Fix reading SPKAC data from stdin
Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448 Return 0 after cleanup in OPENSSL_init_crypto() Cleanup the peer point formats on regotiation Fix default digest to SHA256 Resolves: rhbz#1958045, rhbz#1952850, rhbz#1961687 Related: rhbz#1958033 Signed-off-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
parent
5fa0564b3a
commit
e863fff325
28
0012-Fix-SPKAC-data-from-stdin.patch
Normal file
28
0012-Fix-SPKAC-data-from-stdin.patch
Normal file
@ -0,0 +1,28 @@
|
||||
diff -up openssl-3.0.0-alpha16/apps/lib/apps.c.spkac openssl-3.0.0-alpha16/apps/lib/apps.c
|
||||
--- openssl-3.0.0-alpha16/apps/lib/apps.c.spkac 2021-06-04 09:28:48.162316896 +0200
|
||||
+++ openssl-3.0.0-alpha16/apps/lib/apps.c 2021-06-04 09:32:53.911795489 +0200
|
||||
@@ -403,14 +403,18 @@ CONF *app_load_config_verbose(const char
|
||||
|
||||
CONF *app_load_config_internal(const char *filename, int quiet)
|
||||
{
|
||||
- BIO *in = NULL; /* leads to empty config in case filename == "" */
|
||||
+ BIO *in;
|
||||
CONF *conf;
|
||||
|
||||
- if (*filename != '\0'
|
||||
- && (in = bio_open_default_(filename, 'r', FORMAT_TEXT, quiet)) == NULL)
|
||||
- return NULL;
|
||||
- conf = app_load_config_bio(in, filename);
|
||||
- BIO_free(in);
|
||||
+ if (filename == NULL || *filename != '\0') {
|
||||
+ if ((in = bio_open_default_(filename, 'r', FORMAT_TEXT, quiet)) == NULL)
|
||||
+ return NULL;
|
||||
+ conf = app_load_config_bio(in, filename);
|
||||
+ BIO_free(in);
|
||||
+ } else {
|
||||
+ /* Return empty config if filename is empty string. */
|
||||
+ conf = NCONF_new_ex(app_libctx, NULL);
|
||||
+ }
|
||||
return conf;
|
||||
}
|
||||
|
41
0013-Fix-incorrect-OSSL_PKEY_PARAM_MAX_SIZE.patch
Normal file
41
0013-Fix-incorrect-OSSL_PKEY_PARAM_MAX_SIZE.patch
Normal file
@ -0,0 +1,41 @@
|
||||
diff -up openssl-3.0.0-alpha16/providers/implementations/keymgmt/ecx_kmgmt.c.edsize openssl-3.0.0-alpha16/providers/implementations/keymgmt/ecx_kmgmt.c
|
||||
--- openssl-3.0.0-alpha16/providers/implementations/keymgmt/ecx_kmgmt.c.edsize 2021-06-04 09:51:12.567348198 +0200
|
||||
+++ openssl-3.0.0-alpha16/providers/implementations/keymgmt/ecx_kmgmt.c 2021-06-04 09:52:55.650321215 +0200
|
||||
@@ -309,14 +309,14 @@ static int x448_get_params(void *key, OS
|
||||
static int ed25519_get_params(void *key, OSSL_PARAM params[])
|
||||
{
|
||||
return ecx_get_params(key, params, ED25519_BITS, ED25519_SECURITY_BITS,
|
||||
- ED25519_KEYLEN)
|
||||
+ ED25519_SIGSIZE)
|
||||
&& ed_get_params(key, params);
|
||||
}
|
||||
|
||||
static int ed448_get_params(void *key, OSSL_PARAM params[])
|
||||
{
|
||||
return ecx_get_params(key, params, ED448_BITS, ED448_SECURITY_BITS,
|
||||
- ED448_KEYLEN)
|
||||
+ ED448_SIGSIZE)
|
||||
&& ed_get_params(key, params);
|
||||
}
|
||||
|
||||
diff -up openssl-3.0.0-alpha16/test/evp_pkey_provided_test.c.edsize openssl-3.0.0-alpha16/test/evp_pkey_provided_test.c
|
||||
--- openssl-3.0.0-alpha16/test/evp_pkey_provided_test.c.edsize 2021-06-04 09:51:24.540461209 +0200
|
||||
+++ openssl-3.0.0-alpha16/test/evp_pkey_provided_test.c 2021-06-04 09:54:26.531182412 +0200
|
||||
@@ -979,7 +979,7 @@ static int test_fromdata_ecx(int tst)
|
||||
fromdata_params = ed25519_fromdata_params;
|
||||
bits = ED25519_BITS;
|
||||
security_bits = ED25519_SECURITY_BITS;
|
||||
- size = ED25519_KEYLEN;
|
||||
+ size = ED25519_SIGSIZE;
|
||||
alg = "ED25519";
|
||||
break;
|
||||
|
||||
@@ -987,7 +987,7 @@ static int test_fromdata_ecx(int tst)
|
||||
fromdata_params = ed448_fromdata_params;
|
||||
bits = ED448_BITS;
|
||||
security_bits = ED448_SECURITY_BITS;
|
||||
- size = ED448_KEYLEN;
|
||||
+ size = ED448_SIGSIZE;
|
||||
alg = "ED448";
