Compare commits
No commits in common. "c8" and "a10s" have entirely different histories.
1
.fmf/version
Normal file
1
.fmf/version
Normal file
@ -0,0 +1 @@
|
||||
1
|
65
.gitignore
vendored
65
.gitignore
vendored
@ -1 +1,64 @@
|
||||
SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
||||
.build*.log
|
||||
clog
|
||||
*.src.rpm
|
||||
openssl-1.0.0a-usa.tar.bz2
|
||||
/openssl-1.0.0b-usa.tar.bz2
|
||||
/openssl-1.0.0c-usa.tar.bz2
|
||||
/openssl-1.0.0d-usa.tar.bz2
|
||||
/openssl-1.0.0e-usa.tar.bz2
|
||||
/openssl-1.0.0f-usa.tar.bz2
|
||||
/openssl-1.0.0g-usa.tar.xz
|
||||
/openssl-1.0.1-beta2-usa.tar.xz
|
||||
/openssl-1.0.1-beta3-usa.tar.xz
|
||||
/openssl-1.0.1-usa.tar.xz
|
||||
/openssl-1.0.1a-usa.tar.xz
|
||||
/openssl-1.0.1b-usa.tar.xz
|
||||
/openssl-1.0.1c-usa.tar.xz
|
||||
/openssl-1.0.1e-usa.tar.xz
|
||||
/openssl-1.0.1e-hobbled.tar.xz
|
||||
/openssl-1.0.1g-hobbled.tar.xz
|
||||
/openssl-1.0.1h-hobbled.tar.xz
|
||||
/openssl-1.0.1i-hobbled.tar.xz
|
||||
/openssl-1.0.1j-hobbled.tar.xz
|
||||
/openssl-1.0.1k-hobbled.tar.xz
|
||||
/openssl-1.0.2a-hobbled.tar.xz
|
||||
/openssl-1.0.2c-hobbled.tar.xz
|
||||
/openssl-1.0.2d-hobbled.tar.xz
|
||||
/openssl-1.0.2e-hobbled.tar.xz
|
||||
/openssl-1.0.2f-hobbled.tar.xz
|
||||
/openssl-1.0.2g-hobbled.tar.xz
|
||||
/openssl-1.0.2h-hobbled.tar.xz
|
||||
/openssl-1.0.2i-hobbled.tar.xz
|
||||
/openssl-1.0.2j-hobbled.tar.xz
|
||||
/openssl-1.1.0b-hobbled.tar.xz
|
||||
/openssl-1.1.0c-hobbled.tar.xz
|
||||
/openssl-1.1.0d-hobbled.tar.xz
|
||||
/openssl-1.1.0e-hobbled.tar.xz
|
||||
/openssl-1.1.0f-hobbled.tar.xz
|
||||
/openssl-1.1.0g-hobbled.tar.xz
|
||||
/openssl-1.1.0h-hobbled.tar.xz
|
||||
/openssl-1.1.1-pre8-hobbled.tar.xz
|
||||
/openssl-1.1.1-pre9-hobbled.tar.xz
|
||||
/openssl-1.1.1-hobbled.tar.xz
|
||||
/openssl-1.1.1a-hobbled.tar.xz
|
||||
/openssl-1.1.1b-hobbled.tar.xz
|
||||
/openssl-1.1.1c-hobbled.tar.xz
|
||||
/openssl-1.1.1d-hobbled.tar.xz
|
||||
/openssl-1.1.1e-hobbled.tar.xz
|
||||
/openssl-1.1.1f-hobbled.tar.xz
|
||||
/openssl-1.1.1g-hobbled.tar.xz
|
||||
/openssl-1.1.1h-hobbled.tar.xz
|
||||
/openssl-1.1.1i-hobbled.tar.xz
|
||||
/openssl-1.1.1j-hobbled.tar.xz
|
||||
/openssl-1.1.1k-hobbled.tar.xz
|
||||
/openssl-3.0.0-hobbled.tar.xz
|
||||
/openssl-3.0.2-hobbled.tar.gz
|
||||
/openssl-3.0.3-hobbled.tar.gz
|
||||
/openssl-3.0.5-hobbled.tar.xz
|
||||
/openssl-3.0.7-hobbled.tar.gz
|
||||
/openssl-3.0.8-hobbled.tar.gz
|
||||
/openssl-3.0.8.tar.gz
|
||||
/openssl-3.1.1.tar.gz
|
||||
/openssl-3.1.4.tar.gz
|
||||
/openssl-3.2.1.tar.gz
|
||||
/openssl-3.2.2.tar.gz
|
||||
|
@ -1 +0,0 @@
|
||||
6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
33
0001-Aarch64-and-ppc64le-use-lib64.patch
Normal file
33
0001-Aarch64-and-ppc64le-use-lib64.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:01:41 +0200
|
||||
Subject: Aarch64 and ppc64le use lib64
|
||||
|
||||
(Was openssl-1.1.1-build.patch)
|
||||
---
|
||||
Configurations/10-main.conf | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
|
||||
index d7580bf3e1..a7dbfd7f40 100644
|
||||
--- a/Configurations/10-main.conf
|
||||
+++ b/Configurations/10-main.conf
|
||||
@@ -723,6 +723,7 @@ my %targets = (
|
||||
lib_cppflags => add("-DL_ENDIAN"),
|
||||
asm_arch => 'ppc64',
|
||||
perlasm_scheme => "linux64le",
|
||||
+ multilib => "64",
|
||||
},
|
||||
|
||||
"linux-armv4" => {
|
||||
@@ -765,6 +766,7 @@ my %targets = (
|
||||
inherit_from => [ "linux-generic64" ],
|
||||
asm_arch => 'aarch64',
|
||||
perlasm_scheme => "linux64",
|
||||
+ multilib => "64",
|
||||
},
|
||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||
inherit_from => [ "linux-generic32" ],
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,7 +1,21 @@
|
||||
diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf
|
||||
--- openssl-1.1.1a/apps/openssl.cnf.defaults 2018-11-20 14:35:37.000000000 +0100
|
||||
+++ openssl-1.1.1a/apps/openssl.cnf 2019-01-15 13:56:50.841719776 +0100
|
||||
@@ -74,7 +74,7 @@ cert_opt = ca_default # Certificate fi
|
||||
From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:03:40 +0200
|
||||
Subject: Use more general default values in openssl.cnf
|
||||
|
||||
Also set sha256 as default hash, although that should not be
|
||||
necessary anymore.
|
||||
|
||||
(was openssl-1.1.1-defaults.patch)
|
||||
---
|
||||
apps/openssl.cnf | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
|
||||
index 97567a67be..eb25a0ac48 100644
|
||||
--- a/apps/openssl.cnf
|
||||
+++ b/apps/openssl.cnf
|
||||
@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
@ -10,7 +24,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
@@ -106,6 +106,7 @@ emailAddress = optional
|
||||
@@ -136,6 +136,7 @@ emailAddress = optional
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
@ -18,7 +32,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
@@ -128,17 +129,18 @@ string_mask = utf8only
|
||||
@@ -158,17 +159,18 @@ string_mask = utf8only
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
@ -40,7 +54,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
@@ -147,7 +149,7 @@ localityName = Locality Name (eg, city
|
||||
@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city)
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
@ -49,3 +63,6 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
--
|
||||
2.26.2
|
||||
|
30
0003-Do-not-install-html-docs.patch
Normal file
30
0003-Do-not-install-html-docs.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From a3e7963320ba44e96a60b389fccb8e1cccc30674 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Thu, 19 Oct 2023 13:12:39 +0200
|
||||
Subject: [PATCH 03/46] 0003-Do-not-install-html-docs.patch
|
||||
|
||||
Patch-name: 0003-Do-not-install-html-docs.patch
|
||||
Patch-id: 3
|
||||
Patch-status: |
|
||||
# # Do not install html docs
|
||||
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
|
||||
---
|
||||
Configurations/unix-Makefile.tmpl | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
||||
index a48fae5fb8..56b42926e7 100644
|
||||
--- a/Configurations/unix-Makefile.tmpl
|
||||
+++ b/Configurations/unix-Makefile.tmpl
|
||||
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
|
||||
|
||||
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
|
||||
|
||||
-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation
|
||||
+install_docs: install_man_docs ## Install manpages
|
||||
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
|
||||
$(RM) -r "$(DESTDIR)$(DOCDIR)"
|
||||
--
|
||||
2.41.0
|
||||
|
78
0004-Override-default-paths-for-the-CA-directory-tree.patch
Normal file
78
0004-Override-default-paths-for-the-CA-directory-tree.patch
Normal file
@ -0,0 +1,78 @@
|
||||
From 7a65ee33793fa8a28c0dfc94e6872ce92f408b15 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
||||
Subject: [PATCH 04/35]
|
||||
0004-Override-default-paths-for-the-CA-directory-tree.patch
|
||||
|
||||
Patch-name: 0004-Override-default-paths-for-the-CA-directory-tree.patch
|
||||
Patch-id: 4
|
||||
Patch-status: |
|
||||
# Override default paths for the CA directory tree
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
apps/CA.pl.in | 2 +-
|
||||
apps/openssl.cnf | 20 ++++++++++++++++++--
|
||||
2 files changed, 19 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
|
||||
index c0afb96716..d6a5fabd16 100644
|
||||
--- a/apps/CA.pl.in
|
||||
+++ b/apps/CA.pl.in
|
||||
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
|
||||
my $PKCS12 = "$openssl pkcs12";
|
||||
|
||||
# Default values for various configuration settings.
|
||||
-my $CATOP = "./demoCA";
|
||||
+my $CATOP = "/etc/pki/CA";
|
||||
my $CAKEY = "cakey.pem";
|
||||
my $CAREQ = "careq.pem";
|
||||
my $CACERT = "cacert.pem";
|
||||
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
|
||||
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
|
||||
+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
|
||||
@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
+# Load default TLS policy configuration
|
||||
+ssl_conf = ssl_module
|
||||
+alg_section = evp_properties
|
||||
+
|
||||
+[ evp_properties ]
|
||||
+#This section is intentionally added empty here
|
||||
+#to be tuned on particular systems
|
||||
|
||||
# List of providers to load
|
||||
[provider_sect]
|
||||
@@ -64,6 +66,13 @@ default = default_sect
|
||||
[default_sect]
|
||||
# activate = 1
|
||||
|
||||
+[ ssl_module ]
|
||||
+
|
||||
+system_default = crypto_policy
|
||||
+
|
||||
+[ crypto_policy ]
|
||||
+
|
||||
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
-dir = ./demoCA # Where everything is kept
|
||||
+dir = /etc/pki/CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
|
||||
[ tsa_config1 ]
|
||||
|
||||
# These are used by the TSA reply generation only.
|
||||
-dir = ./demoCA # TSA root directory
|
||||
+dir = /etc/pki/CA # TSA root directory
|
||||
serial = $dir/tsaserial # The current serial number (mandatory)
|
||||
crypto_device = builtin # OpenSSL engine to use for signing
|
||||
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
28
0005-apps-ca-fix-md-option-help-text.patch
Normal file
28
0005-apps-ca-fix-md-option-help-text.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:27:18 +0200
|
||||
Subject: apps/ca: fix md option help text
|
||||
|
||||
upstreamable
|
||||
|
||||
(was openssl-1.1.1-apps-dgst.patch)
|
||||
---
|
||||
apps/ca.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/apps/ca.c b/apps/ca.c
|
||||
index 0f21b4fa1c..3d4b2c1673 100755
|
||||
--- a/apps/ca.c
|
||||
+++ b/apps/ca.c
|
||||
@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
|
||||
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
|
||||
|
||||
OPT_SECTION("Signing"),
|
||||
- {"md", OPT_MD, 's', "Digest to use, such as sha256"},
|
||||
+ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
|
||||
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
|
||||
{"keyform", OPT_KEYFORM, 'f',
|
||||
"Private key file format (ENGINE, other values ignored)"},
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,29 @@
|
||||
From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:51:34 +0200
|
||||
Subject: Disable signature verification with totally unsafe hash algorithms
|
||||
|
||||
(was openssl-1.1.1-no-weak-verify.patch)
|
||||
---
|
||||
crypto/asn1/a_verify.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
|
||||
index b7eed914b0..af62f0ef08 100644
|
||||
--- a/crypto/asn1/a_verify.c
|
||||
+++ b/crypto/asn1/a_verify.c
|
||||
@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
|
||||
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
|
||||
if (ret <= 1)
|
||||
goto err;
|
||||
+ } else if ((mdnid == NID_md5
|
||||
+ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
|
||||
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
|
||||
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
||||
+ goto err;
|
||||
} else {
|
||||
const EVP_MD *type = NULL;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,7 +1,29 @@
|
||||
diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist 2019-05-29 15:42:27.951329271 +0200
|
||||
+++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl 2019-05-29 15:42:27.974328867 +0200
|
||||
@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
From 8be4ef77c64fcada41041c00e02c34b07658ba66 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 6 Mar 2024 19:17:14 +0100
|
||||
Subject: [PATCH 07/49]
|
||||
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||
|
||||
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||
Patch-id: 7
|
||||
Patch-status: |
|
||||
# # Add support for PROFILE=SYSTEM system default cipherlist
|
||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||
---
|
||||
Configurations/unix-Makefile.tmpl | 5 ++
|
||||
Configure | 11 +++-
|
||||
doc/man1/openssl-ciphers.pod.in | 9 ++++
|
||||
include/openssl/ssl.h.in | 5 ++
|
||||
ssl/ssl_ciph.c | 86 +++++++++++++++++++++++++++----
|
||||
ssl/ssl_lib.c | 4 +-
|
||||
test/cipherlist_test.c | 2 +
|
||||
7 files changed, 109 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
||||
index 5d61ce9550..e9fba957f1 100644
|
||||
--- a/Configurations/unix-Makefile.tmpl
|
||||
+++ b/Configurations/unix-Makefile.tmpl
|
||||
@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||
HTMLDIR=$(DOCDIR)/html
|
||||
|
||||
@ -12,7 +34,7 @@ diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist open
|
||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||
# appended after the manpage file section number. "ssl" is popular,
|
||||
# resulting in files such as config.5ssl rather than config.5.
|
||||
@@ -203,6 +207,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||
@ -20,29 +42,31 @@ diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist open
|
||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||
@{$config{CPPFLAGS}}) -}
|
||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||
diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
|
||||
--- openssl-1.1.1c/Configure.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/Configure 2019-05-29 15:45:10.465469533 +0200
|
||||
@@ -24,7 +24,7 @@ use OpenSSL::Glob;
|
||||
diff --git a/Configure b/Configure
|
||||
index cca1ac8d16..2ae1cd0bc2 100755
|
||||
--- a/Configure
|
||||
+++ b/Configure
|
||||
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||
my $orig_death_handler = $SIG{__DIE__};
|
||||
$SIG{__DIE__} = \&death_handler;
|
||||
|
||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
-my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
+my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
|
||||
# Options:
|
||||
#
|
||||
@@ -41,6 +41,9 @@ my $usage="Usage: Configure [no-<cipher>
|
||||
my $banner = <<"EOF";
|
||||
|
||||
@@ -61,6 +61,10 @@ EOF
|
||||
# given with --prefix.
|
||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||
# (Default: PREFIX/ssl)
|
||||
#
|
||||
+#
|
||||
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
||||
+# cipher is specified (default).
|
||||
+#
|
||||
# --cross-compile-prefix Add specified prefix to binutils components.
|
||||
# --banner=".." Output specified text instead of default completion banner
|
||||
#
|
||||
# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
|
||||
@@ -295,6 +298,7 @@ $config{prefix}="";
|
||||
# -w Don't wait after showing a Configure warning
|
||||
@@ -394,6 +398,7 @@ $config{prefix}="";
|
||||
$config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
@ -50,30 +74,22 @@ diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
|
||||
my $auto_threads=1; # enable threads automatically? true by default
|
||||
my $default_ranlib;
|
||||
|
||||
@@ -824,6 +828,10 @@ while (@argvcopy)
|
||||
push @seed_sources, $x;
|
||||
}
|
||||
@@ -1047,6 +1052,10 @@ while (@argvcopy)
|
||||
die "FIPS key too long (64 bytes max)\n"
|
||||
if length $1 > 64;
|
||||
}
|
||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||
+ {
|
||||
+ $config{system_ciphers_file}=$1;
|
||||
+ }
|
||||
elsif (/^--cross-compile-prefix=(.*)$/)
|
||||
elsif (/^--banner=(.*)$/)
|
||||
{
|
||||
$user{CROSS_COMPILE}=$1;
|
||||
@@ -1016,6 +1024,8 @@ if ($target eq "HASH") {
|
||||
exit 0;
|
||||
}
|
||||
|
||||
+chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;
|
||||
+
|
||||
print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
|
||||
print "for $target\n";
|
||||
|
||||
diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod
|
||||
--- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/doc/man1/ciphers.pod 2019-05-29 15:42:27.975328849 +0200
|
||||
@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||
$banner = $1 . "\n";
|
||||
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
|
||||
index d4df30686f..cec4835268 100644
|
||||
--- a/doc/man1/openssl-ciphers.pod.in
|
||||
+++ b/doc/man1/openssl-ciphers.pod.in
|
||||
@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
|
||||
|
||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||
|
||||
@ -89,34 +105,27 @@ diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/do
|
||||
=item B<HIGH>
|
||||
|
||||
"High" encryption cipher suites. This currently means those with key lengths
|
||||
diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h
|
||||
--- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/include/openssl/ssl.h 2019-05-29 15:42:27.975328849 +0200
|
||||
@@ -186,6 +186,11 @@ extern "C" {
|
||||
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
||||
index 9f91039f8a..fc34d4ca61 100644
|
||||
--- a/include/openssl/ssl.h.in
|
||||
+++ b/include/openssl/ssl.h.in
|
||||
@@ -209,6 +209,11 @@ extern "C" {
|
||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||
*/
|
||||
+# ifdef SYSTEM_CIPHERS_FILE
|
||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
||||
+# else
|
||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
|
||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
|
||||
+# endif
|
||||
|
||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||
# define SSL_SENT_SHUTDOWN 1
|
||||
diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c
|
||||
--- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/ssl/ssl_ciph.c 2019-05-29 15:42:27.976328831 +0200
|
||||
@@ -9,6 +9,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
+/* for secure_getenv */
|
||||
+#define _GNU_SOURCE
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <openssl/objects.h>
|
||||
@@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index 8360991ce4..33c23efb0d 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -167,13 +176,13 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||
@@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
const char *rule_p;
|
||||
@@ -1469,15 +1516,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||
const SSL_CIPHER **ca_list = NULL;
|
||||
const SSL_METHOD *ssl_method = ctx->method;
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ char *new_rules = NULL;
|
||||
+
|
||||
@ -191,23 +200,23 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
|
||||
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
#ifndef OPENSSL_NO_EC
|
||||
|
||||
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
#endif
|
||||
|
||||
/*
|
||||
@@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
* To reduce the work to do we only want to process the compiled
|
||||
@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
if (num_of_ciphers > 0) {
|
||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||
if (co_list == NULL) {
|
||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
||||
if (co_list == NULL)
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||
@@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1565,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
* in force within each class
|
||||
*/
|
||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||
@ -217,18 +226,17 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1611,8 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1637,8 +1693,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
if (!ok) { /* Rule processing failure */
|
||||
@ -238,7 +246,7 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1646,10 +1701,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
* if we cannot get one.
