -- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58, -- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32, -- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb, -- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0, -- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0, -- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc, -- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1, -- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e, -- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97, -- 0x70, 0x42, 0xc7, 0xe3, 
0xd0, 0x44, 0x8f, 0x05, -- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3, -- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f, -- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7, -- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1, -- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96, -- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf, -- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22, -- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98, -- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42, -- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c, -- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde, -- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20, -- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22, -- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3, -- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3, -- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2, -- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00, -- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51, -- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f, -- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b -+ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79, -+ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda, -+ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29, -+ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84, -+ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57, -+ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5, -+ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68, -+ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c, -+ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6, -+ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20, -+ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d, -+ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3, -+ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a, -+ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77, -+ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73, -+ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53, -+ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1, -+ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05, -+ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 
0x59, 0x7a, -+ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5, -+ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9, -+ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91, -+ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31, -+ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f, -+ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4, -+ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e, -+ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59, -+ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84, -+ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a, -+ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd, -+ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2, -+ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87, -+ 0x64 - }; - - static const unsigned char dh_secret_expected[] = { -- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a, -- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a, -- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c, -- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe, -- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2, -- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21, -- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53, -- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd, -- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87, -- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4, -- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d, -- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd, -- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33, -- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe, -- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a, -- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73, -- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad, -- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0, -- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79, -- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9, -- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2, -- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6, -- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae, -- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57, -- 0x0f, 0x18, 0xc8, 0x1f, 
0x2b, 0xe5, 0xd0, 0x1a, -- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63, -- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9, -- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86, -- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5, -- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00, -- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52, -- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6 -+ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5, -+ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5, -+ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93, -+ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5, -+ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e, -+ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39, -+ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04, -+ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d, -+ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c, -+ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47, -+ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae, -+ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08, -+ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19, -+ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8, -+ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f, -+ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e, -+ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2, -+ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d, -+ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4, -+ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4, -+ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66, -+ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46, -+ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0, -+ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70, -+ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c, -+ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f, -+ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25, -+ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc, -+ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02, -+ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04, -+ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1, -+ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 
0x0c, 0x89
- };
-
- static const ST_KAT_PARAM dh_group[] = {
---
-2.35.3
-
diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch
deleted file mode 100644
index 591b49c..0000000
--- a/0076-FIPS-140-3-DRBG.patch
+++ /dev/null
@@ -1,298 +0,0 @@
-diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
---- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
-+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
-@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
- size_t entropy_available;
- RAND_POOL *pool;
-
-- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
-+ /*
-+ * OpenSSL still implements an internal entropy pool of
-+ * some size that is hashed to get seed data.
-+ * Note that this is a conditioning step for which SP800-90C requires
-+ * 64 additional bits from the entropy source to claim the requested
-+ * amount of entropy.
-+ */
-+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
- if (pool == NULL) {
- ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
- return 0;
-diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
---- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
-+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
-@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
- * to the nearest byte. If the entropy is of less than full quality,
- * the amount required should be scaled up appropriately here.
- */
-- bytes_needed = (entropy + 7) / 8;
-+ /*
-+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
-+ * + 128 bits during initial seeding
-+ */
-+ bytes_needed = (entropy + 128 + 7) / 8;
- if (bytes_needed < min_len)
- bytes_needed = min_len;
- if (bytes_needed > max_len)
-diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
---- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
-+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
-@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
- #endif
- }
-
-+#ifdef FIPS_MODULE
-+ prediction_resistance = 1;
-+#endif
- /* Reseed using our sources in addition */
- entropylen = get_entropy(drbg, &entropy, drbg->strength,
- drbg->min_entropylen, drbg->max_entropylen,
-@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
- reseed_required = 1;
- }
- if (drbg->parent != NULL
-- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
-+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
-+#ifdef FIPS_MODULE
-+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
-+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
-+#else
- reseed_required = 1;
-+#endif
-+ }
-
- if (reseed_required || prediction_resistance) {
- if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
-diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
---- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
-+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
-@@ -38,7 +38,7 @@
- *
- * The value is in bytes.
- */
--#define CRNGT_BUFSIZ 16
-+#define CRNGT_BUFSIZ 32
-
- /*
- * Maximum input size for the DRBG (entropy, nonce, personalization string)
-diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
---- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
-+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
-@@ -48,6 +48,8 @@
- # include
- # include
- # include
-+# include
-+# include
-
- static uint64_t get_time_stamp(void);
-
-@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
- * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
- * between size_t and ssize_t is safe even without a range check.
- */
--
-- /*
-- * Do runtime detection to find getentropy().
-- *
-- * Known OSs that should support this:
-- * - Darwin since 16 (OSX 10.12, IOS 10.0).
-- * - Solaris since 11.3
-- * - OpenBSD since 5.6
-- * - Linux since 3.17 with glibc 2.25
-- * - FreeBSD since 12.0 (1200061)
-- *
-- * Note: Sometimes getentropy() can be provided but not implemented
-- * internally. So we need to check errno for ENOSYS
-- */
--# if !defined(__DragonFly__) && !defined(__NetBSD__)
--# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
-- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
--
-- if (getentropy != NULL) {
-- if (getentropy(buf, buflen) == 0)
-- return (ssize_t)buflen;
-- if (errno != ENOSYS)
-- return -1;
-- }
--# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
--
-- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
-- return (ssize_t)buflen;
--
-- return -1;
--# else
-- union {
-- void *p;
-- int (*f)(void *buffer, size_t length);
-- } p_getentropy;
--
-- /*
-- * We could cache the result of the lookup, but we normally don't
-- * call this function often.
-- */
-- ERR_set_mark();
-- p_getentropy.p = DSO_global_lookup("getentropy");
-- ERR_pop_to_mark();
-- if (p_getentropy.p != NULL)
-- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
--# endif
--# endif /* !__DragonFly__ */
--
-- /* Linux supports this since version 3.17 */
--# if defined(__linux) && defined(__NR_getrandom)
-- return syscall(__NR_getrandom, buf, buflen, 0);
--# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
-- return sysctl_random(buf, buflen);
--# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
-- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
-- return getrandom(buf, buflen, 0);
--# elif defined(__wasi__)
-- if (getentropy(buf, buflen) == 0)
-- return (ssize_t)buflen;
-- return -1;
--# else
-- errno = ENOSYS;
-- return -1;
--# endif
-+ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */
-+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
- }
- # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
-
-diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c
---- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200
-+++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200
-@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
- return 0;
- }
-
-- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
-+ /*
-+ * OpenSSL still implements an internal entropy pool of
-+ * some size that is hashed to get seed data.
-+ * Note that this is a conditioning step for which SP800-90C requires
-+ * 64 additional bits from the entropy source to claim the requested
-+ * amount of entropy.
-+ */
-+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
- if (pool == NULL) {
- ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
- return 0;
-@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
- size_t i;
- RAND_POOL *pool;
-
-- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
-+ /*
-+ * OpenSSL still implements an internal entropy pool of
-+ * some size that is hashed to get seed data.
-+ * Note that this is a conditioning step for which SP800-90C requires
-+ * 64 additional bits from the entropy source to claim the requested
-+ * amount of entropy.
-+ */
-+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
- if (pool == NULL) {
- ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
- return 0;
-diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
-index 14999540ab..b05b84717b 100644
---- a/crypto/rand/rand_lib.c
-+++ b/crypto/rand/rand_lib.c
-@@ -11,6 +11,7 @@
- #define OPENSSL_SUPPRESS_DEPRECATED
-
- #include
-+#include
- #include
- #include
- #include "internal/cryptlib.h"
-@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
- return ret;
- }
-
--#ifndef FIPS_MODULE
-- if (dgbl->seed == NULL) {
-- ERR_set_mark();
-- dgbl->seed = rand_new_seed(ctx);
-- ERR_pop_to_mark();
-- }
--#endif
--
-- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
-+ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
- PRIMARY_RESEED_INTERVAL,
- PRIMARY_RESEED_TIME_INTERVAL, 1);
- /*
-@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_
- if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
- && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
- return NULL;
-- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
-+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
- SECONDARY_RESEED_TIME_INTERVAL, 0);
- CRYPTO_THREAD_set_local(&dgbl->public, rand);
- }
-@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB
- if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
- && 
!ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
- return NULL;
-- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
-+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
- SECONDARY_RESEED_TIME_INTERVAL, 0);
- CRYPTO_THREAD_set_local(&dgbl->private, rand);
- }
-diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c
---- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200
-+++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200
-@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s
- reseed_when = time(NULL);
-
- /* Generate random output from the public and private DRBG */
-- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0;
-+ before_reseed = 0;
- if (!TEST_int_eq(rand_bytes((unsigned char*)public_random,
- RANDOM_SIZE), expect_success)
- || !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random,
-@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s
- */
-
- /* Test whether reseeding succeeded as expected */
-- if (!TEST_int_eq(state(primary), expected_state)
-- || !TEST_int_eq(state(public), expected_state)
-+ if (/*!TEST_int_eq(state(primary), expected_state)
-+ ||*/ !TEST_int_eq(state(public), expected_state)
- || !TEST_int_eq(state(private), expected_state))
- return 0;
-
-@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s
- if (expect_public_reseed >= 0) {
- /* Test whether public DRBG was reseeded as expected */
- if (!TEST_int_ge(reseed_counter(public), public_reseed)
-- || !TEST_uint_ge(reseed_counter(public),
-- reseed_counter(primary)))
-+ /*|| !TEST_uint_ge(reseed_counter(public),
-+ reseed_counter(primary))*/)
- return 0;
- }
-
- if (expect_private_reseed >= 0) {
- /* Test whether public DRBG was reseeded as expected */
- if (!TEST_int_ge(reseed_counter(private), private_reseed)
-- || !TEST_uint_ge(reseed_counter(private),
-- reseed_counter(primary)))
-+ /*|| !TEST_uint_ge(reseed_counter(private),
-+ 
reseed_counter(primary))*/)
- return 0;
- }
-
-@@ -577,8 +577,8 @@ static int test_rand_reseed(void)
- if (!TEST_ptr_ne(public, private)
- || !TEST_ptr_ne(public, primary)
- || !TEST_ptr_ne(private, primary)
-- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
-- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary)))
-+ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
-+ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/)
- return 0;
-
- /* Disable CRNG testing for the primary DRBG */
diff --git a/0077-FIPS-140-3-zeroization.patch b/0077-FIPS-140-3-zeroization.patch
deleted file mode 100644
index f6ff517..0000000
--- a/0077-FIPS-140-3-zeroization.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-diff -up openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero openssl-3.0.1/crypto/ffc/ffc_params.c
---- openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero 2022-08-05 13:11:27.211413931 +0200
-+++ openssl-3.0.1/crypto/ffc/ffc_params.c 2022-08-05 13:11:34.151475891 +0200
-@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
-
- void ossl_ffc_params_cleanup(FFC_PARAMS *params)
- {
-- BN_free(params->p);
-- BN_free(params->q);
-- BN_free(params->g);
-- BN_free(params->j);
-+ BN_clear_free(params->p);
-+ BN_clear_free(params->q);
-+ BN_clear_free(params->g);
-+ BN_clear_free(params->j);
- OPENSSL_free(params->seed);
- ossl_ffc_params_init(params);
- }
-diff -up openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero openssl-3.0.1/crypto/rsa/rsa_lib.c
---- openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero 2022-08-05 13:08:31.875848536 +0200
-+++ openssl-3.0.1/crypto/rsa/rsa_lib.c 2022-08-05 13:09:35.438416025 +0200
-@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
- CRYPTO_THREAD_lock_free(r->lock);
- CRYPTO_FREE_REF(&r->references);
-
-- BN_free(r->n);
-- BN_free(r->e);
-+ BN_clear_free(r->n);
-+ BN_clear_free(r->e);
- BN_clear_free(r->d);
- BN_clear_free(r->p);
- BN_clear_free(r->q);
-diff -up openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero openssl-3.0.1/providers/implementations/kdfs/hkdf.c
---- openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero 2022-08-05 13:14:58.827303241 +0200
-+++ openssl-3.0.1/providers/implementations/kdfs/hkdf.c 2022-08-05 13:16:24.530068399 +0200
-@@ -116,7 +116,7 @@ static void kdf_hkdf_reset(void *vctx)
- void *provctx = ctx->provctx;
-
- ossl_prov_digest_reset(&ctx->digest);
-- OPENSSL_free(ctx->salt);
-+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
- OPENSSL_free(ctx->prefix);
- OPENSSL_free(ctx->label);
- OPENSSL_clear_free(ctx->data, ctx->data_len);
-diff -up openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c
---- 
openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero 2022-08-05 13:12:40.552068717 +0200
-+++ openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c 2022-08-05 13:13:34.324548799 +0200
-@@ -83,7 +83,7 @@ static void *kdf_pbkdf2_new(void *provct
- static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
- {
- ossl_prov_digest_reset(&ctx->digest);
-- OPENSSL_free(ctx->salt);
-+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
- OPENSSL_clear_free(ctx->pass, ctx->pass_len);
- memset(ctx, 0, sizeof(*ctx));
- }
-diff -up openssl-3.0.1/crypto/ec/ec_lib.c.fipszero openssl-3.0.1/crypto/ec/ec_lib.c
---- openssl-3.0.1/crypto/ec/ec_lib.c.fipszero 2022-08-05 13:48:32.221345774 +0200
-+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-08-05 13:49:16.138741452 +0200
-@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
-
- void EC_POINT_free(EC_POINT *point)
- {
-+#ifdef FIPS_MODULE
-+ EC_POINT_clear_free(point);
-+#else
- if (point == NULL)
- return;
-
- if (point->meth->point_finish != 0)
- point->meth->point_finish(point);
- OPENSSL_free(point);
-+#endif
- }
-
- void EC_POINT_clear_free(EC_POINT *point)
diff --git a/0078-KDF-Add-FIPS-indicators.patch b/0078-KDF-Add-FIPS-indicators.patch
deleted file mode 100644
index 17ff63e..0000000
--- a/0078-KDF-Add-FIPS-indicators.patch
+++ /dev/null
@@ -1,911 +0,0 @@ -From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 11 Aug 2022 09:27:12 +0200 -Subject: KDF: Add FIPS indicators - -FIPS requires a number of restrictions on the parameters of the various -key derivation functions implemented in OpenSSL. The KDFs that use -digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG -C.C). Additionally, some application-specific KDFs have further -restrictions defined in SP 800-135r1. - -Generally, all KDFs shall use a key-derivation key length of at least -112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF -to generate and output length of less than 112 bits will also set the -indicator to unapproved. - -Add explicit indicators to all KDFs usable in FIPS mode except for -PBKDF2 (which has its specific FIPS limits already implemented). The -indicator can be queried using EVP_KDF_CTX_get_params() after setting -the required parameters and keys for the KDF. - -Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the -truncated variants -224 and -384) and SHA3 (-256 and -512, and the -truncated versions -224 and -384), as well as SHAKE-128 and -256. - -The SHAKE functions are generally not allowed in KDFs. 
For the rest, the -support matrix is: - - KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated -========================================================================== -KBKDF | x | x | x | x | x -HKDF | x | x | x | x | x -TLS1PRF | | SHA-{256,384,512} only | | -SSHKDF | x | x | x | | -SSKDF | x | x | x | x | x -X9.63KDF | | x | x | x | x -X9.42-ASN1 | x | x | x | x | x -TLS1.3PRF | | SHA-{256,384} only | | - -Signed-off-by: Clemens Lang -Resolves: rhbz#2160733 rhbz#2164763 -Related: rhbz#2114772 rhbz#2141695 ---- - include/crypto/evp.h | 7 ++ - include/openssl/kdf.h | 4 + - providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- - providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- - providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- - providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- - providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- - providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++- - util/perl/OpenSSL/paramnames.pm | 1 + - 9 files changed, 487 insertions(+), 22 deletions(-) - -diff --git a/include/crypto/evp.h b/include/crypto/evp.h -index e70d8e9e84..76fb990de4 100644 ---- a/include/crypto/evp.h -+++ b/include/crypto/evp.h -@@ -219,6 +219,13 @@ struct evp_mac_st { - OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; - }; - -+#ifdef FIPS_MODULE -+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving -+ * Additional Keys from a Cryptographic Key, "[t]he length of the -+ * key-derivation key [i.e., the input key] shall be at least 112 bits". 
*/
-+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
-+#endif
-+
- struct evp_kdf_st {
- OSSL_PROVIDER *prov;
- int name_id;
-diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
-index 0983230a48..86171635ea 100644
---- a/include/openssl/kdf.h
-+++ b/include/openssl/kdf.h
-@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
- # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
- # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
-
-+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
-+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
-+
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
- #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
-diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
-index dfa7786bde..f01e40ff5a 100644
---- a/providers/implementations/kdfs/hkdf.c
-+++ b/providers/implementations/kdfs/hkdf.c
-@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
- static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
- static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
- static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
-+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
- static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
- static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
- static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
-@@ -85,6 +86,10 @@ typedef struct {
- size_t data_len;
- unsigned char *info;
- size_t info_len;
-+ int is_tls13;
-+#ifdef FIPS_MODULE
-+ int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KDF_HKDF;
-
- static void *kdf_hkdf_new(void *provctx)
-@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
- return 0;
- }
-
-+#ifdef FIPS_MODULE
-+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ ctx->fips_indicator = 
EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
- switch (ctx->mode) {
- case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
- default:
-@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
- {
- KDF_HKDF *ctx = (KDF_HKDF *)vctx;
- OSSL_PARAM *p;
-+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
-
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
- size_t sz = kdf_hkdf_size(ctx);
-
-+ any_valid = 1;
- if (sz == 0)
- return 0;
- return OSSL_PARAM_set_size_t(p, sz);
- }
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
-+ any_valid = 1;
- if (ctx->info == NULL || ctx->info_len == 0) {
- p->return_size = 0;
- return 1;
- }
- return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
- }
-- return -2;
-+#ifdef FIPS_MODULE
-+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
-+ != NULL) {
-+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
-+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
-+
-+ any_valid = 1;
-+
-+ /* According to NIST Special Publication 800-131Ar2, Section 8:
-+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+ * the key-derivation key [i.e., the input key] shall be at least 112
-+ * bits". */
-+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Verification Program, Section D.B and NIST Special Publication
-+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+ * strength < 112 bits is legacy use only, so all derived keys should
-+ * be longer than that. If a derived key has ever been shorter than
-+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+ * should also set the returned FIPS indicator to unapproved.
*/ -+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ if (ctx->is_tls13) { -+ if (md != NULL -+ && !EVP_MD_is_a(md, "SHA2-256") -+ && !EVP_MD_is_a(md, "SHA2-384")) { -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic -+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3 -+ * key derivation function documented in Section 7.1 of RFC -+ * 8446. This is considered an approved CVL because the -+ * underlying functions performed within the TLS 1.3 KDF map to -+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3 -+ * Option #3), SP 800-56Crev2, and SP 800-108." -+ * -+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */ -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } else { -+ if (md != NULL -+ && (EVP_MD_is_a(md, "SHAKE-128") || -+ EVP_MD_is_a(md, "SHAKE-256"))) { -+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1, -+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because -+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the -+ * standalone algorithms." 
*/ -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif /* defined(FIPS_MODULE) */ -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), - OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, - return ret; - } - -+static void *kdf_tls1_3_new(void *provctx) -+{ -+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx); -+ -+ if (hkdf != NULL) -+ hkdf->is_tls13 = 1; -+ -+ return hkdf; -+} -+ -+ - static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, - const OSSL_PARAM params[]) - { -@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, - return 0; - } - -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - switch (ctx->mode) { - default: - return 0; -@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, - } - - const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { -- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, -+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new }, - { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, - { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, - { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, -diff --git a/providers/implementations/kdfs/kbkdf.c 
b/providers/implementations/kdfs/kbkdf.c -index a542f84dfa..6b6dfb94ac 100644 ---- a/providers/implementations/kdfs/kbkdf.c -+++ b/providers/implementations/kdfs/kbkdf.c -@@ -59,6 +59,9 @@ typedef struct { - kbkdf_mode mode; - EVP_MAC_CTX *ctx_init; - -+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */ -+ PROV_DIGEST digest; -+ - /* Names are lowercased versions of those found in SP800-108. */ - int r; - unsigned char *ki; -@@ -73,6 +76,9 @@ typedef struct { - int use_l; - int is_kmac; - int use_separator; -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } KBKDF; - - /* Definitions needed for typechecking. */ -@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx) - void *provctx = ctx->provctx; - - EVP_MAC_CTX_free(ctx->ctx_init); -+ ossl_prov_digest_reset(&ctx->digest); - OPENSSL_clear_free(ctx->context, ctx->context_len); - OPENSSL_clear_free(ctx->label, ctx->label_len); - OPENSSL_clear_free(ctx->ki, ctx->ki_len); -@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, - goto done; - } - -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); - if (h == 0) - goto done; -@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - } - } - -+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) -+ return 0; -+ - p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); - if (p != NULL - && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { -@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, - static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ - - p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE); -- if (p 
== NULL) -+ if (p != NULL) { -+ any_valid = 1; -+ -+ /* KBKDF can produce results as large as you like. */ -+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ KBKDF *ctx = (KBKDF *)vctx; -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". */ -+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the standalone -+ * algorithms." Note that the digest is only used when the MAC -+ * algorithm is HMAC. 
*/ -+ if (ctx->ctx_init != NULL -+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) { -+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); -+ if (md != NULL -+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) { -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif -+ -+ if (!any_valid) - return -2; - -- /* KBKDF can produce results as large as you like. */ -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -+ return 1; - } - - static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, - ossl_unused void *provctx) - { -- static const OSSL_PARAM known_gettable_ctx_params[] = -- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; -+ static const OSSL_PARAM known_gettable_ctx_params[] = { -+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ -+ OSSL_PARAM_END -+ }; - return known_gettable_ctx_params; - } - -diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c -index c592ba72f1..4a52b38266 100644 ---- a/providers/implementations/kdfs/sshkdf.c -+++ b/providers/implementations/kdfs/sshkdf.c -@@ -48,6 +48,9 @@ typedef struct { - char type; /* X */ - unsigned char *session_id; - size_t session_id_len; -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } KDF_SSHKDF; - - static void *kdf_sshkdf_new(void *provctx) -@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, - ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); - return 0; - } -+ -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - return SSHKDF(md, ctx->key, ctx->key_len, - ctx->xcghash, ctx->xcghash_len, - 
ctx->session_id, ctx->session_id_len, -@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, - static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -- return -2; -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ KDF_SSHKDF *ctx = vctx; -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". */ -+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. 
*/ -+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the standalone -+ * algorithms." -+ * -+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash -+ * function used in SSHKDF "is one of the hash functions specified in -+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2. -+ * */ -+ if (ctx->digest.md != NULL -+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c -index eb54972e1c..23865cd70f 100644 ---- a/providers/implementations/kdfs/sskdf.c -+++ b/providers/implementations/kdfs/sskdf.c -@@ -64,6 +64,10 @@ typedef struct { - size_t salt_len; - size_t out_len; /* optional KMAC parameter */ - int is_kmac; -+ int is_x963kdf; -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } KDF_SSKDF; - - 
#define SSKDF_MAX_INLEN (1<<30) -@@ -73,6 +77,7 @@ typedef struct { - static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 }; - - static OSSL_FUNC_kdf_newctx_fn sskdf_new; -+static OSSL_FUNC_kdf_newctx_fn x963kdf_new; - static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; - static OSSL_FUNC_kdf_freectx_fn sskdf_free; - static OSSL_FUNC_kdf_reset_fn sskdf_reset; -@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx) - return ctx; - } - -+static void *x963kdf_new(void *provctx) -+{ -+ KDF_SSKDF *ctx = sskdf_new(provctx); -+ -+ if (ctx) -+ ctx->is_x963kdf = 1; -+ -+ return ctx; -+} -+ - static void sskdf_reset(void *vctx) - { - KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; -@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, - } - md = ossl_prov_digest_md(&ctx->digest); - -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - if (ctx->macctx != NULL) { - /* H(x) = KMAC or H(x) = HMAC */ - int ret; -@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, - return 0; - } - -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, - ctx->info, ctx->info_len, 1, key, keylen); - } -@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { - KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ -+ -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx))) -+ return 0; -+ } - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx)); -- return -2; -+#ifdef FIPS_MODULE 
-+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". */ -+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the standalone -+ * algorithms." */ -+ if (ctx->macctx == NULL -+ || (ctx->macctx != NULL && -+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) { -+ if (ctx->digest.md != NULL -+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || -+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ -+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions -+ * should only be used for 80-bit key agreement, but FIPS 140-3 -+ * requires a security strength of 112 bits, so SHA-1 cannot be -+ * used with X9.63. 
See the discussion in -+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395. -+ */ -+ if (ctx->is_x963kdf -+ && ctx->digest.md != NULL -+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) { -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { - }; - - const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { -- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, -+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new }, - { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup }, - { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, - { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, -diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c -index a4d64b9352..f6782a6ca2 100644 ---- a/providers/implementations/kdfs/tls1_prf.c -+++ b/providers/implementations/kdfs/tls1_prf.c -@@ -93,6 +93,13 @@ typedef struct { - /* Buffer of concatenated seed data */ - unsigned char seed[TLS1_PRF_MAXBUF]; - size_t seedlen; -+ -+ /* MAC digest algorithm; used to compute FIPS indicator */ -+ PROV_DIGEST digest; -+ -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } TLS1_PRF; - - static void *kdf_tls1_prf_new(void *provctx) -@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx) - EVP_MAC_CTX_free(ctx->P_sha1); - 
OPENSSL_clear_free(ctx->sec, ctx->seclen); - OPENSSL_cleanse(ctx->seed, ctx->seedlen); -+ ossl_prov_digest_reset(&ctx->digest); - memset(ctx, 0, sizeof(*ctx)); - ctx->provctx = provctx; - } -@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); - return 0; - } -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ - - /* - * The seed buffer is prepended with a label. -@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - } - } - -+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) -+ return 0; -+ - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { - OPENSSL_clear_free(ctx->sec, ctx->seclen); - ctx->sec = NULL; -@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( - static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { - OSSL_PARAM *p; -+#ifdef FIPS_MODULE -+ TLS1_PRF *ctx = vctx; -+#endif /* defined(FIPS_MODULE) */ -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ -+ -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". 
*/ -+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3) -+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */ -+ if (ctx->digest.md != NULL -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -- return -2; -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( -@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c -index b1bc6f7e1b..8173fc2cc7 100644 ---- a/providers/implementations/kdfs/x942kdf.c -+++ 
b/providers/implementations/kdfs/x942kdf.c -@@ -13,11 +13,13 @@ - #include - #include - #include -+#include - #include - #include - #include "internal/packet.h" - #include "internal/der.h" - #include "internal/nelem.h" -+#include "crypto/evp.h" - #include "prov/provider_ctx.h" - #include "prov/providercommon.h" - #include "prov/implementations.h" -@@ -47,6 +50,9 @@ typedef struct { - const unsigned char *cek_oid; - size_t cek_oid_len; - int use_keybits; -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } KDF_X942; - - /* -@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, - ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); - return 0; - } -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ - ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, - der, der_len, ctr, key, keylen); - OPENSSL_free(der); -@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { - KDF_X942 *ctx = (KDF_X942 *)vctx; - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)); -- return -2; -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx))) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". 
*/ -+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the standalone -+ * algorithms." */ -+ if (ctx->digest.md != NULL -+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || -+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm -index 70f7c50fe4..6618122417 100644 ---- a/util/perl/OpenSSL/paramnames.pm -+++ b/util/perl/OpenSSL/paramnames.pm -@@ -183,6 +183,7 @@ my %params 
= (
- 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
- 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
- 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
-+ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
- 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
- 'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
- 'KDF_PARAM_THREADS' => "threads", # uint32_t
---
-2.39.2
-
diff --git a/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch b/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
deleted file mode 100644
index b61bcb8..0000000
--- a/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
-From: Clemens Lang
-Date: Thu, 17 Nov 2022 18:08:24 +0100
-Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
-
-NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
-specifies key lengths < 112 bytes are disallowed for HMAC generation and
-are legacy use for HMAC verification.
-
-Add an explicit indicator that will mark shorter key lengths as
-unsupported. The indicator can be queries from the EVP_MAC_CTX object
-using EVP_MAC_CTX_get_params() with the
- OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR
-parameter.
-
-Signed-off-by: Clemens Lang
----
- include/crypto/evp.h | 7 +++++++
- include/openssl/evp.h | 3 +++
- providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
- 4 files changed, 28 insertions(+)
-
-diff --git a/include/crypto/evp.h b/include/crypto/evp.h
-index 76fb990de4..1e2240516e 100644
---- a/include/crypto/evp.h
-+++ b/include/crypto/evp.h
-@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
- const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
- const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
-
-+#ifdef FIPS_MODULE
-+/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
-+ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
-+ * HMAC verification. */
-+# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
-+#endif
-+
- struct evp_mac_st {
- OSSL_PROVIDER *prov;
- int name_id;
-diff --git a/include/openssl/evp.h b/include/openssl/evp.h
-index 49e8e1df78..a5e78efd6e 100644
---- a/include/openssl/evp.h
-+++ b/include/openssl/evp.h
-@@ -1192,6 +1192,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
- void *arg);
-
- /* MAC stuff */
-+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
-+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
-
- EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
- const char *properties);
-diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
-index 52ebb08b8f..cf5c3ecbe7 100644
---- a/providers/implementations/macs/hmac_prov.c
-+++ b/providers/implementations/macs/hmac_prov.c
-@@ -21,6 +21,8 @@
- #include
- #include
-
-+#include "crypto/evp.h"
-+
- #include "internal/ssl3_cbc.h"
-
- #include "prov/implementations.h"
-@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
- static const OSSL_PARAM known_gettable_ctx_params[] = {
- OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
- OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+ OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),
-+#endif /* defined(FIPS_MODULE) */
- OSSL_PARAM_END
- };
- static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
-@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
- && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
- return 0;
-
-+#ifdef FIPS_MODULE
-+ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {
-+ int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;
-+ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
-+ * specifies key lengths < 112 bytes are disallowed for HMAC generation
-+ * and legacy use for HMAC verification. */
-+ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
-+ fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+ return OSSL_PARAM_set_int(p, fips_indicator);
-+ }
-+#endif /* defined(FIPS_MODULE) */
-+
- return 1;
- }
-
-diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
-index 6618122417..8b2d430f17 100644
---- a/util/perl/OpenSSL/paramnames.pm
-+++ b/util/perl/OpenSSL/paramnames.pm
-@@ -137,12 +137,13 @@ my %params = (
- # If "engine",or "properties",are specified, they should always be paired
- # with "cipher",or "digest".
-
-- 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
-- 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
-- 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
-- 'MAC_PARAM_SIZE' => "size", # size_t
-- 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
-- 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
-+ 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
-+ 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
-+ 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
-+ 'MAC_PARAM_SIZE' => "size", # size_t
-+ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
-+ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
-+ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
-
- # KDF / PRF parameters
- 'KDF_PARAM_SECRET' => "secret", # octet string
---
-2.38.1
-
diff --git a/0088-signature-Add-indicator-for-PSS-salt-length.patch b/0088-signature-Add-indicator-for-PSS-salt-length.patch
deleted file mode 100644
index edfd0b8..0000000
--- a/0088-signature-Add-indicator-for-PSS-salt-length.patch
+++ /dev/null
@@ -1,138 +0,0 @@ -From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 17 Nov 2022 19:33:02 +0100 -Subject: [PATCH 1/3] signature: Add indicator for PSS salt length -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection -5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the -salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of -the hash function output block (in bytes)." - -It is not exactly clear from this text whether hLen refers to the -message digest or the hash function used for the mask generation -function MGF1. PKCS#1 v2.1 suggests it is the former: - -| Typical salt lengths in octets are hLen (the length of the output of -| the hash function Hash) and 0. In both cases the security of -| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1. -| Bellare and Rogaway [4] give a tight lower bound for the security of -| the original RSA-PSS scheme, which corresponds roughly to the former -| case, while Coron [12] gives a lower bound for the related Full Domain -| Hashing scheme, which corresponds roughly to the latter case. In [13] -| Coron provides a general treatment with various salt lengths ranging -| from 0 to hLen; see [27] for discussion. See also [31], which adapts -| the security proofs in [4][13] to address the differences between the -| original and the present version of RSA-PSS as listed in Note 1 above. - -Since OpenSSL defaults to creating signatures with the maximum salt -length, blocking the use of longer salts would probably lead to -significant problems in practice. Instead, introduce an explicit -indicator that can be obtained from the EVP_PKEY_CTX object using -EVP_PKEY_CTX_get_params() with the - OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR -parameter. - -We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch. 
-Dmitry Belyavskiy - -Signed-off-by: Clemens Lang ---- - include/openssl/evp.h | 4 ++++ - providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++ - util/perl/OpenSSL/paramnames.pm | 23 ++++++++++--------- - 3 files changed, 37 insertions(+), 11 deletions(-) - -diff --git a/include/openssl/evp.h b/include/openssl/evp.h -index a5e78efd6e..f239200465 100644 ---- a/include/openssl/evp.h -+++ b/include/openssl/evp.h -@@ -797,6 +797,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, - __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, - int *outl); - -+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 -+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1 -+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 -+ - __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, - EVP_PKEY *pkey); - __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, -diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index 49e7f9158a..0c45008a00 100644 ---- a/providers/implementations/signature/rsa_sig.c -+++ b/providers/implementations/signature/rsa_sig.c -@@ -1127,6 +1127,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) - } - } - -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED; -+ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { -+ if (prsactx->md == NULL) { -+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED; -+ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) { -+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } else if (prsactx->pad_mode == RSA_NO_PADDING) { -+ if (prsactx->md == NULL) /* Should always be the case */ -+ fips_indicator = 
EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ return OSSL_PARAM_set_int(p, fips_indicator); -+ } -+#endif -+ - return 1; - } - -@@ -1136,6 +1151,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), - OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), - OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif - OSSL_PARAM_END - }; - -diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm -index 8b2d430f17..a109e44521 100644 ---- a/util/perl/OpenSSL/paramnames.pm -+++ b/util/perl/OpenSSL/paramnames.pm -@@ -377,17 +377,18 @@ my %params = ( - 'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm", - - # Signature parameters -- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id", -- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', -- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', -- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', -- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", -- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', -- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', -- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', -- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", -- 'SIGNATURE_PARAM_INSTANCE' => "instance", -- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", -+ 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id", -+ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', -+ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', -+ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', -+ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", -+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', -+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', -+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', -+ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => 
"redhat-fips-indicator", -+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", -+ 'SIGNATURE_PARAM_INSTANCE' => "instance", -+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", - - # Asym cipher parameters - 'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', --- -2.38.1 - diff --git a/0091-FIPS-RSA-encapsulate.patch b/0091-FIPS-RSA-encapsulate.patch deleted file mode 100644 index 0e24cf8..0000000 --- a/0091-FIPS-RSA-encapsulate.patch +++ /dev/null @@ -1,32 +0,0 @@ -diff -up openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap openssl-3.0.1/providers/implementations/kem/rsa_kem.c ---- openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap 2022-11-22 12:27:30.994530801 +0100 -+++ openssl-3.0.1/providers/implementations/kem/rsa_kem.c 2022-11-22 12:32:15.916875495 +0100 -@@ -264,6 +264,14 @@ static int rsasve_generate(PROV_RSA_CTX - *secretlen = nlen; - return 1; - } -+ -+#ifdef FIPS_MODULE -+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); -+ return 0; -+ } -+#endif -+ - /* - * Step (2): Generate a random byte string z of nlen bytes where - * 1 < z < n - 1 -@@ -307,6 +315,13 @@ static int rsasve_recover(PROV_RSA_CTX * - return 1; - } - -+#ifdef FIPS_MODULE -+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); -+ return 0; -+ } -+#endif -+ - /* Step (2): check the input ciphertext 'inlen' matches the nlen */ - if (inlen != nlen) { - ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); diff --git a/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch deleted file mode 100644 index 4d80b9c..0000000 --- a/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 17 Feb 2023 15:31:08 +0100 -Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen - -Implementation Guidance for FIPS 140-3 and the Cryptographic Module -Verification Program, Section C.H requires guarantees about the -uniqueness of key/iv pairs, and proposes a few approaches to ensure -this. Provide an indicator for option 2 "The IV may be generated -internally at its entirety randomly." - -Resolves: rhbz#2168289 -Signed-off-by: Clemens Lang ---- - include/openssl/evp.h | 4 +++ - .../implementations/ciphers/ciphercommon.c | 4 +++ - .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++ - util/perl/OpenSSL/paramnames.pm | 5 ++-- - 4 files changed, 36 insertions(+), 2 deletions(-) - -diff --git a/include/openssl/evp.h b/include/openssl/evp.h -index 49e8e1df78..ec2ba46fbd 100644 ---- a/include/openssl/evp.h -+++ b/include/openssl/evp.h -@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags); - void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); - int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags); - -+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 -+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1 -+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 -+ - __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - const unsigned char *key, const unsigned char *iv); - __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, -diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c -index fa383165d8..716add7339 100644 ---- a/providers/implementations/ciphers/ciphercommon.c -+++ b/providers/implementations/ciphers/ciphercommon.c -@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = { - OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), - 
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), - OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), -+ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does -+ * not work in ciphercommon.c because it is compiled only once into -+ * libcommon.a */ -+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), - OSSL_PARAM_END - }; - const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params( -diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c -index ed95c97ff4..db7910eb0e 100644 ---- a/providers/implementations/ciphers/ciphercommon_gcm.c -+++ b/providers/implementations/ciphers/ciphercommon_gcm.c -@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) - break; - } - } -+ -+ /* We would usually hide this under #ifdef FIPS_MODULE, but -+ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do -+ * not work here. */ -+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section C.H requires guarantees about the -+ * uniqueness of key/iv pairs, and proposes a few approaches to ensure -+ * this. This provides an indicator for option 2 "The IV may be -+ * generated internally at its entirety randomly." Note that one of the -+ * conditions of this option is that "The IV length shall be at least -+ * 96 bits (per SP 800-38D)." We do not specically check for this -+ * condition here, because gcm_iv_generate will fail in this case. 
*/ -+ if (ctx->enc && !ctx->iv_gen_rand) -+ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -+ return 0; -+ } -+ } -+ - return 1; - } - -diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm -index a109e44521..64e9809387 100644 ---- a/util/perl/OpenSSL/paramnames.pm -+++ b/util/perl/OpenSSL/paramnames.pm -@@ -101,8 +101,9 @@ my %params = ( - 'CIPHER_PARAM_SPEED' => "speed", # uint - 'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string - # For passing the AlgorithmIdentifier parameter in DER form -- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string -- 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string -+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string -+ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int -+ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string - - 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint - 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t --- -2.39.1 - diff --git a/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch deleted file mode 100644 index 2e869e2..0000000 --- a/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Mon, 6 Mar 2023 12:32:04 +0100 -Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks - -The pbkdf2 implementation in the FIPS provider supports the checks -required by NIST, but allows disabling these checks by setting the -OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate -that the use of this configuration is not approved in FIPS mode. Add an -explicit indicator to provide this indication. - -Resolves: rhbz#2175145 -Signed-off-by: Clemens Lang ---- - providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++-- - 1 file changed, 37 insertions(+), 3 deletions(-) - -diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c -index aa0adce5e6..6df8c6d321 100644 ---- a/providers/implementations/kdfs/pbkdf2.c -+++ b/providers/implementations/kdfs/pbkdf2.c -@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, - - static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { -+#ifdef FIPS_MODULE -+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ -+ -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) -+ != NULL) { -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ -+ /* The lower_bound_checks parameter enables checks required by FIPS. If -+ * those checks are disabled, the PBKDF2 implementation will also -+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see -+ * NIST SP 800-132 section 5.1). 
*/ -+ if (!ctx->lower_bound_checks) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -- return -2; -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ -+ any_valid = 1; -+ } -+#endif /* defined(FIPS_MODULE) */ -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, -@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; --- -2.39.2 - diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch deleted file mode 100644 index 2dc304c..0000000 --- a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +++ /dev/null 
@@ -1,156 +0,0 @@ -From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 17 Mar 2023 15:39:15 +0100 -Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator - -NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key -confirmation (section 6.4.2.3.2), or assurance from a trusted third -party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key -agreement schemes, but explicit key confirmation is not implemented and -cannot be implemented without protocol changes, and the FIPS provider -does not implement trusted third party validation, since it relies on -its callers to do that. A request for guidance sent to NIST did clarify -that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add -an indicator to mark them as unapproved previously and should thus keep -the indicator available. - -This does not affect RSA-OAEP decryption, because it is approved as -a component according to the FIPS 140-3 IG, section 2.4.G. 
- -Resolves: rhbz#2179331 -Resolves: RHEL-14083 -Signed-off-by: Clemens Lang ---- - include/openssl/evp.h | 4 +++ - .../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++ - providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++- - util/perl/OpenSSL/paramnames.pm | 6 ++-- - 4 files changed, 59 insertions(+), 3 deletions(-) - -diff --git a/include/openssl/evp.h b/include/openssl/evp.h -index ec2ba46fbd..3803b03422 100644 ---- a/include/openssl/evp.h -+++ b/include/openssl/evp.h -@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); - OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); - # endif - -+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 -+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1 -+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 -+ - EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, - const char *properties); - int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt); -diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index 568452ec56..2e7ea632d7 100644 ---- a/providers/implementations/asymciphers/rsa_enc.c -+++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -462,6 +462,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) - if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) - return 0; - -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; -+ -+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key -+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third -+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but -+ * explicit key confirmation is not implemented here and cannot be -+ * implemented without protocol changes, and the FIPS provider does not -+ * implement trusted 
third party validation, since it relies on its -+ * callers to do that. We must thus mark RSA-OAEP as unapproved until -+ * we have received clarification from NIST on how library modules such -+ * as OpenSSL should implement TTP validation. */ -+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif /* defined(FIPS_MODULE) */ -+ - return 1; - } - -@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), - #ifdef FIPS_MODULE - OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), -+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), - #endif /* FIPS_MODULE */ - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), - OSSL_PARAM_END -diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c -index 882cf16125..b4cc0f9237 100644 ---- a/providers/implementations/kem/rsa_kem.c -+++ b/providers/implementations/kem/rsa_kem.c -@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, - static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) - { - PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; -+#ifdef FIPS_MODULE -+ OSSL_PARAM *p; -+#endif /* defined(FIPS_MODULE) */ -+ -+ if (ctx == NULL) -+ return 0; -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key -+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third -+ * party (section 6.4.2.3.1) for key agreement or key transport, but -+ * explicit key confirmation is not implemented here and cannot be -+ * implemented without protocol changes, and the FIPS provider does not -+ * implement trusted third party validation, since it relies on its -+ * callers to do that. 
We must thus mark RSASVE unapproved until we -+ * have received clarification from NIST on how library modules such as -+ * OpenSSL should implement TTP validation. */ -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif /* defined(FIPS_MODULE) */ - -- return ctx != NULL; -+ return 1; - } - - static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = { -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - -diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm -index 64e9809387..45ab0c8dc4 100644 ---- a/util/perl/OpenSSL/paramnames.pm -+++ b/util/perl/OpenSSL/paramnames.pm -@@ -406,6 +406,7 @@ my %params = ( - 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", - 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", - 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", -+ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", - - # Encoder / decoder parameters - -@@ -438,8 +439,9 @@ my %params = ( - 'SIGNATURE_PARAM_KAT' => "kat", - - # KEM parameters -- 'KEM_PARAM_OPERATION' => "operation", -- 'KEM_PARAM_IKME' => "ikme", -+ 'KEM_PARAM_OPERATION' => "operation", -+ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", -+ 'KEM_PARAM_IKME' => "ikme", - - # Capabilities - --- -2.39.2 - diff --git a/0117-ignore-unknown-sigalgorithms-groups.patch b/0117-ignore-unknown-sigalgorithms-groups.patch deleted file mode 100644 index dd40e11..0000000 --- a/0117-ignore-unknown-sigalgorithms-groups.patch +++ /dev/null 
@@ -1,318 +0,0 @@ -From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 14 Dec 2023 17:08:56 +0100 -Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch - -Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch -Patch-id: 117 -Patch-status: | - # https://github.com/openssl/openssl/issues/23050 ---- - CHANGES.md | 13 +++++++ - doc/man3/SSL_CTX_set1_curves.pod | 6 ++- - doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++- - ssl/t1_lib.c | 56 +++++++++++++++++++++------- - test/sslapitest.c | 61 +++++++++++++++++++++++++++++++ - 5 files changed, 132 insertions(+), 15 deletions(-) - -diff --git a/CHANGES.md b/CHANGES.md -index ca29762ac2..4e21d0ddf9 100644 ---- a/CHANGES.md -+++ b/CHANGES.md -@@ -27,6 +27,19 @@ OpenSSL 3.2 - - ### Changes between 3.2.0 and 3.2.1 [30 Jan 2024] - -+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms -+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and -+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are -+ ignored and the configuration will still be used. -+ -+ Similarly unknown entries that start with `?` character in a TLS -+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored -+ and the configuration will still be used. -+ -+ In both cases if the resulting list is empty, an error is returned. -+ -+ *Tomáš Mráz* -+ - * A file in PKCS12 format can contain certificates and keys and may come from - an untrusted source. The PKCS12 specification allows certain fields to be - NULL, but OpenSSL did not correctly check for this case. A fix has been -diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod -index c26ef00306..f0566e148e 100644 ---- a/doc/man3/SSL_CTX_set1_curves.pod -+++ b/doc/man3/SSL_CTX_set1_curves.pod -@@ -58,7 +58,8 @@ string B. The string is a colon separated list of group names, for example - are B, B, B, B, B, B, - B, B, B, B, - B, B and B. 
Support for other groups may be --added by external providers. -+added by external providers. If a group name is preceded with the C -+character, it will be ignored if an implementation is missing. - - SSL_set1_groups() and SSL_set1_groups_list() are similar except they set - supported groups for the SSL structure B. -@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group - functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function - was added in OpenSSL 3.0.0. - -+Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and -+SSL_set1_groups_list() was added in OpenSSL 3.3. -+ - =head1 COPYRIGHT - - Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. -diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod -index eb31006346..5b7de7d956 100644 ---- a/doc/man3/SSL_CTX_set1_sigalgs.pod -+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod -@@ -33,7 +33,9 @@ signature algorithms for B or B. The B parameter - must be a null terminated string consisting of a colon separated list of - elements, where each element is either a combination of a public key - algorithm and a digest separated by B<+>, or a TLS 1.3-style named --SignatureScheme such as rsa_pss_pss_sha256. -+SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded -+with the C character, it will be ignored if an implementation is missing. -+ - - SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(), - SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set -@@ -106,6 +108,13 @@ using a string: - L, L, - L - -+=head1 HISTORY -+ -+Support for ignoring unknown signature algorithms in -+SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(), -+SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() -+was added in OpenSSL 3.3. -+ - =head1 COPYRIGHT - - Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. 
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 056aae3863..fe680449c5 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg) - size_t i; - uint16_t gid = 0; - char etmp[GROUP_NAME_BUFFER_LENGTH]; -+ int ignore_unknown = 0; - - if (elem == NULL) - return 0; -+ if (elem[0] == '?') { -+ ignore_unknown = 1; -+ ++elem; -+ --len; -+ } - if (garg->gidcnt == garg->gidmax) { - uint16_t *tmp = - OPENSSL_realloc(garg->gid_arr, -@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg) - - gid = tls1_group_name2id(garg->ctx, etmp); - if (gid == 0) { -- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, -- "group '%s' cannot be set", etmp); -- return 0; -+ /* Unknown group - ignore, if ignore_unknown */ -+ return ignore_unknown; - } - for (i = 0; i < garg->gidcnt; i++) -- if (garg->gid_arr[i] == gid) -- return 0; -+ if (garg->gid_arr[i] == gid) { -+ /* Duplicate group - ignore */ -+ return 1; -+ } - garg->gid_arr[garg->gidcnt++] = gid; - return 1; - } -@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, - gcb.ctx = ctx; - if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) - goto end; -+ if (gcb.gidcnt == 0) { -+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, -+ "No valid groups in '%s'", str); -+ goto end; -+ } - if (pext == NULL) { - ret = 1; - goto end; -@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg) - const SIGALG_LOOKUP *s; - char etmp[TLS_MAX_SIGSTRING_LEN], *p; - int sig_alg = NID_undef, hash_alg = NID_undef; -+ int ignore_unknown = 0; -+ - if (elem == NULL) - return 0; -+ if (elem[0] == '?') { -+ ignore_unknown = 1; -+ ++elem; -+ --len; -+ } - if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) - return 0; - if (len > (int)(sizeof(etmp) - 1)) -@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg) - break; - } - } -- if (i == OSSL_NELEM(sigalg_lookup_tbl)) -- return 0; 
-+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { -+ /* Ignore unknown algorithms if ignore_unknown */ -+ return ignore_unknown; -+ } - } - } else { - *p = 0; -@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg) - return 0; - get_sigorhash(&sig_alg, &hash_alg, etmp); - get_sigorhash(&sig_alg, &hash_alg, p); -- if (sig_alg == NID_undef || hash_alg == NID_undef) -- return 0; -+ if (sig_alg == NID_undef || hash_alg == NID_undef) { -+ /* Ignore unknown algorithms if ignore_unknown */ -+ return ignore_unknown; -+ } - for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); - i++, s++) { - if (s->hash == hash_alg && s->sig == sig_alg) { -@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg) - break; - } - } -- if (i == OSSL_NELEM(sigalg_lookup_tbl)) -- return 0; -+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { -+ /* Ignore unknown algorithms if ignore_unknown */ -+ return ignore_unknown; -+ } - } - -- /* Reject duplicates */ -+ /* Ignore duplicates */ - for (i = 0; i < sarg->sigalgcnt - 1; i++) { - if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { - sarg->sigalgcnt--; -- return 0; -+ return 1; - } - } - return 1; -@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) - } - if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) - return 0; -+ if (sig.sigalgcnt == 0) { -+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, -+ "No valid signature algorithms in '%s'", str); -+ return 0; -+ } - if (c == NULL) - return 1; - return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 1c14f93ed1..184a0f1055 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -39,6 +39,7 @@ - #include "testutil.h" - #include "testutil/output.h" - #include "internal/nelem.h" -+#include "internal/tlsgroups.h" - #include "internal/ktls.h" - #include "../ssl/ssl_local.h" - #include "../ssl/record/methods/recmethod_local.h" 
-@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = { - {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, - # endif - {NULL, 0, "RSA+SHA256", 1, 1}, -+ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1}, - # ifndef OPENSSL_NO_EC - {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, - {NULL, 0, "ECDSA+SHA512", 1, 0}, -@@ -9276,6 +9278,64 @@ static int test_servername(int tst) - return testresult; - } - -+static int test_unknown_sigalgs_groups(void) -+{ -+ int ret = 0; -+ SSL_CTX *ctx = NULL; -+ -+ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) -+ goto end; -+ -+ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx, -+ "RSA+SHA256:?nonexistent:?RSA+SHA512"), -+ 0)) -+ goto end; -+ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2) -+ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256) -+ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512)) -+ goto end; -+ -+ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx, -+ "RSA+SHA256:?nonexistent:?RSA+SHA512"), -+ 0)) -+ goto end; -+ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2) -+ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256) -+ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512)) -+ goto end; -+ -+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, -+ "nonexistent"), -+ 0)) -+ goto end; -+ -+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, -+ "?nonexistent1:?nonexistent2:?nonexistent3"), -+ 0)) -+ goto end; -+ -+#ifndef OPENSSL_NO_EC -+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, -+ "P-256:nonexistent"), -+ 0)) -+ goto end; -+ -+ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, -+ "P-384:?nonexistent:?P-521"), -+ 0)) -+ goto end; -+ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2) -+ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1) -+ || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1)) -+ goto end; -+#endif -+ -+ ret = 1; -+ end: -+ SSL_CTX_free(ctx); 
-+ return ret; -+} -+ - #if !defined(OPENSSL_NO_EC) \ - && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) - /* -@@ -11519,6 +11579,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data)); - #endif - ADD_ALL_TESTS(test_servername, 10); -+ ADD_TEST(test_unknown_sigalgs_groups); - #if !defined(OPENSSL_NO_EC) \ - && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) - ADD_ALL_TESTS(test_sigalgs_available, 6); --- -2.44.0 - diff --git a/0121-FIPS-cms-defaults.patch b/0121-FIPS-cms-defaults.patch deleted file mode 100644 index 7598512..0000000 --- a/0121-FIPS-cms-defaults.patch +++ /dev/null 
@@ -1,65 +0,0 @@
-diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c
---- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200
-+++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200
-@@ -20,6 +20,7 @@
- #include 
- #include 
- #include 
-+ #include 
- 
- static int save_certs(char *signerfile, STACK_OF(X509) *signers);
- static int cms_cb(int ok, X509_STORE_CTX *ctx);
-@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv)
- 
- if (operation == SMIME_ENCRYPT) {
- if (!cipher) {
-+ if (FIPS_mode()) {
-+ cipher = (EVP_CIPHER *)EVP_aes_128_cbc();
-+ } else {
- #ifndef OPENSSL_NO_DES
-- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
-+ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
- #else
-- BIO_printf(bio_err, "No cipher selected\n");
-- goto end;
-+ BIO_printf(bio_err, "No cipher selected\n");
-+ goto end;
- #endif
-+ }
- }
- 
- if (secret_key && !secret_keyid) {
-diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c
---- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200
-+++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200
-@@ -14,6 +14,7 @@
- #include 
- #include 
- #include 
-+ #include 
- #include "internal/sizes.h"
- #include "crypto/asn1.h"
- #include "crypto/evp.h"
-@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C
- return 0;
- if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
- return 0;
-+ if (FIPS_mode()) {
-+ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
-+ return 0;
-+ }
- } else if (!ossl_cms_env_asn1_ctrl(ri, 0))
- return 0;
- return 1;
-@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp
- 
- if (EVP_PKEY_encrypt_init(pctx) <= 0)
- goto err;
-+ 
-+ if (FIPS_mode()) {
-+ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
-+ goto err;
-+ }
- }
- 
- if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
diff --git a/0122-TMP-KTLS-test-skip.patch b/0122-TMP-KTLS-test-skip.patch
deleted file mode 100644
index f037ee3..0000000
--- a/0122-TMP-KTLS-test-skip.patch
+++ /dev/null
diff --git a/0122-TMP-KTLS-test-skip.patch b/0122-TMP-KTLS-test-skip.patch deleted file mode 100644 index f037ee3..0000000 --- a/0122-TMP-KTLS-test-skip.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c ---- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200 -+++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200 -@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co - /* sock must be connected */ - static int ktls_chk_platform(int sock) - { -- if (!ktls_enable(sock)) -+/* if (!ktls_enable(sock)) - return 0; -- return 1; -+ return 1; */ -+ return 0; - } - - static int ping_pong_query(SSL *clientssl, SSL *serverssl) diff --git a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch deleted file mode 100644 index 85f97c6..0000000 --- a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch +++ /dev/null 
@@ -1,62 +0,0 @@
-From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001
-From: Tomas Mraz 
-Date: Mon, 17 Jun 2024 16:48:26 +0200
-Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older
- providers
-
-If there is no get_ctx_params() implemented in the key exchange
-provider implementation the fallback will not work. Instead
-check the gettable_ctx_params() to see if the fallback should be
-performed.
-
-Fixes #24611
-
-Reviewed-by: Paul Dale 
-Reviewed-by: Tom Cosgrove 
-(Merged from https://github.com/openssl/openssl/pull/24661)
-
-(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d)
----
- crypto/evp/pmeth_lib.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index 2caff2cd6d..d15e43be05 100644
---- a/crypto/evp/pmeth_lib.c
-+++ b/crypto/evp/pmeth_lib.c
-@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
- int datalen)
- {
- OSSL_PARAM os_params[2];
-+ const OSSL_PARAM *gettables;
- unsigned char *info = NULL;
- size_t info_len = 0;
- size_t info_alloc = 0;
-@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
- return 1;
- }
- 
-+ /* Check for older provider that doesn't support getting this parameter */
-+ gettables = EVP_PKEY_CTX_gettable_params(ctx);
-+ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
-+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
-+ data, datalen);
-+
- /* Get the original value length */
- os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
- os_params[1] = OSSL_PARAM_construct_end();
-@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
- if (!EVP_PKEY_CTX_get_params(ctx, os_params))
- return 0;
- 
-- /* Older provider that doesn't support getting this parameter */
-+ /* This should not happen but check to be sure. */
- if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
-- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
-+ return 0;
- 
- info_alloc = os_params[0].return_size + datalen;
- if (info_alloc == 0)
---
-2.45.1
-
diff --git a/0124-Fix-SSL_select_next_proto.patch b/0124-Fix-SSL_select_next_proto.patch
deleted file mode 100644
index 6458067..0000000
--- a/0124-Fix-SSL_select_next_proto.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 99fb785a5f85315b95288921a321a935ea29a51e Mon Sep 17 00:00:00 2001
-From: Matt Caswell 
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH 01/10] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Neil Horman 
-Reviewed-by: Tomas Mraz 
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-----------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 016135fe18..cf52b317cf 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
- unsigned int server_len,
- const unsigned char *client, unsigned int client_len)
- {
-- unsigned int i, j;
-- const unsigned char *result;
-- int status = OPENSSL_NPN_UNSUPPORTED;
-+ PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+ if (!PACKET_buf_init(&cpkt, client, client_len)
-+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+ || PACKET_remaining(&csubpkt) == 0) {
-+ *out = NULL;
-+ *outlen = 0;
-+ return OPENSSL_NPN_NO_OVERLAP;
-+ }
-+
-+ /*
-+ * Set the default opportunistic protocol. Will be overwritten if we find
-+ * a match.
-+ */
-+ *out = (unsigned char *)PACKET_data(&csubpkt);
-+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
- 
- /*
- * For each protocol in server preference order, see if we support it.
- */
-- for (i = 0; i < server_len;) {
-- for (j = 0; j < client_len;) {
-- if (server[i] == client[j] &&
-- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
-- /* We found a match */
-- result = &server[i];
-- status = OPENSSL_NPN_NEGOTIATED;
-- goto found;
-+ if (PACKET_buf_init(&spkt, server, server_len)) {
-+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+ if (PACKET_remaining(&ssubpkt) == 0)
-+ continue; /* Invalid - ignore it */
-+ if (PACKET_buf_init(&cpkt, client, client_len)) {
-+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+ PACKET_remaining(&ssubpkt))) {
-+ /* We found a match */
-+ *out = (unsigned char *)PACKET_data(&ssubpkt);
-+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+ return OPENSSL_NPN_NEGOTIATED;
-+ }
-+ }
-+ /* Ignore spurious trailing bytes in the client list */
-+ } else {
-+ /* This should never happen */
-+ return OPENSSL_NPN_NO_OVERLAP;
- }
-- j += client[j];
-- j++;
- }
-- i += server[i];
-- i++;
-+ /* Ignore spurious trailing bytes in the server list */
- }
- 
-- /* There's no overlap between our protocols and the server's list. */
-- result = client;
-- status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
-- *out = (unsigned char *)result + 1;
-- *outlen = result[0];
-- return status;
-+ /*
-+ * There's no overlap between our protocols and the server's list. We use
-+ * the default opportunistic protocol selected earlier
-+ */
-+ return OPENSSL_NPN_NO_OVERLAP;
- }
- 
- #ifndef OPENSSL_NO_NEXTPROTONEG
---
-2.46.0
-
diff --git a/0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch b/0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch
deleted file mode 100644
index 29d22c6..0000000
--- a/0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001
-From: Matt Caswell 
-Date: Fri, 31 May 2024 11:18:27 +0100
-Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
- processing NPN
-
-In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
-the selected_len is 0 we should fail. Previously this would fail with an
-internal_error alert because calling OPENSSL_malloc(selected_len) will
-return NULL when selected_len is 0. We make this error detection more
-explicit and return a handshake failure alert.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman 
-Reviewed-by: Tomas Mraz 
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- ssl/statem/extensions_clnt.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 381a6c9d7b..1ab3c13d57 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
- if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
- &selected, &selected_len,
- PACKET_data(pkt), PACKET_remaining(pkt),
-- sctx->ext.npn_select_cb_arg) !=
-- SSL_TLSEXT_ERR_OK) {
-+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
-+ || selected_len == 0) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
- return 0;
- }
---
-2.46.0
-
diff --git a/0126-Use-correctly-formatted-ALPN-data-in-tserver.patch b/0126-Use-correctly-formatted-ALPN-data-in-tserver.patch
deleted file mode 100644
index 028732f..0000000
--- a/0126-Use-correctly-formatted-ALPN-data-in-tserver.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6cc511826f09e513b4ec066d9b95acaf4f86d991 Mon Sep 17 00:00:00 2001
-From: Matt Caswell 
-Date: Fri, 31 May 2024 11:22:13 +0100
-Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
-
-The QUIC test server was using incorrectly formatted ALPN data. With the
-previous implementation of SSL_select_next_proto this went unnoticed. With
-the new stricter implemenation it was failing.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman 
-Reviewed-by: Tomas Mraz 
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- ssl/quic/quic_tserver.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
-index 86187d06ff..15694e723f 100644
---- a/ssl/quic/quic_tserver.c
-+++ b/ssl/quic/quic_tserver.c
-@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
- 
- if (srv->args.alpn == NULL) {
- alpn = alpndeflt;
-- alpnlen = sizeof(alpn);
-+ alpnlen = sizeof(alpndeflt);
- } else {
- alpn = srv->args.alpn;
- alpnlen = srv->args.alpnlen;
---
-2.46.0
-
diff --git a/0127-Clarify-the-SSL_select_next_proto-documentation.patch b/0127-Clarify-the-SSL_select_next_proto-documentation.patch
deleted file mode 100644
index 34e6261..0000000
--- a/0127-Clarify-the-SSL_select_next_proto-documentation.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 8e81c57adbbf703dfb63955f65599765fdacc741 Mon Sep 17 00:00:00 2001
-From: Matt Caswell 
-Date: Fri, 31 May 2024 11:46:38 +0100
-Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
-
-We clarify the input preconditions and the expected behaviour in the event
-of no overlap.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman 
-Reviewed-by: Tomas Mraz 
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-index 05fee2fbec..79e1a252f6 100644
---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
- SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
- set the list of protocols available to be negotiated. The B must be in
- protocol-list format, described below. The length of B is specified in
--B.
-+B. Setting B to 0 clears any existing list of ALPN
-+protocols and no ALPN extension will be sent to the server.
- 
- SSL_CTX_set_alpn_select_cb() sets the application callback B used by a
- server to select which protocol to use for the incoming connection. When B
-@@ -73,9 +74,16 @@ B and B, B must be in the protocol-list format
- described below. The first item in the B, B list that
- matches an item in the B, B list is selected, and returned
- in B, B. The B value will point into either B or
--B, so it should be copied immediately. If no match is found, the first
--item in B, B is returned in B, B. This
--function can also be used in the NPN callback.
-+B, so it should be copied immediately. The client list must include at
-+least one valid (nonempty) protocol entry in the list.
-+
-+The SSL_select_next_proto() helper function can be useful from either the ALPN
-+callback or the NPN callback (described below). If no match is found, the first
-+item in B, B is returned in B, B and
-+B is returned. This can be useful when implementating
-+the NPN callback. In the ALPN case, the value returned in B and B
-+must be ignored if B has been returned from
-+SSL_select_next_proto().
- 
- SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a
- client needs to select a protocol from the server's provided list, and a
-@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B).
- The length of the protocol name must be written into B. The
- server's advertised protocols are provided in B and B. The
- callback can assume that B is syntactically valid. The client must
--select a protocol. It is fatal to the connection if this callback returns
--a value other than B. The B parameter is the pointer
--set via SSL_CTX_set_next_proto_select_cb().
-+select a protocol (although it may be an empty, zero length protocol). It is
-+fatal to the connection if this callback returns a value other than
-+B or if the zero length protocol is selected. The B
-+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
- 
- SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called
- when a TLS server needs a list of supported protocols for Next Protocol
-@@ -154,7 +163,8 @@ A match was found and is returned in B, B.
- =item OPENSSL_NPN_NO_OVERLAP
- 
- No match was found. The first item in B, B is returned in
--B, B.
-+B, B (or B and 0 in the case where the first entry in
-+B is invalid).
- 
- =back
- 
---
-2.46.0
-
diff --git a/0128-Add-a-test-for-SSL_select_next_proto.patch b/0128-Add-a-test-for-SSL_select_next_proto.patch
deleted file mode 100644
index ccf1577..0000000
--- a/0128-Add-a-test-for-SSL_select_next_proto.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From add5c52a25c549cec4a730cdf96e2252f0a1862d Mon Sep 17 00:00:00 2001
-From: Matt Caswell 
-Date: Fri, 31 May 2024 16:35:16 +0100
-Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman 
-Reviewed-by: Tomas Mraz 
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 137 insertions(+)
-
-diff --git a/test/sslapitest.c b/test/sslapitest.c
-index ce163322cd..15cb9060cb 100644
---- a/test/sslapitest.c
-+++ b/test/sslapitest.c
-@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
- return testresult;
- }
- 
-+static struct next_proto_st {
-+ int serverlen;
-+ unsigned char server[40];
-+ int clientlen;
-+ unsigned char client[40];
-+ int expected_ret;
-+ size_t selectedlen;
-+ unsigned char selected[40];
-+} next_proto_tests[] = {
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
-+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-+ OPENSSL_NPN_NEGOTIATED,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'b', 'c', 'd' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 0, { 0 },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ -1, { 0 },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 0, { 0 },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 0, { 0 }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ -1, { 0 },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 0, { 0 }
-+ },
-+ {
-+ 3, { 3, 'a', 'b', 'c' },
-+ 4, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 3, { 'a', 'b', 'c' }
-+ },
-+ {
-+ 4, { 3, 'a', 'b', 'c' },
-+ 3, { 3, 'a', 'b', 'c' },
-+ OPENSSL_NPN_NO_OVERLAP,
-+ 0, { 0 }
-+ }
-+};
-+
-+static int test_select_next_proto(int idx)
-+{
-+ struct next_proto_st *np = &next_proto_tests[idx];
-+ int ret = 0;
-+ unsigned char *out, *client, *server;
-+ unsigned char outlen;
-+ unsigned int clientlen, serverlen;
-+
-+ if (np->clientlen == -1) {
-+ client = NULL;
-+ clientlen = 0;
-+ } else {
-+ client = np->client;
-+ clientlen = (unsigned int)np->clientlen;
-+ }
-+ if (np->serverlen == -1) {
-+ server = NULL;
-+ serverlen = 0;
-+ } else {
-+ server = np->server;
-+ serverlen = (unsigned int)np->serverlen;
-+ }
-+
-+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
-+ client, clientlen),
-+ np->expected_ret))
-+ goto err;
-+
-+ if (np->selectedlen == 0) {
-+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
-+ goto err;
-+ } else {
-+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
-+ goto err;
-+ }
-+
-+ ret = 1;
-+ err:
-+ return ret;
-+}
-+
- OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
- 
- int setup_tests(void)
-@@ -12053,6 +12189,7 @@ int setup_tests(void)
- ADD_ALL_TESTS(test_handshake_retry, 16);
- ADD_TEST(test_data_retry);
- ADD_ALL_TESTS(test_multi_resume, 5);
-+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
- return 1;
- 
- err:
---
-2.46.0
-
diff --git a/0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch b/0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
deleted file mode 100644
index ae383c8..0000000
--- a/0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
+++ /dev/null
@@ -1,1169 +0,0 @@ -From 7ea1f6a85b299b976cb3f756b2a7f0153f31b2b6 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 4 Jun 2024 15:47:32 +0100 -Subject: [PATCH 06/10] Allow an empty NPN/ALPN protocol list in the tests - -Allow ourselves to configure an empty NPN/ALPN protocol list and test what -happens if we do. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) ---- - test/helpers/handshake.c | 6 + - test/ssl-tests/08-npn.cnf | 553 +++++++++++++++++++--------------- - test/ssl-tests/08-npn.cnf.in | 35 +++ - test/ssl-tests/09-alpn.cnf | 66 +++- - test/ssl-tests/09-alpn.cnf.in | 33 ++ - 5 files changed, 449 insertions(+), 244 deletions(-) - -diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c -index e0422469e4..6b1629b942 100644 ---- a/test/helpers/handshake.c -+++ b/test/helpers/handshake.c -@@ -348,6 +348,12 @@ static int parse_protos(const char *protos, unsigned char **out, size_t *outlen) - - len = strlen(protos); - -+ if (len == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return 1; -+ } -+ - /* Should never have reuse. */ - if (!TEST_ptr_null(*out) - /* Test values are small, so we omit length limit checks. 
*/ -diff --git a/test/ssl-tests/08-npn.cnf b/test/ssl-tests/08-npn.cnf -index f38b3f6975..1931d02de4 100644 ---- a/test/ssl-tests/08-npn.cnf -+++ b/test/ssl-tests/08-npn.cnf -@@ -1,6 +1,6 @@ - # Generated with generate_ssl_tests.pl - --num_tests = 20 -+num_tests = 22 - - test-0 = 0-npn-simple - test-1 = 1-npn-client-finds-match -@@ -8,20 +8,22 @@ test-2 = 2-npn-client-honours-server-pref - test-3 = 3-npn-client-first-pref-on-mismatch - test-4 = 4-npn-no-server-support - test-5 = 5-npn-no-client-support --test-6 = 6-npn-with-sni-no-context-switch --test-7 = 7-npn-with-sni-context-switch --test-8 = 8-npn-selected-sni-server-supports-npn --test-9 = 9-npn-selected-sni-server-does-not-support-npn --test-10 = 10-alpn-preferred-over-npn --test-11 = 11-sni-npn-preferred-over-alpn --test-12 = 12-npn-simple-resumption --test-13 = 13-npn-server-switch-resumption --test-14 = 14-npn-client-switch-resumption --test-15 = 15-npn-client-first-pref-on-mismatch-resumption --test-16 = 16-npn-no-server-support-resumption --test-17 = 17-npn-no-client-support-resumption --test-18 = 18-alpn-preferred-over-npn-resumption --test-19 = 19-npn-used-if-alpn-not-supported-resumption -+test-6 = 6-npn-empty-client-list -+test-7 = 7-npn-empty-server-list -+test-8 = 8-npn-with-sni-no-context-switch -+test-9 = 9-npn-with-sni-context-switch -+test-10 = 10-npn-selected-sni-server-supports-npn -+test-11 = 11-npn-selected-sni-server-does-not-support-npn -+test-12 = 12-alpn-preferred-over-npn -+test-13 = 13-sni-npn-preferred-over-alpn -+test-14 = 14-npn-simple-resumption -+test-15 = 15-npn-server-switch-resumption -+test-16 = 16-npn-client-switch-resumption -+test-17 = 17-npn-client-first-pref-on-mismatch-resumption -+test-18 = 18-npn-no-server-support-resumption -+test-19 = 19-npn-no-client-support-resumption -+test-20 = 20-alpn-preferred-over-npn-resumption -+test-21 = 21-npn-used-if-alpn-not-supported-resumption - # =========================================================== - - [0-npn-simple] -@@ 
-206,253 +208,318 @@ NPNProtocols = foo - - # =========================================================== - --[6-npn-with-sni-no-context-switch] --ssl_conf = 6-npn-with-sni-no-context-switch-ssl -+[6-npn-empty-client-list] -+ssl_conf = 6-npn-empty-client-list-ssl - --[6-npn-with-sni-no-context-switch-ssl] --server = 6-npn-with-sni-no-context-switch-server --client = 6-npn-with-sni-no-context-switch-client --server2 = 6-npn-with-sni-no-context-switch-server2 -+[6-npn-empty-client-list-ssl] -+server = 6-npn-empty-client-list-server -+client = 6-npn-empty-client-list-client - --[6-npn-with-sni-no-context-switch-server] -+[6-npn-empty-client-list-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[6-npn-with-sni-no-context-switch-server2] -+[6-npn-empty-client-list-client] -+CipherString = DEFAULT -+MaxProtocol = TLSv1.2 -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-6] -+ExpectedClientAlert = HandshakeFailure -+ExpectedResult = ClientFail -+server = 6-npn-empty-client-list-server-extra -+client = 6-npn-empty-client-list-client-extra -+ -+[6-npn-empty-client-list-server-extra] -+NPNProtocols = foo -+ -+[6-npn-empty-client-list-client-extra] -+NPNProtocols = -+ -+ -+# =========================================================== -+ -+[7-npn-empty-server-list] -+ssl_conf = 7-npn-empty-server-list-ssl -+ -+[7-npn-empty-server-list-ssl] -+server = 7-npn-empty-server-list-server -+client = 7-npn-empty-server-list-client -+ -+[7-npn-empty-server-list-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[6-npn-with-sni-no-context-switch-client] -+[7-npn-empty-server-list-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-6] -+[test-7] -+ExpectedNPNProtocol = foo -+server = 
7-npn-empty-server-list-server-extra -+client = 7-npn-empty-server-list-client-extra -+ -+[7-npn-empty-server-list-server-extra] -+NPNProtocols = -+ -+[7-npn-empty-server-list-client-extra] -+NPNProtocols = foo -+ -+ -+# =========================================================== -+ -+[8-npn-with-sni-no-context-switch] -+ssl_conf = 8-npn-with-sni-no-context-switch-ssl -+ -+[8-npn-with-sni-no-context-switch-ssl] -+server = 8-npn-with-sni-no-context-switch-server -+client = 8-npn-with-sni-no-context-switch-client -+server2 = 8-npn-with-sni-no-context-switch-server2 -+ -+[8-npn-with-sni-no-context-switch-server] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[8-npn-with-sni-no-context-switch-server2] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[8-npn-with-sni-no-context-switch-client] -+CipherString = DEFAULT -+MaxProtocol = TLSv1.2 -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-8] - ExpectedNPNProtocol = foo - ExpectedServerName = server1 --server = 6-npn-with-sni-no-context-switch-server-extra --server2 = 6-npn-with-sni-no-context-switch-server2-extra --client = 6-npn-with-sni-no-context-switch-client-extra -+server = 8-npn-with-sni-no-context-switch-server-extra -+server2 = 8-npn-with-sni-no-context-switch-server2-extra -+client = 8-npn-with-sni-no-context-switch-client-extra - --[6-npn-with-sni-no-context-switch-server-extra] -+[8-npn-with-sni-no-context-switch-server-extra] - NPNProtocols = foo - ServerNameCallback = IgnoreMismatch - --[6-npn-with-sni-no-context-switch-server2-extra] -+[8-npn-with-sni-no-context-switch-server2-extra] - NPNProtocols = bar - --[6-npn-with-sni-no-context-switch-client-extra] -+[8-npn-with-sni-no-context-switch-client-extra] - NPNProtocols = foo,bar - ServerName = server1 - - - # 
=========================================================== - --[7-npn-with-sni-context-switch] --ssl_conf = 7-npn-with-sni-context-switch-ssl -+[9-npn-with-sni-context-switch] -+ssl_conf = 9-npn-with-sni-context-switch-ssl - --[7-npn-with-sni-context-switch-ssl] --server = 7-npn-with-sni-context-switch-server --client = 7-npn-with-sni-context-switch-client --server2 = 7-npn-with-sni-context-switch-server2 -+[9-npn-with-sni-context-switch-ssl] -+server = 9-npn-with-sni-context-switch-server -+client = 9-npn-with-sni-context-switch-client -+server2 = 9-npn-with-sni-context-switch-server2 - --[7-npn-with-sni-context-switch-server] -+[9-npn-with-sni-context-switch-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[7-npn-with-sni-context-switch-server2] -+[9-npn-with-sni-context-switch-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[7-npn-with-sni-context-switch-client] -+[9-npn-with-sni-context-switch-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-7] -+[test-9] - ExpectedNPNProtocol = bar - ExpectedServerName = server2 --server = 7-npn-with-sni-context-switch-server-extra --server2 = 7-npn-with-sni-context-switch-server2-extra --client = 7-npn-with-sni-context-switch-client-extra -+server = 9-npn-with-sni-context-switch-server-extra -+server2 = 9-npn-with-sni-context-switch-server2-extra -+client = 9-npn-with-sni-context-switch-client-extra - --[7-npn-with-sni-context-switch-server-extra] -+[9-npn-with-sni-context-switch-server-extra] - NPNProtocols = foo - ServerNameCallback = IgnoreMismatch - --[7-npn-with-sni-context-switch-server2-extra] -+[9-npn-with-sni-context-switch-server2-extra] - NPNProtocols = bar - --[7-npn-with-sni-context-switch-client-extra] 
-+[9-npn-with-sni-context-switch-client-extra] - NPNProtocols = foo,bar - ServerName = server2 - - - # =========================================================== - --[8-npn-selected-sni-server-supports-npn] --ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl -+[10-npn-selected-sni-server-supports-npn] -+ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl - --[8-npn-selected-sni-server-supports-npn-ssl] --server = 8-npn-selected-sni-server-supports-npn-server --client = 8-npn-selected-sni-server-supports-npn-client --server2 = 8-npn-selected-sni-server-supports-npn-server2 -+[10-npn-selected-sni-server-supports-npn-ssl] -+server = 10-npn-selected-sni-server-supports-npn-server -+client = 10-npn-selected-sni-server-supports-npn-client -+server2 = 10-npn-selected-sni-server-supports-npn-server2 - --[8-npn-selected-sni-server-supports-npn-server] -+[10-npn-selected-sni-server-supports-npn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[8-npn-selected-sni-server-supports-npn-server2] -+[10-npn-selected-sni-server-supports-npn-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[8-npn-selected-sni-server-supports-npn-client] -+[10-npn-selected-sni-server-supports-npn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-8] -+[test-10] - ExpectedNPNProtocol = bar - ExpectedServerName = server2 --server = 8-npn-selected-sni-server-supports-npn-server-extra --server2 = 8-npn-selected-sni-server-supports-npn-server2-extra --client = 8-npn-selected-sni-server-supports-npn-client-extra -+server = 10-npn-selected-sni-server-supports-npn-server-extra -+server2 = 10-npn-selected-sni-server-supports-npn-server2-extra -+client = 10-npn-selected-sni-server-supports-npn-client-extra - 
--[8-npn-selected-sni-server-supports-npn-server-extra] -+[10-npn-selected-sni-server-supports-npn-server-extra] - ServerNameCallback = IgnoreMismatch - --[8-npn-selected-sni-server-supports-npn-server2-extra] -+[10-npn-selected-sni-server-supports-npn-server2-extra] - NPNProtocols = bar - --[8-npn-selected-sni-server-supports-npn-client-extra] -+[10-npn-selected-sni-server-supports-npn-client-extra] - NPNProtocols = foo,bar - ServerName = server2 - - - # =========================================================== - --[9-npn-selected-sni-server-does-not-support-npn] --ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl -+[11-npn-selected-sni-server-does-not-support-npn] -+ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl - --[9-npn-selected-sni-server-does-not-support-npn-ssl] --server = 9-npn-selected-sni-server-does-not-support-npn-server --client = 9-npn-selected-sni-server-does-not-support-npn-client --server2 = 9-npn-selected-sni-server-does-not-support-npn-server2 -+[11-npn-selected-sni-server-does-not-support-npn-ssl] -+server = 11-npn-selected-sni-server-does-not-support-npn-server -+client = 11-npn-selected-sni-server-does-not-support-npn-client -+server2 = 11-npn-selected-sni-server-does-not-support-npn-server2 - --[9-npn-selected-sni-server-does-not-support-npn-server] -+[11-npn-selected-sni-server-does-not-support-npn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[9-npn-selected-sni-server-does-not-support-npn-server2] -+[11-npn-selected-sni-server-does-not-support-npn-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[9-npn-selected-sni-server-does-not-support-npn-client] -+[11-npn-selected-sni-server-does-not-support-npn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode 
= Peer - --[test-9] -+[test-11] - ExpectedServerName = server2 --server = 9-npn-selected-sni-server-does-not-support-npn-server-extra --client = 9-npn-selected-sni-server-does-not-support-npn-client-extra -+server = 11-npn-selected-sni-server-does-not-support-npn-server-extra -+client = 11-npn-selected-sni-server-does-not-support-npn-client-extra - --[9-npn-selected-sni-server-does-not-support-npn-server-extra] -+[11-npn-selected-sni-server-does-not-support-npn-server-extra] - NPNProtocols = bar - ServerNameCallback = IgnoreMismatch - --[9-npn-selected-sni-server-does-not-support-npn-client-extra] -+[11-npn-selected-sni-server-does-not-support-npn-client-extra] - NPNProtocols = foo,bar - ServerName = server2 - - - # =========================================================== - --[10-alpn-preferred-over-npn] --ssl_conf = 10-alpn-preferred-over-npn-ssl -+[12-alpn-preferred-over-npn] -+ssl_conf = 12-alpn-preferred-over-npn-ssl - --[10-alpn-preferred-over-npn-ssl] --server = 10-alpn-preferred-over-npn-server --client = 10-alpn-preferred-over-npn-client -+[12-alpn-preferred-over-npn-ssl] -+server = 12-alpn-preferred-over-npn-server -+client = 12-alpn-preferred-over-npn-client - --[10-alpn-preferred-over-npn-server] -+[12-alpn-preferred-over-npn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[10-alpn-preferred-over-npn-client] -+[12-alpn-preferred-over-npn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-10] -+[test-12] - ExpectedALPNProtocol = foo --server = 10-alpn-preferred-over-npn-server-extra --client = 10-alpn-preferred-over-npn-client-extra -+server = 12-alpn-preferred-over-npn-server-extra -+client = 12-alpn-preferred-over-npn-client-extra - --[10-alpn-preferred-over-npn-server-extra] -+[12-alpn-preferred-over-npn-server-extra] - ALPNProtocols = foo - NPNProtocols = bar - 
--[10-alpn-preferred-over-npn-client-extra] -+[12-alpn-preferred-over-npn-client-extra] - ALPNProtocols = foo - NPNProtocols = bar - - - # =========================================================== - --[11-sni-npn-preferred-over-alpn] --ssl_conf = 11-sni-npn-preferred-over-alpn-ssl -+[13-sni-npn-preferred-over-alpn] -+ssl_conf = 13-sni-npn-preferred-over-alpn-ssl - --[11-sni-npn-preferred-over-alpn-ssl] --server = 11-sni-npn-preferred-over-alpn-server --client = 11-sni-npn-preferred-over-alpn-client --server2 = 11-sni-npn-preferred-over-alpn-server2 -+[13-sni-npn-preferred-over-alpn-ssl] -+server = 13-sni-npn-preferred-over-alpn-server -+client = 13-sni-npn-preferred-over-alpn-client -+server2 = 13-sni-npn-preferred-over-alpn-server2 - --[11-sni-npn-preferred-over-alpn-server] -+[13-sni-npn-preferred-over-alpn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[11-sni-npn-preferred-over-alpn-server2] -+[13-sni-npn-preferred-over-alpn-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[11-sni-npn-preferred-over-alpn-client] -+[13-sni-npn-preferred-over-alpn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-11] -+[test-13] - ExpectedNPNProtocol = bar - ExpectedServerName = server2 --server = 11-sni-npn-preferred-over-alpn-server-extra --server2 = 11-sni-npn-preferred-over-alpn-server2-extra --client = 11-sni-npn-preferred-over-alpn-client-extra -+server = 13-sni-npn-preferred-over-alpn-server-extra -+server2 = 13-sni-npn-preferred-over-alpn-server2-extra -+client = 13-sni-npn-preferred-over-alpn-client-extra - --[11-sni-npn-preferred-over-alpn-server-extra] -+[13-sni-npn-preferred-over-alpn-server-extra] - ALPNProtocols = foo - ServerNameCallback = IgnoreMismatch - 
--[11-sni-npn-preferred-over-alpn-server2-extra] -+[13-sni-npn-preferred-over-alpn-server2-extra] - NPNProtocols = bar - --[11-sni-npn-preferred-over-alpn-client-extra] -+[13-sni-npn-preferred-over-alpn-client-extra] - ALPNProtocols = foo - NPNProtocols = bar - ServerName = server2 -@@ -460,356 +527,356 @@ ServerName = server2 - - # =========================================================== - --[12-npn-simple-resumption] --ssl_conf = 12-npn-simple-resumption-ssl -+[14-npn-simple-resumption] -+ssl_conf = 14-npn-simple-resumption-ssl - --[12-npn-simple-resumption-ssl] --server = 12-npn-simple-resumption-server --client = 12-npn-simple-resumption-client --resume-server = 12-npn-simple-resumption-server --resume-client = 12-npn-simple-resumption-client -+[14-npn-simple-resumption-ssl] -+server = 14-npn-simple-resumption-server -+client = 14-npn-simple-resumption-client -+resume-server = 14-npn-simple-resumption-server -+resume-client = 14-npn-simple-resumption-client - --[12-npn-simple-resumption-server] -+[14-npn-simple-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[12-npn-simple-resumption-client] -+[14-npn-simple-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-12] -+[test-14] - ExpectedNPNProtocol = foo - HandshakeMode = Resume - ResumptionExpected = Yes --server = 12-npn-simple-resumption-server-extra --resume-server = 12-npn-simple-resumption-server-extra --client = 12-npn-simple-resumption-client-extra --resume-client = 12-npn-simple-resumption-client-extra -+server = 14-npn-simple-resumption-server-extra -+resume-server = 14-npn-simple-resumption-server-extra -+client = 14-npn-simple-resumption-client-extra -+resume-client = 14-npn-simple-resumption-client-extra - --[12-npn-simple-resumption-server-extra] -+[14-npn-simple-resumption-server-extra] - 
NPNProtocols = foo - --[12-npn-simple-resumption-client-extra] -+[14-npn-simple-resumption-client-extra] - NPNProtocols = foo - - - # =========================================================== - --[13-npn-server-switch-resumption] --ssl_conf = 13-npn-server-switch-resumption-ssl -+[15-npn-server-switch-resumption] -+ssl_conf = 15-npn-server-switch-resumption-ssl - --[13-npn-server-switch-resumption-ssl] --server = 13-npn-server-switch-resumption-server --client = 13-npn-server-switch-resumption-client --resume-server = 13-npn-server-switch-resumption-resume-server --resume-client = 13-npn-server-switch-resumption-client -+[15-npn-server-switch-resumption-ssl] -+server = 15-npn-server-switch-resumption-server -+client = 15-npn-server-switch-resumption-client -+resume-server = 15-npn-server-switch-resumption-resume-server -+resume-client = 15-npn-server-switch-resumption-client - --[13-npn-server-switch-resumption-server] -+[15-npn-server-switch-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[13-npn-server-switch-resumption-resume-server] -+[15-npn-server-switch-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[13-npn-server-switch-resumption-client] -+[15-npn-server-switch-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-13] -+[test-15] - ExpectedNPNProtocol = baz - HandshakeMode = Resume - ResumptionExpected = Yes --server = 13-npn-server-switch-resumption-server-extra --resume-server = 13-npn-server-switch-resumption-resume-server-extra --client = 13-npn-server-switch-resumption-client-extra --resume-client = 13-npn-server-switch-resumption-client-extra -+server = 15-npn-server-switch-resumption-server-extra -+resume-server = 
15-npn-server-switch-resumption-resume-server-extra -+client = 15-npn-server-switch-resumption-client-extra -+resume-client = 15-npn-server-switch-resumption-client-extra - --[13-npn-server-switch-resumption-server-extra] -+[15-npn-server-switch-resumption-server-extra] - NPNProtocols = bar,foo - --[13-npn-server-switch-resumption-resume-server-extra] -+[15-npn-server-switch-resumption-resume-server-extra] - NPNProtocols = baz,foo - --[13-npn-server-switch-resumption-client-extra] -+[15-npn-server-switch-resumption-client-extra] - NPNProtocols = foo,bar,baz - - - # =========================================================== - --[14-npn-client-switch-resumption] --ssl_conf = 14-npn-client-switch-resumption-ssl -+[16-npn-client-switch-resumption] -+ssl_conf = 16-npn-client-switch-resumption-ssl - --[14-npn-client-switch-resumption-ssl] --server = 14-npn-client-switch-resumption-server --client = 14-npn-client-switch-resumption-client --resume-server = 14-npn-client-switch-resumption-server --resume-client = 14-npn-client-switch-resumption-resume-client -+[16-npn-client-switch-resumption-ssl] -+server = 16-npn-client-switch-resumption-server -+client = 16-npn-client-switch-resumption-client -+resume-server = 16-npn-client-switch-resumption-server -+resume-client = 16-npn-client-switch-resumption-resume-client - --[14-npn-client-switch-resumption-server] -+[16-npn-client-switch-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[14-npn-client-switch-resumption-client] -+[16-npn-client-switch-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[14-npn-client-switch-resumption-resume-client] -+[16-npn-client-switch-resumption-resume-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-14] 
-+[test-16] - ExpectedNPNProtocol = bar - HandshakeMode = Resume - ResumptionExpected = Yes --server = 14-npn-client-switch-resumption-server-extra --resume-server = 14-npn-client-switch-resumption-server-extra --client = 14-npn-client-switch-resumption-client-extra --resume-client = 14-npn-client-switch-resumption-resume-client-extra -+server = 16-npn-client-switch-resumption-server-extra -+resume-server = 16-npn-client-switch-resumption-server-extra -+client = 16-npn-client-switch-resumption-client-extra -+resume-client = 16-npn-client-switch-resumption-resume-client-extra - --[14-npn-client-switch-resumption-server-extra] -+[16-npn-client-switch-resumption-server-extra] - NPNProtocols = foo,bar,baz - --[14-npn-client-switch-resumption-client-extra] -+[16-npn-client-switch-resumption-client-extra] - NPNProtocols = foo,baz - --[14-npn-client-switch-resumption-resume-client-extra] -+[16-npn-client-switch-resumption-resume-client-extra] - NPNProtocols = bar,baz - - - # =========================================================== - --[15-npn-client-first-pref-on-mismatch-resumption] --ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl -+[17-npn-client-first-pref-on-mismatch-resumption] -+ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl - --[15-npn-client-first-pref-on-mismatch-resumption-ssl] --server = 15-npn-client-first-pref-on-mismatch-resumption-server --client = 15-npn-client-first-pref-on-mismatch-resumption-client --resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server --resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client -+[17-npn-client-first-pref-on-mismatch-resumption-ssl] -+server = 17-npn-client-first-pref-on-mismatch-resumption-server -+client = 17-npn-client-first-pref-on-mismatch-resumption-client -+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server -+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client - 
--[15-npn-client-first-pref-on-mismatch-resumption-server] -+[17-npn-client-first-pref-on-mismatch-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[15-npn-client-first-pref-on-mismatch-resumption-resume-server] -+[17-npn-client-first-pref-on-mismatch-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[15-npn-client-first-pref-on-mismatch-resumption-client] -+[17-npn-client-first-pref-on-mismatch-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-15] -+[test-17] - ExpectedNPNProtocol = foo - HandshakeMode = Resume - ResumptionExpected = Yes --server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra --resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra --client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra --resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra -+server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra -+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra -+client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra -+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra - --[15-npn-client-first-pref-on-mismatch-resumption-server-extra] -+[17-npn-client-first-pref-on-mismatch-resumption-server-extra] - NPNProtocols = bar - --[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] -+[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] - NPNProtocols = baz - --[15-npn-client-first-pref-on-mismatch-resumption-client-extra] -+[17-npn-client-first-pref-on-mismatch-resumption-client-extra] - NPNProtocols = foo,bar - - - # 
=========================================================== - --[16-npn-no-server-support-resumption] --ssl_conf = 16-npn-no-server-support-resumption-ssl -+[18-npn-no-server-support-resumption] -+ssl_conf = 18-npn-no-server-support-resumption-ssl - --[16-npn-no-server-support-resumption-ssl] --server = 16-npn-no-server-support-resumption-server --client = 16-npn-no-server-support-resumption-client --resume-server = 16-npn-no-server-support-resumption-resume-server --resume-client = 16-npn-no-server-support-resumption-client -+[18-npn-no-server-support-resumption-ssl] -+server = 18-npn-no-server-support-resumption-server -+client = 18-npn-no-server-support-resumption-client -+resume-server = 18-npn-no-server-support-resumption-resume-server -+resume-client = 18-npn-no-server-support-resumption-client - --[16-npn-no-server-support-resumption-server] -+[18-npn-no-server-support-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[16-npn-no-server-support-resumption-resume-server] -+[18-npn-no-server-support-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[16-npn-no-server-support-resumption-client] -+[18-npn-no-server-support-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-16] -+[test-18] - HandshakeMode = Resume - ResumptionExpected = Yes --server = 16-npn-no-server-support-resumption-server-extra --client = 16-npn-no-server-support-resumption-client-extra --resume-client = 16-npn-no-server-support-resumption-client-extra -+server = 18-npn-no-server-support-resumption-server-extra -+client = 18-npn-no-server-support-resumption-client-extra -+resume-client = 18-npn-no-server-support-resumption-client-extra - 
--[16-npn-no-server-support-resumption-server-extra] -+[18-npn-no-server-support-resumption-server-extra] - NPNProtocols = foo - --[16-npn-no-server-support-resumption-client-extra] -+[18-npn-no-server-support-resumption-client-extra] - NPNProtocols = foo - - - # =========================================================== - --[17-npn-no-client-support-resumption] --ssl_conf = 17-npn-no-client-support-resumption-ssl -+[19-npn-no-client-support-resumption] -+ssl_conf = 19-npn-no-client-support-resumption-ssl - --[17-npn-no-client-support-resumption-ssl] --server = 17-npn-no-client-support-resumption-server --client = 17-npn-no-client-support-resumption-client --resume-server = 17-npn-no-client-support-resumption-server --resume-client = 17-npn-no-client-support-resumption-resume-client -+[19-npn-no-client-support-resumption-ssl] -+server = 19-npn-no-client-support-resumption-server -+client = 19-npn-no-client-support-resumption-client -+resume-server = 19-npn-no-client-support-resumption-server -+resume-client = 19-npn-no-client-support-resumption-resume-client - --[17-npn-no-client-support-resumption-server] -+[19-npn-no-client-support-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[17-npn-no-client-support-resumption-client] -+[19-npn-no-client-support-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[17-npn-no-client-support-resumption-resume-client] -+[19-npn-no-client-support-resumption-resume-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-17] -+[test-19] - HandshakeMode = Resume - ResumptionExpected = Yes --server = 17-npn-no-client-support-resumption-server-extra --resume-server = 17-npn-no-client-support-resumption-server-extra --client = 
17-npn-no-client-support-resumption-client-extra -+server = 19-npn-no-client-support-resumption-server-extra -+resume-server = 19-npn-no-client-support-resumption-server-extra -+client = 19-npn-no-client-support-resumption-client-extra - --[17-npn-no-client-support-resumption-server-extra] -+[19-npn-no-client-support-resumption-server-extra] - NPNProtocols = foo - --[17-npn-no-client-support-resumption-client-extra] -+[19-npn-no-client-support-resumption-client-extra] - NPNProtocols = foo - - - # =========================================================== - --[18-alpn-preferred-over-npn-resumption] --ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl -+[20-alpn-preferred-over-npn-resumption] -+ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl - --[18-alpn-preferred-over-npn-resumption-ssl] --server = 18-alpn-preferred-over-npn-resumption-server --client = 18-alpn-preferred-over-npn-resumption-client --resume-server = 18-alpn-preferred-over-npn-resumption-resume-server --resume-client = 18-alpn-preferred-over-npn-resumption-client -+[20-alpn-preferred-over-npn-resumption-ssl] -+server = 20-alpn-preferred-over-npn-resumption-server -+client = 20-alpn-preferred-over-npn-resumption-client -+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server -+resume-client = 20-alpn-preferred-over-npn-resumption-client - --[18-alpn-preferred-over-npn-resumption-server] -+[20-alpn-preferred-over-npn-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[18-alpn-preferred-over-npn-resumption-resume-server] -+[20-alpn-preferred-over-npn-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[18-alpn-preferred-over-npn-resumption-client] -+[20-alpn-preferred-over-npn-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-18] -+[test-20] - ExpectedALPNProtocol = foo - HandshakeMode = Resume - ResumptionExpected = Yes --server = 18-alpn-preferred-over-npn-resumption-server-extra --resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra --client = 18-alpn-preferred-over-npn-resumption-client-extra --resume-client = 18-alpn-preferred-over-npn-resumption-client-extra -+server = 20-alpn-preferred-over-npn-resumption-server-extra -+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra -+client = 20-alpn-preferred-over-npn-resumption-client-extra -+resume-client = 20-alpn-preferred-over-npn-resumption-client-extra - --[18-alpn-preferred-over-npn-resumption-server-extra] -+[20-alpn-preferred-over-npn-resumption-server-extra] - NPNProtocols = bar - --[18-alpn-preferred-over-npn-resumption-resume-server-extra] -+[20-alpn-preferred-over-npn-resumption-resume-server-extra] - ALPNProtocols = foo - NPNProtocols = baz - --[18-alpn-preferred-over-npn-resumption-client-extra] -+[20-alpn-preferred-over-npn-resumption-client-extra] - ALPNProtocols = foo - NPNProtocols = bar,baz - - - # =========================================================== - --[19-npn-used-if-alpn-not-supported-resumption] --ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl -+[21-npn-used-if-alpn-not-supported-resumption] -+ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl - --[19-npn-used-if-alpn-not-supported-resumption-ssl] --server = 19-npn-used-if-alpn-not-supported-resumption-server --client = 19-npn-used-if-alpn-not-supported-resumption-client --resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server --resume-client = 19-npn-used-if-alpn-not-supported-resumption-client -+[21-npn-used-if-alpn-not-supported-resumption-ssl] -+server = 21-npn-used-if-alpn-not-supported-resumption-server -+client = 21-npn-used-if-alpn-not-supported-resumption-client -+resume-server = 
21-npn-used-if-alpn-not-supported-resumption-resume-server -+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client - --[19-npn-used-if-alpn-not-supported-resumption-server] -+[21-npn-used-if-alpn-not-supported-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[19-npn-used-if-alpn-not-supported-resumption-resume-server] -+[21-npn-used-if-alpn-not-supported-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[19-npn-used-if-alpn-not-supported-resumption-client] -+[21-npn-used-if-alpn-not-supported-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-19] -+[test-21] - ExpectedNPNProtocol = baz - HandshakeMode = Resume - ResumptionExpected = Yes --server = 19-npn-used-if-alpn-not-supported-resumption-server-extra --resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra --client = 19-npn-used-if-alpn-not-supported-resumption-client-extra --resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra -+server = 21-npn-used-if-alpn-not-supported-resumption-server-extra -+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra -+client = 21-npn-used-if-alpn-not-supported-resumption-client-extra -+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra - --[19-npn-used-if-alpn-not-supported-resumption-server-extra] -+[21-npn-used-if-alpn-not-supported-resumption-server-extra] - ALPNProtocols = foo - NPNProtocols = bar - --[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra] -+[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra] - NPNProtocols = baz - --[19-npn-used-if-alpn-not-supported-resumption-client-extra] 
-+[21-npn-used-if-alpn-not-supported-resumption-client-extra]
- ALPNProtocols = foo
- NPNProtocols = bar,baz
- 
-diff --git a/test/ssl-tests/08-npn.cnf.in b/test/ssl-tests/08-npn.cnf.in
-index 30783e45eb..1dc2704bdb 100644
---- a/test/ssl-tests/08-npn.cnf.in
-+++ b/test/ssl-tests/08-npn.cnf.in
-@@ -110,6 +110,41 @@ our @tests = (
- "ExpectedNPNProtocol" => undef,
- },
- },
-+ {
-+ name => "npn-empty-client-list",
-+ server => {
-+ extra => {
-+ "NPNProtocols" => "foo",
-+ },
-+ },
-+ client => {
-+ extra => {
-+ "NPNProtocols" => "",
-+ },
-+ "MaxProtocol" => "TLSv1.2"
-+ },
-+ test => {
-+ "ExpectedResult" => "ClientFail",
-+ "ExpectedClientAlert" => "HandshakeFailure"
-+ },
-+ },
-+ {
-+ name => "npn-empty-server-list",
-+ server => {
-+ extra => {
-+ "NPNProtocols" => "",
-+ },
-+ },
-+ client => {
-+ extra => {
-+ "NPNProtocols" => "foo",
-+ },
-+ "MaxProtocol" => "TLSv1.2"
-+ },
-+ test => {
-+ "ExpectedNPNProtocol" => "foo"
-+ },
-+ },
- {
- name => "npn-with-sni-no-context-switch",
- server => {
-diff --git a/test/ssl-tests/09-alpn.cnf b/test/ssl-tests/09-alpn.cnf
-index e7e6cb9534..dd668739ab 100644
---- a/test/ssl-tests/09-alpn.cnf
-+++ b/test/ssl-tests/09-alpn.cnf
-@@ -1,6 +1,6 @@
- # Generated with generate_ssl_tests.pl
- 
--num_tests = 16
-+num_tests = 18
- 
- test-0 = 0-alpn-simple
- test-1 = 1-alpn-server-finds-match
-@@ -18,6 +18,8 @@ test-12 = 12-alpn-client-switch-resumption
- test-13 = 13-alpn-alert-on-mismatch-resumption
- test-14 = 14-alpn-no-server-support-resumption
- test-15 = 15-alpn-no-client-support-resumption
-+test-16 = 16-alpn-empty-client-list
-+test-17 = 17-alpn-empty-server-list
- # ===========================================================
- 
- [0-alpn-simple]
-@@ -617,3 +619,65 @@ ALPNProtocols = foo
- ALPNProtocols = foo
- 
- 
-+# ===========================================================
-+
-+[16-alpn-empty-client-list]
-+ssl_conf = 16-alpn-empty-client-list-ssl
-+
-+[16-alpn-empty-client-list-ssl]
-+server = 
16-alpn-empty-client-list-server
-+client = 16-alpn-empty-client-list-client
-+
-+[16-alpn-empty-client-list-server]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[16-alpn-empty-client-list-client]
-+CipherString = DEFAULT
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-16]
-+server = 16-alpn-empty-client-list-server-extra
-+client = 16-alpn-empty-client-list-client-extra
-+
-+[16-alpn-empty-client-list-server-extra]
-+ALPNProtocols = foo
-+
-+[16-alpn-empty-client-list-client-extra]
-+ALPNProtocols = 
-+
-+
-+# ===========================================================
-+
-+[17-alpn-empty-server-list]
-+ssl_conf = 17-alpn-empty-server-list-ssl
-+
-+[17-alpn-empty-server-list-ssl]
-+server = 17-alpn-empty-server-list-server
-+client = 17-alpn-empty-server-list-client
-+
-+[17-alpn-empty-server-list-server]
-+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-+CipherString = DEFAULT
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-+
-+[17-alpn-empty-server-list-client]
-+CipherString = DEFAULT
-+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-+VerifyMode = Peer
-+
-+[test-17]
-+ExpectedResult = ServerFail
-+ExpectedServerAlert = NoApplicationProtocol
-+server = 17-alpn-empty-server-list-server-extra
-+client = 17-alpn-empty-server-list-client-extra
-+
-+[17-alpn-empty-server-list-server-extra]
-+ALPNProtocols = 
-+
-+[17-alpn-empty-server-list-client-extra]
-+ALPNProtocols = foo
-+
-+
-diff --git a/test/ssl-tests/09-alpn.cnf.in b/test/ssl-tests/09-alpn.cnf.in
-index 81330756c6..322b7096a6 100644
---- a/test/ssl-tests/09-alpn.cnf.in
-+++ b/test/ssl-tests/09-alpn.cnf.in
-@@ -322,4 +322,37 @@ our @tests = (
- "ExpectedALPNProtocol" => undef,
- },
- },
-+ {
-+ name => "alpn-empty-client-list",
-+ server => {
-+ extra => {
-+ "ALPNProtocols" => "foo",
-+ },
-+ },
-+ client => {
-+ extra => {
-+ "ALPNProtocols" => "",
-+ },
-+ },
-+ test 
=> {
-+ "ExpectedALPNProtocol" => undef,
-+ },
-+ },
-+ {
-+ name => "alpn-empty-server-list",
-+ server => {
-+ extra => {
-+ "ALPNProtocols" => "",
-+ },
-+ },
-+ client => {
-+ extra => {
-+ "ALPNProtocols" => "foo",
-+ },
-+ },
-+ test => {
-+ "ExpectedResult" => "ServerFail",
-+ "ExpectedServerAlert" => "NoApplicationProtocol",
-+ },
-+ },
- );
---
-2.46.0
-
diff --git a/0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch b/0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch
deleted file mode 100644
index 97c28ee..0000000
--- a/0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 53f5677f358c4a4f69830d944ea40e71950673b8 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 21 Jun 2024 10:41:55 +0100
-Subject: [PATCH 07/10] Correct return values for
- tls_construct_stoc_next_proto_neg
-
-Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
-rather than EXT_RETURN_SENT. This actually makes no difference at all to
-the current control flow since this return value is ignored in this case
-anyway. But lets make it correct anyway.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- ssl/statem/extensions_srvr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 800654450e..66ed7dacf2 100644
---- a/ssl/statem/extensions_srvr.c
-+++ b/ssl/statem/extensions_srvr.c
-@@ -1501,9 +1501,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
- return EXT_RETURN_FAIL;
- }
- s->s3.npn_seen = 1;
-+ return EXT_RETURN_SENT;
- }
- 
-- return EXT_RETURN_SENT;
-+ return EXT_RETURN_NOT_SENT;
- }
- #endif
- 
---
-2.46.0
-
diff --git a/0131-Add-ALPN-validation-in-the-client.patch b/0131-Add-ALPN-validation-in-the-client.patch
deleted file mode 100644
index 1406860..0000000
--- a/0131-Add-ALPN-validation-in-the-client.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 195e15421df113d7283aab2ccff8b8fb06df5465 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 21 Jun 2024 11:51:54 +0100
-Subject: [PATCH 08/10] Add ALPN validation in the client
-
-The ALPN protocol selected by the server must be one that we originally
-advertised. We should verify that it is.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24717)
----
- ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 1ab3c13d57..ff9c009ee5 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
- X509 *x, size_t chainidx)
- {
- size_t len;
-+ PACKET confpkt, protpkt;
-+ int valid = 0;
- 
- /* We must have requested it. */
- if (!s->s3.alpn_sent) {
-@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
- return 0;
- }
-+
-+ /* It must be a protocol that we sent */
-+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
-+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
-+ if (PACKET_remaining(&protpkt) != len)
-+ continue;
-+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
-+ /* Valid protocol found */
-+ valid = 1;
-+ break;
-+ }
-+ }
-+
-+ if (!valid) {
-+ /* The protocol sent from the server does not match one we advertised */
-+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-+ return 0;
-+ }
-+
- OPENSSL_free(s->s3.alpn_selected);
- s->s3.alpn_selected = OPENSSL_malloc(len);
- if (s->s3.alpn_selected == NULL) {
---
-2.46.0
-
diff --git a/0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch b/0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
deleted file mode 100644
index 135fa25..0000000
--- a/0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
+++ /dev/null
@@ -1,267 +0,0 @@ -From 7c95191434415d1c9b7fe9b130df13cce630b6b5 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 21 Jun 2024 10:09:41 +0100 -Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest - -We already had some tests elsewhere - but this extends that testing with -additional tests. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) ---- - test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 229 insertions(+) - -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 15cb9060cb..7a55a2b721 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx) - return ret; - } - -+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' }; -+static const unsigned char barprot[] = {3, 'b', 'a', 'r' }; -+ -+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) -+static int npn_advert_cb(SSL *ssl, const unsigned char **out, -+ unsigned int *outlen, void *arg) -+{ -+ int *idx = (int *)arg; -+ -+ switch (*idx) { -+ default: -+ case 0: -+ *out = fooprot; -+ *outlen = sizeof(fooprot); -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 1: -+ *outlen = 0; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 2: -+ return SSL_TLSEXT_ERR_NOACK; -+ } -+} -+ -+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, -+ const unsigned char *in, unsigned int inlen, void *arg) -+{ -+ int *idx = (int *)arg; -+ -+ switch (*idx) { -+ case 0: -+ case 1: -+ *out = (unsigned char *)(fooprot + 1); -+ *outlen = *fooprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 3: -+ *out = (unsigned char *)(barprot + 1); -+ *outlen = *barprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 4: -+ *outlen = 0; -+ return SSL_TLSEXT_ERR_OK; -+ -+ default: -+ case 2: -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+} -+ -+/* -+ * Test the NPN callbacks -+ * Test 0: advert = foo, select = foo 
-+ * Test 1: advert = , select = foo -+ * Test 2: no advert -+ * Test 3: advert = foo, select = bar -+ * Test 4: advert = foo, select = (should fail) -+ */ -+static int test_npn(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int testresult = 0; -+ -+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -+ TLS_client_method(), 0, TLS1_2_VERSION, -+ &sctx, &cctx, cert, privkey))) -+ goto end; -+ -+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx); -+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx); -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, -+ NULL))) -+ goto end; -+ -+ if (idx == 4) { -+ /* We don't allow empty selection of NPN, so this should fail */ -+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ } else { -+ const unsigned char *prot; -+ unsigned int protlen; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen); -+ switch (idx) { -+ case 0: -+ case 1: -+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) -+ goto end; -+ break; -+ case 2: -+ if (!TEST_uint_eq(protlen, 0)) -+ goto end; -+ break; -+ case 3: -+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot)) -+ goto end; -+ break; -+ default: -+ TEST_error("Should not get here"); -+ goto end; -+ } -+ } -+ -+ testresult = 1; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ -+ return testresult; -+} -+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */ -+ -+static int alpn_select_cb2(SSL *ssl, const unsigned char **out, -+ unsigned char *outlen, const unsigned char *in, -+ unsigned int inlen, void *arg) -+{ -+ int *idx = (int *)arg; -+ -+ switch (*idx) { -+ case 0: -+ *out = (unsigned char *)(fooprot + 1); -+ *outlen = *fooprot; -+ return 
SSL_TLSEXT_ERR_OK; -+ -+ case 2: -+ *out = (unsigned char *)(barprot + 1); -+ *outlen = *barprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 3: -+ *outlen = 0; -+ return SSL_TLSEXT_ERR_OK; -+ -+ default: -+ case 1: -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+ return 0; -+} -+ -+/* -+ * Test the ALPN callbacks -+ * Test 0: client = foo, select = foo -+ * Test 1: client = , select = none -+ * Test 2: client = foo, select = bar (should fail) -+ * Test 3: client = foo, select = (should fail) -+ */ -+static int test_alpn(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int testresult = 0; -+ const unsigned char *prots = fooprot; -+ unsigned int protslen = sizeof(fooprot); -+ -+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -+ TLS_client_method(), 0, 0, -+ &sctx, &cctx, cert, privkey))) -+ goto end; -+ -+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx); -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, -+ NULL))) -+ goto end; -+ -+ if (idx == 1) { -+ prots = NULL; -+ protslen = 0; -+ } -+ -+ /* SSL_set_alpn_protos returns 0 for success! 
*/ -+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen))) -+ goto end; -+ -+ if (idx == 2 || idx == 3) { -+ /* We don't allow empty selection of NPN, so this should fail */ -+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ } else { -+ const unsigned char *prot; -+ unsigned int protlen; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ SSL_get0_alpn_selected(clientssl, &prot, &protlen); -+ switch (idx) { -+ case 0: -+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) -+ goto end; -+ break; -+ case 1: -+ if (!TEST_uint_eq(protlen, 0)) -+ goto end; -+ break; -+ default: -+ TEST_error("Should not get here"); -+ goto end; -+ } -+ } -+ -+ testresult = 1; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ -+ return testresult; -+} -+ - OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") - - int setup_tests(void) -@@ -12190,6 +12415,10 @@ int setup_tests(void) - ADD_TEST(test_data_retry); - ADD_ALL_TESTS(test_multi_resume, 5); - ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests)); -+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) -+ ADD_ALL_TESTS(test_npn, 5); -+#endif -+ ADD_ALL_TESTS(test_alpn, 4); - return 1; - - err: --- -2.46.0 - diff --git a/0133-Add-a-test-for-an-empty-NextProto-message.patch b/0133-Add-a-test-for-an-empty-NextProto-message.patch deleted file mode 100644 index 923ec66..0000000 --- a/0133-Add-a-test-for-an-empty-NextProto-message.patch +++ /dev/null 
@@ -1,199 +0,0 @@ -From 301b870546d1c7b2d8f0d66e04a2596142f0399f Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 21 Jun 2024 14:29:26 +0100 -Subject: [PATCH 10/10] Add a test for an empty NextProto message - -It is valid according to the spec for a NextProto message to have no -protocols listed in it. The OpenSSL implementation however does not allow -us to create such a message. In order to check that we work as expected -when communicating with a client that does generate such messages we have -to use a TLSProxy test. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24717) ---- - test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++ - util/perl/TLSProxy/Message.pm | 9 ++++ - util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++ - util/perl/TLSProxy/Proxy.pm | 1 + - 4 files changed, 137 insertions(+) - create mode 100644 test/recipes/70-test_npn.t - create mode 100644 util/perl/TLSProxy/NextProto.pm - -diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t -new file mode 100644 -index 0000000000..f82e71af6a ---- /dev/null -+++ b/test/recipes/70-test_npn.t -@@ -0,0 +1,73 @@ -+#! /usr/bin/env perl -+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. 
You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use strict; -+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/; -+use OpenSSL::Test::Utils; -+ -+use TLSProxy::Proxy; -+ -+my $test_name = "test_npn"; -+setup($test_name); -+ -+plan skip_all => "TLSProxy isn't usable on $^O" -+ if $^O =~ /^(VMS)$/; -+ -+plan skip_all => "$test_name needs the dynamic engine feature enabled" -+ if disabled("engine") || disabled("dynamic-engine"); -+ -+plan skip_all => "$test_name needs the sock feature enabled" -+ if disabled("sock"); -+ -+plan skip_all => "$test_name needs NPN enabled" -+ if disabled("nextprotoneg"); -+ -+plan skip_all => "$test_name needs TLSv1.2 enabled" -+ if disabled("tls1_2"); -+ -+my $proxy = TLSProxy::Proxy->new( -+ undef, -+ cmdstr(app(["openssl"]), display => 1), -+ srctop_file("apps", "server.pem"), -+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) -+); -+ -+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -+plan tests => 1; -+ -+my $npnseen = 0; -+ -+# Test 1: Check sending an empty NextProto message from the client works. This is -+# valid as per the spec, but OpenSSL does not allow you to send it. -+# Therefore we must be prepared to receive such a message but we cannot -+# generate it except via TLSProxy -+$proxy->clear(); -+$proxy->filter(\&npn_filter); -+$proxy->clientflags("-nextprotoneg foo -no_tls1_3"); -+$proxy->serverflags("-nextprotoneg foo"); -+$proxy->start(); -+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message"); -+ -+sub npn_filter -+{ -+ my $proxy = shift; -+ my $message; -+ -+ # The NextProto message always appears in flight 2 -+ return if $proxy->flight != 2; -+ -+ foreach my $message (@{$proxy->message_list}) { -+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) { -+ # Our TLSproxy NextProto message support doesn't support parsing of -+ # the message. 
If we repack it just creates an empty NextProto -+ # message - which is exactly the scenario we want to test here. -+ $message->repack(); -+ $npnseen = 1; -+ } -+ } -+} -diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm -index ce22187569..fb41b2ffc8 100644 ---- a/util/perl/TLSProxy/Message.pm -+++ b/util/perl/TLSProxy/Message.pm -@@ -384,6 +384,15 @@ sub create_message - [@message_frag_lens] - ); - $message->parse(); -+ } elsif ($mt == MT_NEXT_PROTO) { -+ $message = TLSProxy::NextProto->new( -+ $server, -+ $data, -+ [@message_rec_list], -+ $startoffset, -+ [@message_frag_lens] -+ ); -+ $message->parse(); - } else { - #Unknown message type - $message = TLSProxy::Message->new( -diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm -new file mode 100644 -index 0000000000..0e18347546 ---- /dev/null -+++ b/util/perl/TLSProxy/NextProto.pm -@@ -0,0 +1,54 @@ -+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use strict; -+ -+package TLSProxy::NextProto; -+ -+use vars '@ISA'; -+push @ISA, 'TLSProxy::Message'; -+ -+sub new -+{ -+ my $class = shift; -+ my ($server, -+ $data, -+ $records, -+ $startoffset, -+ $message_frag_lens) = @_; -+ -+ my $self = $class->SUPER::new( -+ $server, -+ TLSProxy::Message::MT_NEXT_PROTO, -+ $data, -+ $records, -+ $startoffset, -+ $message_frag_lens); -+ -+ return $self; -+} -+ -+sub parse -+{ -+ # We don't support parsing at the moment -+} -+ -+# This is supposed to reconstruct the on-the-wire message data following changes. 
-+# For now though since we don't support parsing we just create an empty NextProto -+# message - this capability is used in test_npn -+sub set_message_contents -+{ -+ my $self = shift; -+ my $data; -+ -+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00); -+ $self->data($data); -+} -+1; -diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm -index 3de10eccb9..b707722b6b 100644 ---- a/util/perl/TLSProxy/Proxy.pm -+++ b/util/perl/TLSProxy/Proxy.pm -@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest; - use TLSProxy::CertificateVerify; - use TLSProxy::ServerKeyExchange; - use TLSProxy::NewSessionTicket; -+use TLSProxy::NextProto; - - my $have_IPv6; - my $IP_factory; --- -2.46.0 - diff --git a/0136-CVE-2024-6119.patch b/0136-CVE-2024-6119.patch deleted file mode 100644 index a39106a..0000000 --- a/0136-CVE-2024-6119.patch +++ /dev/null 
@@ -1,233 +0,0 @@ -diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c -index 1a18174995..a09414c972 100644 ---- a/crypto/x509/v3_utl.c -+++ b/crypto/x509/v3_utl.c -@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, - ASN1_STRING *cstr; - - gen = sk_GENERAL_NAME_value(gens, i); -- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) { -- if (OBJ_obj2nid(gen->d.otherName->type_id) == -- NID_id_on_SmtpUTF8Mailbox) { -- san_present = 1; -- -- /* -- * If it is not a UTF8String then that is unexpected and we -- * treat it as no match -- */ -- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) { -- cstr = gen->d.otherName->value->value.utf8string; -- -- /* Positive on success, negative on error! */ -- if ((rv = do_check_string(cstr, 0, equal, flags, -- chk, chklen, peername)) != 0) -- break; -- } -- } else -+ switch (gen->type) { -+ default: -+ continue; -+ case GEN_OTHERNAME: -+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) { -+ default: - continue; -- } else { -- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME)) -+ case NID_id_on_SmtpUTF8Mailbox: -+ /*- -+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3 -+ * -+ * Due to name constraint compatibility reasons described -+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT -+ * be used unless the local-part of the email address -+ * contains non-ASCII characters. When the local-part is -+ * ASCII, rfc822Name subjectAltName MUST be used instead -+ * of SmtpUTF8Mailbox. This is compatible with legacy -+ * software that supports only rfc822Name (and not -+ * SmtpUTF8Mailbox). [...] -+ * -+ * SmtpUTF8Mailbox is encoded as UTF8String. -+ * -+ * If it is not a UTF8String then that is unexpected, and -+ * we ignore the invalid SAN (neither set san_present nor -+ * consider it a candidate for equality). 
This does mean -+ * that the subject CN may be considered, as would be the -+ * case when the malformed SmtpUtf8Mailbox SAN is instead -+ * simply absent. -+ * -+ * When CN-ID matching is not desirable, applications can -+ * choose to turn it off, doing so is at this time a best -+ * practice. -+ */ -+ if (check_type != GEN_EMAIL -+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING) -+ continue; -+ alt_type = 0; -+ cstr = gen->d.otherName->value->value.utf8string; -+ break; -+ } -+ break; -+ case GEN_EMAIL: -+ if (check_type != GEN_EMAIL) - continue; -- } -- san_present = 1; -- if (check_type == GEN_EMAIL) - cstr = gen->d.rfc822Name; -- else if (check_type == GEN_DNS) -+ break; -+ case GEN_DNS: -+ if (check_type != GEN_DNS) -+ continue; - cstr = gen->d.dNSName; -- else -+ break; -+ case GEN_IPADD: -+ if (check_type != GEN_IPADD) -+ continue; - cstr = gen->d.iPAddress; -+ break; -+ } -+ san_present = 1; - /* Positive on success, negative on error! */ - if ((rv = do_check_string(cstr, alt_type, equal, flags, - chk, chklen, peername)) != 0) -diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t -index 522982ddfb..e18735d89a 100644 ---- a/test/recipes/25-test_eai_data.t -+++ b/test/recipes/25-test_eai_data.t -@@ -21,16 +21,18 @@ setup("test_eai_data"); - #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem - #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem - --plan tests => 12; -+plan tests => 16; - - require_ok(srctop_file('test','recipes','tconversion.pl')); - my $folder = "test/recipes/25-test_eai_data"; - - my $ascii_pem = srctop_file($folder, "ascii_leaf.pem"); - my $utf8_pem = srctop_file($folder, "utf8_leaf.pem"); -+my $kdc_pem = srctop_file($folder, "kdc-cert.pem"); - - my $ascii_chain_pem = srctop_file($folder, 
"ascii_chain.pem"); - my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem"); -+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem"); - - my $out; - my $outcnt = 0; -@@ -56,10 +58,18 @@ SKIP: { - - ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem]))); - ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem]))); -+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem]))); - - ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem]))); - ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem]))); - -+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated). -+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated). -+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String. 
-+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -+ - #Check that we get the expected failure return code - with({ exit_checker => sub { return shift == 2; } }, - sub { -diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem -new file mode 100644 -index 0000000000..e8a2c6f55d ---- /dev/null -+++ b/test/recipes/25-test_eai_data/kdc-cert.pem -@@ -0,0 +1,21 @@ -+-----BEGIN CERTIFICATE----- -+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290 -+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU -+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+ -+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry -+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8 -+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx -+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT -+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9 -+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj -+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG -+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU -+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA -+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA -+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb -+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU -+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1 -+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9 -+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI -+oDQ9fKfUOAmUFth2/R/eGA== -+-----END CERTIFICATE----- -diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem -new file mode 100644 -index 0000000000..a74c96bf31 ---- /dev/null -+++ 
b/test/recipes/25-test_eai_data/kdc-root-cert.pem -@@ -0,0 +1,16 @@ -+-----BEGIN CERTIFICATE----- -+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS -+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD -+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj -+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0 -+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK -+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS -+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj -+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7 -+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI -+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT -+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl -+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW -+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS -+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8 -+-----END CERTIFICATE----- -diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh -new file mode 100755 -index 0000000000..7a8dbc719f ---- /dev/null -+++ b/test/recipes/25-test_eai_data/kdc.sh -@@ -0,0 +1,41 @@ -+#! /usr/bin/env bash -+ -+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and -+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS -+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should -+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox` -+# should likewise lead to ASAN issues with email name checks. 
-+ -+rm -f root-key.pem root-cert.pem -+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \ -+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem -+ -+exts=$( -+ printf "%s\n%s\n%s\n%s = " \ -+ "subjectKeyIdentifier = hash" \ -+ "authorityKeyIdentifier = keyid" \ -+ "basicConstraints = CA:false" \ -+ "subjectAltName" -+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name" -+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com" -+ printf "%s, " "email:joe@example.com" -+ printf "%s\n" "DNS:mx1.example.com" -+ printf "[kdc_princ_name]\n" -+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n" -+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n" -+ printf "[kdc_principal_seq]\n" -+ printf "name_type = EXP:0, INTEGER:1\n" -+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n" -+ printf "[kdc_principal_components]\n" -+ printf "princ1 = GeneralString:krbtgt\n" -+ printf "princ2 = GeneralString:TEST.EXAMPLE\n" -+ ) -+ -+printf "%s\n" "$exts" -+ -+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \ -+ -subj "/CN=TEST.EXAMPLE" | -+ openssl x509 -req -out kdc-cert.pem \ -+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \ -+ -set_serial 2 -days 36524 \ -+ -extfile <(printf "%s\n" "$exts") diff --git a/0140-CVE-2024-12797.patch b/0140-CVE-2024-12797.patch deleted file mode 100644 index 0f618e9..0000000 --- a/0140-CVE-2024-12797.patch +++ /dev/null 
@@ -1,238 +0,0 @@ -diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c -index 436b397346..df2eed7594 100644 ---- a/ssl/statem/statem_clnt.c -+++ b/ssl/statem/statem_clnt.c -@@ -1910,6 +1910,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, - { - size_t certidx; - const SSL_CERT_LOOKUP *clu; -+ int v_ok; - - if (sc->session->peer_rpk == NULL) { - SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, -@@ -1919,9 +1920,19 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, - - if (sc->rwstate == SSL_RETRY_VERIFY) - sc->rwstate = SSL_NOTHING; -- if (ssl_verify_rpk(sc, sc->session->peer_rpk) > 0 -- && sc->rwstate == SSL_RETRY_VERIFY) -+ -+ ERR_set_mark(); -+ v_ok = ssl_verify_rpk(sc, sc->session->peer_rpk); -+ if (v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE) { -+ ERR_clear_last_mark(); -+ SSLfatal(sc, ssl_x509err2alert(sc->verify_result), -+ SSL_R_CERTIFICATE_VERIFY_FAILED); -+ return WORK_ERROR; -+ } -+ ERR_pop_to_mark(); /* but we keep s->verify_result */ -+ if (v_ok > 0 && sc->rwstate == SSL_RETRY_VERIFY) { - return WORK_MORE_A; -+ } - - if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx, - SSL_CONNECTION_GET_CTX(sc))) == NULL) { -@@ -2071,10 +2082,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, - - if (s->rwstate == SSL_RETRY_VERIFY) - s->rwstate = SSL_NOTHING; -- i = ssl_verify_cert_chain(s, s->session->peer_chain); -- if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) { -- return WORK_MORE_A; -- } -+ - /* - * The documented interface is that SSL_VERIFY_PEER should be set in order - * for client side verification of the server certificate to take place. -@@ -2089,12 +2097,17 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, - * (less clean) historic behaviour of performing validation if any flag is - * set. The *documented* interface remains the same. 
- */ -- if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { -+ ERR_set_mark(); -+ i = ssl_verify_cert_chain(s, s->session->peer_chain); -+ if (i <= 0 && s->verify_mode != SSL_VERIFY_NONE) { -+ ERR_clear_last_mark(); - SSLfatal(s, ssl_x509err2alert(s->verify_result), - SSL_R_CERTIFICATE_VERIFY_FAILED); - return WORK_ERROR; - } -- ERR_clear_error(); /* but we keep s->verify_result */ -+ ERR_pop_to_mark(); /* but we keep s->verify_result */ -+ if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) -+ return WORK_MORE_A; - - /* - * Inconsistency alert: cert_chain does include the peer's certificate, -diff --git a/test/rpktest.c b/test/rpktest.c -index ac824798f1..624d366508 100644 ---- a/test/rpktest.c -+++ b/test/rpktest.c -@@ -89,12 +89,14 @@ static int rpk_verify_server_cb(int ok, X509_STORE_CTX *ctx) - * idx = 13 - resumption with client authentication - * idx = 14 - resumption with client authentication, no ticket - * idx = 15 - like 0, but use non-default libctx -+ * idx = 16 - like 7, but with SSL_VERIFY_PEER connection should fail -+ * idx = 17 - like 8, but with SSL_VERIFY_PEER connection should fail - * -- * 16 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests -+ * 18 * 2 * 4 * 2 * 2 * 2 * 2 = 2048 tests - */ - static int test_rpk(int idx) - { --# define RPK_TESTS 16 -+# define RPK_TESTS 18 - # define RPK_DIMS (2 * 4 * 2 * 2 * 2 * 2) - SSL_CTX *cctx = NULL, *sctx = NULL; - SSL *clientssl = NULL, *serverssl = NULL; -@@ -114,6 +116,7 @@ static int test_rpk(int idx) - int idx_cert, idx_prot; - int client_auth = 0; - int resumption = 0; -+ int want_error = SSL_ERROR_NONE; - long server_verify_result = 0; - long client_verify_result = 0; - OSSL_LIB_CTX *test_libctx = NULL; -@@ -188,7 +191,7 @@ static int test_rpk(int idx) - #ifdef OPENSSL_NO_ECDSA - /* Can't get other_key if it's ECDSA */ - if (other_pkey == NULL && idx_cert == 0 -- && (idx == 4 || idx == 6 || idx == 7)) { -+ && (idx == 4 || idx == 6 || idx == 7 || idx == 16)) { - testresult = TEST_skip("EDCSA disabled"); - goto end; - } 
-@@ -266,8 +269,10 @@ static int test_rpk(int idx) - goto end; - /* Only a private key */ - if (idx == 1) { -- if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) -+ if (idx_server_server_rpk == 0 || idx_client_server_rpk == 0) { - expected = 0; -+ want_error = SSL_ERROR_SSL; -+ } - } else { - /* Add certificate */ - if (!TEST_int_eq(SSL_use_certificate_file(serverssl, cert_file, SSL_FILETYPE_PEM), 1)) -@@ -333,12 +338,14 @@ static int test_rpk(int idx) - client_expected = -1; - if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey))) - goto end; -+ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb); - client_verify_result = X509_V_ERR_DANE_NO_MATCH; - break; - case 8: - if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) - client_expected = -1; - /* no peer keys */ -+ SSL_set_verify(clientssl, SSL_VERIFY_NONE, rpk_verify_client_cb); - client_verify_result = X509_V_ERR_RPK_UNTRUSTED; - break; - case 9: -@@ -370,9 +377,13 @@ static int test_rpk(int idx) - if (!TEST_int_eq(SSL_use_PrivateKey_file(clientssl, privkey_file, SSL_FILETYPE_PEM), 1)) - goto end; - /* Since there's no cert, this is expected to fail without RPK support */ -- if (!idx_server_client_rpk || !idx_client_client_rpk) -+ if (!idx_server_client_rpk || !idx_client_client_rpk) { - expected = 0; -- SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb); -+ want_error = SSL_ERROR_SSL; -+ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); -+ } else { -+ SSL_set_verify(serverssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, rpk_verify_server_cb); -+ } - client_auth = 1; - break; - case 11: -@@ -449,31 +460,52 @@ static int test_rpk(int idx) - if (!TEST_true(SSL_add_expected_rpk(clientssl, pkey))) - goto end; - break; -+ case 16: -+ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) { -+ /* wrong expected server key */ -+ expected = 0; -+ want_error = SSL_ERROR_SSL; -+ 
SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); -+ } -+ if (!TEST_true(SSL_add_expected_rpk(clientssl, other_pkey))) -+ goto end; -+ break; -+ case 17: -+ if (idx_server_server_rpk == 1 && idx_client_server_rpk == 1) { -+ /* no expected server keys */ -+ expected = 0; -+ want_error = SSL_ERROR_SSL; -+ SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); -+ } -+ break; - } - -- ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); -+ ret = create_ssl_connection(serverssl, clientssl, want_error); - if (!TEST_int_eq(expected, ret)) - goto end; - -+ if (expected <= 0) { -+ testresult = 1; -+ goto end; -+ } -+ - /* Make sure client gets RPK or certificate as configured */ -- if (expected == 1) { -- if (idx_server_server_rpk && idx_client_server_rpk) { -- if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result)) -- goto end; -- if (!TEST_ptr(SSL_get0_peer_rpk(clientssl))) -- goto end; -- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk)) -- goto end; -- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk)) -- goto end; -- } else { -- if (!TEST_ptr(SSL_get0_peer_certificate(clientssl))) -- goto end; -- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_x509)) -- goto end; -- if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509)) -- goto end; -- } -+ if (idx_server_server_rpk && idx_client_server_rpk) { -+ if (!TEST_long_eq(SSL_get_verify_result(clientssl), client_verify_result)) -+ goto end; -+ if (!TEST_ptr(SSL_get0_peer_rpk(clientssl))) -+ goto end; -+ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), TLSEXT_cert_type_rpk)) -+ goto end; -+ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_rpk)) -+ goto end; -+ } else { -+ if (!TEST_ptr(SSL_get0_peer_certificate(clientssl))) -+ goto end; -+ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(serverssl), 
TLSEXT_cert_type_x509)) -+ goto end; -+ if (!TEST_int_eq(SSL_get_negotiated_server_cert_type(clientssl), TLSEXT_cert_type_x509)) -+ goto end; - } - - if (idx == 9) { -@@ -500,8 +532,7 @@ static int test_rpk(int idx) - if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(clientssl), TLSEXT_cert_type_rpk)) - goto end; - } else { -- /* only if connection is expected to succeed */ -- if (expected == 1 && !TEST_ptr(SSL_get0_peer_certificate(serverssl))) -+ if (!TEST_ptr(SSL_get0_peer_certificate(serverssl))) - goto end; - if (!TEST_int_eq(SSL_get_negotiated_client_cert_type(serverssl), TLSEXT_cert_type_x509)) - goto end; -@@ -591,7 +622,7 @@ static int test_rpk(int idx) - } - - ret = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); -- if (!TEST_int_eq(expected, ret)) -+ if (!TEST_true(ret)) - goto end; - verify = SSL_get_verify_result(clientssl); - if (!TEST_int_eq(client_expected, verify)) diff --git a/Makefile.certificate b/Makefile.certificate deleted file mode 100644 index cc88c52..0000000 --- a/Makefile.certificate +++ /dev/null 
@@ -1,82 +0,0 @@ -UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8) -DAYS=365 -KEYLEN=2048 -TYPE=rsa:$(KEYLEN) -EXTRA_FLAGS= -ifdef SERIAL - EXTRA_FLAGS+=-set_serial $(SERIAL) -endif - -.PHONY: usage -.SUFFIXES: .key .csr .crt .pem -.PRECIOUS: %.key %.csr %.crt %.pem - -usage: - @echo "This makefile allows you to create:" - @echo " o public/private key pairs" - @echo " o SSL certificate signing requests (CSRs)" - @echo " o self-signed SSL test certificates" - @echo - @echo "To create a key pair, run \"make SOMETHING.key\"." - @echo "To create a CSR, run \"make SOMETHING.csr\"." - @echo "To create a test certificate, run \"make SOMETHING.crt\"." - @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"." - @echo - @echo "To create a key for use with Apache, run \"make genkey\"." - @echo "To create a CSR for use with Apache, run \"make certreq\"." - @echo "To create a test certificate for use with Apache, run \"make testcert\"." - @echo - @echo "To create a test certificate with serial number other than random, add SERIAL=num" - @echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n" - @echo "Any additional options can be passed to openssl req via EXTRA_FLAGS" - @echo - @echo Examples: - @echo " make server.key" - @echo " make server.csr" - @echo " make server.crt" - @echo " make stunnel.pem" - @echo " make genkey" - @echo " make certreq" - @echo " make testcert" - @echo " make server.crt SERIAL=1" - @echo " make stunnel.pem EXTRA_FLAGS=-sha384" - @echo " make testcert DAYS=600" - -%.pem: - umask 77 ; \ - PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ - PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ - /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \ - cat $$PEM1 > $@ ; \ - echo "" >> $@ ; \ - cat $$PEM2 >> $@ ; \ - $(RM) $$PEM1 $$PEM2 - -%.key: - umask 77 ; \ - /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@ - -%.csr: 
%.key - umask 77 ; \ - /usr/bin/openssl req $(UTF8) -new -key $^ -out $@ - -%.crt: %.key - umask 77 ; \ - /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS) - -TLSROOT=/etc/pki/tls -KEY=$(TLSROOT)/private/localhost.key -CSR=$(TLSROOT)/certs/localhost.csr -CRT=$(TLSROOT)/certs/localhost.crt - -genkey: $(KEY) -certreq: $(CSR) -testcert: $(CRT) - -$(CSR): $(KEY) - umask 77 ; \ - /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR) - -$(CRT): $(KEY) - umask 77 ; \ - /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS) diff --git a/fips-hmacify.sh b/fips-hmacify.sh new file mode 100755 index 0000000..bee0e65 --- /dev/null +++ b/fips-hmacify.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +dd if=/dev/zero bs=1 count=32 of=tmp.mac >/dev/null 2>&1 +objcopy --update-section .rodata1=tmp.mac $1 $1.zeromac +mv $1.zeromac $1 +LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $1 > $1.hmac +objcopy --update-section .rodata1=$1.hmac $1 $1.mac +rm $1.hmac +mv $1.mac $1 diff --git a/openssl.spec b/openssl.spec index 9497dce..c5640ad 100644 --- a/openssl.spec +++ b/openssl.spec 
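Review bot: The new fips-hmacify.sh has no error handling and no quoting: if `objcopy` fails the following `mv $1.zeromac $1` and the `dgst` step still run, and an unquoted `$1` breaks on any path with whitespace, so a failed step can leave the module partially rewritten with a stale HMAC without failing the build. It also leaves `tmp.mac` behind in the working directory and never checks that an argument was given. The rewrite below keeps the same `objcopy`/`dgst` sequence and the same key, but fails fast on any error, quotes the path, and cleans its temporaries. The fixed hex key is the same public value the spec previously carried inline; a comment noting that it provides integrity checking rather than secrecy would stop a later reader from treating it as a credential.
```shell
#!/bin/bash
# Embed the FIPS module integrity HMAC into the .rodata1 section of the
# shared object given as $1.  The HMAC key is a fixed, public value: the
# check detects modification of the module, it does not keep anything secret.
set -euo pipefail
[ $# -eq 1 ] || { echo "usage: $0 <fips.so>" >&2; exit 1; }
mod=$1
zero_mac=$(mktemp)
new_mac=$(mktemp)
trap 'rm -f "$zero_mac" "$new_mac"' EXIT
dd if=/dev/zero bs=1 count=32 of="$zero_mac" status=none
# Zero the section first so the HMAC is computed over a known placeholder.
objcopy --update-section .rodata1="$zero_mac" "$mod" "$mod.zeromac"
mv "$mod.zeromac" "$mod"
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC \
    -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 \
    < "$mod" > "$new_mac"
objcopy --update-section .rodata1="$new_mac" "$mod" "$mod.mac"
mv "$mod.mac" "$mod"
```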
@@ -28,152 +28,69 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.2.2 -Release: 7%{?dist} +Version: 3.5.0 +Release: 1%{?dist} Epoch: 1 -# We have to remove certain patented algorithms from the openssl source -# tarball with the hobble-openssl script which is included below. -# The original openssl upstream tarball cannot be shipped in the .src.rpm. -Source: openssl-%{version}.tar.gz -Source2: Makefile.certificate +Source0: openssl-%{version}.tar.gz +Source1: fips-hmacify.sh Source3: genpatches Source6: make-dummy-cert Source7: renew-dummy-cert Source9: configuration-switch.h Source10: configuration-prefix.h -Source14: 0025-for-tests.patch -# Patches exported from source git -# Aarch64 and ppc64le use lib64 -Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch -# Use more general default values in openssl.cnf -Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch -# Do not install html docs -Patch3: 0003-Do-not-install-html-docs.patch -# Override default paths for the CA directory tree -Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch -# apps/ca: fix md option help text -Patch5: 0005-apps-ca-fix-md-option-help-text.patch -# Disable signature verification with totally unsafe hash algorithms -Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch -# Add support for PROFILE=SYSTEM system default cipherlist -Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch -# Add FIPS_mode() compatibility macro -Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch -# Add check to see if fips flag is enabled in kernel -Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch -# Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so -# that new modifications made to these files by upstream are not lost. 
-Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch -# remove unsupported EC curves -Patch11: 0011-Remove-EC-curves.patch -# Disable explicit EC curves -# https://bugzilla.redhat.com/show_bug.cgi?id=2066412 -Patch12: 0012-Disable-explicit-ec.patch -#Skipped tests from former 0011-Remove-EC-curves.patch -Patch13: 0013-skipped-tests-EC-curves.patch -# Instructions to load legacy provider in openssl.cnf -Patch24: 0024-load-legacy-prov.patch -# We load FIPS provider and set FIPS properties implicitly -Patch32: 0032-Force-fips.patch -# Embed HMAC into the fips.so -Patch33: 0033-FIPS-embed-hmac.patch -# Comment out fipsinstall command-line utility -Patch34: 0034.fipsinstall_disable.patch -# Skip unavailable algorithms running `openssl speed` -Patch35: 0035-speed-skip-unavailable-dgst.patch -# Extra public/private key checks required by FIPS-140-3 -Patch44: 0044-FIPS-140-3-keychecks.patch -# Minimize fips services -Patch45: 0045-FIPS-services-minimize.patch -# Execute KATS before HMAC verification -Patch47: 0047-FIPS-early-KATS.patch -# Selectively disallow SHA1 signatures -Patch49: 0049-Selectively-disallow-SHA1-signatures.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2049265 -Patch50: 0050-FIPS-enable-pkcs12-mac.patch -# Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes -Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch -# Originally from https://github.com/openssl/openssl/pull/18103 -# As we rebased to 3.0.7 and used the version of the function -# not matching the upstream one, we have to use aliasing. 
-# When we eliminate this patch, the `-Wl,--allow-multiple-definition` -# should also be removed -Patch56: 0056-strcasecmp.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2053289 -Patch58: 0058-FIPS-limit-rsa-encrypt.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2087147 -Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch -Patch62: 0062-fips-Expose-a-FIPS-indicator.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 -Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 -Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 -Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch -# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM) -# https://bugzilla.redhat.com/show_bug.cgi?id=2102541 -Patch76: 0076-FIPS-140-3-DRBG.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2102542 -Patch77: 0077-FIPS-140-3-zeroization.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2114772 -# https://bugzilla.redhat.com/show_bug.cgi?id=2141695 -# https://bugzilla.redhat.com/show_bug.cgi?id=2160733 -# https://bugzilla.redhat.com/show_bug.cgi?id=2164763 -Patch78: 0078-KDF-Add-FIPS-indicators.patch -#https://bugzilla.redhat.com/show_bug.cgi?id=2141748 -Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2142131 -Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2136250 -Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2137557 -Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch -#https://bugzilla.redhat.com/show_bug.cgi?id=2142121 -Patch85: 0085-FIPS-RSA-disable-shake.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2142087 -Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch -# 
https://bugzilla.redhat.com/show_bug.cgi?id=2144561 -Patch91: 0091-FIPS-RSA-encapsulate.patch -# FIPS-95 -Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch +Patch0001: 0001-RH-Aarch64-and-ppc64le-use-lib64.patch +Patch0002: 0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch +Patch0003: 0003-RH-Do-not-install-html-docs.patch +Patch0004: 0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch +Patch0005: 0005-RH-Disable-signature-verification-with-bad-digests-R.patch +Patch0006: 0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch +Patch0007: 0007-RH-Add-FIPS_mode-compatibility-macro.patch +Patch0008: 0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch +Patch0009: 0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch +Patch0010: 0010-RH-Disable-explicit-ec-curves.patch +Patch0011: 0011-RH-skipped-tests-EC-curves.patch +Patch0012: 0012-RH-skip-quic-pairwise.patch +Patch0013: 0013-RH-version-aliasing.patch +Patch0014: 0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch +Patch0015: 0015-RH-TMP-KTLS-test-skip.patch +Patch0016: 0016-RH-Allow-disabling-of-SHA1-signatures.patch +Patch0017: 0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch +Patch0018: 0018-FIPS-disable-fipsinstall.patch +Patch0019: 0019-FIPS-Force-fips-provider-on.patch +Patch0020: 0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch +Patch0021: 0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch +Patch0022: 0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch +Patch0023: 0023-FIPS-RSA-encrypt-limits-REVIEW.patch +Patch0024: 0024-FIPS-RSA-PCTs.patch +Patch0025: 0025-FIPS-RSA-encapsulate-limits.patch +Patch0026: 0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch +Patch0027: 0027-FIPS-RSA-size-mode-restrictions.patch +Patch0028: 0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch +Patch0029: 0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch +Patch0030: 0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch 
+Patch0031: 0031-FIPS-Deny-SHA-1-signature-verification.patch +Patch0032: 0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch +Patch0033: 0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch +Patch0034: 0034-FIPS-PBKDF2-Set-minimum-password-length.patch +Patch0035: 0035-FIPS-DH-PCT.patch +Patch0036: 0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch +Patch0037: 0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch +Patch0038: 0038-FIPS-CMS-Set-default-padding-to-OAEP.patch +Patch0039: 0039-FIPS-PKCS12-PBMAC1-defaults.patch +Patch0040: 0040-FIPS-Fix-encoder-decoder-negative-test.patch +Patch0041: 0041-FIPS-EC-DH-DSA-PCTs.patch +Patch0042: 0042-FIPS-EC-disable-weak-curves.patch +Patch0043: 0043-FIPS-NO-DSA-Support.patch +Patch0044: 0044-FIPS-NO-DES-support.patch +Patch0045: 0045-FIPS-NO-Kmac.patch +Patch0046: 0046-FIPS-NO-PQ-ML-SLH-DSA.patch +Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch +Patch0048: 0048-Current-Rebase-status.patch +Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch +Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2168289 -Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch -Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2179331 -Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2157951 -Patch114: 0114-FIPS-enforce-EMS-support.patch -# skip quic and pairwise tests temporarily -Patch115: 0115-skip-quic-pairwise.patch -# Add version aliasing due to -# https://github.com/openssl/openssl/issues/23534 -Patch116: 0116-version-aliasing.patch -# https://github.com/openssl/openssl/issues/23050 -Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch - -# https://bugzilla.redhat.com/show_bug.cgi?id=2160797 -Patch121: 0121-FIPS-cms-defaults.patch -# KTLS regression, temporary skip tests -Patch122: 0122-TMP-KTLS-test-skip.patch -# HKDF 
regression with older provider implementations -Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch -# https://github.com/openssl/openssl/pull/24717 -Patch124: 0124-Fix-SSL_select_next_proto.patch -Patch125: 0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch -Patch126: 0126-Use-correctly-formatted-ALPN-data-in-tserver.patch -Patch127: 0127-Clarify-the-SSL_select_next_proto-documentation.patch -Patch128: 0128-Add-a-test-for-SSL_select_next_proto.patch -Patch129: 0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch -Patch130: 0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch -Patch131: 0131-Add-ALPN-validation-in-the-client.patch -Patch132: 0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch -Patch133: 0133-Add-a-test-for-an-empty-NextProto-message.patch -Patch136: 0136-CVE-2024-6119.patch -Patch140: 0140-CVE-2024-12797.patch - -License: ASL 2.0 +License: Apache-2.0 URL: http://www.openssl.org/ BuildRequires: gcc g++ BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp @@ -183,7 +100,7 @@ BuildRequires: /usr/bin/pod2man BuildRequires: /usr/sbin/sysctl BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt) BuildRequires: perl(Module::Load::Conditional), perl(File::Temp) -BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA) +BuildRequires: perl(Time::HiRes), perl(Time::Piece), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA) BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint) BuildRequires: git-core Requires: coreutils 
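Review bot: The rewritten `Patch0001`–`Patch0050` block drops every explanatory comment and tracking-bug reference that the old list carried, so a reader can no longer tell which patches are downstream-only, which are temporary, or why each exists. Several new file names also carry working labels (`-DROP`, `-NEEDS-REWORK`, `-NEEDS-REVIEW`, `0048-Current-Rebase-status.patch`), which suggests the set is still in flux; a one-line comment above each such entry stating whether it is intentionally applied in this build would make the intent auditable. The removed entries include the CVE-2024-6119 and CVE-2024-12797 backports; if those fixes are contained in the 3.5.0 tarball, saying so in a comment or in the changelog lets an auditor confirm the rebase did not regress them. Something like `# Downstream-only; tracked in RHEL-<ticket id>` above each Red Hat patch would follow the style of the list being replaced.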
@@ -306,12 +223,13 @@ export HASHBANGPERL=/usr/bin/perl # RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ - --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ + --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ - enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\ - no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\ - shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\ - -Wl,--allow-multiple-definition -D_GNU_SOURCE + enable-cms enable-md2 enable-rc5 enable-ktls enable-fips -D_GNU_SOURCE\ + no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\ + shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' -DOPENSSL_PEDANTIC_ZEROIZATION\ + -DREDHAT_FIPS_VENDOR='"\"Red Hat Enterprise Linux OpenSSL FIPS Provider\""' -DREDHAT_FIPS_VERSION='"\"%{fips}\""'\ + -Wl,--allow-multiple-definition # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update @@ -333,10 +251,6 @@ done touch -r configdata.pm configdata.pm.new && \ mv -f configdata.pm.new configdata.pm) -# We must revert patch4 before tests otherwise they will fail -patch -p1 -R < %{PATCH4} -#We must disable default provider before tests otherwise they will fail -patch -p1 < %{SOURCE14} OPENSSL_ENABLE_MD5_VERIFY= export OPENSSL_ENABLE_MD5_VERIFY 
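Review bot: `-Wl,--allow-multiple-definition` survives in the new Configure line without the rationale that used to accompany it; the removed patch-list comment tied it to 0056-strcasecmp.patch and said it should go when that patch is dropped, and this commit replaces that patch with 0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch. A comment on the line, e.g. `# needed by 0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch; drop together with it`, keeps that condition visible, and it is worth confirming the flag is still required at all, since it also masks genuine duplicate-symbol errors. The new `no-atexit` and `-DOPENSSL_PEDANTIC_ZEROIZATION` switches change runtime behaviour rather than build layout and would likewise benefit from a one-line reason each.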
@@ -345,9 +259,7 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE #embed HMAC into fips provider for test run -LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac -objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac -mv providers/fips.so.mac providers/fips.so +%{SOURCE1} providers/fips.so #run tests itself make test HARNESS_JOBS=8 @@ -366,10 +278,7 @@ make test HARNESS_JOBS=8 %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ - objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \ - mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ - rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ + %{SOURCE1} $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \ %{nil} %endif @@ -386,6 +295,7 @@ for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}` ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion} done +mv rh-openssl.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf # Remove static libraries for lib in $RPM_BUILD_ROOT%{_libdir}/*.a ; do 
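Review bot: `%{SOURCE1} providers/fips.so` (and the matching line in the `@@ -366` hunk) executes the helper script directly, which depends on the file keeping its 0755 mode once it is placed in the SOURCES directory; invoking it as `bash %{SOURCE1} providers/fips.so` removes that dependency. The `@@ -366` line also writes `$RPM_BUILD_ROOT/%{_libdir}`, producing a doubled slash, while the rest of the spec uses `$RPM_BUILD_ROOT%{_libdir}`; harmless, but inconsistent. Unlike the inline commands it replaces, the script zeroes `.rodata1` before computing the HMAC, so the embedded value now covers a zeroed section rather than whatever the section held at build time; if that is what the provider's self-check expects it is fine, but a comment at the call site saying so, e.g. `# script zeroes .rodata1 before hashing; must match the verification in the FIPS provider`, would save the next reader from re-deriving it.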
@@ -396,7 +306,6 @@ done # for generating them on the fly. mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.d -install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert @@ -417,8 +326,8 @@ mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts # Ensure the config file timestamps are identical across builds to avoid # mulitlib conflicts and unnecessary renames on upgrade -touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf -touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf +touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf +touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist @@ -467,7 +376,6 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %{_mandir}/man1/* %{_mandir}/man5/* %{_mandir}/man7/* -%{_pkgdocdir}/Makefile.certificate %exclude %{_mandir}/man1/*.pl* %exclude %{_mandir}/man1/tsget* @@ -495,6 +403,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %{_libdir}/*.so %{_mandir}/man3/* %{_libdir}/pkgconfig/*.pc +%{_libdir}/cmake/OpenSSL/OpenSSLConfig.cmake +%{_libdir}/cmake/OpenSSL/OpenSSLConfigVersion.cmake %files perl %{_bindir}/c_rehash 
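Review bot: `mv rh-openssl.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf` in the `@@ -386` hunk silently replaces the openssl.cnf that `make install` just put in place and carries whatever mode bits the file has in the build tree, so the packaged config's permissions are not pinned. `install -m644 rh-openssl.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf` sets the mode explicitly and reads as a deliberate override; a comment naming where rh-openssl.cnf comes from (it appears to be introduced by 0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch) would explain the extra file. The surrounding symlink loop and the rest of %install continue outside the hunk.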
@@ -511,6 +421,14 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Wed Apr 16 2025 Dmitry Belyavskiy - 1:3.5.0-1 +- Rebasing OpenSSL to 3.5 + Resolves: RHEL-80854 + Resolves: RHEL-50208 + Resolves: RHEL-50210 + Resolves: RHEL-50211 + Resolves: RHEL-85954 + * Wed Jan 29 2025 Dmitry Belyavskiy - 1:3.2.2-7 - RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797) Resolves: RHEL-76756 diff --git a/sources b/sources index 6d3dc96..423bcc8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.2.2.tar.gz) = ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d +SHA512 (openssl-3.5.0.tar.gz) = 39cc80e2843a2ee30f3f5de25cd9d0f759ad8de71b0b39f5a679afaaa74f4eb58d285ae50e29e4a27b139b49343ac91d1f05478f96fb0c6b150f16d7b634676f
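Review bot: The two new `%{_libdir}/cmake/OpenSSL/*.cmake` entries in the `@@ -495` hunk leave the `%{_libdir}/cmake/OpenSSL` directory itself unowned, unless something outside this hunk claims it. Add `%dir %{_libdir}/cmake/OpenSSL` next to them, or list the directory as `%{_libdir}/cmake/OpenSSL/` so the package owns it together with any further files upstream installs there; the explicit per-file list is fine if the intent is to fail the build on unexpected new files, but that intent deserves a comment.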