|
||||
break;
|
||||
default:
|
34
0014-Return0-OPENSSL-init-crypto-cleanup.patch
Normal file
34
0014-Return0-OPENSSL-init-crypto-cleanup.patch
Normal file
@ -0,0 +1,34 @@
|
||||
diff -up openssl-3.0.0-alpha16/crypto/init.c.softhsm openssl-3.0.0-alpha16/crypto/init.c
|
||||
--- openssl-3.0.0-alpha16/crypto/init.c.softhsm 2021-06-04 09:40:22.637748149 +0200
|
||||
+++ openssl-3.0.0-alpha16/crypto/init.c 2021-06-04 09:44:09.695867437 +0200
|
||||
@@ -454,6 +454,13 @@ int OPENSSL_init_crypto(uint64_t opts, c
|
||||
uint64_t tmp;
|
||||
int aloaddone = 0;
|
||||
|
||||
+ /* Applications depend on 0 being returned when cleanup was already done */
|
||||
+ if (stopped) {
|
||||
+ if (!(opts & OPENSSL_INIT_BASE_ONLY))
|
||||
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INIT_FAIL);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* We ignore failures from this function. It is probably because we are
|
||||
* on a platform that doesn't support lockless atomic loads (we may not
|
||||
@@ -476,15 +483,7 @@ int OPENSSL_init_crypto(uint64_t opts, c
|
||||
/*
|
||||
* At some point we should look at this function with a view to moving
|
||||
* most/all of this into OSSL_LIB_CTX.
|
||||
- */
|
||||
-
|
||||
- if (stopped) {
|
||||
- if (!(opts & OPENSSL_INIT_BASE_ONLY))
|
||||
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INIT_FAIL);
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
+ *
|
||||
* When the caller specifies OPENSSL_INIT_BASE_ONLY, that should be the
|
||||
* *only* option specified. With that option we return immediately after
|
||||
* doing the requested limited initialization. Note that
|
36
0015-Cleanup-peer-point-formats-regotiation.patch
Normal file
36
0015-Cleanup-peer-point-formats-regotiation.patch
Normal file
@ -0,0 +1,36 @@
|
||||
diff -up openssl-3.0.0-alpha16/ssl/statem/extensions.c.reneg openssl-3.0.0-alpha16/ssl/statem/extensions.c
|
||||
--- openssl-3.0.0-alpha16/ssl/statem/extensions.c.reneg 2021-06-04 10:03:01.313023512 +0200
|
||||
+++ openssl-3.0.0-alpha16/ssl/statem/extensions.c 2021-06-04 10:05:43.019538516 +0200
|
||||
@@ -45,6 +45,7 @@ static int tls_parse_certificate_authori
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
static int init_srp(SSL *s, unsigned int context);
|
||||
#endif
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
||||
static int init_etm(SSL *s, unsigned int context);
|
||||
static int init_ems(SSL *s, unsigned int context);
|
||||
static int final_ems(SSL *s, unsigned int context, int sent);
|
||||
@@ -158,7 +159,7 @@ static const EXTENSION_DEFINITION ext_de
|
||||
TLSEXT_TYPE_ec_point_formats,
|
||||
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
|
||||
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
|
||||
- NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||
+ init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
||||
final_ec_pt_formats
|
||||
},
|
||||
@@ -1144,6 +1145,15 @@ static int init_srp(SSL *s, unsigned int
|
||||
}
|
||||
#endif
|
||||
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
||||
+{
|
||||
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
||||
+ s->ext.peer_ecpointformats = NULL;
|
||||
+ s->ext.peer_ecpointformats_len = 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static int init_etm(SSL *s, unsigned int context)
|
||||
{
|
||||
s->ext.use_etm = 0;
|
45
0016-Fix-default-digest-SHA256.patch
Normal file
45
0016-Fix-default-digest-SHA256.patch
Normal file
@ -0,0 +1,45 @@
|
||||
diff -up openssl-3.0.0-alpha16/apps/dgst.c.digest openssl-3.0.0-alpha16/apps/dgst.c
|
||||
--- openssl-3.0.0-alpha16/apps/dgst.c.digest 2021-06-04 10:21:03.153697643 +0200
|
||||