|
||||
*/
|
||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||
@ -253,13 +261,8 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
|
||||
+
|
||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||
if (!sk_SSL_CIPHER_push(cipherstack,
|
||||
sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
|
||||
+ OPENSSL_free(co_list);
|
||||
sk_SSL_CIPHER_free(cipherstack);
|
||||
return NULL;
|
||||
}
|
||||
@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||
@@ -1701,6 +1759,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
*cipher_list = cipherstack;
|
||||
|
||||
return cipherstack;
|
||||
@ -274,31 +277,33 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
|
||||
}
|
||||
|
||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c
|
||||
--- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist 2019-05-29 15:42:27.970328937 +0200
|
||||
+++ openssl-1.1.1c/ssl/ssl_lib.c 2019-05-29 15:42:27.977328814 +0200
|
||||
@@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index cf59d2dfa5..1329841aaf 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -700,7 +700,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
|
||||
ctx->tls13_ciphersuites,
|
||||
&(ctx->cipher_list),
|
||||
&(ctx->cipher_list_by_id),
|
||||
- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||
- OSSL_default_cipher_list(), ctx->cert);
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||
return 0;
|
||||
@@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
if (!ssl_create_cipher_list(ret->method,
|
||||
@@ -3966,7 +3966,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
||||
if (!ssl_create_cipher_list(ret,
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
- SSL_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
- OSSL_default_cipher_list(), ret->cert)
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c
|
||||
--- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/test/cipherlist_test.c 2019-05-29 15:42:27.977328814 +0200
|
||||
@@ -251,7 +251,9 @@ end:
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err;
|
||||
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
|
||||
index c46e431b00..19d05e860b 100644
|
||||
--- a/test/cipherlist_test.c
|
||||
+++ b/test/cipherlist_test.c
|
||||
@@ -261,7 +261,9 @@ end:
|
||||
|
||||
int setup_tests(void)
|
||||
{
|
||||
@ -307,4 +312,7 @@ diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/
|
||||
+#endif
|
||||
ADD_TEST(test_default_cipherlist_explicit);
|
||||
ADD_TEST(test_default_cipherlist_clear);
|
||||
return 1;
|
||||
ADD_TEST(test_stdname_cipherlist);
|
||||
--
|
||||
2.44.0
|
||||
|
83
0008-Add-FIPS_mode-compatibility-macro.patch
Normal file
83
0008-Add-FIPS_mode-compatibility-macro.patch
Normal file
@ -0,0 +1,83 @@
|
||||
From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
||||
Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
|
||||
|
||||
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
|
||||
Patch-id: 8
|
||||
Patch-status: |
|
||||
# Add FIPS_mode() compatibility macro
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
include/openssl/fips.h | 26 ++++++++++++++++++++++++++
|
||||
test/property_test.c | 14 ++++++++++++++
|
||||
2 files changed, 40 insertions(+)
|
||||
create mode 100644 include/openssl/fips.h
|
||||
|
||||
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
|
||||
new file mode 100644
|
||||
index 0000000000..4162cbf88e
|
||||
--- /dev/null
|
||||
+++ b/include/openssl/fips.h
|
||||
@@ -0,0 +1,26 @@
|
||||
+/*
|
||||
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#ifndef OPENSSL_FIPS_H
|
||||
+# define OPENSSL_FIPS_H
|
||||
+# pragma once
|
||||
+
|
||||
+# include <openssl/evp.h>
|
||||
+# include <openssl/macros.h>
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+extern "C" {
|
||||
+# endif
|
||||
+
|
||||
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+}
|
||||
+# endif
|
||||
+#endif
|
||||
diff --git a/test/property_test.c b/test/property_test.c
|
||||
index 45b1db3e85..8894c1c1cb 100644
|
||||
--- a/test/property_test.c
|
||||
+++ b/test/property_test.c
|
||||
@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+static int test_downstream_FIPS_mode(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
|
||||
+ && TEST_true(FIPS_mode())
|
||||
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
|
||||
+ && TEST_false(FIPS_mode());
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
ADD_TEST(test_property_string);
|
||||
@@ -690,6 +703,7 @@ int setup_tests(void)
|
||||
ADD_TEST(test_property);
|
||||
ADD_TEST(test_query_cache_stochastic);
|
||||
ADD_TEST(test_fips_mode);
|
||||
+ ADD_TEST(test_downstream_FIPS_mode);
|
||||
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
86
0009-Add-Kernel-FIPS-mode-flag-support.patch
Normal file
86
0009-Add-Kernel-FIPS-mode-flag-support.patch
Normal file
@ -0,0 +1,86 @@
|
||||
From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
||||
Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
|
||||
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
Patch-id: 9
|
||||
Patch-status: |
|
||||
# Add check to see if fips flag is enabled in kernel
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++
|
||||
include/internal/provider.h | 3 +++
|
||||
2 files changed, 39 insertions(+)
|
||||
|
||||
diff --git a/crypto/context.c b/crypto/context.c
|
||||
index e294ea1512..51002ba79a 100644
|
||||
--- a/crypto/context.c
|
||||
+++ b/crypto/context.c
|
||||
@@ -16,6 +16,41 @@
|
||||
#include "crypto/decoder.h"
|
||||
#include "crypto/context.h"
|
||||
|
||||
+# include <sys/types.h>
|
||||
+# include <sys/stat.h>
|
||||
+# include <fcntl.h>
|
||||
+# include <unistd.h>
|
||||
+# include <openssl/evp.h>
|
||||
+
|
||||
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
||||
+
|
||||
+static int kernel_fips_flag;
|
||||
+
|
||||
+static void read_kernel_fips_flag(void)
|
||||
+{
|
||||
+ char buf[2] = "0";
|
||||
+ int fd;
|
||||
+
|
||||
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
+ buf[0] = '1';
|
||||
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||
+ close(fd);
|
||||
+ }
|
||||
+
|
||||
+ if (buf[0] == '1') {
|
||||
+ kernel_fips_flag = 1;
|
||||
+ }
|
||||
+
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+int ossl_get_kernel_fips_flag()
|
||||
+{
|
||||
+ return kernel_fips_flag;
|
||||
+}
|
||||
+
|
||||
+
|
||||
struct ossl_lib_ctx_st {
|
||||
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
|
||||
OSSL_EX_DATA_GLOBAL global;
|
||||
@@ -336,6 +371,7 @@ static int default_context_inited = 0;
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
||||
{
|
||||
+ read_kernel_fips_flag();
|
||||
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
|
||||
goto err;
|
||||
|
||||
diff --git a/include/internal/provider.h b/include/internal/provider.h
|
||||
index 18937f84c7..1446bf7afb 100644
|
||||
--- a/include/internal/provider.h
|
||||
+++ b/include/internal/provider.h
|
||||
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
|
||||
const OSSL_DISPATCH *in);
|
||||
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
||||
|
||||
+/* FIPS flag access */
|
||||
+int ossl_get_kernel_fips_flag(void);
|
||||
+
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
# endif
|
||||
--
|
||||
2.41.0
|
||||
|
1148
0010-Add-changes-to-ectest-and-eccurve.patch
Normal file
1148
0010-Add-changes-to-ectest-and-eccurve.patch
Normal file
File diff suppressed because it is too large
Load Diff
279
0011-Remove-EC-curves.patch
Normal file
279
0011-Remove-EC-curves.patch
Normal file
@ -0,0 +1,279 @@
|
||||
From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 11:46:40 +0200
|
||||
Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
|
||||
|
||||
Patch-name: 0011-Remove-EC-curves.patch
|
||||
Patch-id: 11
|
||||
Patch-status: |
|
||||
# remove unsupported EC curves
|
||||
---
|
||||
apps/speed.c | 8 +---
|
||||
crypto/evp/ec_support.c | 87 ------------------------------------
|
||||
test/acvp_test.inc | 9 ----
|
||||
test/ecdsatest.h | 17 -------
|
||||
test/recipes/15-test_genec.t | 27 -----------
|
||||
5 files changed, 1 insertion(+), 147 deletions(-)
|
||||
|
||||
diff --git a/apps/speed.c b/apps/speed.c
|
||||
index cace25eda1..d527f12f18 100644
|
||||
--- a/apps/speed.c
|
||||
+++ b/apps/speed.c
|
||||
@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
enum ec_curves_t {
|
||||
- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
|
||||
+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
|
||||
#ifndef OPENSSL_NO_EC2M
|
||||
R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
|
||||
R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
|
||||
@@ -395,8 +395,6 @@ enum ec_curves_t {
|
||||
};
|
||||
/* list of ecdsa curves */
|
||||
static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
|
||||
- {"ecdsap160", R_EC_P160},
|
||||
- {"ecdsap192", R_EC_P192},
|
||||
{"ecdsap224", R_EC_P224},
|
||||
{"ecdsap256", R_EC_P256},
|
||||
{"ecdsap384", R_EC_P384},
|
||||
@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
|
||||
};
|
||||
/* list of ecdh curves, extension of |ecdsa_choices| list above */
|
||||
static const OPT_PAIR ecdh_choices[EC_NUM] = {
|
||||
- {"ecdhp160", R_EC_P160},
|
||||
- {"ecdhp192", R_EC_P192},
|
||||
{"ecdhp224", R_EC_P224},
|
||||
{"ecdhp256", R_EC_P256},
|
||||
{"ecdhp384", R_EC_P384},
|
||||
@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv)
|
||||
*/
|
||||
static const EC_CURVE ec_curves[EC_NUM] = {
|
||||
/* Prime Curves */
|
||||
- {"secp160r1", NID_secp160r1, 160},
|
||||
- {"nistp192", NID_X9_62_prime192v1, 192},
|
||||
{"nistp224", NID_secp224r1, 224},
|
||||
{"nistp256", NID_X9_62_prime256v1, 256},
|
||||
{"nistp384", NID_secp384r1, 384},
|
||||
diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
|
||||
index 1ec10143d2..82b95294b4 100644
|
||||
--- a/crypto/evp/ec_support.c
|
||||
+++ b/crypto/evp/ec_support.c
|
||||
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
|
||||
static const EC_NAME2NID curve_list[] = {
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
- {"secp112r1", NID_secp112r1 },
|
||||
- {"secp112r2", NID_secp112r2 },
|
||||
- {"secp128r1", NID_secp128r1 },
|
||||
- {"secp128r2", NID_secp128r2 },
|
||||
- {"secp160k1", NID_secp160k1 },
|
||||
- {"secp160r1", NID_secp160r1 },
|
||||
- {"secp160r2", NID_secp160r2 },
|
||||
- {"secp192k1", NID_secp192k1 },
|
||||
- {"secp224k1", NID_secp224k1 },
|
||||
{"secp224r1", NID_secp224r1 },
|
||||
{"secp256k1", NID_secp256k1 },
|
||||
{"secp384r1", NID_secp384r1 },
|
||||
{"secp521r1", NID_secp521r1 },
|
||||
/* X9.62 curves */
|
||||
- {"prime192v1", NID_X9_62_prime192v1 },
|
||||
- {"prime192v2", NID_X9_62_prime192v2 },
|
||||
- {"prime192v3", NID_X9_62_prime192v3 },
|
||||
- {"prime239v1", NID_X9_62_prime239v1 },
|
||||
- {"prime239v2", NID_X9_62_prime239v2 },
|
||||
- {"prime239v3", NID_X9_62_prime239v3 },
|
||||
{"prime256v1", NID_X9_62_prime256v1 },
|
||||
/* characteristic two field curves */
|
||||
/* NIST/SECG curves */
|
||||
- {"sect113r1", NID_sect113r1 },
|
||||
- {"sect113r2", NID_sect113r2 },
|
||||
- {"sect131r1", NID_sect131r1 },
|
||||
- {"sect131r2", NID_sect131r2 },
|
||||
- {"sect163k1", NID_sect163k1 },
|
||||
- {"sect163r1", NID_sect163r1 },
|
||||
- {"sect163r2", NID_sect163r2 },
|
||||
- {"sect193r1", NID_sect193r1 },
|
||||
- {"sect193r2", NID_sect193r2 },
|
||||
- {"sect233k1", NID_sect233k1 },
|
||||
- {"sect233r1", NID_sect233r1 },
|
||||
- {"sect239k1", NID_sect239k1 },
|
||||
- {"sect283k1", NID_sect283k1 },
|
||||
- {"sect283r1", NID_sect283r1 },
|
||||
- {"sect409k1", NID_sect409k1 },
|
||||
- {"sect409r1", NID_sect409r1 },
|
||||
- {"sect571k1", NID_sect571k1 },
|
||||
- {"sect571r1", NID_sect571r1 },
|
||||
- /* X9.62 curves */
|
||||
- {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
|
||||
- {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
|
||||
- {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
|
||||
- {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
|
||||
- {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
|
||||
- {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
|
||||
- {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
|
||||
- {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
|
||||
- {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
|
||||
- {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
|
||||
- {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
|
||||
- {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
|
||||
- {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
|
||||
- {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
|
||||
- {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
|
||||
- {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
|
||||
- /*
|
||||
- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
|
||||
- * from X9.62]
|
||||
- */
|
||||
- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
|
||||
- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
|
||||
- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
|
||||
- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
|
||||
- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
|
||||
- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
|
||||
- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
|
||||
- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
|
||||
- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
|
||||
- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
|
||||
- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
|
||||
- /* IPSec curves */
|
||||
- {"Oakley-EC2N-3", NID_ipsec3 },
|
||||
- {"Oakley-EC2N-4", NID_ipsec4 },
|
||||
/* brainpool curves */
|
||||
- {"brainpoolP160r1", NID_brainpoolP160r1 },
|
||||
- {"brainpoolP160t1", NID_brainpoolP160t1 },
|
||||
- {"brainpoolP192r1", NID_brainpoolP192r1 },
|
||||
- {"brainpoolP192t1", NID_brainpoolP192t1 },
|
||||
- {"brainpoolP224r1", NID_brainpoolP224r1 },
|
||||
- {"brainpoolP224t1", NID_brainpoolP224t1 },
|
||||
{"brainpoolP256r1", NID_brainpoolP256r1 },
|
||||
{"brainpoolP256t1", NID_brainpoolP256t1 },
|
||||
{"brainpoolP320r1", NID_brainpoolP320r1 },
|
||||
@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = {
|
||||
{"brainpoolP384t1", NID_brainpoolP384t1 },
|
||||
{"brainpoolP512r1", NID_brainpoolP512r1 },
|
||||
{"brainpoolP512t1", NID_brainpoolP512t1 },
|
||||
- /* SM2 curve */
|
||||
- {"SM2", NID_sm2 },
|
||||
};
|
||||
|
||||
const char *OSSL_EC_curve_nid2name(int nid)
|
||||
@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
|
||||
/* Functions to translate between common NIST curve names and NIDs */
|
||||
|
||||
static const EC_NAME2NID nist_curves[] = {
|
||||
- {"B-163", NID_sect163r2},
|
||||
- {"B-233", NID_sect233r1},
|
||||
- {"B-283", NID_sect283r1},
|
||||
- {"B-409", NID_sect409r1},
|
||||
- {"B-571", NID_sect571r1},
|
||||
- {"K-163", NID_sect163k1},
|
||||
- {"K-233", NID_sect233k1},
|
||||
- {"K-283", NID_sect283k1},
|
||||
- {"K-409", NID_sect409k1},
|
||||
- {"K-571", NID_sect571k1},
|
||||
- {"P-192", NID_X9_62_prime192v1},
|
||||
{"P-224", NID_secp224r1},
|
||||
{"P-256", NID_X9_62_prime256v1},
|
||||
{"P-384", NID_secp384r1},
|
||||
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
||||
index ad11d3ae1e..894a0bff9d 100644
|
||||
--- a/test/acvp_test.inc
|
||||
+++ b/test/acvp_test.inc
|
||||
@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
|
||||
0xB1, 0xAC,
|
||||
};
|
||||
static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
|
||||
- {
|
||||
- "SHA-1",
|
||||
- "P-192",
|
||||
- ITM(ecdsa_sigver_msg0),
|
||||
- ITM(ecdsa_sigver_pub0),
|
||||
- ITM(ecdsa_sigver_r0),
|
||||
- ITM(ecdsa_sigver_s0),
|
||||
- PASS,
|
||||
- },
|
||||
{
|
||||
"SHA2-512",
|
||||
"P-521",
|
||||
diff --git a/test/ecdsatest.h b/test/ecdsatest.h
|
||||
index 63fe319025..06b5c0aac5 100644
|
||||
--- a/test/ecdsatest.h
|
||||
+++ b/test/ecdsatest.h
|
||||
@@ -32,23 +32,6 @@ typedef struct {
|
||||
} ecdsa_cavs_kat_t;
|
||||
|
||||
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
|
||||
- /* prime KATs from X9.62 */
|
||||
- {NID_X9_62_prime192v1, NID_sha1,
|
||||
- "616263", /* "abc" */
|
||||
- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
|
||||
- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
|
||||
- "5ca5c0d69716dfcb3474373902",
|
||||
- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
|
||||
- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
|
||||
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
|
||||
- {NID_X9_62_prime239v1, NID_sha1,
|
||||
- "616263", /* "abc" */
|
||||
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
|
||||
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
|
||||
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
|
||||
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
|
||||
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
|
||||
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
|
||||
/* prime KATs from NIST CAVP */
|
||||
{NID_secp224r1, NID_sha224,
|
||||
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
|
||||
diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
|
||||
index 2dfed387ca..c733b68f83 100644
|
||||
--- a/test/recipes/15-test_genec.t
|
||||
+++ b/test/recipes/15-test_genec.t
|
||||
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
|
||||
if disabled("ec");
|
||||
|
||||
my @prime_curves = qw(
|
||||
- secp112r1
|
||||
- secp112r2
|
||||
- secp128r1
|
||||
- secp128r2
|
||||
- secp160k1
|
||||
- secp160r1
|
||||
- secp160r2
|
||||
- secp192k1
|
||||
- secp224k1
|
||||
secp224r1
|
||||
secp256k1
|
||||
secp384r1
|
||||
secp521r1
|
||||
- prime192v1
|
||||
- prime192v2
|
||||
- prime192v3
|
||||
- prime239v1
|
||||
- prime239v2
|
||||
- prime239v3
|
||||
prime256v1
|
||||
- wap-wsg-idm-ecid-wtls6
|
||||
- wap-wsg-idm-ecid-wtls7
|
||||
- wap-wsg-idm-ecid-wtls8
|
||||
- wap-wsg-idm-ecid-wtls9
|
||||
- wap-wsg-idm-ecid-wtls12
|
||||
- brainpoolP160r1
|
||||
- brainpoolP160t1
|
||||
- brainpoolP192r1
|
||||
- brainpoolP192t1
|
||||
- brainpoolP224r1
|
||||
- brainpoolP224t1
|
||||
brainpoolP256r1
|
||||
brainpoolP256t1
|
||||
brainpoolP320r1
|
||||
@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
|
||||
if !disabled("sm2");
|
||||
|
||||
my @curve_aliases = qw(
|
||||
- P-192
|
||||
P-224
|
||||
P-256
|
||||
P-384
|
||||
--
|
||||
2.41.0
|
||||
|
235
0012-Disable-explicit-ec.patch
Normal file
235
0012-Disable-explicit-ec.patch
Normal file
@ -0,0 +1,235 @@
|
||||
From 91bdd9b816b22bc1464ec323f3272b866b24114d Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 12/35] 0012-Disable-explicit-ec.patch
|
||||
|
||||
Patch-name: 0012-Disable-explicit-ec.patch
|
||||
Patch-id: 12
|
||||
Patch-status: |
|
||||
# Disable explicit EC curves
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
crypto/ec/ec_asn1.c | 11 ++++++++++
|
||||
crypto/ec/ec_lib.c | 6 +++++
|
||||
test/ectest.c | 22 ++++++++++---------
|
||||
test/endecode_test.c | 20 ++++++++---------
|
||||
.../30-test_evp_data/evppkey_ecdsa.txt | 12 ----------
|
||||
5 files changed, 39 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
|
||||
index 7a0b35a594..d19d57344e 100644
|
||||
--- a/crypto/ec/ec_asn1.c
|
||||
+++ b/crypto/ec/ec_asn1.c
|
||||
@@ -905,6 +905,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
|
||||
if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
|
||||
group->decoded_from_explicit_params = 1;
|
||||
|
||||
+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
|
||||
+ EC_GROUP_free(group);
|
||||
+ ECPKPARAMETERS_free(params);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
if (a) {
|
||||
EC_GROUP_free(*a);
|
||||
*a = group;
|
||||
@@ -964,6 +970,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {
|
||||
+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
ret->version = priv_key->version;
|
||||
|
||||
if (priv_key->privateKey) {
|
||||
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
|
||||
index a84e088c19..6c37bf78ae 100644
|
||||
--- a/crypto/ec/ec_lib.c
|
||||
+++ b/crypto/ec/ec_lib.c
|
||||
@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
||||
goto err;
|
||||
}
|
||||
if (named_group == group) {
|
||||
+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
|
||||
+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
||||
+ goto err;
|
||||
+ }
|
||||
+#if 0
|
||||
/*
|
||||
* If we did not find a named group then the encoding should be explicit
|
||||
* if it was specified
|
||||
@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
||||
goto err;
|
||||
}
|
||||
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
|
||||
+#endif
|
||||
} else {
|
||||
EC_GROUP_free(group);
|
||||
group = named_group;
|
||||
diff --git a/test/ectest.c b/test/ectest.c
|
||||
index 4890b0555e..e11aec5b3b 100644
|
||||
--- a/test/ectest.c
|
||||
+++ b/test/ectest.c
|
||||
@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
|
||||
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
|
||||
|| !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
|
||||
|| !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
|
||||
- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
|
||||
+ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
|
||||
EVP_PKEY_KEY_PARAMETERS, params), 0))
|
||||
goto err;
|
||||
-
|
||||
+/* As creating the key should fail, the rest of the test is pointless */
|
||||
+# if 0
|
||||
/*- Check that all the set values are retrievable -*/
|
||||
|
||||
/* There should be no match to a group name since the generator changed */
|
||||
@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
|
||||
#endif
|
||||
)
|
||||
goto err;
|
||||
+#endif
|
||||
ret = 1;
|
||||
err:
|
||||
BN_free(order_out);
|
||||
@@ -2714,21 +2716,21 @@ static int custom_params_test(int id)
|
||||
|
||||
/* Compute keyexchange in both directions */
|
||||
if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
|
||||
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
|
||||
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
|
||||
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
|
||||
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
|
||||
|| !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
|
||||
|| !TEST_int_gt(bsize, sslen)
|
||||
- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
|
||||
+ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
|
||||
goto err;
|
||||
if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
|
||||
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
|
||||
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
|
||||
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
|
||||
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
|
||||
|| !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
|
||||
|| !TEST_int_gt(bsize, t)
|
||||
|| !TEST_int_le(sslen, t)
|
||||
- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
|
||||
+ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
|
||||
goto err;
|
||||
-
|
||||
+#if 0
|
||||
/* Both sides should expect the same shared secret */
|
||||
if (!TEST_mem_eq(buf1, sslen, buf2, t))
|
||||
goto err;
|
||||
@@ -2780,7 +2782,7 @@ static int custom_params_test(int id)
|
||||
/* compare with previous result */
|
||||
|| !TEST_mem_eq(buf1, t, buf2, sslen))
|
||||
goto err;
|
||||
-
|
||||
+#endif
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
diff --git a/test/endecode_test.c b/test/endecode_test.c
|
||||
index 14648287eb..9a437d8c64 100644
|
||||
--- a/test/endecode_test.c
|
||||
+++ b/test/endecode_test.c
|
||||
@@ -62,7 +62,7 @@ static BN_CTX *bnctx = NULL;
|
||||
static OSSL_PARAM_BLD *bld_prime_nc = NULL;
|
||||
static OSSL_PARAM_BLD *bld_prime = NULL;
|
||||
static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
|
||||
-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
|
||||
+/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
|
||||
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
static OSSL_PARAM_BLD *bld_tri_nc = NULL;
|
||||
@@ -1009,9 +1009,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
|
||||
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
|
||||
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
|
||||
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
|
||||
-DOMAIN_KEYS(ECExplicitPrime2G);
|
||||
-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
|
||||
-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
|
||||
+/*DOMAIN_KEYS(ECExplicitPrime2G);*/
|
||||
+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
|
||||
+/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
DOMAIN_KEYS(ECExplicitTriNamedCurve);
|
||||
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
|
||||
@@ -1352,7 +1352,7 @@ int setup_tests(void)
|
||||
|| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
|
||||
|| !create_ec_explicit_prime_params(bld_prime)
|
||||
|| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
|
||||
- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
|
||||
+/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
|| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
|
||||
|| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
|
||||
@@ -1380,7 +1380,7 @@ int setup_tests(void)
|
||||
TEST_info("Generating EC keys...");
|
||||
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
|
||||
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
|
||||
- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
|
||||
+/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
|
||||
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
|
||||
@@ -1423,8 +1423,8 @@ int setup_tests(void)
|
||||
ADD_TEST_SUITE_LEGACY(EC);
|
||||
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
|
||||
ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
|
||||
- ADD_TEST_SUITE(ECExplicitPrime2G);
|
||||
- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
|
||||
+/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
|
||||
+/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
|
||||
ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
|
||||
@@ -1461,7 +1461,7 @@ void cleanup_tests(void)
|
||||
{
|
||||
#ifndef OPENSSL_NO_EC
|
||||
OSSL_PARAM_free(ec_explicit_prime_params_nc);
|
||||
- OSSL_PARAM_free(ec_explicit_prime_params_explicit);
|
||||
+/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
|
||||
OSSL_PARAM_BLD_free(bld_prime_nc);
|
||||
OSSL_PARAM_BLD_free(bld_prime);
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
@@ -1483,7 +1483,7 @@ void cleanup_tests(void)
|
||||
#ifndef OPENSSL_NO_EC
|
||||
FREE_DOMAIN_KEYS(EC);
|
||||
FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
|
||||
- FREE_DOMAIN_KEYS(ECExplicitPrime2G);
|
||||
+/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
|
||||
FREE_DOMAIN_KEYS(ECExplicitTri2G);
|
||||
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
index ec3c032aba..584ecee0eb 100644
|
||||
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
|
||||
3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
-PrivateKey = EC_EXPLICIT
|
||||
------BEGIN PRIVATE KEY-----
|
||||
-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
|
||||
-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
|
||||
-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
|
||||
-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
|
||||
-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
|
||||
-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
|
||||
-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
|
||||
-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
|
||||
------END PRIVATE KEY-----
|
||||
-
|
||||
PrivateKey = B-163
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
|
||||
--
|
||||
2.41.0
|
||||
|
58
0013-skipped-tests-EC-curves.patch
Normal file
58
0013-skipped-tests-EC-curves.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From 9ede2b1e13f72db37718853faff74b4429084d59 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 13/35] 0013-skipped-tests-EC-curves.patch
|
||||
|
||||
Patch-name: 0013-skipped-tests-EC-curves.patch
|
||||
Patch-id: 13
|
||||
Patch-status: |
|
||||
# Skipped tests from former 0011-Remove-EC-curves.patch
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
test/recipes/15-test_ec.t | 2 +-
|
||||
test/recipes/65-test_cmp_protect.t | 2 +-
|
||||
test/recipes/65-test_cmp_vfy.t | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
|
||||
index 0638d626e7..c0efd77649 100644
|
||||
--- a/test/recipes/15-test_ec.t
|
||||
+++ b/test/recipes/15-test_ec.t
|
||||
@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key' => sub {
|
||||
|
||||
subtest 'Check loading of fips and non-fips keys' => sub {
|
||||
plan skip_all => "FIPS is disabled"
|
||||
- if $no_fips;
|
||||
+ if 1; #Red Hat specific, original value is $no_fips;
|
||||
|
||||
plan tests => 2;
|
||||
|
||||
diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t
|
||||
index 631603df7c..4cb2ffebbc 100644
|
||||
--- a/test/recipes/65-test_cmp_protect.t
|
||||
+++ b/test/recipes/65-test_cmp_protect.t
|
||||
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
|
||||
plan skip_all => "This test is not supported in a shared library build on Windows"
|
||||
if $^O eq 'MSWin32' && !disabled("shared");
|
||||
|
||||
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
|
||||
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
|
||||
|
||||
my @basic_cmd = ("cmp_protect_test",
|
||||
data_file("prot_RSA.pem"),
|
||||
diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
|
||||
index f722800e27..26a01786bb 100644
|
||||
--- a/test/recipes/65-test_cmp_vfy.t
|
||||
+++ b/test/recipes/65-test_cmp_vfy.t
|
||||
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
|
||||
plan skip_all => "This test is not supported in a no-ec build"
|
||||
if disabled("ec");
|
||||
|
||||
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
|
||||
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
|
||||
|
||||
my @basic_cmd = ("cmp_vfy_test",
|
||||
data_file("server.crt"), data_file("client.crt"),
|
||||
--
|
||||
2.41.0
|
||||
|
95
0024-load-legacy-prov.patch
Normal file
95
0024-load-legacy-prov.patch
Normal file
@ -0,0 +1,95 @@
|
||||
From 69636828729ecc287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 14/35] 0024-load-legacy-prov.patch
|
||||
|
||||
Patch-name: 0024-load-legacy-prov.patch
|
||||
Patch-id: 24
|
||||
Patch-status: |
|
||||
# Instructions to load legacy provider in openssl.cnf
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
apps/openssl.cnf | 37 +++++++++++++++----------------------
|
||||
doc/man5/config.pod | 8 ++++++++
|
||||
2 files changed, 23 insertions(+), 22 deletions(-)
|
||||
|
||||
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
|
||||
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
|
||||
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
|
||||
@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
|
||||
tsa_policy2 = 1.2.3.4.5.6
|
||||
tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
-# For FIPS
|
||||
-# Optionally include a file that is generated by the OpenSSL fipsinstall
|
||||
-# application. This file contains configuration data required by the OpenSSL
|
||||
-# fips provider. It contains a named section e.g. [fips_sect] which is
|
||||
-# referenced from the [provider_sect] below.
|
||||
-# Refer to the OpenSSL security policy for more information.
|
||||
-# .include fipsmodule.cnf
|
||||
-
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
# Load default TLS policy configuration
|
||||
@@ -42,23 +42,27 @@ [ evp_properties ]
|
||||
#This section is intentionally added empty here
|
||||
#to be tuned on particular systems
|
||||
|
||||
-# List of providers to load
|
||||
-[provider_sect]
|
||||
-default = default_sect
|
||||
-# The fips section name should match the section name inside the
|
||||
-# included fipsmodule.cnf.
|
||||
-# fips = fips_sect
|
||||
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
||||
+# Loading the legacy provider enables support for the following algorithms:
|
||||
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
||||
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
|
||||
+# Key Derivation Function (KDF): PBKDF1
|
||||
+# In general it is not recommended to use the above mentioned algorithms for
|
||||
+# security critical operations, as they are cryptographically weak or vulnerable
|
||||
+# to side-channel attacks and as such have been deprecated.
|
||||
|
||||
-# If no providers are activated explicitly, the default one is activated implicitly.
|
||||
-# See man 7 OSSL_PROVIDER-default for more details.
|
||||
-#
|
||||
-# If you add a section explicitly activating any other provider(s), you most
|
||||
-# probably need to explicitly activate the default provider, otherwise it
|
||||
-# becomes unavailable in openssl. As a consequence applications depending on
|
||||
-# OpenSSL may not work correctly which could lead to significant system
|
||||
-# problems including inability to remotely access the system.
|
||||
-[default_sect]
|
||||
-# activate = 1
|
||||
+[provider_sect]
|
||||
+default = default_sect
|
||||
+##legacy = legacy_sect
|
||||
+##
|
||||
+[default_sect]
|
||||
+activate = 1
|
||||
+
|
||||
+##[legacy_sect]
|
||||
+##activate = 1
|
||||
+
|
||||
+#Place the third party provider configuration files into this folder
|
||||
+.include /etc/pki/tls/openssl.d
|
||||
|
||||
[ ssl_module ]
|
||||
|
||||
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
|
||||
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
|
||||
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
|
||||
@@ -273,6 +273,14 @@ significant.
|
||||
All parameters in the section as well as sub-sections are made
|
||||
available to the provider.
|
||||
|
||||
+=head3 Loading the legacy provider
|
||||
+
|
||||
+Uncomment the sections that start with ## in openssl.cnf
|
||||
+to enable the legacy provider.
|
||||
+Note: In general it is not recommended to use the above mentioned algorithms for
|
||||
+security critical operations, as they are cryptographically weak or vulnerable
|
||||
+to side-channel attacks and as such have been deprecated.
|
||||
+
|
||||
=head3 Default provider and its activation
|
||||
|
||||
If no providers are activated explicitly, the default one is activated implicitly.
|
18
0025-for-tests.patch
Normal file
18
0025-for-tests.patch
Normal file
@ -0,0 +1,18 @@
|
||||
diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
|
||||
--- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100
|
||||
+++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100
|
||||
@@ -55,11 +55,11 @@ providers = provider_sect
|
||||
# to side-channel attacks and as such have been deprecated.
|
||||
|
||||
[provider_sect]
|
||||
-default = default_sect
|
||||
+##default = default_sect
|
||||
##legacy = legacy_sect
|
||||
##
|
||||
-[default_sect]
|
||||
-activate = 1
|
||||
+##[default_sect]
|
||||
+##activate = 1
|
||||
|
||||
##[legacy_sect]
|
||||
##activate = 1
|
81
0032-Force-fips.patch
Normal file
81
0032-Force-fips.patch
Normal file
@ -0,0 +1,81 @@
|
||||
From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 11:59:02 +0200
|
||||
Subject: [PATCH 16/48] 0032-Force-fips.patch
|
||||
|
||||
Patch-name: 0032-Force-fips.patch
|
||||
Patch-id: 32
|
||||
Patch-status: |
|
||||
# We load FIPS provider and set FIPS properties implicitly
|
||||
---
|
||||
crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
|
||||
1 file changed, 27 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
|
||||
index 058fb58837..5274265a70 100644
|
||||
--- a/crypto/provider_conf.c
|
||||
+++ b/crypto/provider_conf.c
|
||||
@@ -10,6 +10,8 @@
|
||||
#include <string.h>
|
||||
#include <openssl/trace.h>
|
||||
#include <openssl/err.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include <unistd.h>
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/safestack.h>
|
||||
#include <openssl/provider.h>
|
||||
@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
|
||||
if (path != NULL)
|
||||
ossl_provider_set_module_path(prov, path);
|
||||
|
||||
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
|
||||
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
|
||||
|
||||
if (ok == 1) {
|
||||
if (!ossl_provider_activate(prov, 1, 0)) {
|
||||
@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L
|
||||
|
||||
if (ok <= 0)
|
||||
ossl_provider_free(prov);
|
||||
+ } else {
|
||||
+ ok = 1;
|
||||
}
|
||||
CRYPTO_THREAD_unlock(pcgbl->lock);
|
||||
|
||||
@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
|
||||
+ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
|
||||
+# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf"
|
||||
+
|
||||
+ if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
|
||||
+ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
|
||||
+ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
|
||||
+ NCONF_free(fips_conf);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ NCONF_free(fips_conf);
|
||||
+ } else {
|
||||
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* provider_conf_load can return 1 even when the test is failed so check explicitly */
|
||||
+ if (OSSL_PROVIDER_available(libctx, "fips") != 1)
|
||||
+ return 0;
|
||||
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
||||
+ return 0;
|
||||
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
396
0033-FIPS-embed-hmac.patch
Normal file
396
0033-FIPS-embed-hmac.patch
Normal file
@ -0,0 +1,396 @@
|
||||
From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
||||
Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch
|
||||
|
||||
Patch-name: 0033-FIPS-embed-hmac.patch
|
||||
Patch-id: 33
|
||||
Patch-status: |
|
||||
# # Embed HMAC into the fips.so
|
||||
# Modify fips self test as per
|
||||
# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
|
||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||
---
|
||||
providers/fips/self_test.c | 204 ++++++++++++++++++++++++--
|
||||
test/fipsmodule.cnf | 2 +
|
||||
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
|
||||
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
|
||||
test/recipes/03-test_fipsinstall.t | 2 +-
|
||||
test/recipes/30-test_defltfips.t | 2 +-
|
||||
test/recipes/80-test_ssl_new.t | 2 +-
|
||||
test/recipes/90-test_sslapi.t | 2 +-
|
||||
8 files changed, 200 insertions(+), 18 deletions(-)
|
||||
create mode 100644 test/fipsmodule.cnf
|
||||
|
||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
||||
index b8dc9817b2..28f536d13c 100644
|
||||
--- a/providers/fips/self_test.c
|
||||
+++ b/providers/fips/self_test.c
|
||||
@@ -230,11 +230,133 @@ err:
|
||||
return ok;
|
||||
}
|
||||
|
||||
+#define HMAC_LEN 32
|
||||
+/*
|
||||
+ * The __attribute__ ensures we've created the .rodata1 section
|
||||
+ * static ensures it's zero filled
|
||||
+*/
|
||||
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
|
||||
+
|
||||
/*
|
||||
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
|
||||
* the result matches the expected value.
|
||||
* Return 1 if verified, or 0 if it fails.
|
||||
*/
|
||||
+
|
||||
+#ifndef __USE_GNU
|
||||
+#define __USE_GNU
|
||||
+#include <dlfcn.h>
|
||||
+#undef __USE_GNU
|
||||
+#else
|
||||
+#include <dlfcn.h>
|
||||
+#endif
|
||||
+#include <link.h>
|
||||
+
|
||||
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
|
||||
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
||||
+ unsigned char *expected, size_t expected_len,
|
||||
+ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
||||
+ const char *event_type)
|
||||
+{
|
||||
+ int ret = 0, status;
|
||||
+ unsigned char out[MAX_MD_SIZE];
|
||||
+ unsigned char buf[INTEGRITY_BUF_SIZE];
|
||||
+ size_t bytes_read = 0, out_len = 0;
|
||||
+ EVP_MAC *mac = NULL;
|
||||
+ EVP_MAC_CTX *ctx = NULL;
|
||||
+ OSSL_PARAM params[2], *p = params;
|
||||
+ Dl_info info;
|
||||
+ void *extra_info = NULL;
|
||||
+ struct link_map *lm = NULL;
|
||||
+ unsigned long paddr;
|
||||
+ unsigned long off = 0;
|
||||
+
|
||||
+ if (expected_len != HMAC_LEN)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (!integrity_self_test(ev, libctx))
|
||||
+ goto err;
|
||||
+
|
||||
+ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
||||
+
|
||||
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
||||
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
||||
+ goto err;
|
||||
+ lm = extra_info;
|
||||
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
||||
+
|
||||
+ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
||||
+ if (mac == NULL)
|
||||
+ goto err;
|
||||
+ ctx = EVP_MAC_CTX_new(mac);
|
||||
+ if (ctx == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
|
||||
+ *p = OSSL_PARAM_construct_end();
|
||||
+
|
||||
+ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
||||
+ goto err;
|
||||
+
|
||||
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ break;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ if (off < paddr) {
|
||||
+ int delta = paddr - off;
|
||||
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ /* read away the buffer */
|
||||
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+
|
||||
+ /* check that it is the expect bytes, no point in continuing otherwise */
|
||||
+ if (memcmp(expected, buf, HMAC_LEN) != 0)
|
||||
+ goto err;
|
||||
+
|
||||
+ /* replace in-file HMAC buffer with the original zeros */
|
||||
+ memset(buf, 0, HMAC_LEN);
|
||||
+ if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
|
||||
+ goto err;
|
||||
+ off += HMAC_LEN;
|
||||
+
|
||||
+ while (bytes_read > 0) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ break;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||
+ goto err;
|
||||
+
|
||||
+ OSSL_SELF_TEST_oncorrupt_byte(ev, out);
|
||||
+ if (expected_len != out_len
|
||||
+ || memcmp(expected, out, out_len) != 0)
|
||||
+ goto err;
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ OPENSSL_cleanse(out, MAX_MD_SIZE);
|
||||
+ OSSL_SELF_TEST_onend(ev, ret);
|
||||
+ EVP_MAC_CTX_free(ctx);
|
||||
+ EVP_MAC_free(mac);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
||||
unsigned char *expected, size_t expected_len,
|
||||
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
||||
@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
EVP_MAC *mac = NULL;
|
||||
EVP_MAC_CTX *ctx = NULL;
|
||||
OSSL_PARAM params[2], *p = params;
|
||||
+ Dl_info info;
|
||||
+ void *extra_info = NULL;
|
||||
+ struct link_map *lm = NULL;
|
||||
+ unsigned long paddr;
|
||||
+ unsigned long off = 0;
|
||||
|
||||
if (!integrity_self_test(ev, libctx))
|
||||
goto err;
|
||||
|
||||
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
||||
|
||||
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
||||
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
||||
+ goto err;
|
||||
+ lm = extra_info;
|
||||
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
||||
+
|
||||
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
||||
if (mac == NULL)
|
||||
goto err;
|
||||
@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
||||
goto err;
|
||||
|
||||
- while (1) {
|
||||
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
||||
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
if (status != 1)
|
||||
break;
|
||||
if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
goto err;
|
||||
+ off += bytes_read;
|
||||
}
|
||||
+
|
||||
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
|
||||
+ int delta = paddr - off;
|
||||
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+
|
||||
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
||||
+ memset(buf, 0, HMAC_LEN);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ while (bytes_read > 0) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ break;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||
goto err;
|
||||
|
||||
@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
+ OPENSSL_cleanse(out, sizeof(out));
|
||||
OSSL_SELF_TEST_onend(ev, ret);
|
||||
EVP_MAC_CTX_free(ctx);
|
||||
EVP_MAC_free(mac);
|
||||
@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if (st == NULL
|
||||
- || st->module_checksum_data == NULL) {
|
||||
+ if (st == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
||||
goto end;
|
||||
}
|
||||
@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
if (ev == NULL)
|
||||
goto end;
|
||||
|
||||
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
||||
- &checksum_len);
|
||||
+ if (st->module_checksum_data == NULL) {
|
||||
+ module_checksum = fips_hmac_container;
|
||||
+ checksum_len = sizeof(fips_hmac_container);
|
||||
+ } else {
|
||||
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
||||
+ &checksum_len);
|
||||
+ }
|
||||
+
|
||||
if (module_checksum == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
||||
goto end;
|
||||
@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
|
||||
|
||||
/* Always check the integrity of the fips module */
|
||||
- if (bio_module == NULL
|
||||
- || !verify_integrity(bio_module, st->bio_read_ex_cb,
|
||||
- module_checksum, checksum_len, st->libctx,
|
||||
- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
||||
+ if (bio_module == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
||||
goto end;
|
||||
}
|
||||
-
|
||||
+ if (st->module_checksum_data == NULL) {
|
||||
+ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb,
|
||||
+ module_checksum, checksum_len,
|
||||
+ st->libctx, ev,
|
||||
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!verify_integrity(bio_module, st->bio_read_ex_cb,
|
||||
+ module_checksum, checksum_len,
|
||||
+ st->libctx, ev,
|
||||
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
/* This will be NULL during installation - so the self test KATS will run */
|
||||
if (st->indicator_data != NULL) {
|
||||
/*
|
||||
@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
end:
|
||||
EVP_RAND_free(testrand);
|
||||
OSSL_SELF_TEST_free(ev);
|
||||
- OPENSSL_free(module_checksum);
|
||||
OPENSSL_free(indicator_checksum);
|
||||
|
||||
if (st != NULL) {
|
||||
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
|
||||
new file mode 100644
|
||||
index 0000000000..f05d0dedbe
|
||||
--- /dev/null
|
||||
+++ b/test/fipsmodule.cnf
|
||||
@@ -0,0 +1,2 @@
|
||||
+[fips_sect]
|
||||
+activate = 1
|
||||
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
index 4e3a6d85e8..e8255ba974 100644
|
||||
--- a/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-my $no_check = disabled("fips");
|
||||
+my $no_check = 1;
|
||||
plan skip_all => "FIPS module config file only supported in a fips build"
|
||||
if $no_check;
|
||||
|
||||
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
|
||||
index ce594817d5..00cebacff8 100644
|
||||
--- a/test/recipes/01-test_fipsmodule_cnf.t
|
||||
+++ b/test/recipes/01-test_fipsmodule_cnf.t
|
||||
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-my $no_check = disabled("fips");
|
||||
+my $no_check = 1;
|
||||
plan skip_all => "Test only supported in a fips build"
|
||||
if $no_check;
|
||||
plan tests => 1;
|
||||
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
|
||||
index b8b136d110..8242f4ebc3 100644
|
||||
--- a/test/recipes/03-test_fipsinstall.t
|
||||
+++ b/test/recipes/03-test_fipsinstall.t
|
||||
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
||||
+plan skip_all => "Test only supported in a fips build" if 1;
|
||||
|
||||
# Compatible options for pedantic FIPS compliance
|
||||
my @pedantic_okay =
|
||||
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
|
||||
index c8f145405b..56a2ec5dc4 100644
|
||||
--- a/test/recipes/30-test_defltfips.t
|
||||
+++ b/test/recipes/30-test_defltfips.t
|
||||
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
||||
plan skip_all => "Configuration loading is turned off"
|
||||
if disabled("autoload-config");
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
|
||||
plan tests =>
|
||||
($no_fips ? 1 : 5);
|
||||
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
|
||||
index 195b85ea8c..92d48dbf7d 100644
|
||||
--- a/test/recipes/80-test_ssl_new.t
|
||||
+++ b/test/recipes/80-test_ssl_new.t
|
||||
@@ -27,7 +27,7 @@ setup("test_ssl_new");
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
|
||||
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
||||
|
||||
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
|
||||
index 18d9f3d204..71780d8caa 100644
|
||||
--- a/test/recipes/90-test_sslapi.t
|
||||
+++ b/test/recipes/90-test_sslapi.t
|
||||
@@ -17,7 +17,7 @@ setup("test_sslapi");
|
||||
setup("test_sslapi");
|
||||
}
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
my $fipsmodcfg_filename = "fipsmodule.cnf";
|
||||
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
473
0034.fipsinstall_disable.patch
Normal file
473
0034.fipsinstall_disable.patch
Normal file
@ -0,0 +1,473 @@
|
||||
From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch
|
||||
|
||||
Patch-name: 0034.fipsinstall_disable.patch
|
||||
Patch-id: 34
|
||||
Patch-status: |
|
||||
# Comment out fipsinstall command-line utility
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
apps/fipsinstall.c | 3 +
|
||||
doc/man1/openssl-fipsinstall.pod.in | 272 +---------------------------
|
||||
doc/man1/openssl.pod | 4 -
|
||||
doc/man5/config.pod | 1 -
|
||||
doc/man5/fips_config.pod | 104 +----------
|
||||
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
|
||||
6 files changed, 10 insertions(+), 375 deletions(-)
|
||||
|
||||
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
|
||||
index e1ef645b60..db92cb5fb2 100644
|
||||
--- a/apps/fipsinstall.c
|
||||
+++ b/apps/fipsinstall.c
|
||||
@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv)
|
||||
EVP_MAC *mac = NULL;
|
||||
CONF *conf = NULL;
|
||||
|
||||
+ BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
|
||||
+ return 1;
|
||||
+
|
||||
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||
goto end;
|
||||
|
||||
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
|
||||
index b1768b7f91..b6b00e27d8 100644
|
||||
--- a/doc/man1/openssl-fipsinstall.pod.in
|
||||
+++ b/doc/man1/openssl-fipsinstall.pod.in
|
||||
@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<openssl fipsinstall>
|
||||
-[B<-help>]
|
||||
-[B<-in> I<configfilename>]
|
||||
-[B<-out> I<configfilename>]
|
||||
-[B<-module> I<modulefilename>]
|
||||
-[B<-provider_name> I<providername>]
|
||||
-[B<-section_name> I<sectionname>]
|
||||
-[B<-verify>]
|
||||
-[B<-mac_name> I<macname>]
|
||||
-[B<-macopt> I<nm>:I<v>]
|
||||
-[B<-noout>]
|
||||
-[B<-quiet>]
|
||||
-[B<-pedantic>]
|
||||
-[B<-no_conditional_errors>]
|
||||
-[B<-no_security_checks>]
|
||||
-[B<-ems_check>]
|
||||
-[B<-no_drbg_truncated_digests>]
|
||||
-[B<-self_test_onload>]
|
||||
-[B<-self_test_oninstall>]
|
||||
-[B<-corrupt_desc> I<selftest_description>]
|
||||
-[B<-corrupt_type> I<selftest_type>]
|
||||
-[B<-config> I<parent_config>]
|
||||
-
|
||||
-=head1 DESCRIPTION
|
||||
-
|
||||
-This command is used to generate a FIPS module configuration file.
|
||||
-This configuration file can be used each time a FIPS module is loaded
|
||||
-in order to pass data to the FIPS module self tests. The FIPS module always
|
||||
-verifies its MAC, but optionally only needs to run the KAT's once,
|
||||
-at installation.
|
||||
-
|
||||
-The generated configuration file consists of:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item - A MAC of the FIPS module file.
|
||||
-
|
||||
-=item - A test status indicator.
|
||||
-
|
||||
-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
|
||||
-
|
||||
-=item - A MAC of the status indicator.
|
||||
-
|
||||
-=item - A control for conditional self tests errors.
|
||||
-
|
||||
-By default if a continuous test (e.g a key pair test) fails then the FIPS module
|
||||
-will enter an error state, and no services or cryptographic algorithms will be
|
||||
-able to be accessed after this point.
|
||||
-The default value of '1' will cause the fips module error state to be entered.
|
||||
-If the value is '0' then the module error state will not be entered.
|
||||
-Regardless of whether the error state is entered or not, the current operation
|
||||
-(e.g. key generation) will return an error. The user is responsible for retrying
|
||||
-the operation if the module error state is not entered.
|
||||
-
|
||||
-=item - A control to indicate whether run-time security checks are done.
|
||||
-
|
||||
-This indicates if run-time checks related to enforcement of security parameters
|
||||
-such as minimum security strength of keys and approved curve names are used.
|
||||
-The default value of '1' will perform the checks.
|
||||
-If the value is '0' the checks are not performed and FIPS compliance must
|
||||
-be done by procedures documented in the relevant Security Policy.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-This file is described in L<fips_config(5)>.
|
||||
-
|
||||
-=head1 OPTIONS
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<-help>
|
||||
-
|
||||
-Print a usage message.
|
||||
-
|
||||
-=item B<-module> I<filename>
|
||||
-
|
||||
-Filename of the FIPS module to perform an integrity check on.
|
||||
-The path provided in the filename is used to load the module when it is
|
||||
-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
|
||||
-
|
||||
-=item B<-out> I<configfilename>
|
||||
-
|
||||
-Filename to output the configuration data to; the default is standard output.
|
||||
-
|
||||
-=item B<-in> I<configfilename>
|
||||
-
|
||||
-Input filename to load configuration data from.
|
||||
-Must be used if the B<-verify> option is specified.
|
||||
-
|
||||
-=item B<-verify>
|
||||
-
|
||||
-Verify that the input configuration file contains the correct information.
|
||||
-
|
||||
-=item B<-provider_name> I<providername>
|
||||
-
|
||||
-Name of the provider inside the configuration file.
|
||||
-The default value is C<fips>.
|
||||
-
|
||||
-=item B<-section_name> I<sectionname>
|
||||
-
|
||||
-Name of the section inside the configuration file.
|
||||
-The default value is C<fips_sect>.
|
||||
-
|
||||
-=item B<-mac_name> I<name>
|
||||
-
|
||||
-Specifies the name of a supported MAC algorithm which will be used.
|
||||
-The MAC mechanisms that are available will depend on the options
|
||||
-used when building OpenSSL.
|
||||
-To see the list of supported MAC's use the command
|
||||
-C<openssl list -mac-algorithms>. The default is B<HMAC>.
|
||||
-
|
||||
-=item B<-macopt> I<nm>:I<v>
|
||||
-
|
||||
-Passes options to the MAC algorithm.
|
||||
-A comprehensive list of controls can be found in the EVP_MAC implementation
|
||||
-documentation.
|
||||
-Common control strings used for this command are:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<key>:I<string>
|
||||
-
|
||||
-Specifies the MAC key as an alphanumeric string (use if the key contains
|
||||
-printable characters only).
|
||||
-The string length must conform to any restrictions of the MAC algorithm.
|
||||
-A key must be specified for every MAC algorithm.
|
||||
-If no key is provided, the default that was specified when OpenSSL was
|
||||
-configured is used.
|
||||
-
|
||||
-=item B<hexkey>:I<string>
|
||||
-
|
||||
-Specifies the MAC key in hexadecimal form (two hex digits per byte).
|
||||
-The key length must conform to any restrictions of the MAC algorithm.
|
||||
-A key must be specified for every MAC algorithm.
|
||||
-If no key is provided, the default that was specified when OpenSSL was
|
||||
-configured is used.
|
||||
-
|
||||
-=item B<digest>:I<string>
|
||||
-
|
||||
-Used by HMAC as an alphanumeric string (use if the key contains printable
|
||||
-characters only).
|
||||
-The string length must conform to any restrictions of the MAC algorithm.
|
||||
-To see the list of supported digests, use the command
|
||||
-C<openssl list -digest-commands>.
|
||||
-The default digest is SHA-256.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-=item B<-noout>
|
||||
-
|
||||
-Disable logging of the self tests.
|
||||
-
|
||||
-=item B<-pedantic>
|
||||
-
|
||||
-Configure the module so that it is strictly FIPS compliant rather
|
||||
-than being backwards compatible. This enables conditional errors,
|
||||
-security checks etc. Note that any previous configuration options will
|
||||
-be overwritten and any subsequent configuration options that violate
|
||||
-FIPS compliance will result in an error.
|
||||
-
|
||||
-=item B<-no_conditional_errors>
|
||||
-
|
||||
-Configure the module to not enter an error state if a conditional self test
|
||||
-fails as described above.
|
||||
-
|
||||
-=item B<-no_security_checks>
|
||||
-
|
||||
-Configure the module to not perform run-time security checks as described above.
|
||||
-
|
||||
-Enabling the configuration option "no-fips-securitychecks" provides another way to
|
||||
-turn off the check at compile time.
|
||||
-
|
||||
-=item B<-ems_check>
|
||||
-
|
||||
-Configure the module to enable a run-time Extended Master Secret (EMS) check
|
||||
-when using the TLS1_PRF KDF algorithm. This check is disabled by default.
|
||||
-See RFC 7627 for information related to EMS.
|
||||
-
|
||||
-=item B<-no_drbg_truncated_digests>
|
||||
-
|
||||
-Configure the module to not allow truncated digests to be used with Hash and
|
||||
-HMAC DRBGs. See FIPS 140-3 IG D.R for details.
|
||||
-
|
||||
-=item B<-self_test_onload>
|
||||
-
|
||||
-Do not write the two fields related to the "test status indicator" and
|
||||
-"MAC status indicator" to the output configuration file. Without these fields
|
||||
-the self tests KATS will run each time the module is loaded. This option could be
|
||||
-used for cross compiling, since the self tests need to run at least once on each
|
||||
-target machine. Once the self tests have run on the target machine the user
|
||||
-could possibly then add the 2 fields into the configuration using some other
|
||||
-mechanism.
|
||||
-
|
||||
-This is the default.
|
||||
-
|
||||
-=item B<-self_test_oninstall>
|
||||
-
|
||||
-The converse of B<-self_test_oninstall>. The two fields related to the
|
||||
-"test status indicator" and "MAC status indicator" are written to the
|
||||
-output configuration file.
|
||||
-
|
||||
-=item B<-quiet>
|
||||
-
|
||||
-Do not output pass/fail messages. Implies B<-noout>.
|
||||
-
|
||||
-=item B<-corrupt_desc> I<selftest_description>,
|
||||
-B<-corrupt_type> I<selftest_type>
|
||||
-
|
||||
-The corrupt options can be used to test failure of one or more self tests by
|
||||
-name.
|
||||
-Either option or both may be used to select the tests to corrupt.
|
||||
-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
|
||||
-values that can be used.
|
||||
-
|
||||
-=item B<-config> I<parent_config>
|
||||
-
|
||||
-Test that a FIPS provider can be loaded from the specified configuration file.
|
||||
-A previous call to this application needs to generate the extra configuration
|
||||
-data that is included by the base C<parent_config> configuration file.
|
||||
-See L<config(5)> for further information on how to set up a provider section.
|
||||
-All other options are ignored if '-config' is used.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-=head1 NOTES
|
||||
-
|
||||
-Self tests results are logged by default if the options B<-quiet> and B<-noout>
|
||||
-are not specified, or if either of the options B<-corrupt_desc> or
|
||||
-B<-corrupt_type> are used.
|
||||
-If the base configuration file is set up to autoload the fips module, then the
|
||||
-fips module will be loaded and self tested BEFORE the fipsinstall application
|
||||
-has a chance to set up its own self test callback. As a result of this the self
|
||||
-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
|
||||
-For normal usage the base configuration file should use the default provider
|
||||
-when generating the fips configuration file.
|
||||
-
|
||||
-The B<-self_test_oninstall> option was added and the
|
||||
-B<-self_test_onload> option was made the default in OpenSSL 3.1.
|
||||
-
|
||||
-The command and all remaining options were added in OpenSSL 3.0.
|
||||
-
|
||||
-=head1 EXAMPLES
|
||||
-
|
||||
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
|
||||
-for the module, and save the F<fips.cnf> configuration file:
|
||||
-
|
||||
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
|
||||
-
|
||||
-Verify that the configuration file F<fips.cnf> contains the correct info:
|
||||
-
|
||||
- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
|
||||
-
|
||||
-Corrupt any self tests which have the description C<SHA1>:
|
||||
-
|
||||
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
|
||||
- -corrupt_desc 'SHA1'
|
||||
-
|
||||
-Validate that the fips module can be loaded from a base configuration file:
|
||||
-
|
||||
- export OPENSSL_CONF_INCLUDE=<path of configuration files>
|
||||
- export OPENSSL_MODULES=<provider-path>
|
||||
- openssl fipsinstall -config' 'default.cnf'
|
||||
-
|
||||
-
|
||||
-=head1 SEE ALSO
|
||||
-
|
||||
-L<config(5)>,
|
||||
-L<fips_config(5)>,
|
||||
-L<OSSL_PROVIDER-FIPS(7)>,
|
||||
-L<EVP_MAC(3)>
|
||||
+This command is disabled.
|
||||
+Please consult Red Hat Enterprise Linux documentation to learn how to correctly
|
||||
+enable FIPS mode on Red Hat Enterprise
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
|
||||
index d9c22a580f..d5ec3b9a6a 100644
|
||||
--- a/doc/man1/openssl.pod
|
||||
+++ b/doc/man1/openssl.pod
|
||||
@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation.
|
||||
|
||||
Error Number to Error String Conversion.
|
||||
|
||||
-=item B<fipsinstall>
|
||||
-
|
||||
-FIPS configuration installation.
|
||||
-
|
||||
=item B<gendsa>
|
||||
|
||||
Generation of DSA Private Key from Parameters. Superseded by
|
||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||
index 714a10437b..bd05736220 100644
|
||||
--- a/doc/man5/config.pod
|
||||
+++ b/doc/man5/config.pod
|
||||
@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified.
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<ASN1_generate_nconf(3)>,
|
||||
L<EVP_set_default_properties(3)>,
|
||||
L<CONF_modules_load(3)>,
|
||||
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
|
||||
index 2255464304..1c15e32a5c 100644
|
||||
--- a/doc/man5/fips_config.pod
|
||||
+++ b/doc/man5/fips_config.pod
|
||||
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
|
||||
-is used to hold information about the FIPS module. This includes a digest
|
||||
-of the shared library file, and status about the self-testing.
|
||||
-This data is used automatically by the module itself for two
|
||||
-purposes:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item - Run the startup FIPS self-test known answer tests (KATS).
|
||||
-
|
||||
-This is normally done once, at installation time, but may also be set up to
|
||||
-run each time the module is used.
|
||||
-
|
||||
-=item - Verify the module's checksum.
|
||||
-
|
||||
-This is done each time the module is used.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-This file is generated by the L<openssl-fipsinstall(1)> program, and
|
||||
-used internally by the FIPS module during its initialization.
|
||||
-
|
||||
-The following options are supported. They should all appear in a section
|
||||
-whose name is identified by the B<fips> option in the B<providers>
|
||||
-section, as described in L<config(5)/Provider Configuration Module>.
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<activate>
|
||||
-
|
||||
-If present, the module is activated. The value assigned to this name is not
|
||||
-significant.
|
||||
-
|
||||
-=item B<install-version>
|
||||
-
|
||||
-A version number for the fips install process. Should be 1.
|
||||
-
|
||||
-=item B<conditional-errors>
|
||||
-
|
||||
-The FIPS module normally enters an internal error mode if any self test fails.
|
||||
-Once this error mode is active, no services or cryptographic algorithms are
|
||||
-accessible from this point on.
|
||||
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
|
||||
-generation, or the CRNG output test).
|
||||
-Setting this value to C<0> allows the error mode to not be triggered if any
|
||||
-continuous test fails. The default value of C<1> will trigger the error mode.
|
||||
-Regardless of the value, the operation (e.g., key generation) that called the
|
||||
-continuous test will return an error code if its continuous test fails. The
|
||||
-operation may then be retried if the error mode has not been triggered.
|
||||
-
|
||||
-=item B<security-checks>
|
||||
-
|
||||
-This indicates if run-time checks related to enforcement of security parameters
|
||||
-such as minimum security strength of keys and approved curve names are used.
|
||||
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
|
||||
-are not performed and FIPS compliance must be done by procedures documented in
|
||||
-the relevant Security Policy.
|
||||
-
|
||||
-=item B<module-mac>
|
||||
-
|
||||
-The calculated MAC of the FIPS provider file.
|
||||
-
|
||||
-=item B<install-status>
|
||||
-
|
||||
-An indicator that the self-tests were successfully run.
|
||||
-This should only be written after the module has
|
||||
-successfully passed its self tests during installation.
|
||||
-If this field is not present, then the self tests will run when the module
|
||||
-loads.
|
||||
-
|
||||
-=item B<install-mac>
|
||||
-
|
||||
-A MAC of the value of the B<install-status> option, to prevent accidental
|
||||
-changes to that value.
|
||||
-It is written-to at the same time as B<install-status> is updated.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-For example:
|
||||
-
|
||||
- [fips_sect]
|
||||
- activate = 1
|
||||
- install-version = 1
|
||||
- conditional-errors = 1
|
||||
- security-checks = 1
|
||||
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
|
||||
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
|
||||
- install-status = INSTALL_SELF_TEST_KATS_RUN
|
||||
-
|
||||
-=head1 NOTES
|
||||
-
|
||||
-When using the FIPS provider, it is recommended that the
|
||||
-B<config_diagnostics> option is enabled to prevent accidental use of
|
||||
-non-FIPS validated algorithms via broken or mistaken configuration.
|
||||
-See L<config(5)>.
|
||||
-
|
||||
-=head1 SEE ALSO
|
||||
-
|
||||
-L<config(5)>
|
||||
-L<openssl-fipsinstall(1)>
|
||||
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
|
||||
+automatically loaded when the system is booted in FIPS mode, or when the
|
||||
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
||||
+for more information.