+++ openssl-3.0.0-alpha16/apps/dgst.c 2021-06-04 10:22:26.737489944 +0200
|
||||
@@ -330,6 +330,8 @@ int dgst_main(int argc, char **argv)
|
||||
}
|
||||
|
||||
if (hmac_key != NULL) {
|
||||
+ if (md == NULL)
|
||||
+ md = (EVP_MD *)EVP_sha256();
|
||||
sigkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, impl,
|
||||
(unsigned char *)hmac_key,
|
||||
strlen(hmac_key));
|
||||
diff -up openssl-3.0.0-alpha16/test/recipes/20-test_dgst.t.digest openssl-3.0.0-alpha16/test/recipes/20-test_dgst.t
|
||||
--- openssl-3.0.0-alpha16/test/recipes/20-test_dgst.t.digest 2021-06-04 10:21:18.871846631 +0200
|
||||
+++ openssl-3.0.0-alpha16/test/recipes/20-test_dgst.t 2021-06-04 10:23:56.862344245 +0200
|
||||
@@ -17,7 +17,7 @@ use OpenSSL::Test::Utils;
|
||||
|
||||
setup("test_dgst");
|
||||
|
||||
-plan tests => 7;
|
||||
+plan tests => 8;
|
||||
|
||||
sub tsignverify {
|
||||
my $testtext = shift;
|
||||
@@ -115,6 +115,20 @@ subtest "HMAC generation with `dgst` CLI
|
||||
ok($hmacdata[0] =~ $expected, "HMAC: Check HMAC value is as expected ($hmacdata[0]) vs ($expected)");
|
||||
ok($hmacdata[1] =~ $expected,
|
||||
"HMAC: Check second HMAC value is consistent with the first ($hmacdata[1]) vs ($expected)");
|
||||
+};
|
||||
+
|
||||
+subtest "HMAC generation with `dgst` CLI, default digest" => sub {
|
||||
+ plan tests => 2;
|
||||
+
|
||||
+ my $testdata = srctop_file('test', 'data.bin');
|
||||
+ #HMAC the data twice to check consistency
|
||||
+ my @hmacdata = run(app(['openssl', 'dgst', '-hmac', '123456',
|
||||
+ $testdata, $testdata]), capture => 1);
|
||||
+ chomp(@hmacdata);
|
||||
+ my $expected = qr/HMAC-SHA256\(\Q$testdata\E\)= 6f12484129c4a761747f13d8234a1ff0e074adb34e9e9bf3a155c391b97b9a7c/;
|
||||
+ ok($hmacdata[0] =~ $expected, "HMAC: Check HMAC value is as expected ($hmacdata[0]) vs ($expected)");
|
||||
+ ok($hmacdata[1] =~ $expected,
|
||||
+ "HMAC: Check second HMAC value is consistent with the first ($hmacdata[1]) vs ($expected)");
|
||||
};
|
||||
|
||||
subtest "Custom length XOF digest generation with `dgst` CLI" => sub {
|
19
openssl.spec
19
openssl.spec
@ -15,7 +15,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.0
|
||||
Release: 0.alpha16.2%{?dist}
|
||||
Release: 0.alpha16.3%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -54,6 +54,16 @@ Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
Patch10: 0010-Avoid-sending-alert-after-shutdown.patch
|
||||
# remove unsupported EC curves
|
||||
Patch11: 0011-Remove-EC-curves.patch
|
||||
# Fix reading SPKAC data from stdin
|
||||
Patch12: 0012-Fix-SPKAC-data-from-stdin.patch
|
||||
# Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
|
||||
Patch13: 0013-Fix-incorrect-OSSL_PKEY_PARAM_MAX_SIZE.patch
|
||||
# Return 0 after cleanup in OPENSSL_init_crypto()
|
||||
Patch14: 0014-Return0-OPENSSL-init-crypto-cleanup.patch
|
||||
# Cleanup the peer point formats on regotiation
|
||||
Patch15: 0015-Cleanup-peer-point-formats-regotiation.patch
|
||||
# Fix default digest to SHA256
|
||||
Patch16: 0016-Fix-default-digest-SHA256.patch
|
||||
|
||||
License: ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -373,6 +383,13 @@ export LD_LIBRARY_PATH
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Fri Jun 04 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.3
|
||||
- Fix reading SPKAC data from stdin
|
||||
- Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
|
||||
- Return 0 after cleanup in OPENSSL_init_crypto()
|
||||
- Cleanup the peer point formats on regotiation
|
||||
- Fix default digest to SHA256
|
||||
|
||||
* Thu May 27 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.2
|
||||
- Enable FIPS via config options
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user