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
index 4f908888ba..ef00247770 100644
|
||||
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are:
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<fips_config(5)>,
|
||||
L<OSSL_SELF_TEST_set_callback(3)>,
|
||||
L<OSSL_SELF_TEST_new(3)>,
|
||||
--
|
||||
2.41.0
|
||||
|
31
0035-speed-skip-unavailable-dgst.patch
Normal file
31
0035-speed-skip-unavailable-dgst.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 213f38dc580d39f2cb46592b5e6db585fc6a650f Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 19/35] 0035-speed-skip-unavailable-dgst.patch
|
||||
|
||||
Patch-name: 0035-speed-skip-unavailable-dgst.patch
|
||||
Patch-id: 35
|
||||
Patch-status: |
|
||||
# Skip unavailable algorithms running `openssl speed`
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
apps/speed.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/apps/speed.c b/apps/speed.c
|
||||
index d527f12f18..2ff3eb53bd 100644
|
||||
--- a/apps/speed.c
|
||||
+++ b/apps/speed.c
|
||||
@@ -610,6 +610,9 @@ static int EVP_MAC_loop(int algindex, void *args)
|
||||
for (count = 0; COND(c[algindex][testnum]); count++) {
|
||||
size_t outl;
|
||||
|
||||
+ if (mctx == NULL)
|
||||
+ return -1;
|
||||
+
|
||||
if (!EVP_MAC_init(mctx, NULL, 0, NULL)
|
||||
|| !EVP_MAC_update(mctx, buf, lengths[testnum])
|
||||
|| !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
|
||||
--
|
||||
2.41.0
|
||||
|
404
0044-FIPS-140-3-keychecks.patch
Normal file
404
0044-FIPS-140-3-keychecks.patch
Normal file
@ -0,0 +1,404 @@
|
||||
From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 12:05:23 +0200
|
||||
Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch
|
||||
|
||||
Patch-name: 0044-FIPS-140-3-keychecks.patch
|
||||
Patch-id: 44
|
||||
Patch-status: |
|
||||
# Extra public/private key checks required by FIPS-140-3
|
||||
---
|
||||
crypto/dh/dh_key.c | 26 ++++++++++
|
||||
.../implementations/exchange/ecdh_exch.c | 19 ++++++++
|
||||
providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++-
|
||||
providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
|
||||
.../implementations/signature/ecdsa_sig.c | 37 +++++++++++++--
|
||||
providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
|
||||
6 files changed, 162 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||
index 4e9705beef..83773cceea 100644
|
||||
--- a/crypto/dh/dh_key.c
|
||||
+++ b/crypto/dh/dh_key.c
|
||||
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
BN_MONT_CTX *mont = NULL;
|
||||
BIGNUM *z = NULL, *pminus1;
|
||||
int ret = -1;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int validate = 0;
|
||||
+#endif
|
||||
|
||||
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
ctx = BN_CTX_new_ex(dh->libctx);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -262,6 +272,9 @@ static int generate_key(DH *dh)
|
||||
#endif
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *pub_key = NULL, *priv_key = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int validate = 0;
|
||||
+#endif
|
||||
|
||||
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
|
||||
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
|
||||
goto err;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
|
||||
+ goto err;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
dh->pub_key = pub_key;
|
||||
dh->priv_key = priv_key;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (ossl_dh_check_pairwise(dh) <= 0) {
|
||||
+ abort();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
dh->dirty_cnt++;
|
||||
ok = 1;
|
||||
err:
|
||||
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
|
||||
index 43caedb6df..73873f9758 100644
|
||||
--- a/providers/implementations/exchange/ecdh_exch.c
|
||||
+++ b/providers/implementations/exchange/ecdh_exch.c
|
||||
@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
|
||||
}
|
||||
|
||||
ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ {
|
||||
+ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
|
||||
+ int check = 0;
|
||||
+
|
||||
+ if (bn_ctx == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
|
||||
+ BN_CTX_free(bn_ctx);
|
||||
+
|
||||
+ if (check <= 0) {
|
||||
+ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
|
||||
|
||||
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
index a37cbbdba8..bca3f3c674 100644
|
||||
--- a/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
@@ -989,8 +989,17 @@ struct ec_gen_ctx {
|
||||
EC_GROUP *gen_group;
|
||||
unsigned char *dhkem_ikm;
|
||||
size_t dhkem_ikmlen;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ void *ecdsa_sig_ctx;
|
||||
+#endif
|
||||
};
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+void *ecdsa_newctx(void *provctx, const char *propq);
|
||||
+void ecdsa_freectx(void *vctx);
|
||||
+int do_ec_pct(void *, const char *, void *);
|
||||
+#endif
|
||||
+
|
||||
static void *ec_gen_init(void *provctx, int selection,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection,
|
||||
gctx = NULL;
|
||||
}
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (gctx != NULL)
|
||||
+ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
|
||||
+#endif
|
||||
return gctx;
|
||||
}
|
||||
|
||||
@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
||||
|
||||
if (gctx->ecdh_mode != -1)
|
||||
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Pairwise consistency test */
|
||||
+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
|
||||
+ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
|
||||
+ abort();
|
||||
+#endif
|
||||
|
||||
if (gctx->group_check != NULL)
|
||||
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
|
||||
@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx)
|
||||
|
||||
if (gctx == NULL)
|
||||
return;
|
||||
-
|
||||
+#ifdef FIPS_MODULE
|
||||
+ ecdsa_freectx(gctx->ecdsa_sig_ctx);
|
||||
+ gctx->ecdsa_sig_ctx = NULL;
|
||||
+#endif
|
||||
OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen);
|
||||
EC_GROUP_free(gctx->gen_group);
|
||||
BN_free(gctx->p);
|
||||
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
|
||||
index 3ba12c4889..ff49f8fcd8 100644
|
||||
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
|
||||
@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
|
||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
||||
/* ACVP test parameters */
|
||||
OSSL_PARAM *acvp_test_params;
|
||||
+ void *prov_rsa_ctx;
|
||||
#endif
|
||||
};
|
||||
|
||||
@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
|
||||
return gctx->cb(params, gctx->cbarg);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+void *rsa_newctx(void *provctx, const char *propq);
|
||||
+void rsa_freectx(void *vctx);
|
||||
+int do_rsa_pct(void *, const char *, void *);
|
||||
+#endif
|
||||
+
|
||||
static void *gen_init(void *provctx, int selection, int rsa_type,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
|
||||
|
||||
if (!rsa_gen_set_params(gctx, params))
|
||||
goto err;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (gctx != NULL)
|
||||
+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
|
||||
+#endif
|
||||
return gctx;
|
||||
|
||||
err:
|
||||
@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
||||
|
||||
rsa = rsa_tmp;
|
||||
rsa_tmp = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Pairwise consistency test */
|
||||
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
|
||||
+ abort();
|
||||
+#endif
|
||||
err:
|
||||
BN_GENCB_free(gencb);
|
||||
RSA_free(rsa_tmp);
|
||||
@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx)
|
||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
||||
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
|
||||
gctx->acvp_test_params = NULL;
|
||||
+ rsa_freectx(gctx->prov_rsa_ctx);
|
||||
+ gctx->prov_rsa_ctx = NULL;
|
||||
#endif
|
||||
BN_clear_free(gctx->pub_exp);
|
||||
OPENSSL_free(gctx);
|
||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||
index 865d49d100..ebeb30e002 100644
|
||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||
@@ -32,7 +32,7 @@
|
||||
#include "crypto/ec.h"
|
||||
#include "prov/der_ec.h"
|
||||
|
||||
-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
|
||||
+OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
|
||||
static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
|
||||
static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
|
||||
static OSSL_FUNC_signature_sign_fn ecdsa_sign;
|
||||
@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
|
||||
static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
|
||||
static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
|
||||
static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
|
||||
-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
|
||||
+OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
|
||||
static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
|
||||
static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
|
||||
static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
|
||||
@@ -104,7 +104,7 @@ typedef struct {
|
||||
unsigned int nonce_type;
|
||||
} PROV_ECDSA_CTX;
|
||||
|
||||
-static void *ecdsa_newctx(void *provctx, const char *propq)
|
||||
+void *ecdsa_newctx(void *provctx, const char *propq)
|
||||
{
|
||||
PROV_ECDSA_CTX *ctx;
|
||||
|
||||
@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
|
||||
return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
|
||||
}
|
||||
|
||||
-static void ecdsa_freectx(void *vctx)
|
||||
+void ecdsa_freectx(void *vctx)
|
||||
{
|
||||
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
|
||||
|
||||
@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
|
||||
return EVP_MD_settable_ctx_params(ctx->md);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+int do_ec_pct(void *vctx, const char *mdname, void *ec)
|
||||
+{
|
||||
+ static const unsigned char data[32];
|
||||
+ unsigned char sigbuf[256];
|
||||
+ size_t siglen = sizeof(sigbuf);
|
||||
+
|
||||
+ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
|
||||
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
|
||||
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index cd5de6bd51..d4261e8f7d 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -34,7 +34,7 @@
|
||||
|
||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
||||
|
||||
-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
||||
+OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
||||
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
||||
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
|
||||
static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
|
||||
@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
|
||||
static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
|
||||
static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
|
||||
static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
|
||||
-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
|
||||
+OSSL_FUNC_signature_freectx_fn rsa_freectx;
|
||||
static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
|
||||
static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
|
||||
static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
|
||||
@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
|
||||
return 1;
|
||||
}
|
||||
|
||||
-static void *rsa_newctx(void *provctx, const char *propq)
|
||||
+void *rsa_newctx(void *provctx, const char *propq)
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = NULL;
|
||||
char *propq_copy = NULL;
|
||||
@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
|
||||
return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
|
||||
}
|
||||
|
||||
-static void rsa_freectx(void *vprsactx)
|
||||
+void rsa_freectx(void *vprsactx)
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
|
||||
@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
|
||||
return EVP_MD_settable_ctx_params(prsactx->md);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
|
||||
+{
|
||||
+ static const unsigned char data[32];
|
||||
+ unsigned char *sigbuf = NULL;
|
||||
+ size_t siglen = 0;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
|
||||
+ goto err;
|
||||
+ ret = 1;
|
||||
+
|
||||
+ err:
|
||||
+ OPENSSL_free(sigbuf);
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
|
||||
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
|
||||
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
|
||||
--
|
||||
2.41.0
|
||||
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
|
||||
index e0d139d..35f23b2 100644
|
||||
--- a/crypto/rsa/rsa_gen.c
|
||||
+++ b/crypto/rsa/rsa_gen.c
|
||||
@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
|
||||
rsa->dmp1 = NULL;
|
||||
rsa->dmq1 = NULL;
|
||||
rsa->iqmp = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ abort();
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
}
|
||||
}
|
||||
return ok;
|
||||
--
|
||||
2.41.0
|
||||
|
792
0045-FIPS-services-minimize.patch
Normal file
792
0045-FIPS-services-minimize.patch
Normal file
@ -0,0 +1,792 @@
|
||||
From a9dc983f82cabe29d6b48f3af3e30e26074ce5cf Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 12:55:57 +0200
|
||||
Subject: [PATCH 21/48] 0045-FIPS-services-minimize.patch
|
||||
|
||||
Patch-name: 0045-FIPS-services-minimize.patch
|
||||
Patch-id: 45
|
||||
Patch-status: |
|
||||
# Minimize fips services
|
||||
---
|
||||
apps/ecparam.c | 7 +++
|
||||
apps/req.c | 2 +-
|
||||
providers/common/capabilities.c | 2 +-
|
||||
providers/fips/fipsprov.c | 44 +++++++++++--------
|
||||
providers/fips/self_test_data.inc | 9 +++-
|
||||
providers/implementations/signature/rsa_sig.c | 26 +++++++++++
|
||||
ssl/ssl_ciph.c | 3 ++
|
||||
test/acvp_test.c | 2 +
|
||||
test/endecode_test.c | 4 ++
|
||||
test/evp_libctx_test.c | 9 +++-
|
||||
test/recipes/15-test_gendsa.t | 2 +-
|
||||
test/recipes/20-test_cli_fips.t | 3 +-
|
||||
test/recipes/30-test_evp.t | 16 +++----
|
||||
.../30-test_evp_data/evpmac_common.txt | 22 ++++++++++
|
||||
test/recipes/80-test_cms.t | 22 +++++-----
|
||||
test/recipes/80-test_ssl_old.t | 2 +-
|
||||
16 files changed, 128 insertions(+), 47 deletions(-)
|
||||
|
||||
diff --git a/apps/ecparam.c b/apps/ecparam.c
|
||||
index 9e9ad13683..9c66cf2434 100644
|
||||
--- a/apps/ecparam.c
|
||||
+++ b/apps/ecparam.c
|
||||
@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
|
||||
const char *comment = curves[n].comment;
|
||||
const char *sname = OBJ_nid2sn(curves[n].nid);
|
||||
|
||||
+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
|
||||
+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
|
||||
+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
|
||||
+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
|
||||
+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
|
||||
+ continue;
|
||||
+
|
||||
if (comment == NULL)
|
||||
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
||||
if (sname == NULL)
|
||||
diff --git a/apps/req.c b/apps/req.c
|
||||
index 23757044ab..5916914978 100644
|
||||
--- a/apps/req.c
|
||||
+++ b/apps/req.c
|
||||
@@ -266,7 +266,7 @@ int req_main(int argc, char **argv)
|
||||
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
|
||||
|
||||
#ifndef OPENSSL_NO_DES
|
||||
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||
+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
|
||||
#endif
|
||||
|
||||
opt_set_unknown_name("digest");
|
||||
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
|
||||
index ed37e76969..eb836dfa6a 100644
|
||||
--- a/providers/common/capabilities.c
|
||||
+++ b/providers/common/capabilities.c
|
||||
@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list[][10] = {
|
||||
TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
|
||||
TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
|
||||
TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
|
||||
-# endif
|
||||
TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
|
||||
TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
|
||||
+# endif
|
||||
# ifndef FIPS_MODULE
|
||||
TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
|
||||
TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
|
||||
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
||||
index 518226dfc6..29438faea8 100644
|
||||
--- a/providers/fips/fipsprov.c
|
||||
+++ b/providers/fips/fipsprov.c
|
||||
@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
|
||||
OSSL_LIB_CTX_FIPS_PROV_INDEX);
|
||||
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
|
||||
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
|
||||
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
|
||||
return 0;
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
|
||||
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
|
||||
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
||||
return 0;
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
|
||||
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
|
||||
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
||||
return 0;
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
|
||||
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
|
||||
@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
|
||||
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
||||
* KMAC128 and KMAC256.
|
||||
*/
|
||||
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
||||
+ /* We don't certify KECCAK in our FIPS provider */
|
||||
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
||||
ossl_keccak_kmac_128_functions },
|
||||
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
|
||||
- ossl_keccak_kmac_256_functions },
|
||||
+ ossl_keccak_kmac_256_functions }, */
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
|
||||
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
|
||||
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
||||
#ifndef OPENSSL_NO_DES
|
||||
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
||||
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
||||
+ /* We don't certify 3DES in our FIPS provider */
|
||||
+ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
||||
+ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
|
||||
#endif /* OPENSSL_NO_DES */
|
||||
{ { NULL, NULL, NULL }, NULL }
|
||||
};
|
||||
@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
|
||||
#endif
|
||||
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
|
||||
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
|
||||
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
||||
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
|
||||
+ /* We don't certify KMAC in our FIPS provider */
|
||||
+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
||||
+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
@@ -409,8 +412,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
|
||||
#ifndef OPENSSL_NO_EC
|
||||
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
|
||||
# ifndef OPENSSL_NO_ECX
|
||||
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
||||
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
|
||||
+ /* We don't certify Edwards curves in our FIPS provider */
|
||||
+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
||||
+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
|
||||
# endif
|
||||
#endif
|
||||
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
|
||||
@@ -456,8 +462,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
|
||||
PROV_DESCS_DHX },
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
||||
- PROV_DESCS_DSA },
|
||||
+ /* We don't certify DSA in our FIPS provider */
|
||||
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
||||
+ PROV_DESCS_DSA }, */
|
||||
#endif
|
||||
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
|
||||
PROV_DESCS_RSA },
|
||||
@@ -466,14 +473,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
|
||||
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
|
||||
PROV_DESCS_EC },
|
||||
# ifndef OPENSSL_NO_ECX
|
||||
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
||||
+ /* We don't certify Edwards curves in our FIPS provider */
|
||||
+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
||||
PROV_DESCS_X25519 },
|
||||
{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
|
||||
PROV_DESCS_X448 },
|
||||
{ PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
|
||||
PROV_DESCS_ED25519 },
|
||||
{ PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
|
||||
- PROV_DESCS_ED448 },
|
||||
+ PROV_DESCS_ED448 }, */
|
||||
# endif
|
||||
#endif
|
||||
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index 2057378d3d..4b80bb70b9 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
+++ b/providers/fips/self_test_data.inc
|
||||
@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
|
||||
/*- CIPHER TEST DATA */
|
||||
|
||||
/* DES3 test data */
|
||||
+#if 0
|
||||
static const unsigned char des_ede3_cbc_pt[] = {
|
||||
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
|
||||
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
|
||||
@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
|
||||
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
|
||||
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
|
||||
};
|
||||
-
|
||||
+#endif
|
||||
/* AES-256 GCM test data */
|
||||
static const unsigned char aes_256_gcm_key[] = {
|
||||
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
|
||||
@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = {
|
||||
# endif /* OPENSSL_NO_EC2M */
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
|
||||
-#ifndef OPENSSL_NO_DSA
|
||||
/* dsa 2048 */
|
||||
+#if 0
|
||||
+#ifndef OPENSSL_NO_DSA
|
||||
static const unsigned char dsa_p[] = {
|
||||
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
|
||||
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
|
||||
@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
|
||||
ST_KAT_PARAM_END()
|
||||
};
|
||||
#endif /* OPENSSL_NO_DSA */
|
||||
+#endif
|
||||
|
||||
/* Hash DRBG inputs for signature KATs */
|
||||
static const unsigned char sig_kat_entropyin[] = {
|
||||
@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
|
||||
},
|
||||
# endif
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
+#if 0
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
{
|
||||
OSSL_SELF_TEST_DESC_SIGN_DSA,
|
||||
@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
|
||||
ITM(dsa_expected_sig)
|
||||
},
|
||||
#endif /* OPENSSL_NO_DSA */
|
||||
+#endif
|
||||
};
|
||||
|
||||
static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index d4261e8f7d..2a5504d104 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -689,6 +689,19 @@ static int rsa_verify_recover(void *vprsactx,
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
int ret;
|
||||
+# ifdef FIPS_MODULE
|
||||
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
||||
+
|
||||
+ if (rsabits < 2048) {
|
||||
+ if (rsabits != 1024
|
||||
+ && rsabits != 1280
|
||||
+ && rsabits != 1536
|
||||
+ && rsabits != 1792) {
|
||||
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+# endif
|
||||
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
@@ -777,6 +790,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
size_t rslen;
|
||||
+# ifdef FIPS_MODULE
|
||||
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
||||
+
|
||||
+ if (rsabits < 2048) {
|
||||
+ if (rsabits != 1024
|
||||
+ && rsabits != 1280
|
||||
+ && rsabits != 1536
|
||||
+ && rsabits != 1792) {
|
||||
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+# endif
|
||||
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index a5e60e8839..f9af07d12b 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
|
||||
ctx->disabled_mkey_mask = 0;
|
||||
ctx->disabled_auth_mask = 0;
|
||||
|
||||
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
|
||||
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
|
||||
+
|
||||
/*
|
||||
* We ignore any errors from the fetches below. They are expected to fail
|
||||
* if these algorithms are not available.
|
||||
diff --git a/test/acvp_test.c b/test/acvp_test.c
|
||||
index fee880d441..13d7a0ea8b 100644
|
||||
--- a/test/acvp_test.c
|
||||
+++ b/test/acvp_test.c
|
||||
@@ -1476,6 +1476,7 @@ int setup_tests(void)
|
||||
OSSL_NELEM(dh_safe_prime_keyver_data));
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
|
||||
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
|
||||
@@ -1483,6 +1484,7 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
|
||||
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
|
||||
#endif /* OPENSSL_NO_DSA */
|
||||
+#endif
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
|
||||
diff --git a/test/endecode_test.c b/test/endecode_test.c
|
||||
index 9a437d8c64..53385028fc 100644
|
||||
--- a/test/endecode_test.c
|
||||
+++ b/test/endecode_test.c
|
||||
@@ -1407,6 +1407,7 @@ int setup_tests(void)
|
||||
* so no legacy tests.
|
||||
*/
|
||||
#endif
|
||||
+ if (is_fips == 0) {
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
ADD_TEST_SUITE(DSA);
|
||||
ADD_TEST_SUITE_PARAMS(DSA);
|
||||
@@ -1417,6 +1418,7 @@ int setup_tests(void)
|
||||
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
|
||||
# endif
|
||||
#endif
|
||||
+ }
|
||||
#ifndef OPENSSL_NO_EC
|
||||
ADD_TEST_SUITE(EC);
|
||||
ADD_TEST_SUITE_PARAMS(EC);
|
||||
@@ -1431,10 +1433,12 @@ int setup_tests(void)
|
||||
ADD_TEST_SUITE(ECExplicitTri2G);
|
||||
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
|
||||
# endif
|
||||
+ if (is_fips == 0) {
|
||||
ADD_TEST_SUITE(ED25519);
|
||||
ADD_TEST_SUITE(ED448);
|
||||
ADD_TEST_SUITE(X25519);
|
||||
ADD_TEST_SUITE(X448);
|
||||
+ }
|
||||
/*
|
||||
* ED25519, ED448, X25519 and X448 have no support for
|
||||
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
|
||||
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
|
||||
index 2448c35a14..a7913cda4c 100644
|
||||
--- a/test/evp_libctx_test.c
|
||||
+++ b/test/evp_libctx_test.c
|
||||
@@ -21,6 +21,7 @@
|
||||
*/
|
||||
#include "internal/deprecated.h"
|
||||
#include <assert.h>
|
||||
+#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/provider.h>
|
||||
#include <openssl/dsa.h>
|
||||
@@ -726,7 +727,9 @@ int setup_tests(void)
|
||||
return 0;
|
||||
|
||||
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
|
||||
- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
||||
+ if (strcmp(prov_name, "fips") != 0) {
|
||||
+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
|
||||
@@ -746,7 +749,9 @@ int setup_tests(void)
|
||||
ADD_TEST(kem_invalid_keytype);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DES
|
||||
- ADD_TEST(test_cipher_tdes_randkey);
|
||||
+ if (strcmp(prov_name, "fips") != 0) {
|
||||
+ ADD_TEST(test_cipher_tdes_randkey);
|
||||
+ }
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
|
||||
index b495b08bda..69bd299521 100644
|
||||
--- a/test/recipes/15-test_gendsa.t
|
||||
+++ b/test/recipes/15-test_gendsa.t
|
||||
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
||||
plan skip_all => "This test is unsupported in a no-dsa build"
|
||||
if disabled("dsa");
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1;
|
||||
|
||||
plan tests =>
|
||||
($no_fips ? 0 : 2) # FIPS related tests
|
||||
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
|
||||
index 6d3c5ba1bb..2ba47b5fca 100644
|
||||
--- a/test/recipes/20-test_cli_fips.t
|
||||
+++ b/test/recipes/20-test_cli_fips.t
|
||||
@@ -273,8 +273,7 @@ SKIP: {
|
||||
}
|
||||
|
||||
SKIP : {
|
||||
- skip "FIPS DSA tests because of no dsa in this build", 1
|
||||
- if disabled("dsa");
|
||||
+ skip "FIPS DSA tests because of no dsa in this build", 1;
|
||||
|
||||
subtest DSA => sub {
|
||||
my $testtext_prefix = 'DSA';
|
||||
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
|
||||
index 9d7040ced2..f8beb538d4 100644
|
||||
--- a/test/recipes/30-test_evp.t
|
||||
+++ b/test/recipes/30-test_evp.t
|
||||
@@ -42,10 +42,8 @@ my @files = qw(
|
||||
evpciph_aes_cts.txt
|
||||
evpciph_aes_wrap.txt
|
||||
evpciph_aes_stitched.txt
|
||||
- evpciph_des3_common.txt
|
||||
evpkdf_hkdf.txt
|
||||
evpkdf_kbkdf_counter.txt
|
||||
- evpkdf_kbkdf_kmac.txt
|
||||
evpkdf_pbkdf1.txt
|
||||
evpkdf_pbkdf2.txt
|
||||
evpkdf_ss.txt
|
||||
@@ -91,6 +83,7 @@ my @defltfiles = qw(
|
||||
evpciph_cast5.txt
|
||||
evpciph_chacha.txt
|
||||
evpciph_des.txt
|
||||
+ evpciph_des3_common.txt
|
||||
evpciph_idea.txt
|
||||
evpciph_rc2.txt
|
||||
evpciph_rc4.txt
|
||||
@@ -114,10 +107,17 @@ my @defltfiles = qw(
|
||||
evpmd_whirlpool.txt
|
||||
evppbe_scrypt.txt
|
||||
evppbe_pkcs12.txt
|
||||
+ evpkdf_kbkdf_kmac.txt
|
||||
evppkey_kdf_scrypt.txt
|
||||
evppkey_kdf_tls1_prf.txt
|
||||
evppkey_rsa.txt
|
||||
);
|
||||
+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
|
||||
+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
|
||||
+push @defltfiles, qw(
|
||||
+ evpkdf_x942_des.txt
|
||||
+ evpmac_cmac_des.txt
|
||||
+ ) unless $no_des;
|
||||
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
|
||||
push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
|
||||
push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
|
||||
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
|
||||
index 93195df97c..315413cd9b 100644
|
||||
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
|
||||
@@ -340,6 +340,7 @@ IV = 7AE8E2CA4EC500012E58495C
|
||||
Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
|
||||
Result = MAC_INIT_ERROR
|
||||
|
||||
+Availablein = default
|
||||
Title = KMAC Tests (From NIST)
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
@@ -350,12 +351,14 @@ Ctrl = xof:0
|
||||
OutputSize = 32
|
||||
BlockSize = 168
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
Custom = "My Tagged Application"
|
||||
Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -363,6 +366,7 @@ Custom = "My Tagged Application"
|
||||
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
|
||||
Ctrl = size:32
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -371,12 +375,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
|
||||
OutputSize = 64
|
||||
BlockSize = 136
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
Custom = ""
|
||||
Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -386,12 +392,14 @@ Ctrl = size:64
|
||||
|
||||
Title = KMAC XOF Tests (From NIST)
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
||||
XOF = 1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -399,6 +407,7 @@ Custom = "My Tagged Application"
|
||||
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
||||
XOF = 1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -407,6 +416,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
|
||||
XOF = 1
|
||||
Ctrl = size:32
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -414,6 +424,7 @@ Custom = "My Tagged Application"
|
||||
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
||||
XOF = 1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -421,6 +432,7 @@ Custom = ""
|
||||
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
||||
XOF = 1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -431,6 +443,7 @@ XOF = 1
|
||||
|
||||
Title = KMAC long customisation string (from NIST ACVP)
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
||||
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
||||
@@ -441,12 +454,14 @@ XOF = 1
|
||||
|
||||
Title = KMAC XOF Tests via ctrl (From NIST)
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
||||
Ctrl = xof:1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -454,6 +469,7 @@ Custom = "My Tagged Application"
|
||||
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
||||
Ctrl = xof:1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -462,6 +478,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
|
||||
Ctrl = xof:1
|
||||
Ctrl = size:32
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -469,6 +486,7 @@ Custom = "My Tagged Application"
|
||||
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
||||
Ctrl = xof:1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -476,6 +494,7 @@ Custom = ""
|
||||
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
||||
Ctrl = xof:1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -486,6 +505,7 @@ Ctrl = xof:1
|
||||
|
||||
Title = KMAC long customisation string via ctrl (from NIST ACVP)
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
||||
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
||||
@@ -496,6 +516,7 @@ Ctrl = xof:1
|
||||
|
||||
Title = KMAC long customisation string negative test
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -504,6 +525,7 @@ Result = MAC_INIT_ERROR
|
||||
|
||||
Title = KMAC output is too large
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index 40dd585c18..cbec426137 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content DER format, DSA key",
|
||||
+ [ "signed content DER format, DSA key, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
|
||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
||||
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
||||
@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed detached content DER format, DSA key",
|
||||
+ [ "signed detached content DER format, DSA key, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
||||
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
||||
@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed detached content DER format, add RSA signer (with DSA existing)",
|
||||
+ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
||||
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
|
||||
@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming BER format, DSA key",
|
||||
+ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-nodetach", "-stream",
|
||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
||||
@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
|
||||
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-nodetach", "-stream",
|
||||
"-signer", $smrsa1,
|
||||
@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
|
||||
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-noattr", "-nodetach", "-stream",
|
||||
"-signer", $smrsa1,
|
||||
@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = (
|
||||
\&zero_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
|
||||
+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
|
||||
"-signer", $smrsa1,
|
||||
"-signer", catfile($smdir, "smrsa2.pem"),
|
||||
@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
|
||||
+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
|
||||
"-signer", $smrsa1,
|
||||
"-signer", catfile($smdir, "smrsa2.pem"),
|
||||
@@ -248,7 +248,7 @@ my @smime_pkcs7_tests = (
|
||||
|
||||
my @smime_cms_tests = (
|
||||
|
||||
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
|
||||
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-nodetach", "-keyid",
|
||||
"-signer", $smrsa1,
|
||||
@@ -261,7 +261,7 @@ my @smime_cms_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
|
||||
+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
||||
"-signer", $smrsa1,
|
||||
"-signer", catfile($smdir, "smrsa2.pem"),
|
||||
@@ -371,7 +371,7 @@ my @smime_cms_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "encrypted content test streaming PEM format, triple DES key",
|
||||
+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
|
||||
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
|
||||
"-stream", "-out", "{output}.cms" ],
|
||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
||||
index 50b74a1e29..e2dcb68fb5 100644
|
||||
--- a/test/recipes/80-test_ssl_old.t
|
||||
+++ b/test/recipes/80-test_ssl_old.t
|
||||
@@ -436,7 +436,7 @@ sub testssl {
|
||||
my @exkeys = ();
|
||||
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
|
||||
|
||||
- if (!$no_dsa) {
|
||||
+ if (!$no_dsa && $provider ne "fips") {
|
||||
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
|
||||
}
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
||||
diff -up openssl-3.2.0/test/recipes/30-test_evp.t.patch openssl-3.2.0/test/recipes/30-test_evp.t
|
||||
--- openssl-3.2.0/test/recipes/30-test_evp.t.patch 2023-12-06 15:33:27.843751147 +0100
|
||||
+++ openssl-3.2.0/test/recipes/30-test_evp.t 2023-12-06 15:34:27.585351920 +0100
|
||||
@@ -70,15 +70,6 @@ push @files, qw(
|
||||
evppkey_dh.txt
|
||||
) unless $no_dh;
|
||||
push @files, qw(
|
||||
- evpkdf_x942_des.txt
|
||||
- evpmac_cmac_des.txt
|
||||
- ) unless $no_des;
|
||||
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
|
||||
-push @files, qw(
|
||||
- evppkey_ecx.txt
|
||||
- evppkey_mismatch_ecx.txt
|
||||
- ) unless $no_ecx;
|
||||
-push @files, qw(
|
||||
evppkey_ecc.txt
|
||||
evppkey_ecdh.txt
|
||||
evppkey_ecdsa.txt
|
||||
diff -up openssl-3.2.0/providers/fips/fipsprov.c.patch-fips openssl-3.2.0/providers/fips/fipsprov.c
|
||||
--- openssl-3.2.0/providers/fips/fipsprov.c.patch-fips 2023-12-06 15:49:08.711198219 +0100
|
||||
+++ openssl-3.2.0/providers/fips/fipsprov.c 2023-12-06 15:55:42.362078721 +0100
|
||||
@@ -426,14 +426,16 @@ static const OSSL_ALGORITHM fips_keyexch
|
||||
|
||||
static const OSSL_ALGORITHM fips_signature[] = {
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
|
||||
+ /* We don't certify DSA in our FIPS provider */
|
||||
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
|
||||
#endif
|
||||
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
|
||||
#ifndef OPENSSL_NO_EC
|
||||
# ifndef OPENSSL_NO_ECX
|
||||
- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
|
||||
+ /* We don't certify Edwards curves in our FIPS provider */
|
||||
+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
|
||||
ossl_ed25519_signature_functions },
|
||||
- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
|
||||
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
|
||||
# endif
|
||||
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
|
||||
#endif
|
||||
diff -up openssl-3.2.0/test/recipes/30-test_evp.t.fips-min openssl-3.2.0/test/recipes/30-test_evp.t
|
||||
--- openssl-3.2.0/test/recipes/30-test_evp.t.fips-min 2024-02-01 11:00:56.823687618 +0100
|
||||
+++ openssl-3.2.0/test/recipes/30-test_evp.t 2024-02-01 11:01:20.131934678 +0100
|
||||
@@ -124,7 +124,6 @@ push @defltfiles, qw(
|
||||
) unless $no_des;
|
||||
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
|
||||
push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
|
||||
-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
|
||||
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
|
||||
push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
|
||||
push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
|
57
0047-FIPS-early-KATS.patch
Normal file
57
0047-FIPS-early-KATS.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Thu, 19 Oct 2023 13:12:40 +0200
|
||||
Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch
|
||||
|
||||
Patch-name: 0047-FIPS-early-KATS.patch
|
||||
Patch-id: 47
|
||||
Patch-status: |
|
||||
# # Execute KATS before HMAC verification
|
||||
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
|
||||
---
|
||||
providers/fips/self_test.c | 22 ++++++++++------------
|
||||
1 file changed, 10 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
||||
index e3a629018a..3c09bd8638 100644
|
||||
--- a/providers/fips/self_test.c
|
||||
+++ b/providers/fips/self_test.c
|
||||
@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
if (ev == NULL)
|
||||
goto end;
|
||||
|
||||
+ /*
|
||||
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
|
||||
+ */
|
||||
+ if (kats_already_passed == 0) {
|
||||
+ if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (st->module_checksum_data == NULL) {
|
||||
module_checksum = fips_hmac_container;
|
||||
checksum_len = sizeof(fips_hmac_container);
|
||||
@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
}
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Only runs the KAT's during installation OR on_demand().
|
||||
- * NOTE: If the installation option 'self_test_onload' is chosen then this
|
||||
- * path will always be run, since kats_already_passed will always be 0.
|
||||
- */
|
||||
- if (on_demand_test || kats_already_passed == 0) {
|
||||
- if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||
- goto end;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
/* Verify that the RNG has been restored properly */
|
||||
rng = ossl_rand_get0_private_noncreating(st->libctx);
|
||||
if (rng != NULL)
|
||||
--
|
||||
2.41.0
|
||||
|
510
0049-Allow-disabling-of-SHA1-signatures.patch
Normal file
510
0049-Allow-disabling-of-SHA1-signatures.patch
Normal file
@ -0,0 +1,510 @@
|
||||
From 2e8388e06eafb703aeb315498915bf079561bdb5 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 13:07:07 +0200
|
||||
Subject: [PATCH 23/48] 0049-Allow-disabling-of-SHA1-signatures.patch
|
||||
|
||||
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
|
||||
Patch-id: 49
|
||||
Patch-status: |
|
||||
# Selectively disallow SHA1 signatures rhbz#2070977
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
crypto/context.c | 14 ++++
|
||||
crypto/evp/evp_cnf.c | 13 +++
|
||||
crypto/evp/m_sigver.c | 79 +++++++++++++++++++
|
||||
crypto/evp/pmeth_lib.c | 15 ++++
|
||||
doc/man5/config.pod | 13 +++
|
||||
include/crypto/context.h | 3 +
|
||||
include/internal/cryptlib.h | 3 +-
|
||||
include/internal/sslconf.h | 4 +
|
||||
providers/common/securitycheck.c | 20 +++++
|
||||
providers/common/securitycheck_default.c | 9 ++-
|
||||
providers/implementations/signature/dsa_sig.c | 11 ++-
|
||||
.../implementations/signature/ecdsa_sig.c | 4 +
|
||||
providers/implementations/signature/rsa_sig.c | 20 ++++-
|
||||
ssl/t1_lib.c | 8 ++
|
||||
util/libcrypto.num | 2 +
|
||||
15 files changed, 209 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/crypto/context.c b/crypto/context.c
|
||||
index 51002ba79a..e697974c9d 100644
|
||||
--- a/crypto/context.c
|
||||
+++ b/crypto/context.c
|
||||
@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st {
|
||||
void *fips_prov;
|
||||
#endif
|
||||
|
||||
+ void *legacy_digest_signatures;
|
||||
+
|
||||
unsigned int ischild:1;
|
||||
};
|
||||
|
||||
@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
|
||||
goto err;
|
||||
#endif
|
||||
|
||||
+ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);
|
||||
+ if (ctx->legacy_digest_signatures == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
/* Low priority. */
|
||||
#ifndef FIPS_MODULE
|
||||
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
|
||||
@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
|
||||
}
|
||||
#endif
|
||||
|
||||
+ if (ctx->legacy_digest_signatures != NULL) {
|
||||
+ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);
|
||||
+ ctx->legacy_digest_signatures = NULL;
|
||||
+ }
|
||||
+
|
||||
/* Low priority. */
|
||||
#ifndef FIPS_MODULE
|
||||
if (ctx->child_provider != NULL) {
|
||||
@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
|
||||
return ctx->fips_prov;
|
||||
#endif
|
||||
|
||||
+ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
|
||||
+ return ctx->legacy_digest_signatures;
|
||||
+
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
|
||||
index 0e7fe64cf9..b9d3b6d226 100644
|
||||
--- a/crypto/evp/evp_cnf.c
|
||||
+++ b/crypto/evp/evp_cnf.c
|
||||
@@ -10,6 +10,7 @@
|
||||
#include <stdio.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include "internal/cryptlib.h"
|
||||
+#include "internal/sslconf.h"
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
|
||||
+ int m;
|
||||
+
|
||||
+ /* Detailed error already reported. */
|
||||
+ if (!X509V3_get_value_bool(oval, &m))
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed_set(
|
||||
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
|
||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
||||
+ return 0;
|
||||
+ }
|
||||
} else {
|
||||
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
|
||||
"name=%s, value=%s", oval->name, oval->value);
|
||||
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
||||
index 630d339c35..6e4e9f5ae7 100644
|
||||
--- a/crypto/evp/m_sigver.c
|
||||
+++ b/crypto/evp/m_sigver.c
|
||||
@@ -15,6 +15,73 @@
|
||||
#include "internal/provider.h"
|
||||
#include "internal/numbers.h" /* includes SIZE_MAX */
|
||||
#include "evp_local.h"
|
||||
+#include "crypto/context.h"
|
||||
+
|
||||
+typedef struct ossl_legacy_digest_signatures_st {
|
||||
+ int allowed;
|
||||
+} OSSL_LEGACY_DIGEST_SIGNATURES;
|
||||
+
|
||||
+void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
|
||||
+{
|
||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
|
||||
+
|
||||
+ if (ldsigs != NULL) {
|
||||
+ OPENSSL_free(ldsigs);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
|
||||
+{
|
||||
+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
|
||||
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
|
||||
+ * because the default on Fedora is to allow SHA-1 and support disabling
|
||||
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
|
||||
+ ldsigs->allowed = 0;
|
||||
+ return ldsigs;
|
||||
+}
|
||||
+
|
||||
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
|
||||
+ OSSL_LIB_CTX *libctx, int loadconfig)
|
||||
+{
|
||||
+#ifndef FIPS_MODULE
|
||||
+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
|
||||
+ return NULL;
|
||||
+#endif
|
||||
+
|
||||
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);
|
||||
+}
|
||||
+
|
||||
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
|
||||
+{
|
||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
||||
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
||||
+
|
||||
+ #ifndef FIPS_MODULE
|
||||
+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
|
||||
+ /* used in tests */
|
||||
+ return 1;
|
||||
+ #endif
|
||||
+
|
||||
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
|
||||
+ * because the default on Fedora is to allow SHA-1 and support disabling
|
||||
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
|
||||
+ return ldsigs != NULL ? ldsigs->allowed : 0;
|
||||
+}
|
||||
+
|
||||
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
||||
+ int loadconfig)
|
||||
+{
|
||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
||||
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
||||
+
|
||||
+ if (ldsigs == NULL) {
|
||||
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ ldsigs->allowed = allow;
|
||||
+ return 1;
|
||||
+}
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
|
||||
@@ -251,6 +318,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (ctx->reqdigest != NULL
|
||||
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
||||
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
||||
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
|
||||
+ int mdnid = EVP_MD_nid(ctx->reqdigest);
|
||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
|
||||
+ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
|
||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (ver) {
|
||||
if (signature->digest_verify_init == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
||||
index ce6e1a1ccb..003926247b 100644
|
||||
--- a/crypto/evp/pmeth_lib.c
|
||||
+++ b/crypto/evp/pmeth_lib.c
|
||||
@@ -33,6 +33,7 @@
|
||||
#include "internal/ffc.h"
|
||||
#include "internal/numbers.h"
|
||||
#include "internal/provider.h"
|
||||
+#include "internal/sslconf.h"
|
||||
#include "evp_local.h"
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
@@ -958,6 +959,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
|
||||
return -2;
|
||||
}
|
||||
|
||||
+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
|
||||
+ && md != NULL
|
||||
+ && ctx->pkey != NULL
|
||||
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
|
||||
+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
|
||||
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
|
||||
+ int mdnid = EVP_MD_nid(md);
|
||||
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
||||
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
|
||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (fallback)
|
||||
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
|
||||
|
||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||
index bd05736220..ed34ff4b9c 100644
|
||||
--- a/doc/man5/config.pod
|
||||
+++ b/doc/man5/config.pod
|
||||
@@ -304,6 +304,19 @@ Within the algorithm properties section, the following names have meaning:
|
||||
The value may be anything that is acceptable as a property query
|
||||
string for EVP_set_default_properties().
|
||||
|
||||
+=item B<rh-allow-sha1-signatures>
|
||||
+
|
||||
+The value is a boolean that can be B<yes> or B<no>. If the value is not set,
|
||||
+it behaves as if it was set to B<yes>.
|
||||
+
|
||||
+When set to B<no>, any attempt to create or verify a signature with a SHA1
|
||||
+digest will fail. To test whether your software will work with future versions
|
||||
+of OpenSSL, set this option to B<no>. This setting also affects TLS, where
|
||||
+signature algorithms that use SHA1 as digest will no longer be supported if
|
||||
+this option is set to B<no>. Because TLS 1.1 or lower use MD5-SHA1 as
|
||||
+pseudorandom function (PRF) to derive key material, disabling
|
||||
+B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
|
||||
+
|
||||
=item B<fips_mode> (deprecated)
|
||||
|
||||
The value is a boolean that can be B<yes> or B<no>. If the value is
|
||||
diff --git a/include/crypto/context.h b/include/crypto/context.h
|
||||
index cc06c71be8..e9f74a414d 100644
|
||||
--- a/include/crypto/context.h
|
||||
+++ b/include/crypto/context.h
|
||||
@@ -39,3 +39,6 @@ void ossl_rand_crng_ctx_free(void *);
|
||||
#if defined(OPENSSL_THREADS)
|
||||
void ossl_threads_ctx_free(void *);
|
||||
#endif
|
||||
+
|
||||
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *);
|
||||
+void ossl_ctx_legacy_digest_signatures_free(void *);
|
||||
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
||||
index ac50eb3bbd..3b115cc7df 100644
|
||||
--- a/include/internal/cryptlib.h
|
||||
+++ b/include/internal/cryptlib.h
|
||||
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
|
||||
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
|
||||
# define OSSL_LIB_CTX_THREAD_INDEX 19
|
||||
# define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
|
||||
-# define OSSL_LIB_CTX_MAX_INDEXES 20
|
||||
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21
|
||||
+# define OSSL_LIB_CTX_MAX_INDEXES 21
|
||||
|
||||
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
|
||||
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
|
||||
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
|
||||
index fd7f7e3331..05464b0655 100644
|
||||
--- a/include/internal/sslconf.h
|
||||
+++ b/include/internal/sslconf.h
|
||||
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
|
||||
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
|
||||
char **arg);
|
||||
|
||||
+/* Methods to support disabling all signatures with legacy digests */
|
||||
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
|
||||
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
||||
+ int loadconfig);
|
||||
#endif
|
||||
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
||||
index 699ada7c52..e534ad0a5f 100644
|
||||
--- a/providers/common/securitycheck.c
|
||||
+++ b/providers/common/securitycheck.c
|
||||
@@ -19,6 +19,7 @@
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include "prov/securitycheck.h"
|
||||
+#include "internal/sslconf.h"
|
||||
|
||||
/*
|
||||
* FIPS requires a minimum security strength of 112 bits (for encryption or
|
||||
@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
mdnid = -1; /* disallowed by security checks */
|
||||
}
|
||||
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
+
|
||||
+#ifndef FIPS_MODULE
|
||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
||||
+ /* SHA1 is globally disabled, check whether we want to locally allow
|
||||
+ * it. */
|
||||
+ if (mdnid == NID_sha1 && !sha1_allowed)
|
||||
+ mdnid = -1;
|
||||
+#endif
|
||||
+
|
||||
return mdnid;
|
||||
}
|
||||
|
||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||
index 246323493e..2ca7a59f39 100644
|
||||
--- a/providers/common/securitycheck_default.c
|
||||
+++ b/providers/common/securitycheck_default.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <openssl/obj_mac.h>
|
||||
#include "prov/securitycheck.h"
|
||||
#include "internal/nelem.h"
|
||||
+#include "internal/sslconf.h"
|
||||
|
||||
/* Disable the security checks in the default provider */
|
||||
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
|
||||
}
|
||||
|
||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
- ossl_unused int sha1_allowed)
|
||||
+ int sha1_allowed)
|
||||
{
|
||||
int mdnid;
|
||||
+ int ldsigs_allowed;
|
||||
|
||||
static const OSSL_ITEM name_to_nid[] = {
|
||||
{ NID_md5, OSSL_DIGEST_NAME_MD5 },
|
||||
@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
|
||||
};
|
||||
|
||||
- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
|
||||
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
|
||||
+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
|
||||
if (mdnid == NID_undef)
|
||||
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
||||
+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
|
||||
+ mdnid = -1;
|
||||
return mdnid;
|
||||
}
|
||||
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
||||
index 70d0ea5d24..3c482e0181 100644
|
||||
--- a/providers/implementations/signature/dsa_sig.c
|
||||
+++ b/providers/implementations/signature/dsa_sig.c
|
||||
@@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
||||
mdprops = ctx->propq;
|
||||
|
||||
if (mdname != NULL) {
|
||||
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
WPACKET pkt;
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
- sha1_allowed);
|
||||
+ int md_nid;
|
||||
size_t mdname_len = strlen(mdname);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
+#else
|
||||
+ int sha1_allowed = 0;
|
||||
+#endif
|
||||
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
+ sha1_allowed);
|
||||
|
||||
if (md == NULL || md_nid < 0) {
|
||||
if (md == NULL)
|
||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||
index ebeb30e002..c874f87bd5 100644
|
||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
||||
"%s could not be fetched", mdname);
|
||||
return 0;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
+#else
|
||||
+ sha1_allowed = 0;
|
||||
+#endif
|
||||
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
if (md_nid < 0) {
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index 2a5504d104..5f3a029566 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -25,6 +25,7 @@
|
||||
#include "internal/cryptlib.h"
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/sizes.h"
|
||||
+#include "internal/sslconf.h"
|
||||
#include "crypto/rsa.h"
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/implementations.h"
|
||||
@@ -33,6 +34,7 @@
|
||||
#include "prov/securitycheck.h"
|
||||
|
||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
||||
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
|
||||
|
||||
OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
||||
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
||||
@@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
||||
|
||||
if (mdname != NULL) {
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
+ int md_nid;
|
||||
+ size_t mdname_len = strlen(mdname);
|
||||
+#ifdef FIPS_MODULE
|
||||
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
||||
+#else
|
||||
+ int sha1_allowed = 0;
|
||||
+#endif
|
||||
+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
- size_t mdname_len = strlen(mdname);
|
||||
|
||||
if (md == NULL
|
||||
|| md_nid <= 0
|
||||
@@ -1396,8 +1403,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
prsactx->pad_mode = pad_mode;
|
||||
|
||||
if (prsactx->md == NULL && pmdname == NULL
|
||||
- && pad_mode == RSA_PKCS1_PSS_PADDING)
|
||||
+ && pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||||
pmdname = RSA_DEFAULT_DIGEST_NAME;
|
||||
+#ifndef FIPS_MODULE
|
||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
|
||||
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
|
||||
if (pmgf1mdname != NULL
|
||||
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
|
||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||
index 9cb8a4dda2..feb660d030 100644
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -5436,3 +5436,5 @@ EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
|
||||
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
|
||||
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
|
||||
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
|
||||
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||
--
|
||||
2.41.0
|
||||
|
||||
diff -up openssl-3.2.0/ssl/t1_lib.c.patch-sha1 openssl-3.2.0/ssl/t1_lib.c
|
||||
--- openssl-3.2.0/ssl/t1_lib.c.patch-sha1 2023-12-08 13:01:44.752501257 +0100
|
||||
+++ openssl-3.2.0/ssl/t1_lib.c 2023-12-08 13:04:18.969899853 +0100
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/provider.h>
|
||||
#include <openssl/param_build.h>
|
||||
+#include "internal/sslconf.h"
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/sizes.h"
|
||||
#include "internal/tlsgroups.h"
|
||||
@@ -1506,6 +1507,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
|
||||
uint16_t *tls12_sigalgs_list = NULL;
|
||||
EVP_PKEY *tmpkey = EVP_PKEY_new();
|
||||
int ret = 0;
|
||||
+ int ldsigs_allowed;
|
||||
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -1521,6 +1523,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
|
||||
goto err;
|
||||
|
||||
ERR_set_mark();
|
||||
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
|
||||
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
|
||||
for (i = 0, lu = sigalg_lookup_tbl;
|
||||
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
|
||||
@@ -1542,6 +1545,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
|
||||
cache[i].enabled = 0;
|
||||
continue;
|
||||
}
|
||||
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
|
||||
+ && !ldsigs_allowed) {
|
||||
+ cache[i].enabled = 0;
|
||||
+ continue;
|
||||
+ }
|
||||
|
||||
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
|
||||
cache[i].enabled = 0;
|
53
0056-strcasecmp.patch
Normal file
53
0056-strcasecmp.patch
Normal file
@ -0,0 +1,53 @@
|
||||
diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
|
||||
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
|
||||
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
|
||||
@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex
|
||||
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
|
||||
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
|
||||
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
|
||||
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||
ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||
ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||
diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
|
||||
--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
|
||||
+++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
|
||||
@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
|
||||
#endif
|
||||
}
|
||||
|
||||
-int OPENSSL_strcasecmp(const char *s1, const char *s2)
|
||||
+int
|
||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||
+__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
|
||||
+ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
|
||||
+#endif
|
||||
+OPENSSL_strcasecmp(const char *s1, const char *s2)
|
||||
{
|
||||
int t;
|
||||
|
||||
@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
|
||||
return t;
|
||||
}
|
||||
|
||||
-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
|
||||
+int
|
||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
||||
+__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
|
||||
+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
|
||||
+#endif
|
||||
+OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
|
||||
{
|
||||
int t;
|
||||
size_t i;
|
||||
diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
|
||||
--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
|
||||
+++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
|
||||
@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
|
||||
s| .*||;
|
||||
# Drop OpenSSL dynamic version information if there is any
|
||||
s|\@\@.+$||;
|
||||
+ s|\@.+$||;
|
||||
# Return the result
|
||||
$_
|
||||
}
|
965
0058-FIPS-limit-rsa-encrypt.patch
Normal file
965
0058-FIPS-limit-rsa-encrypt.patch
Normal file
@ -0,0 +1,965 @@
|
||||
From 56511d480823bedafce604374fa3b15d3b3ffd6b Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch
|
||||
|
||||
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
|
||||
Patch-id: 58
|
||||
Patch-status: |
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
providers/common/securitycheck.c | 1 +
|
||||
.../implementations/asymciphers/rsa_enc.c | 35 +++++++++++
|
||||
.../30-test_evp_data/evppkey_rsa_common.txt | 58 ++++++++++++++++++-
|
||||
test/recipes/80-test_cms.t | 5 +-
|
||||
test/recipes/80-test_ssl_old.t | 27 +++++++--
|
||||
5 files changed, 118 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
||||
index e534ad0a5f..c017c658e5 100644
|
||||
--- a/providers/common/securitycheck.c
|
||||
+++ b/providers/common/securitycheck.c
|
||||
@@ -27,6 +27,7 @@
|
||||
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
|
||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
|
||||
*/
|
||||
+/* Red Hat build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
|
||||
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
|
||||
{
|
||||
int protect = 0;
|
||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||||
index d865968058..872967bcb3 100644
|
||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||
@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa,
|
||||
return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
|
||||
}
|
||||
|
||||
+# ifdef FIPS_MODULE
|
||||
+static int fips_padding_allowed(const PROV_RSA_CTX *prsactx)
|
||||
+{
|
||||
+ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING
|
||||
+ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+# endif
|
||||
+
|
||||
static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
size_t outsize, const unsigned char *in, size_t inlen)
|
||||
{
|
||||
@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
|
||||
+# ifdef FIPS_MODULE
|
||||
+ if (fips_padding_allowed(prsactx) == 0) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+# endif
|
||||
+
|
||||
if (out == NULL) {
|
||||
size_t len = RSA_size(prsactx->rsa);
|
||||
|
||||
@@ -204,6 +227,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
|
||||
+# ifdef FIPS_MODULE
|
||||
+ if (fips_padding_allowed(prsactx) == 0) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+# endif
|
||||
+
|
||||
if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
|
||||
if (out == NULL) {
|
||||
*outlen = SSL_MAX_MASTER_KEY_LENGTH;
|
||||
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
index 8680797b90..95d5d51102 100644
|
||||
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
@@ -619,36 +619,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2
|
||||
h90qjKHS9PvY4Q==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a
|
||||
Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44
|
||||
Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb
|
||||
Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755
|
||||
Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439
|
||||
Output=8da89fd9e5f974a29feffb462b49180f6cf9e802
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -673,36 +679,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8
|
||||
eG2e4XlBcKjI6A==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e
|
||||
Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245
|
||||
Output=2d
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053
|
||||
Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641
|
||||
Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec
|
||||
Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -727,36 +739,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z
|
||||
Ya4qnqZe1onjY5o=
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80
|
||||
Output=087820b569e8fa8d
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5
|
||||
Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a
|
||||
Output=d94cd0e08fa404ed89
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0
|
||||
Output=6cc641b6b61e6f963974dad23a9013284ef1
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60
|
||||
Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -781,36 +799,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq
|
||||
aD0x7TDrmEvkEro=
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8
|
||||
Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e
|
||||
Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065
|
||||
Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4
|
||||
Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2
|
||||
Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -835,36 +859,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B
|
||||
MSwGUGLx60i3nRyDyw==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5
|
||||
Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad
|
||||
Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967
|
||||
Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf
|
||||
Output=15c5b9ee1185
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723
|
||||
Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -889,36 +919,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC
|
||||
Yejn5Ly8mU2q+jBcRQ==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3
|
||||
Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f
|
||||
Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65
|
||||
Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8
|
||||
Output=684e3038c5c041f7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab
|
||||
Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -943,36 +979,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS
|
||||
FMlxv0gq65dqc3DC
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1
|
||||
Output=47aae909
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6
|
||||
Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b
|
||||
Output=d976fc
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac
|
||||
Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478
|
||||
Output=bb47231ca5ea1d3ad46c99345d9a8a61
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -997,36 +1039,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM
|
||||
2MiPa249Z+lh3Luj0A==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61
|
||||
Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d
|
||||
Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f
|
||||
Output=8604ac56328c1ab5ad917861
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0
|
||||
Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2
|
||||
Output=4a5f4914bee25de3c69341de07
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -1057,36 +1105,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo
|
||||
tKo5Eb69iFQvBb4=
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72
|
||||
Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8
|
||||
Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3
|
||||
Output=fd326429df9b890e09b54b18b8f34f1e24
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858
|
||||
Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e
|
||||
Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index cbec426137..9ba7fbeed2 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -233,7 +233,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
|
||||
+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
||||
"-aes256", "-stream", "-out", "{output}.cms",
|
||||
$smrsa1,
|
||||
@@ -1022,6 +1022,9 @@ sub check_availability {
|
||||
return "$tnam: skipped, DSA disabled\n"
|
||||
if ($no_dsa && $tnam =~ / DSA/);
|
||||
|
||||
+ return "$tnam: skipped, Red Hat FIPS\n"
|
||||
+ if ($tnam =~ /no Red Hat FIPS/);
|
||||
+
|
||||
return "";
|
||||
}
|
||||
|
||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
||||
index e2dcb68fb5..0775112b40 100644
|
||||
--- a/test/recipes/80-test_ssl_old.t
|
||||
+++ b/test/recipes/80-test_ssl_old.t
|
||||
@@ -493,6 +493,18 @@ sub testssl {
|
||||
# the default choice if TLSv1.3 enabled
|
||||
my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
|
||||
my $ciphersuites = "";
|
||||
+ my %redhat_skip_cipher = map {$_ => 1} qw(
|
||||
+AES256-GCM-SHA384:@SECLEVEL=0
|
||||
+AES256-CCM8:@SECLEVEL=0
|
||||
+AES256-CCM:@SECLEVEL=0
|
||||
+AES128-GCM-SHA256:@SECLEVEL=0
|
||||
+AES128-CCM8:@SECLEVEL=0
|
||||
+AES128-CCM:@SECLEVEL=0
|
||||
+AES256-SHA256:@SECLEVEL=0
|
||||
+AES128-SHA256:@SECLEVEL=0
|
||||
+AES256-SHA:@SECLEVEL=0
|
||||
+AES128-SHA:@SECLEVEL=0
|
||||
+ );
|
||||
foreach my $cipher (@{$ciphersuites{$protocol}}) {
|
||||
if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
|
||||
note "*****SKIPPING $protocol $cipher";
|
||||
@@ -504,11 +516,16 @@ sub testssl {
|
||||
} else {
|
||||
$cipher = $cipher.':@SECLEVEL=0';
|
||||
}
|
||||
- ok(run(test([@ssltest, @exkeys, "-cipher",
|
||||
- $cipher,
|
||||
- "-ciphersuites", $ciphersuites,
|
||||
- $flag || ()])),
|
||||
- "Testing $cipher");
|
||||
+ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
|
||||
+ note "*****SKIPPING $cipher in Red Hat FIPS mode";
|
||||
+ ok(1);
|
||||
+ } else {
|
||||
+ ok(run(test([@ssltest, @exkeys, "-cipher",
|
||||
+ $cipher,
|
||||
+ "-ciphersuites", $ciphersuites,
|
||||
+ $flag || ()])),
|
||||
+ "Testing $cipher");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
next if $protocol eq "-tls1_3";
|
||||
--
|
||||
2.41.0
|
||||
|
||||
diff -up openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.patch-58 openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
--- openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.patch-58 2023-12-11 19:15:32.167790754 +0100
|
||||
+++ openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2023-12-11 21:16:08.390089120 +0100
|
||||
@@ -248,7 +248,7 @@ Input = 64b0e9f9892371110c40ba5739dc0974
|
||||
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
||||
|
||||
# RSA decrypt
|
||||
-
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048
|
||||
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
|
||||
Output = "Hello World"
|
||||
@@ -270,7 +270,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235
|
||||
Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# Corrupted ciphertext
|
||||
# Note: disable the Bleichenbacher workaround to see if it fails
|
||||
Decrypt = RSA-2048
|
||||
diff -up openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.only-default openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
--- openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.only-default 2024-02-01 15:09:31.498568631 +0100
|
||||
+++ openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2024-02-01 15:14:45.858384004 +0100
|
||||
@@ -365,28 +365,28 @@ Input = 8bfe264e85d3bdeaa6b8851b8e3b956e
|
||||
Output = "lorem ipsum dolor sit amet"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test case decrypting to empty
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7
|
||||
Output =
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# invalid decrypting to max length message
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303
|
||||
Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
# invalid decrypting to message with length specified by second to last value from PRF
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354
|
||||
Output = 0f9b
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# invalid decrypting to message with length specified by third to last value from PRF
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081
|
||||
@@ -428,14 +428,14 @@ Input = 1ea0b50ca65203d0a09280d39704b24f
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test that generates an 11 byte long message
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2
|
||||
Output = af9ac70191c92413cb9f2d
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise correct plaintext, but with wrong first byte
|
||||
# (0x01 instead of 0x00), generates a random 11 byte long plaintext
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -443,7 +443,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be5
|
||||
Output = a1f8c9255c35cfba403ccc
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise correct plaintext, but with wrong second byte
|
||||
# (0x01 instead of 0x02), generates a random 11 byte long plaintext
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -451,7 +451,7 @@ Input = 782c2b59a21a511243820acedd567c13
|
||||
Output = e6d700309ca0ed62452254
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an invalid ciphertext, with a zero byte in first byte of
|
||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
||||
# plaintext
|
||||
@@ -460,7 +460,7 @@ Input = 0096136621faf36d5290b16bd26295de
|
||||
Output = ba27b1842e7c21c0e7ef6a
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an invalid ciphertext, with a zero byte removed from first byte of
|
||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
||||
# plaintext
|
||||
@@ -469,7 +469,7 @@ Input = 96136621faf36d5290b16bd26295de27
|
||||
Output = ba27b1842e7c21c0e7ef6a
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an invalid ciphertext, with two zero bytes in first bytes of
|
||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
||||
# plaintext
|
||||
@@ -478,7 +478,7 @@ Input = 0000587cccc6b264bdfe0dc2149a9880
|
||||
Output = d5cf555b1d6151029a429a
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an invalid ciphertext, with two zero bytes removed from first bytes of
|
||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
||||
# plaintext
|
||||
@@ -487,7 +487,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa
|
||||
Output = d5cf555b1d6151029a429a
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# and invalid ciphertext, otherwise valid but starting with 000002, decrypts
|
||||
# to random 11 byte long synthetic plaintext
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -495,7 +495,7 @@ Input = 1786550ce8d8433052e01ecba8b76d30
|
||||
Output = 3d4a054d9358209e9cbbb9
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# negative test with otherwise valid padding but a zero byte in first byte
|
||||
# of padding
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -503,7 +503,7 @@ Input = 179598823812d2c58a7eb50521150a48
|
||||
Output = 1f037dd717b07d3e7f7359
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# negative test with otherwise valid padding but a zero byte at the eighth
|
||||
# byte of padding
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -511,7 +511,7 @@ Input = a7a340675a82c30e22219a55bc07cdf3
|
||||
Output = 63cb0bf65fc8255dd29e17
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# negative test with an otherwise valid plaintext but with missing separator
|
||||
# byte
|
||||
Decrypt = RSA-2048-2
|
||||
@@ -566,53 +566,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLI
|
||||
# RSA decrypt
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# malformed that generates length specified by 3rd last value from PRF
|
||||
Decrypt = RSA-2049
|
||||
Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894
|
||||
Output = 42
|
||||
|
||||
# simple positive test case
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test case with null padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test case with null truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test case with double null padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test case with double null truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2049
|
||||
Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test case that generates an 11 byte long message
|
||||
Decrypt = RSA-2049
|
||||
Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca
|
||||
Output = 1189b6f5498fd6df532b00
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
|
||||
Decrypt = RSA-2049
|
||||
Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff
|
||||
Output = f6d0f5b78082fe61c04674
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
|
||||
Decrypt = RSA-2049
|
||||
Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3
|
||||
diff -up openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.only-default openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
--- openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.only-default 2024-02-01 15:22:09.981463726 +0100
|
||||
+++ openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2024-02-01 15:28:41.789966051 +0100
|
||||
@@ -269,7 +269,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235
|
||||
Output = "Hello World"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# Note: disable the Bleichenbacher workaround to see if it passes
|
||||
Decrypt = RSA-2048
|
||||
Ctrl = rsa_pkcs1_implicit_rejection:0
|
||||
@@ -277,7 +277,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235
|
||||
Output = "Hello World"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# Corrupted ciphertext
|
||||
# Note: output is generated synthethically by the Bleichenbacher workaround
|
||||
Decrypt = RSA-2048
|
||||
@@ -360,6 +360,7 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-P
|
||||
# RSA decrypt
|
||||
|
||||
# a random positive test case
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066
|
||||
Output = "lorem ipsum dolor sit amet"
|
||||
@@ -393,36 +394,43 @@ Input = 1690ebcceece2ce024f382e467cf8510
|
||||
Output = 4f02
|
||||
|
||||
# positive test with 11 byte long value
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test with 11 byte long value and zero padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test with 11 byte long value and zero truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test with 11 byte long value and double zero padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive test with 11 byte long value and double zero truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive that generates a 0 byte long synthetic message internally
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0
|
||||
Output = "lorem ipsum"
|
||||
|
||||
# positive that generates a 245 byte long synthetic message internally
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048-2
|
||||
Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50
|
||||
Output = "lorem ipsum"
|
||||
@@ -681,14 +690,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKu
|
||||
PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random invalid ciphertext that generates an empty synthetic one
|
||||
Decrypt = RSA-3072
|
||||
Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59
|
||||
Output =
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random invalid that has PRF output with a length one byte too long
|
||||
# in the last value
|
||||
Decrypt = RSA-3072
|
||||
@@ -696,46 +705,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d8
|
||||
Output = 56a3bea054e01338be9b7d7957539c
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random invalid that generates a synthetic of maximum size
|
||||
Decrypt = RSA-3072
|
||||
Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6
|
||||
Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04
|
||||
|
||||
# a positive test case that decrypts to 9 byte long value
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde
|
||||
Output = "forty two"
|
||||
|
||||
# a positive test case with null padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
|
||||
Output = "forty two"
|
||||
|
||||
# a positive test case with null truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
|
||||
Output = "forty two"
|
||||
|
||||
# a positive test case with double null padded ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
|
||||
Output = "forty two"
|
||||
|
||||
# a positive test case with double null truncated ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-3072
|
||||
Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
|
||||
Output = "forty two"
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test case that generates a 9 byte long message
|
||||
Decrypt = RSA-3072
|
||||
Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56
|
||||
Output = 257906ca6de8307728
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test case that generates a 9 byte long message based on
|
||||
# second to last value from PRF
|
||||
Decrypt = RSA-3072
|
||||
@@ -743,7 +757,7 @@ Input = 758c215aa6acd61248062b88284bf43c
|
||||
Output = 043383c929060374ed
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# a random negative test that generates message based on 3rd last value from
|
||||
# PRF
|
||||
Decrypt = RSA-3072
|
||||
@@ -751,35 +765,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4
|
||||
Output = 70263fa6050534b9e0
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
|
||||
Decrypt = RSA-3072
|
||||
Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62
|
||||
Output = 6d8d3a094ff3afff4c
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
|
||||
Decrypt = RSA-3072
|
||||
Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936
|
||||
Output = c6ae80ffa80bc184b0
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with zero byte in first byte of padding
|
||||
Decrypt = RSA-3072
|
||||
Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0
|
||||
Output = a8a9301daa01bb25c7
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with zero byte in eight byte of padding
|
||||
Decrypt = RSA-3072
|
||||
Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571
|
||||
Output = 6c716fe01d44398018
|
||||
|
||||
# The old FIPS provider doesn't include the workaround (#13817)
|
||||
-FIPSversion = >=3.2.0
|
||||
+Availablein = default
|
||||
# an otherwise valid plaintext, but with null separator missing
|
||||
Decrypt = RSA-3072
|
||||
Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
|
570
0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Normal file
570
0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Normal file
@ -0,0 +1,570 @@
|
||||
From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Wed, 18 May 2022 17:25:59 +0200
|
||||
Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
|
||||
|
||||
For RHEL, we already disable SHA-1 signatures by default in the default
|
||||
provider, so it is unexpected that the FIPS provider would have a more
|
||||
lenient configuration in this regard. Additionally, we do not think
|
||||
continuing to accept SHA-1 signatures is a good idea due to the
|
||||
published chosen-prefix collision attacks.
|
||||
|
||||
As a consequence, disable verification of SHA-1 signatures in the FIPS
|
||||
provider.
|
||||
|
||||
This requires adjusting a few tests that would otherwise fail:
|
||||
- 30-test_acvp: Remove the test vectors that use SHA-1.
|
||||
- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
|
||||
evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
|
||||
which will not run them when the FIPS provider is enabled.
|
||||
- 80-test_cms: Re-create all certificates in test/smime-certificates
|
||||
with SHA256 signatures while keeping the same private keys. These
|
||||
certificates were signed with SHA-1 and thus fail verification in the
|
||||
FIPS provider.
|
||||
Fix some other tests by explicitly running them in the default
|
||||
provider, where SHA-1 is available.
|
||||
- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
|
||||
the FIPS provider.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
providers/implementations/signature/dsa_sig.c | 4 --
|
||||
.../implementations/signature/ecdsa_sig.c | 4 --
|
||||
providers/implementations/signature/rsa_sig.c | 8 +--
|
||||
test/acvp_test.inc | 20 -------
|
||||
.../30-test_evp_data/evppkey_ecdsa.txt | 7 +++
|
||||
.../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++-
|
||||
test/recipes/80-test_cms.t | 4 +-
|
||||
test/recipes/80-test_ssl_old.t | 4 ++
|
||||
test/smime-certs/smdh.pem | 18 +++---
|
||||
test/smime-certs/smdsa1.pem | 60 +++++++++----------
|
||||
test/smime-certs/smdsa2.pem | 60 +++++++++----------
|
||||
test/smime-certs/smdsa3.pem | 60 +++++++++----------
|
||||
test/smime-certs/smec1.pem | 30 +++++-----
|
||||
test/smime-certs/smec2.pem | 30 +++++-----
|
||||
test/smime-certs/smec3.pem | 30 +++++-----
|
||||
test/smime-certs/smroot.pem | 38 ++++++------
|
||||
test/smime-certs/smrsa1.pem | 38 ++++++------
|
||||
test/smime-certs/smrsa2.pem | 38 ++++++------
|
||||
test/smime-certs/smrsa3.pem | 38 ++++++------
|
||||
19 files changed, 286 insertions(+), 256 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
||||
index fa3822f39f..c365d7b13a 100644
|
||||
--- a/providers/implementations/signature/dsa_sig.c
|
||||
+++ b/providers/implementations/signature/dsa_sig.c
|
||||
@@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
int md_nid;
|
||||
size_t mdname_len = strlen(mdname);
|
||||
-#ifdef FIPS_MODULE
|
||||
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
-#else
|
||||
int sha1_allowed = 0;
|
||||
-#endif
|
||||
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
|
||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||
index 99b228e82c..44a22832ec 100644
|
||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||
@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
||||
"%s could not be fetched", mdname);
|
||||
return 0;
|
||||
}
|
||||
-#ifdef FIPS_MODULE
|
||||
- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
-#else
|
||||
sha1_allowed = 0;
|
||||
-#endif
|
||||
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
if (md_nid < 0) {
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index f66d7705c3..34f45175e8 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
int md_nid;
|
||||
size_t mdname_len = strlen(mdname);
|
||||
-#ifdef FIPS_MODULE
|
||||
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
-#else
|
||||
int sha1_allowed = 0;
|
||||
-#endif
|
||||
md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
|
||||
@@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
|
||||
if (prsactx->md == NULL && pmdname == NULL
|
||||
&& pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
||||
+#else
|
||||
pmdname = RSA_DEFAULT_DIGEST_NAME;
|
||||
-#ifndef FIPS_MODULE
|
||||
if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
|
||||
pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
||||
}
|
||||
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
||||
index ad11d3ae1e..73b24bdb0c 100644
|
||||
--- a/test/acvp_test.inc
|
||||
+++ b/test/acvp_test.inc
|
||||
@@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
|
||||
NO_PSS_SALT_LEN,
|
||||
FAIL
|
||||
},
|
||||
- {
|
||||
- "x931",
|
||||
- 3072,
|
||||
- "SHA1",
|
||||
- ITM(rsa_sigverx931_0_msg),
|
||||
- ITM(rsa_sigverx931_0_n),
|
||||
- ITM(rsa_sigverx931_0_e),
|
||||
- ITM(rsa_sigverx931_0_sig),
|
||||
- NO_PSS_SALT_LEN,
|
||||
- PASS
|
||||
- },
|
||||
{
|
||||
"x931",
|
||||
3072,
|
||||
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
index f36982845d..51e507a61c 100644
|
||||
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
|
||||
|
||||
Title = ECDSA tests
|
||||
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
|
||||
|
||||
# Digest too long
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF12345"
|
||||
@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Digest too short
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF123"
|
||||
@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Digest invalid
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1235"
|
||||
@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Invalid signature
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# BER signature
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
Verify = P-256-PUBLIC
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
index b8d8bb2993..8dd566067b 100644
|
||||
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
@@ -96,6 +96,7 @@ NDL6WCBbets=
|
||||
|
||||
Title = RSA tests
|
||||
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
|
||||
Input = "0123456789ABCDEF123456789ABC"
|
||||
Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
|
||||
Output = "0123456789ABCDEF1234"
|
||||
|
||||
# Leading zero in the signature
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
|
||||
Result = KEYOP_ERROR
|
||||
|
||||
# Mismatched digest
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1233"
|
||||
@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Corrupted signature
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1233"
|
||||
@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# parameter is not NULLt
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e7
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# embedded digest too long
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
||||
Result = KEYOP_ERROR
|
||||
|
||||
# embedded digest too short
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
||||
Result = KEYOP_ERROR
|
||||
|
||||
# Garbage after DigestInfo
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
|
||||
Result = KEYOP_ERROR
|
||||
|
||||
# invalid tag for parameter
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
|
||||
|
||||
# Verify using public key
|
||||
|
||||
+Availablein = default
|
||||
Verify = RSA-2048-PUBLIC
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
|
||||
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
|
||||
|
||||
# Verify using salt length auto detect
|
||||
+# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256
|
||||
+Availablein = default
|
||||
Verify = RSA-2048-PUBLIC
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_pss_saltlen:auto
|
||||
@@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Verify using default parameters, explicitly setting parameters
|
||||
+# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
|
||||
+# RHEL-9 does not support in FIPS mode; all these tests are thus marked
|
||||
+# Availablein = default.
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_pss_saltlen:20
|
||||
@@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123"
|
||||
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
|
||||
|
||||
# Verify explicitly setting parameters "digest" salt length
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_pss_saltlen:digest
|
||||
@@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123"
|
||||
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
|
||||
|
||||
# Verify using salt length larger than minimum
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_pss_saltlen:30
|
||||
Input="0123456789ABCDEF0123"
|
||||
Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
|
||||
|
||||
# Verify using maximum salt length
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_pss_saltlen:max
|
||||
Input="0123456789ABCDEF0123"
|
||||
Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
|
||||
|
||||
# Attempt to change salt length below minimum
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_pss_saltlen:0
|
||||
Result = PKEY_CTRL_ERROR
|
||||
@@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR
|
||||
# Attempt to change padding mode
|
||||
# Note this used to return PKEY_CTRL_INVALID
|
||||
# but it is limited because setparams only returns 0 or 1.
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_padding_mode:pkcs1
|
||||
Result = PKEY_CTRL_ERROR
|
||||
|
||||
# Attempt to change digest
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = digest:sha256
|
||||
Result = PKEY_CTRL_ERROR
|
||||
|
||||
# Invalid key: rejected when we try to init
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-BAD
|
||||
Result = KEYOP_INIT_ERROR
|
||||
Reason = invalid salt length
|
||||
|
||||
# Invalid key: rejected when we try to init
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-BAD2
|
||||
Result = KEYOP_INIT_ERROR
|
||||
Reason = invalid salt length
|
||||
@@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh
|
||||
4fINDOjP+yJJvZohNwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
|
||||
Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
|
||||
Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0652ec67bcee30f9d2699122b91c19abdba89f91
|
||||
Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=39c21c4cceda9c1adf839c744e1212a6437575ec
|
||||
Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=36dae913b77bd17cae6e7b09453d24544cebb33c
|
||||
Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh
|
||||
0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
|
||||
Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2dac956d53964748ac364d06595827c6b4f143cd
|
||||
Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
|
||||
Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
|
||||
Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
|
||||
Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu
|
||||
BQIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
|
||||
Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=b503319399277fd6c1c8f1033cbf04199ea21716
|
||||
Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=50aaede8536b2c307208b275a67ae2df196c7628
|
||||
Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
|
||||
Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=fad3902c9750622a2bc672622c48270cc57d3ea8
|
||||
Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -1329,11 +1376,13 @@ Title = RSA FIPS tests
|
||||
|
||||
# FIPS tests
|
||||
|
||||
-# Verifying with SHA1 is permitted in fips mode for older applications
|
||||
+# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode
|
||||
+Availablein = fips
|
||||
DigestVerify = SHA1
|
||||
Key = RSA-2048
|
||||
Input = "Hello "
|
||||
Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
|
||||
+Result = DIGESTVERIFYINIT_ERROR
|
||||
|
||||
# Verifying with a 1024 bit key is permitted in fips mode for older applications
|
||||
DigestVerify = SHA256
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index 48a92f735d..34afe91b88 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -162,7 +162,7 @@ my @smime_pkcs7_tests = (
|
||||
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
|
||||
"-certfile", $smroot,
|
||||
"-signer", $smrsa1, "-out", "{output}.cms" ],
|
||||
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
||||
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
|
||||
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
||||
\&final_compare
|
||||
],
|
||||
@@ -170,7 +170,7 @@ my @smime_pkcs7_tests = (
|
||||
[ "signed zero-length content S/MIME format, RSA key SHA1",
|
||||
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
|
||||
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
|
||||
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
||||
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
|
||||
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
||||
\&zero_compare
|
||||
],
|
||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
||||
index 8c52b637fc..ff75c5b6ec 100644
|
||||
--- a/test/recipes/80-test_ssl_old.t
|
||||
+++ b/test/recipes/80-test_ssl_old.t
|
||||
@@ -394,6 +394,9 @@ sub testssl {
|
||||
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
|
||||
}
|
||||
|
||||
+ SKIP: {
|
||||
+ skip "SSLv3 is not supported by the FIPS provider", 4
|
||||
+ if $provider eq "fips";
|
||||
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
|
||||
'test sslv2/sslv3 with server authentication');
|
||||
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
|
||||
@@ -402,6 +405,7 @@ sub testssl {
|
||||
'test sslv2/sslv3 with both client and server authentication via BIO pair');
|
||||
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
|
||||
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
|
||||
+ }
|
||||
|
||||
SKIP: {
|
||||
skip "No IPv4 available on this machine", 4
|
466
0062-fips-Expose-a-FIPS-indicator.patch
Normal file
466
0062-fips-Expose-a-FIPS-indicator.patch
Normal file
@ -0,0 +1,466 @@
|
||||
From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Tue, 7 Jun 2022 12:02:49 +0200
|
||||
Subject: [PATCH] fips: Expose a FIPS indicator
|
||||
|
||||
FIPS 140-3 requires us to indicate whether an operation was using
|
||||
approved services or not. The FIPS 140-3 implementation guidelines
|
||||
provide two basic approaches to doing this: implicit indicators, and
|
||||
explicit indicators.
|
||||
|
||||
Implicit indicators are basically the concept of "if the operation
|
||||
passes, it was approved". We were originally aiming for implicit
|
||||
indicators in our copy of OpenSSL. However, this proved to be a problem,
|
||||
because we wanted to certify a signature service, and FIPS 140-3
|
||||
requires that a signature service computes the digest to be signed
|
||||
within the boundaries of the FIPS module. Since we were planning to
|
||||
certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
|
||||
would have to be blocked. Unfortunately, EVP_SignFinal uses
|
||||
EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
|
||||
FIPS module boundary. This means that using implicit indicators in
|
||||
combination with certifying only fips.so would require us to block both
|
||||
EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
|
||||
by most users of OpenSSL for signatures.
|
||||
|
||||
EVP_DigestSign would be acceptable, but has only been added in 3.0 and
|
||||
is thus not yet widely used.
|
||||
|
||||
As a consequence, we've decided to introduce explicit indicators so that
|
||||
EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
|
||||
FIPS-aware applications can query the explicit indicator to check
|
||||
whether the operation was approved.
|
||||
|
||||
To avoid affecting the ABI and public API too much, this is implemented
|
||||
as an exported symbol in fips.so and a private header, so applications
|
||||
that wish to use this will have to dlopen(3) fips.so, locate the
|
||||
function using dlsym(3), and then call it. These applications will have
|
||||
to build against the private header in order to use the returned
|
||||
pointer.
|
||||
|
||||
Modify util/mkdef.pl to support exposing a symbol only for a specific
|
||||
provider identified by its name and path.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
doc/build.info | 6 ++
|
||||
doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++
|
||||
providers/fips/fipsprov.c | 71 +++++++++++++
|
||||
providers/fips/indicator.h | 66 ++++++++++++
|
||||
util/mkdef.pl | 25 ++++-
|
||||
util/providers.num | 1 +
|
||||
6 files changed, 322 insertions(+), 1 deletion(-)
|
||||
create mode 100644 doc/man7/fips_module_indicators.pod
|
||||
create mode 100644 providers/fips/indicator.h
|
||||
|
||||
diff --git a/doc/build.info b/doc/build.info
|
||||
index b0aa4297a4..af235113bb 100644
|
||||
--- a/doc/build.info
|
||||
+++ b/doc/build.info
|
||||
@@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod
|
||||
GENERATE[html/man7/fips_module.html]=man7/fips_module.pod
|
||||
DEPEND[man/man7/fips_module.7]=man7/fips_module.pod
|
||||
GENERATE[man/man7/fips_module.7]=man7/fips_module.pod
|
||||
+DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
|
||||
+GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
|
||||
+DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
|
||||
+GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
|
||||
DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
|
||||
GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
|
||||
DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod
|
||||
@@ -4631,6 +4635,7 @@ html/man7/ct.html \
|
||||
html/man7/des_modes.html \
|
||||
html/man7/evp.html \
|
||||
html/man7/fips_module.html \
|
||||
+html/man7/fips_module_indicators.html \
|
||||
html/man7/life_cycle-cipher.html \
|
||||
html/man7/life_cycle-digest.html \
|
||||
html/man7/life_cycle-kdf.html \
|
||||
@@ -4754,6 +4759,7 @@ man/man7/ct.7 \
|
||||
man/man7/des_modes.7 \
|
||||
man/man7/evp.7 \
|
||||
man/man7/fips_module.7 \
|
||||
+man/man7/fips_module_indicators.7 \
|
||||
man/man7/life_cycle-cipher.7 \
|
||||
man/man7/life_cycle-digest.7 \
|
||||
man/man7/life_cycle-kdf.7 \
|
||||
diff --git a/doc/man7/fips_module_indicators.pod b/doc/man7/fips_module_indicators.pod
|
||||
new file mode 100644
|
||||
index 0000000000..23db2b395c
|
||||
--- /dev/null
|
||||
+++ b/doc/man7/fips_module_indicators.pod
|
||||
@@ -0,0 +1,154 @@
|
||||
+=pod
|
||||
+
|
||||
+=head1 NAME
|
||||
+
|
||||
+fips_module_indicators - Red Hat OpenSSL FIPS module indicators guide
|
||||
+
|
||||
+=head1 DESCRIPTION
|
||||
+
|
||||
+This guide documents how the Red Hat Enterprise Linux 9 OpenSSL FIPS provider
|
||||
+implements Approved Security Service Indicators according to the FIPS 140-3
|
||||
+Implementation Guidelines, section 2.4.C. See
|
||||
+L<https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>
|
||||
+for the FIPS 140-3 Implementation Guidelines.
|
||||
+
|
||||
+For all approved services except signatures, the Red Hat OpenSSL FIPS provider
|
||||
+uses the return code as the indicator as understood by FIPS 140-3. That means
|
||||
+that every operation that succeeds denotes use of an approved security service.
|
||||
+Operations that do not succeed may not have been approved security services, or
|
||||
+may have been used incorrectly.
|
||||
+
|
||||
+For signatures, an explicit indicator API is available to determine whether
|
||||
+a selected operation is an approved security service, in combination with the
|
||||
+return code of the operation. For a signature operation to be approved, the
|
||||
+explicit indicator must claim it as approved, and it must succeed.
|
||||
+
|
||||
+=head2 Querying the explicit indicator
|
||||
+
|
||||
+The Red Hat OpenSSL FIPS provider exports a symbol named
|
||||
+I<redhat_ossl_query_fipsindicator> that provides information on which signature
|
||||
+operations are approved security functions. To use this function, either link
|
||||
+against I<fips.so> directly, or load it at runtime using dlopen(3) and
|
||||
+dlsym(3).
|
||||
+
|
||||
+ #include <openssl/core_dispatch.h>
|
||||
+ #include "providers/fips/indicator.h"
|
||||
+
|
||||
+ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY);
|
||||
+ if (provider == NULL) {
|
||||
+ fprintf(stderr, "%s\n", dlerror());
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+ const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int) \
|
||||
+ = dlsym(provider, "redhat_ossl_query_fipsindicator");
|
||||
+ if (redhat_ossl_query_fipsindicator == NULL) {
|
||||
+ fprintf(stderr, "%s\n", dlerror());
|
||||
+ fprintf(stderr, "Does your copy of fips.so have the required Red Hat"
|
||||
+ " patches?\n");
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+Note that this uses the I<providers/fips/indicator.h> header, which is not
|
||||
+public. Install the I<openssl-debugsource> package from the I<BaseOS-debuginfo>
|
||||
+repository using I<dnf debuginfo-install openssl> and include
|
||||
+I</usr/src/debug/openssl-3.*/> in the compiler's include path.
|
||||
+
|
||||
+I<redhat_ossl_query_fipsindicator> expects an operation ID as its only
|
||||
+argument. Currently, the only supported operation ID is I<OSSL_OP_SIGNATURE> to
|
||||
+obtain the indicators for signature operations. On success, the return value is
|
||||
+a pointer to an array of I<OSSL_RH_FIPSINDICATOR_STRUCT>s. On failure, NULL is
|
||||
+returned. The last entry in the array is indicated by I<algorithm_names> being
|
||||
+NULL.
|
||||
+
|
||||
+ typedef struct ossl_rh_fipsindicator_algorithm_st {
|
||||
+ const char *algorithm_names; /* key */
|
||||
+ const char *property_definition; /* key */
|
||||
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
|
||||
+ } OSSL_RH_FIPSINDICATOR_ALGORITHM;
|
||||
+
|
||||
+ typedef struct ossl_rh_fipsindicator_dispatch_st {
|
||||
+ int function_id;
|
||||
+ int approved;
|
||||
+ } OSSL_RH_FIPSINDICATOR_DISPATCH;
|
||||
+
|
||||
+The I<algorithm_names> field is a colon-separated list of algorithm names from
|
||||
+one of the I<PROV_NAMES_...> constants, e.g., I<PROV_NAMES_RSA>. strtok(3) can
|
||||
+be used to locate the appropriate entry. See the example below, where
|
||||
+I<algorithm> contains the algorithm name to search for:
|
||||
+
|
||||
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL;
|
||||
+ const OSSL_RH_FIPSINDICATOR_ALGORITHM *indicator =
|
||||
+ redhat_ossl_query_fipsindicator(operation_id);
|
||||
+ if (indicator == NULL) {
|
||||
+ fprintf(stderr, "No indicator for operation, probably using implicit"
|
||||
+ " indicators.\n");
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+ for (; indicator->algorithm_names != NULL; ++indicator) {
|
||||
+ char *algorithm_names = strdup(indicator->algorithm_names);
|
||||
+ if (algorithm_names == NULL) {
|
||||
+ perror("strdup(3)");
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+ const char *algorithm_name = strtok(algorithm_names, ":");
|
||||
+ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) {
|
||||
+ if (strcasecmp(algorithm_name, algorithm) == 0) {
|
||||
+ indicator_dispatch = indicator->indicators;
|
||||
+ free(algorithm_names);
|
||||
+ algorithm_names = NULL;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ free(algorithm_names);
|
||||
+ }
|
||||
+ if (indicator_dispatch == NULL) {
|
||||
+ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm);
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+If an appropriate I<OSSL_RH_FIPSINDICATOR_DISPATCH> array is available for the
|
||||
+given algorithm name, it maps function IDs to their approval status. The last
|
||||
+entry is indicated by a zero I<function_id>. I<approved> is
|
||||
+I<OSSL_RH_FIPSINDICATOR_APPROVED> if the operation is an approved security
|
||||
+service, or part of an approved security service, or
|
||||
+I<OSSL_RH_FIPSINDICATOR_UNAPPROVED> otherwise. Any other value is invalid.
|
||||
+Function IDs are I<OSSL_FUNC_*> constants from I<openssl/core_dispatch.h>,
|
||||
+e.g., I<OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE> or I<OSSL_FUNC_SIGNATURE_SIGN>.
|
||||
+
|
||||
+Assuming I<function_id> is the function in question, the following code can be
|
||||
+used to query the approval status:
|
||||
+
|
||||
+ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) {
|
||||
+ if (indicator_dispatch->function_id == function_id) {
|
||||
+ switch (indicator_dispatch->approved) {
|
||||
+ case OSSL_RH_FIPSINDICATOR_APPROVED:
|
||||
+ // approved security service
|
||||
+ break;
|
||||
+ case OSSL_RH_FIPSINDICATOR_UNAPPROVED:
|
||||
+ // unapproved security service
|
||||
+ break;
|
||||
+ default:
|
||||
+ // invalid result
|
||||
+ break;
|
||||
+ }
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+=head1 SEE ALSO
|
||||
+
|
||||
+L<fips_module(7)>, L<provider(7)>
|
||||
+
|
||||
+=head1 COPYRIGHT
|
||||
+
|
||||
+Copyright 2022 Red Hat, Inc. All Rights Reserved.
|
||||
+
|
||||
+Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+this file except in compliance with the License. You can obtain a copy
|
||||
+in the file LICENSE in the source distribution or at
|
||||
+L<https://www.openssl.org/source/license.html>.
|
||||
+
|
||||
+=cut
|
||||
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
||||
index de391ce067..1cfd71c5cf 100644
|
||||
--- a/providers/fips/fipsprov.c
|
||||
+++ b/providers/fips/fipsprov.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include "self_test.h"
|
||||
#include "crypto/context.h"
|
||||
#include "internal/core.h"
|
||||
+#include "indicator.h"
|
||||
|
||||
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
|
||||
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
|
||||
@@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = {
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_rsa_signature_indicators[] = {
|
||||
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
|
||||
+};
|
||||
+
|
||||
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_ecdsa_signature_indicators[] = {
|
||||
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
|
||||
+};
|
||||
+
|
||||
+static const OSSL_RH_FIPSINDICATOR_ALGORITHM redhat_indicator_fips_signature[] = {
|
||||
+ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES,
|
||||
+ redhat_rsa_signature_indicators },
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES,
|
||||
+ redhat_ecdsa_signature_indicators },
|
||||
+#endif
|
||||
+ { NULL, NULL, NULL }
|
||||
+};
|
||||
+
|
||||
static const OSSL_ALGORITHM fips_asym_cipher[] = {
|
||||
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
|
||||
{ NULL, NULL, NULL }
|
||||
@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) {
|
||||
+ switch (operation_id) {
|
||||
+ case OSSL_OP_SIGNATURE:
|
||||
+ return redhat_indicator_fips_signature;
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
static void fips_teardown(void *provctx)
|
||||
{
|
||||
OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
|
||||
diff --git a/providers/fips/indicator.h b/providers/fips/indicator.h
|
||||
new file mode 100644
|
||||
index 0000000000..b323efe44c
|
||||
--- /dev/null
|
||||
+++ b/providers/fips/indicator.h
|
||||
@@ -0,0 +1,66 @@
|
||||
+/*
|
||||
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#ifndef OPENSSL_FIPS_INDICATOR_H
|
||||
+# define OPENSSL_FIPS_INDICATOR_H
|
||||
+# pragma once
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+extern "C" {
|
||||
+# endif
|
||||
+
|
||||
+# define OSSL_RH_FIPSINDICATOR_UNAPPROVED (0)
|
||||
+# define OSSL_RH_FIPSINDICATOR_APPROVED (1)
|
||||
+
|
||||
+/*
|
||||
+ * FIPS indicator dispatch table element. function_id numbers and the
|
||||
+ * functions are defined in core_dispatch.h, see macros with
|
||||
+ * 'OSSL_CORE_MAKE_FUNC' in their names.
|
||||
+ *
|
||||
+ * An array of these is always terminated by function_id == 0
|
||||
+ */
|
||||
+typedef struct ossl_rh_fipsindicator_dispatch_st {
|
||||
+ int function_id;
|
||||
+ int approved;
|
||||
+} OSSL_RH_FIPSINDICATOR_DISPATCH;
|
||||
+
|
||||
+/*
|
||||
+ * Type to tie together algorithm names, property definition string and the
|
||||
+ * algorithm implementation's FIPS indicator status in the form of a FIPS
|
||||
+ * indicator dispatch table.
|
||||
+ *
|
||||
+ * An array of these is always terminated by algorithm_names == NULL
|
||||
+ */
|
||||
+typedef struct ossl_rh_fipsindicator_algorithm_st {
|
||||
+ const char *algorithm_names; /* key */
|
||||
+ const char *property_definition; /* key */
|
||||
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
|
||||
+} OSSL_RH_FIPSINDICATOR_ALGORITHM;
|
||||
+
|
||||
+/**
|
||||
+ * Query FIPS indicator status for the given operation. Possible values for
|
||||
+ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms
|
||||
+ * use implicit indicators. The return value is an array of
|
||||
+ * OSSL_RH_FIPSINDICATOR_ALGORITHMs, terminated by an entry with
|
||||
+ * algorithm_names == NULL. 'algorithm_names' is a colon-separated list of
|
||||
+ * algorithm names, 'property_definition' a comma-separated list of properties,
|
||||
+ * and 'indicators' is a list of OSSL_RH_FIPSINDICATOR_DISPATCH structs. This
|
||||
+ * list is terminated by function_id == 0. 'function_id' is one of the
|
||||
+ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL.
|
||||
+ *
|
||||
+ * If there is no entry in the returned struct for the given operation_id,
|
||||
+ * algorithm name, or function_id, the algorithm is unapproved.
|
||||
+ */
|
||||
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id);
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+}
|
||||
+# endif
|
||||
+
|
||||
+#endif
|
||||
diff --git a/util/mkdef.pl b/util/mkdef.pl
|
||||
index a1c76f7c97..eda39b71ee 100755
|
||||
--- a/util/mkdef.pl
|
||||
+++ b/util/mkdef.pl
|
||||
@@ -149,7 +149,8 @@ $ordinal_opts{filter} =
|
||||
return
|
||||
$item->exists()
|
||||
&& platform_filter($item)
|
||||
- && feature_filter($item);
|
||||
+ && feature_filter($item)
|
||||
+ && fips_filter($item, $name);
|
||||
};
|
||||
my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);
|
||||
|
||||
@@ -205,6 +206,28 @@ sub feature_filter {
|
||||
return $verdict;
|
||||
}
|
||||
|
||||
+sub fips_filter {
|
||||
+ my $item = shift;
|
||||
+ my $name = uc(shift);
|
||||
+ my @features = ( $item->features() );
|
||||
+
|
||||
+ # True if no features are defined
|
||||
+ return 1 if scalar @features == 0;
|
||||
+
|
||||
+ my @matches = grep(/^ONLY_.*$/, @features);
|
||||
+ if (@matches) {
|
||||
+ # There is at least one only_* flag on this symbol, check if any of
|
||||
+ # them match the name
|
||||
+ for (@matches) {
|
||||
+ if ($_ eq "ONLY_${name}") {
|
||||
+ return 1;
|
||||
+ }
|
||||
+ }
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
sub sorter_unix {
|
||||
my $by_name = OpenSSL::Ordinals::by_name();
|
||||
my %weight = (
|
||||
diff --git a/util/providers.num b/util/providers.num
|
||||
index 4e2fa81b98..77879d0e5f 100644
|
||||
--- a/util/providers.num
|
||||
+++ b/util/providers.num
|
||||
@@ -1 +1,2 @@
|
||||
OSSL_provider_init 1 * EXIST::FUNCTION:
|
||||
+redhat_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS
|
||||
--
|
||||
2.35.3
|
||||
|
347
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Normal file
347
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Normal file
@ -0,0 +1,347 @@
|
||||
From abeda0b0475adb0d4f89b0c97cfc349779915bbf Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 29/35]
|
||||
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
|
||||
|
||||
Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
|
||||
Patch-id: 73
|
||||
Patch-status: |
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
crypto/rsa/rsa_local.h | 8 ++
|
||||
crypto/rsa/rsa_oaep.c | 34 ++++++--
|
||||
include/openssl/core_names.h | 3 +
|
||||
providers/fips/self_test_data.inc | 79 ++++++++++---------
|
||||
providers/fips/self_test_kats.c | 7 ++
|
||||
.../implementations/asymciphers/rsa_enc.c | 41 +++++++++-
|
||||
6 files changed, 128 insertions(+), 44 deletions(-)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
|
||||
index ea70da05ad..dde57a1a0e 100644
|
||||
--- a/crypto/rsa/rsa_local.h
|
||||
+++ b/crypto/rsa/rsa_local.h
|
||||
@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to
|
||||
int tlen, const unsigned char *from,
|
||||
int flen);
|
||||
|
||||
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
|
||||
+ unsigned char *to, int tlen,
|
||||
+ const unsigned char *from, int flen,
|
||||
+ const unsigned char *param,
|
||||
+ int plen, const EVP_MD *md,
|
||||
+ const EVP_MD *mgf1md,
|
||||
+ const char *redhat_st_seed);
|
||||
+
|
||||
#endif /* OSSL_CRYPTO_RSA_LOCAL_H */
|
||||
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
|
||||
index d9be1a4f98..b2f7f7dc4b 100644
|
||||
--- a/crypto/rsa/rsa_oaep.c
|
||||
+++ b/crypto/rsa/rsa_oaep.c
|
||||
@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
||||
param, plen, NULL, NULL);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+extern int REDHAT_FIPS_asym_cipher_st;
|
||||
+#endif /* FIPS_MODULE */
|
||||
+
|
||||
/*
|
||||
* Perform the padding as per NIST 800-56B 7.2.2.3
|
||||
* from (K) is the key material.
|
||||
@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
||||
* Step numbers are included here but not in the constant time inverse below
|
||||
* to avoid complicating an already difficult enough function.
|
||||
*/
|
||||
-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
||||
- unsigned char *to, int tlen,
|
||||
- const unsigned char *from, int flen,
|
||||
- const unsigned char *param,
|
||||
- int plen, const EVP_MD *md,
|
||||
- const EVP_MD *mgf1md)
|
||||
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
|
||||
+ unsigned char *to, int tlen,
|
||||
+ const unsigned char *from, int flen,
|
||||
+ const unsigned char *param,
|
||||
+ int plen, const EVP_MD *md,
|
||||
+ const EVP_MD *mgf1md,
|
||||
+ const char *redhat_st_seed)
|
||||
{
|
||||
int rv = 0;
|
||||
int i, emlen = tlen - 1;
|
||||
@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
||||
db[emlen - flen - mdlen - 1] = 0x01;
|
||||
memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
|
||||
/* step 3d: generate random byte string */
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
|
||||
+ memcpy(seed, redhat_st_seed, mdlen);
|
||||
+ } else
|
||||
+#endif
|
||||
if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
|
||||
goto err;
|
||||
|
||||
@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
||||
return rv;
|
||||
}
|
||||
|
||||
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
||||
+ unsigned char *to, int tlen,
|
||||
+ const unsigned char *from, int flen,
|
||||
+ const unsigned char *param,
|
||||
+ int plen, const EVP_MD *md,
|
||||
+ const EVP_MD *mgf1md)
|
||||
+{
|
||||
+ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from,
|
||||
+ flen, param, plen, md,
|
||||
+ mgf1md, NULL);
|
||||
+}
|
||||
+
|
||||
int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
||||
const unsigned char *from, int flen,
|
||||
const unsigned char *param, int plen,
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index e0fdc0daa4..aa2012c04a 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
+++ b/providers/fips/self_test_data.inc
|
||||
@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
|
||||
};
|
||||
|
||||
/*-
|
||||
- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
|
||||
+ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
|
||||
* ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
|
||||
* HP/UX PA-RISC compilers.
|
||||
*/
|
||||
-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
|
||||
+static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
|
||||
+static const char oaep_fixed_seed[] = {
|
||||
+ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
|
||||
+ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
|
||||
+ 0x2e, 0x4b, 0x2c, 0xe6
|
||||
+};
|
||||
|
||||
static const ST_KAT_PARAM rsa_enc_params[] = {
|
||||
- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
|
||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
|
||||
+ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED,
|
||||
+ oaep_fixed_seed),
|
||||
ST_KAT_PARAM_END()
|
||||
};
|
||||
|
||||
@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = {
|
||||
0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
|
||||
};
|
||||
|
||||
-static const unsigned char rsa_asym_plaintext_encrypt[256] = {
|
||||
+static const unsigned char rsa_asym_plaintext_encrypt[208] = {
|
||||
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
|
||||
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
|
||||
};
|
||||
static const unsigned char rsa_asym_expected_encrypt[256] = {
|
||||
- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b,
|
||||
- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61,
|
||||
- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c,
|
||||
- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc,
|
||||
- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0,
|
||||
- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa,
|
||||
- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a,
|
||||
- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc,
|
||||
- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35,
|
||||
- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a,
|
||||
- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd,
|
||||
- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda,
|
||||
- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18,
|
||||
- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7,
|
||||
- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39,
|
||||
- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87,
|
||||
- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21,
|
||||
- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0,
|
||||
- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8,
|
||||
- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c,
|
||||
- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa,
|
||||
- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69,
|
||||
- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52,
|
||||
- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c,
|
||||
- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6,
|
||||
- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93,
|
||||
- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d,
|
||||
- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5,
|
||||
- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9,
|
||||
- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04,
|
||||
- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa,
|
||||
- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab,
|
||||
+ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74,
|
||||
+ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c,
|
||||
+ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e,
|
||||
+ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b,
|
||||
+ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25,
|
||||
+ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89,
|
||||
+ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1,
|
||||
+ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50,
|
||||
+ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17,
|
||||
+ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2,
|
||||
+ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb,
|
||||
+ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d,
|
||||
+ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e,
|
||||
+ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f,
|
||||
+ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3,
|
||||
+ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06,
|
||||
+ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25,
|
||||
+ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78,
|
||||
+ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04,
|
||||
+ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c,
|
||||
+ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47,
|
||||
+ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce,
|
||||
+ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0,
|
||||
+ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6,
|
||||
+ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99,
|
||||
+ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30,
|
||||
+ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20,
|
||||
+ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb,
|
||||
+ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27,
|
||||
+ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66,
|
||||
+ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a,
|
||||
+ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06
|
||||
};
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
|
||||
index 74ee25dcb6..a9bc8be7fa 100644
|
||||
--- a/providers/fips/self_test_kats.c
|
||||
+++ b/providers/fips/self_test_kats.c
|
||||
@@ -641,14 +641,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+int REDHAT_FIPS_asym_cipher_st = 0;
|
||||
+
|
||||
static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
int i, ret = 1;
|
||||
|
||||
+ REDHAT_FIPS_asym_cipher_st = 1;
|
||||
+
|
||||
for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
|
||||
if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
|
||||
ret = 0;
|
||||
}
|
||||
+
|
||||
+ REDHAT_FIPS_asym_cipher_st = 0;
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||||
index 9cd8904131..40de5ce8fa 100644
|
||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||
@@ -30,6 +30,9 @@
|
||||
#include "prov/implementations.h"
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/securitycheck.h"
|
||||
+#ifdef FIPS_MODULE
|
||||
+# include "crypto/rsa/rsa_local.h"
|
||||
+#endif
|
||||
|
||||
#include <stdlib.h>
|
||||
|
||||
@@ -75,6 +78,9 @@ typedef struct {
|
||||
/* TLS padding */
|
||||
unsigned int client_version;
|
||||
unsigned int alt_version;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ char *redhat_st_oaep_seed;
|
||||
+#endif /* FIPS_MODULE */
|
||||
/* PKCS#1 v1.5 decryption mode */
|
||||
unsigned int implicit_rejection;
|
||||
} PROV_RSA_CTX;
|
||||
@@ -192,12 +198,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
}
|
||||
}
|
||||
ret =
|
||||
- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
|
||||
+#ifdef FIPS_MODULE
|
||||
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(
|
||||
+#else
|
||||
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(
|
||||
+#endif
|
||||
+ prsactx->libctx, tbuf,
|
||||
rsasize, in, inlen,
|
||||
prsactx->oaep_label,
|
||||
prsactx->oaep_labellen,
|
||||
prsactx->oaep_md,
|
||||
- prsactx->mgf1_md);
|
||||
+ prsactx->mgf1_md
|
||||
+#ifdef FIPS_MODULE
|
||||
+ , prsactx->redhat_st_oaep_seed
|
||||
+#endif
|
||||
+ );
|
||||
|
||||
if (!ret) {
|
||||
OPENSSL_free(tbuf);
|
||||
@@ -328,6 +343,9 @@ static void rsa_freectx(void *vprsactx)
|
||||
EVP_MD_free(prsactx->oaep_md);
|
||||
EVP_MD_free(prsactx->mgf1_md);
|
||||
OPENSSL_free(prsactx->oaep_label);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OPENSSL_free(prsactx->redhat_st_oaep_seed);
|
||||
+#endif /* FIPS_MODULE */
|
||||
|
||||
OPENSSL_free(prsactx);
|
||||
}
|
||||
@@ -447,6 +465,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
NULL, 0),
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
||||
+#endif /* FIPS_MODULE */
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
@@ -456,6 +477,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
|
||||
return known_gettable_ctx_params;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+extern int REDHAT_FIPS_asym_cipher_st;
|
||||
+#endif /* FIPS_MODULE */
|
||||
+
|
||||
static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
@@ -567,6 +592,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
prsactx->oaep_labellen = tmp_labellen;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED);
|
||||
+ if (p != NULL && REDHAT_FIPS_asym_cipher_st) {
|
||||
+ void *tmp_oaep_seed = NULL;
|
||||
+
|
||||
+ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL))
|
||||
+ return 0;
|
||||
+ OPENSSL_free(prsactx->redhat_st_oaep_seed);
|
||||
+ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed;
|
||||
+ }
|
||||
+#endif /* FIPS_MODULE */
|
||||
+
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
|
||||
if (p != NULL) {
|
||||
unsigned int client_version;
|
||||
--
|
||||
2.41.0
|
||||
|
||||
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.patch-config openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
|
||||
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.patch-config 2023-12-14 13:48:23.398025507 +0100
|
||||
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2023-12-14 14:24:49.519488385 +0100
|
||||
@@ -401,6 +401,7 @@ my %params = (
|
||||
'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version",
|
||||
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
|
||||
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
|
||||
+ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
|
||||
|
||||
# Encoder / decoder parameters
|
||||
|
408
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
Normal file
408
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
Normal file
@ -0,0 +1,408 @@
|
||||
From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 15 Jul 2022 17:45:40 +0200
|
||||
Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test
|
||||
|
||||
In review for FIPS 140-3, the lack of a self-test for the digest_sign
|
||||
and digest_verify provider functions was highlighted as a problem. NIST
|
||||
no longer provides ACVP tests for the RSA SigVer primitive (see
|
||||
https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3
|
||||
recommends the use of functions that compute the digest and signature
|
||||
within the module, we have been advised in our module review that the
|
||||
self tests should also use the combined digest and signature APIs, i.e.
|
||||
the digest_sign and digest_verify provider functions.
|
||||
|
||||
Modify the signature self-test to use these instead by switching to
|
||||
EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to
|
||||
crypto/evp/m_sigver.c to make these functions usable in the FIPS module.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------
|
||||
providers/fips/self_test_kats.c | 37 +++++++++++++++-------------
|
||||
2 files changed, 56 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
||||
index db1a1d7bc3..c94c3c53bd 100644
|
||||
--- a/crypto/evp/m_sigver.c
|
||||
+++ b/crypto/evp/m_sigver.c
|
||||
@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
|
||||
return 0;
|
||||
}
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
/*
|
||||
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
|
||||
@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
reinit = 0;
|
||||
if (e == NULL)
|
||||
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
|
||||
+#ifndef FIPS_MODULE
|
||||
else
|
||||
ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
}
|
||||
if (ctx->pctx == NULL)
|
||||
return 0;
|
||||
@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
locpctx = ctx->pctx;
|
||||
ERR_set_mark();
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (evp_pkey_ctx_is_legacy(locpctx))
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
/* do not reinitialize if pkey is set or operation is different */
|
||||
if (reinit
|
||||
@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
signature =
|
||||
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
|
||||
supported_sig, locpctx->propquery);
|
||||
+#ifndef FIPS_MODULE
|
||||
if (signature == NULL)
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
break;
|
||||
}
|
||||
if (signature == NULL)
|
||||
@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
|
||||
if (ctx->fetched_digest != NULL) {
|
||||
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
|
||||
+#ifndef FIPS_MODULE
|
||||
} else {
|
||||
/* legacy engine support : remove the mark when this is deleted */
|
||||
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
|
||||
@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
goto err;
|
||||
}
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
}
|
||||
(void)ERR_pop_to_mark();
|
||||
}
|
||||
}
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (ctx->reqdigest != NULL
|
||||
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
||||
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
||||
@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
if (ver) {
|
||||
if (signature->digest_verify_init == NULL) {
|
||||
@@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
EVP_KEYMGMT_free(tmp_keymgmt);
|
||||
return 0;
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
legacy:
|
||||
/*
|
||||
* If we don't have the full support we need with provided methods,
|
||||
@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
ctx->pctx->flag_call_digest_custom = 1;
|
||||
|
||||
ret = 1;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
end:
|
||||
#ifndef FIPS_MODULE
|
||||
@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
|
||||
NULL);
|
||||
}
|
||||
-#endif /* FIPS_MDOE */
|
||||
|
||||
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
||||
{
|
||||
@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
}
|
||||
|
||||
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
||||
@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
if (vctx || !r)
|
||||
return r;
|
||||
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
}
|
||||
|
||||
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
||||
@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
||||
return -1;
|
||||
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
|
||||
}
|
||||
-#endif /* FIPS_MODULE */
|
||||
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
|
||||
index b6d5e8e134..77eec075e6 100644
|
||||
--- a/providers/fips/self_test_kats.c
|
||||
+++ b/providers/fips/self_test_kats.c
|
||||
@@ -444,10 +444,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
int ret = 0;
|
||||
OSSL_PARAM *params = NULL, *params_sig = NULL;
|
||||
OSSL_PARAM_BLD *bld = NULL;
|
||||
+ EVP_MD *md = NULL;
|
||||
+ EVP_MD_CTX *ctx = NULL;
|
||||
EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
- unsigned char sig[256];
|
||||
BN_CTX *bnctx = NULL;
|
||||
+ const char *msg = "Hello World!";
|
||||
+ unsigned char sig[256];
|
||||
size_t siglen = sizeof(sig);
|
||||
static const unsigned char dgst[] = {
|
||||
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
||||
@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
|
||||
goto err;
|
||||
|
||||
- /* Create a EVP_PKEY_CTX to use for the signing operation */
|
||||
- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
|
||||
- if (sctx == NULL
|
||||
- || EVP_PKEY_sign_init(sctx) <= 0)
|
||||
- goto err;
|
||||
-
|
||||
- /* set signature parameters */
|
||||
- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
|
||||
- t->mdalgorithm,
|
||||
- strlen(t->mdalgorithm) + 1))
|
||||
- goto err;
|
||||
+ /* Create a EVP_MD_CTX to use for the signature operation, assign signature
|
||||
+ * parameters and sign */
|
||||
params_sig = OSSL_PARAM_BLD_to_param(bld);
|
||||
- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
||||
+ md = EVP_MD_fetch(libctx, "SHA256", NULL);
|
||||
+ ctx = EVP_MD_CTX_new();
|
||||
+ if (md == NULL || ctx == NULL)
|
||||
+ goto err;
|
||||
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
||||
+ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
|
||||
+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
|
||||
+ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
|
||||
+ || EVP_MD_CTX_reset(ctx) <= 0)
|
||||
goto err;
|
||||
|
||||
- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
|
||||
- || EVP_PKEY_verify_init(sctx) <= 0
|
||||
+ /* sctx is not freed automatically inside the FIPS module */
|
||||
+ EVP_PKEY_CTX_free(sctx);
|
||||
+ sctx = NULL;
|
||||
+
|
||||
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
||||
+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
|
||||
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
||||
goto err;
|
||||
|
||||
@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
goto err;
|
||||
|
||||
OSSL_SELF_TEST_oncorrupt_byte(st, sig);
|
||||
- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
|
||||
+ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
BN_CTX_free(bnctx);
|
||||
EVP_PKEY_free(pkey);
|
||||
- EVP_PKEY_CTX_free(kctx);
|
||||
+ EVP_MD_free(md);
|
||||
+ EVP_MD_CTX_free(ctx);
|
||||
+ /* sctx is not freed automatically inside the FIPS module */
|
||||
EVP_PKEY_CTX_free(sctx);
|
||||
+ EVP_PKEY_CTX_free(kctx);
|
||||
OSSL_PARAM_free(params);
|
||||
OSSL_PARAM_free(params_sig);
|
||||
OSSL_PARAM_BLD_free(bld);
|
||||
--
|
||||
2.37.1
|
||||
|
||||
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch openssl-3.2.0/crypto/evp/m_sigver.c
|
||||
--- openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch 2024-01-04 11:44:18.761559765 +0100
|
||||
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-04 11:51:18.297195401 +0100
|
||||
@@ -560,26 +560,33 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c
|
||||
return EVP_DigestUpdate(ctx, data, dsize);
|
||||
}
|
||||
|
||||
-#ifndef FIPS_MODULE
|
||||
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
size_t *siglen)
|
||||
{
|
||||
- int sctx = 0, r = 0;
|
||||
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
|
||||
+ int r = 0;
|
||||
+#ifndef FIPS_MODULE
|
||||
+ int sctx = 0;
|
||||
+ EVP_PKEY_CTX *dctx = NULL;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
||||
+
|
||||
|
||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (pctx == NULL
|
||||
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
|
||||
|| pctx->op.sig.algctx == NULL
|
||||
|| pctx->op.sig.signature == NULL)
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
||||
/* try dup */
|
||||
+#ifndef FIPS_MODULE
|
||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
||||
if (dctx != NULL)
|
||||
pctx = dctx;
|
||||
@@ -591,8 +598,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
|
||||
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
|
||||
else
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
return r;
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
legacy:
|
||||
if (pctx == NULL || pctx->pmeth == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
@@ -704,25 +713,32 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi
|
||||
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
size_t siglen)
|
||||
{
|
||||
- unsigned char md[EVP_MAX_MD_SIZE];
|
||||
int r = 0;
|
||||
+#ifndef FIPS_MODULE
|
||||
+ unsigned char md[EVP_MAX_MD_SIZE];
|
||||
unsigned int mdlen = 0;
|
||||
int vctx = 0;
|
||||
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
|
||||
+ EVP_PKEY_CTX *dctx = NULL;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
||||
+
|
||||
|
||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (pctx == NULL
|
||||
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
|
||||
|| pctx->op.sig.algctx == NULL
|
||||
|| pctx->op.sig.signature == NULL)
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
||||
/* try dup */
|
||||
+#ifndef FIPS_MODULE
|
||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
||||
if (dctx != NULL)
|
||||
pctx = dctx;
|
||||
@@ -733,8 +749,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
|
||||
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
|
||||
else
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
return r;
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
legacy:
|
||||
if (pctx == NULL || pctx->pmeth == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch openssl-3.2.0/crypto/evp/m_sigver.c
|
||||
--- openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch 2024-01-04 12:39:26.858137284 +0100
|
||||
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-04 12:40:28.201680446 +0100
|
||||
@@ -736,9 +736,9 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
|
||||
goto legacy;
|
||||
#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
||||
/* try dup */
|
||||
-#ifndef FIPS_MODULE
|
||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
||||
if (dctx != NULL)
|
||||
pctx = dctx;
|
||||
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch openssl-3.2.0/crypto/evp/m_sigver.c
|
||||
--- openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch 2024-01-04 12:55:41.172653897 +0100
|
||||
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-04 12:56:23.562017396 +0100
|
||||
@@ -584,9 +584,9 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
|
||||
goto legacy;
|
||||
#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
||||
/* try dup */
|
||||
-#ifndef FIPS_MODULE
|
||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
||||
if (dctx != NULL)
|
||||
pctx = dctx;
|
||||
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.fips-new openssl-3.2.0/crypto/evp/m_sigver.c
|
||||
--- openssl-3.2.0/crypto/evp/m_sigver.c.fips-new 2024-01-30 23:50:10.115710238 +0100
|
||||
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-31 00:04:31.448164500 +0100
|
||||
@@ -598,7 +598,11 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
|
||||
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
|
||||
else
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
+ return r;
|
||||
#endif /* !defined(FIPS_MODULE) */
|
||||
+ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
|
||||
+ sigret, siglen,
|
||||
+ sigret == NULL ? 0 : *siglen);
|
||||
return r;
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
@@ -749,7 +753,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
|
||||
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
|
||||
else
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
+ return r;
|
||||
#endif /* !defined(FIPS_MODULE) */
|
||||
+ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
|
||||
+ sig, siglen);
|
||||
return r;
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.fix-ifdef openssl-3.2.0/crypto/evp/m_sigver.c
|
||||
--- openssl-3.2.0/crypto/evp/m_sigver.c.fix-ifdef 2024-02-01 09:23:07.877696442 +0100
|
||||
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-02-01 09:25:30.857169997 +0100
|
||||
@@ -599,11 +599,12 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
|
||||
else
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
return r;
|
||||
-#endif /* !defined(FIPS_MODULE) */
|
||||
+#else
|
||||
r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
|
||||
sigret, siglen,
|
||||
sigret == NULL ? 0 : *siglen);
|
||||
return r;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
legacy:
|
||||
@@ -754,10 +755,11 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
|
||||
else
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
return r;
|
||||
-#endif /* !defined(FIPS_MODULE) */
|
||||
+#else
|
||||
r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
|
||||
sig, siglen);
|
||||
return r;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
legacy:
|
378
0075-FIPS-Use-FFDHE2048-in-self-test.patch
Normal file
378
0075-FIPS-Use-FFDHE2048-in-self-test.patch
Normal file
@ -0,0 +1,378 @@
|
||||
From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 22 Jul 2022 17:51:16 +0200
|
||||
Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
providers/fips/self_test_data.inc | 342 +++++++++++++++---------------
|
||||
1 file changed, 172 insertions(+), 170 deletions(-)
|
||||
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index a29cc650b5..1b5623833f 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
+++ b/providers/fips/self_test_data.inc
|
||||
@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
|
||||
|
||||
#ifndef OPENSSL_NO_DH
|
||||
/* DH KAT */
|
||||
+/* RFC7919 FFDHE2048 p */
|
||||
static const unsigned char dh_p[] = {
|
||||
- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25,
|
||||
- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0,
|
||||
- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66,
|
||||
- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b,
|
||||
- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe,
|
||||
- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce,
|
||||
- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d,
|
||||
- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d,
|
||||
- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde,
|
||||
- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb,
|
||||
- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17,
|
||||
- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0,
|
||||
- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97,
|
||||
- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9,
|
||||
- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7,
|
||||
- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1,
|
||||
- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d,
|
||||
- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82,
|
||||
- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4,
|
||||
- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c,
|
||||
- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b,
|
||||
- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50,
|
||||
- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31,
|
||||
- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44,
|
||||
- 0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5,
|
||||
- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80,
|
||||
- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12,
|
||||
- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94,
|
||||
- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7,
|
||||
- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1,
|
||||
- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d,
|
||||
- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69
|
||||
-};
|
||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
+ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a,
|
||||
+ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
|
||||
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95,
|
||||
+ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb,
|
||||
+ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
|
||||
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8,
|
||||
+ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a,
|
||||
+ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
|
||||
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0,
|
||||
+ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3,
|
||||
+ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
|
||||
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77,
|
||||
+ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72,
|
||||
+ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
|
||||
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a,
|
||||
+ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61,
|
||||
+ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
|
||||
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68,
|
||||
+ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4,
|
||||
+ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
|
||||
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70,
|
||||
+ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec,
|
||||
+ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
|
||||
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff,
|
||||
+ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83,
|
||||
+ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
|
||||
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05,
|
||||
+ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2,
|
||||
+ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
|
||||
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97,
|
||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
|
||||
+};
|
||||
+/* RFC7919 FFDHE2048 q */
|
||||
static const unsigned char dh_q[] = {
|
||||
- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e,
|
||||
- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83,
|
||||
- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea,
|
||||
- 0x11, 0xac, 0xb5, 0x7d
|
||||
-};
|
||||
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
+ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d,
|
||||
+ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
|
||||
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a,
|
||||
+ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd,
|
||||
+ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
|
||||
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec,
|
||||
+ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd,
|
||||
+ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
|
||||
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68,
|
||||
+ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79,
|
||||
+ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
|
||||
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb,
|
||||
+ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39,
|
||||
+ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
|
||||
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd,
|
||||
+ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0,
|
||||
+ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
|
||||
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34,
|
||||
+ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa,
|
||||
+ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
|
||||
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8,
|
||||
+ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76,
|
||||
+ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
|
||||
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff,
|
||||
+ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1,
|
||||
+ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
|
||||
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02,
|
||||
+ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9,
|
||||
+ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
|
||||
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b,
|
||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
|
||||
+};
|
||||
+/* RFC7919 FFDHE2048 g */
|
||||
static const unsigned char dh_g[] = {
|
||||
- 0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39,
|
||||
- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f,
|
||||
- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0,
|
||||
- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f,
|
||||
- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f,
|
||||
- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a,
|
||||
- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4,
|
||||
- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c,
|
||||
- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20,
|
||||
- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25,
|
||||
- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53,
|
||||
- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9,
|
||||
- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc,
|
||||
- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9,
|
||||
- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43,
|
||||
- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86,
|
||||
- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16,
|
||||
- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40,
|
||||
- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23,
|
||||
- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa,
|
||||
- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6,
|
||||
- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2,
|
||||
- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61,
|
||||
- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a,
|
||||
- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef,
|
||||
- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f,
|
||||
- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3,
|
||||
- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a,
|
||||
- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4,
|
||||
- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74,
|
||||
- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4,
|
||||
- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32
|
||||
+ 0x02
|
||||
};
|
||||
static const unsigned char dh_priv[] = {
|
||||
- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a,
|
||||
- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70,
|
||||
- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15,
|
||||
- 0x40, 0xb8, 0xfc, 0xe6
|
||||
+ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f,
|
||||
+ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d,
|
||||
+ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d,
|
||||
+ 0x6c, 0xdc, 0x5d, 0x6e, 0x94
|
||||
};
|
||||
static const unsigned char dh_pub[] = {
|
||||
- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
|
||||
- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
|
||||
- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
|
||||
- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
|
||||
- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
|
||||
- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
|
||||
- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
|
||||
- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
|
||||
- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
|
||||
- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
|
||||
- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
|
||||
- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
|
||||
- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
|
||||
- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
|
||||
- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
|
||||
- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
|
||||
- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
|
||||
- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
|
||||
- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
|
||||
- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
|
||||
- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
|
||||
- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
|
||||
- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
|
||||
- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
|
||||
- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
|
||||
- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
|
||||
- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
|
||||
- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
|
||||
- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
|
||||
- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
|
||||
- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
|
||||
- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
|
||||
+ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05,
|
||||
+ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f,
|
||||
+ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43,
|
||||
+ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23,
|
||||
+ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a,
|
||||
+ 0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b,
|
||||
+ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c,
|
||||
+ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63,
|
||||
+ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38,
|
||||
+ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6,
|
||||
+ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a,
|
||||
+ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94,
|
||||
+ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92,
|
||||
+ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44,
|
||||
+ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53,
|
||||
+ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13,
|
||||
+ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30,
|
||||
+ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b,
|
||||
+ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01,
|
||||
+ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d,
|
||||
+ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18,
|
||||
+ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81,
|
||||
+ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f,
|
||||
+ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7,
|
||||
+ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39,
|
||||
+ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed,
|
||||
+ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71,
|
||||
+ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce,
|
||||
+ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04,
|
||||
+ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69,
|
||||
+ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed,
|
||||
+ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2,
|
||||
+ 0x32
|
||||
};
|
||||
static const unsigned char dh_peer_pub[] = {
|
||||
- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
|
||||
- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d,
|
||||
- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58,
|
||||
- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32,
|
||||
- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb,
|
||||
- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0,
|
||||
- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0,
|
||||
- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc,
|
||||
- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1,
|
||||
- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e,
|
||||
- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97,
|
||||
- 0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05,
|
||||
- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3,
|
||||
- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f,
|
||||
- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7,
|
||||
- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1,
|
||||
- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96,
|
||||
- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf,
|
||||
- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22,
|
||||
- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98,
|
||||
- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42,
|
||||
- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c,
|
||||
- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde,
|
||||
- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20,
|
||||
- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22,
|
||||
- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3,
|
||||
- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3,
|
||||
- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2,
|
||||
- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00,
|
||||
- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51,
|
||||
- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f,
|
||||
- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b
|
||||
+ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79,
|
||||
+ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda,
|
||||
+ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29,
|
||||
+ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84,
|
||||
+ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57,
|
||||
+ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5,
|
||||
+ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68,
|
||||
+ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c,
|
||||
+ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6,
|
||||
+ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20,
|
||||
+ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d,
|
||||
+ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3,
|
||||
+ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a,
|
||||
+ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77,
|
||||
+ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73,
|
||||
+ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53,
|
||||
+ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1,
|
||||
+ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05,
|
||||
+ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a,
|
||||
+ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5,
|
||||
+ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9,
|
||||
+ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91,
|
||||
+ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31,
|
||||
+ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f,
|
||||
+ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4,
|
||||
+ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e,
|
||||
+ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59,
|
||||
+ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84,
|
||||
+ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a,
|
||||
+ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd,
|
||||
+ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2,
|
||||
+ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87,
|
||||
+ 0x64
|
||||
};
|
||||
|
||||
static const unsigned char dh_secret_expected[] = {
|
||||
- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a,
|
||||
- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a,
|
||||
- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c,
|
||||
- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe,
|
||||
- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2,
|
||||
- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21,
|
||||
- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53,
|
||||
- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd,
|
||||
- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87,
|
||||
- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4,
|
||||
- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d,
|
||||
- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd,
|
||||
- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33,
|
||||
- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe,
|
||||
- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a,
|
||||
- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73,
|
||||
- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad,
|
||||
- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0,
|
||||
- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79,
|
||||
- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9,
|
||||
- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2,
|
||||
- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6,
|
||||
- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae,
|
||||
- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57,
|
||||
- 0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a,
|
||||
- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63,
|
||||
- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9,
|
||||
- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86,
|
||||
- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5,
|
||||
- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00,
|
||||
- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52,
|
||||
- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6
|
||||
+ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5,
|
||||
+ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5,
|
||||
+ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93,
|
||||
+ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5,
|
||||
+ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e,
|
||||
+ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39,
|
||||
+ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04,
|
||||
+ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d,
|
||||
+ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c,
|
||||
+ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47,
|
||||
+ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae,
|
||||
+ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08,
|
||||
+ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19,
|
||||
+ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8,
|
||||
+ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f,
|
||||
+ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e,
|
||||
+ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2,
|
||||
+ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d,
|
||||
+ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4,
|
||||
+ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4,
|
||||
+ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66,
|
||||
+ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46,
|
||||
+ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0,
|
||||
+ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70,
|
||||
+ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c,
|
||||
+ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f,
|
||||
+ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25,
|
||||
+ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc,
|
||||
+ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02,
|
||||
+ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04,
|
||||
+ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1,
|
||||
+ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89
|
||||
};
|
||||
|
||||
static const ST_KAT_PARAM dh_group[] = {
|
||||
--
|
||||
2.35.3
|
||||
|
317
0076-FIPS-140-3-DRBG.patch
Normal file
317
0076-FIPS-140-3-DRBG.patch
Normal file
@ -0,0 +1,317 @@
|
||||
From 0329eb6523363705946887d4f145dd77c741ae4a Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 6 Mar 2024 19:17:16 +0100
|
||||
Subject: [PATCH 30/49] 0076-FIPS-140-3-DRBG.patch
|
||||
|
||||
Patch-name: 0076-FIPS-140-3-DRBG.patch
|
||||
Patch-id: 76
|
||||
Patch-status: |
|
||||
# # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
|
||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
|
||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||
---
|
||||
crypto/rand/prov_seed.c | 9 ++-
|
||||
providers/implementations/rands/crngt.c | 6 +-
|
||||
providers/implementations/rands/drbg.c | 11 ++-
|
||||
providers/implementations/rands/drbg_local.h | 2 +-
|
||||
.../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
|
||||
5 files changed, 28 insertions(+), 68 deletions(-)
|
||||
|
||||
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
|
||||
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
|
||||
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
|
||||
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
|
||||
size_t entropy_available;
|
||||
RAND_POOL *pool;
|
||||
|
||||
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
|
||||
+ /*
|
||||
+ * OpenSSL still implements an internal entropy pool of
|
||||
+ * some size that is hashed to get seed data.
|
||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
||||
+ * 64 additional bits from the entropy source to claim the requested
|
||||
+ * amount of entropy.
|
||||
+ */
|
||||
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
|
||||
if (pool == NULL) {
|
||||
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
|
||||
return 0;
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
|
||||
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
|
||||
* to the nearest byte. If the entropy is of less than full quality,
|
||||
* the amount required should be scaled up appropriately here.
|
||||
*/
|
||||
- bytes_needed = (entropy + 7) / 8;
|
||||
+ /*
|
||||
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
|
||||
+ * + 128 bits during initial seeding
|
||||
+ */
|
||||
+ bytes_needed = (entropy + 128 + 7) / 8;
|
||||
if (bytes_needed < min_len)
|
||||
bytes_needed = min_len;
|
||||
if (bytes_needed > max_len)
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
|
||||
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
|
||||
#endif
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ prediction_resistance = 1;
|
||||
+#endif
|
||||
/* Reseed using our sources in addition */
|
||||
entropylen = get_entropy(drbg, &entropy, drbg->strength,
|
||||
drbg->min_entropylen, drbg->max_entropylen,
|
||||
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
|
||||
reseed_required = 1;
|
||||
}
|
||||
if (drbg->parent != NULL
|
||||
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
|
||||
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
|
||||
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
|
||||
+#else
|
||||
reseed_required = 1;
|
||||
+#endif
|
||||
+ }
|
||||
|
||||
if (reseed_required || prediction_resistance) {
|
||||
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
|
||||
diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
|
||||
--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
|
||||
@@ -38,7 +38,7 @@
|
||||
*
|
||||
* The value is in bytes.
|
||||
*/
|
||||
-#define CRNGT_BUFSIZ 16
|
||||
+#define CRNGT_BUFSIZ 32
|
||||
|
||||
/*
|
||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
|
||||
@@ -48,6 +48,8 @@
|
||||
# include <fcntl.h>
|
||||
# include <unistd.h>
|
||||
# include <sys/time.h>
|
||||
+# include <sys/random.h>
|
||||
+# include <openssl/evp.h>
|
||||
|
||||
static uint64_t get_time_stamp(void);
|
||||
|
||||
@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
|
||||
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
|
||||
* between size_t and ssize_t is safe even without a range check.
|
||||
*/
|
||||
-
|
||||
- /*
|
||||
- * Do runtime detection to find getentropy().
|
||||
- *
|
||||
- * Known OSs that should support this:
|
||||
- * - Darwin since 16 (OSX 10.12, IOS 10.0).
|
||||
- * - Solaris since 11.3
|
||||
- * - OpenBSD since 5.6
|
||||
- * - Linux since 3.17 with glibc 2.25
|
||||
- * - FreeBSD since 12.0 (1200061)
|
||||
- *
|
||||
- * Note: Sometimes getentropy() can be provided but not implemented
|
||||
- * internally. So we need to check errno for ENOSYS
|
||||
- */
|
||||
-# if !defined(__DragonFly__) && !defined(__NetBSD__)
|
||||
-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
|
||||
- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
|
||||
-
|
||||
- if (getentropy != NULL) {
|
||||
- if (getentropy(buf, buflen) == 0)
|
||||
- return (ssize_t)buflen;
|
||||
- if (errno != ENOSYS)
|
||||
- return -1;
|
||||
- }
|
||||
-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
|
||||
-
|
||||
- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
|
||||
- return (ssize_t)buflen;
|
||||
-
|
||||
- return -1;
|
||||
-# else
|
||||
- union {
|
||||
- void *p;
|
||||
- int (*f)(void *buffer, size_t length);
|
||||
- } p_getentropy;
|
||||
-
|
||||
- /*
|
||||
- * We could cache the result of the lookup, but we normally don't
|
||||
- * call this function often.
|
||||
- */
|
||||
- ERR_set_mark();
|
||||
- p_getentropy.p = DSO_global_lookup("getentropy");
|
||||
- ERR_pop_to_mark();
|
||||
- if (p_getentropy.p != NULL)
|
||||
- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
|
||||
-# endif
|
||||
-# endif /* !__DragonFly__ */
|
||||
-
|
||||
- /* Linux supports this since version 3.17 */
|
||||
-# if defined(__linux) && defined(__NR_getrandom)
|
||||
- return syscall(__NR_getrandom, buf, buflen, 0);
|
||||
-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
|
||||
- return sysctl_random(buf, buflen);
|
||||
-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
|
||||
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
|
||||
- return getrandom(buf, buflen, 0);
|
||||
-# elif defined(__wasi__)
|
||||
- if (getentropy(buf, buflen) == 0)
|
||||
- return (ssize_t)buflen;
|
||||
- return -1;
|
||||
-# else
|
||||
- errno = ENOSYS;
|
||||
- return -1;
|
||||
-# endif
|
||||
+ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */
|
||||
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
|
||||
}
|
||||
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
|
||||
|
||||
diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c
|
||||
--- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200
|
||||
+++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200
|
||||
@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
|
||||
return 0;
|
||||
}
|
||||
|
||||
- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
|
||||
+ /*
|
||||
+ * OpenSSL still implements an internal entropy pool of
|
||||
+ * some size that is hashed to get seed data.
|
||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
||||
+ * 64 additional bits from the entropy source to claim the requested
|
||||
+ * amount of entropy.
|
||||
+ */
|
||||
+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
|
||||
if (pool == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
|
||||
return 0;
|
||||
@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
|
||||
size_t i;
|
||||
RAND_POOL *pool;
|
||||
|
||||
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
|
||||
+ /*
|
||||
+ * OpenSSL still implements an internal entropy pool of
|
||||
+ * some size that is hashed to get seed data.
|
||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
||||
+ * 64 additional bits from the entropy source to claim the requested
|
||||
+ * amount of entropy.
|
||||
+ */
|
||||
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
|
||||
if (pool == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
|
||||
return 0;
|
||||
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
|
||||
index 14999540ab..b05b84717b 100644
|
||||
--- a/crypto/rand/rand_lib.c
|
||||
+++ b/crypto/rand/rand_lib.c
|
||||
@@ -11,6 +11,7 @@
|
||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||
|
||||
#include <openssl/err.h>
|
||||
+#include <openssl/evp.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include "internal/cryptlib.h"
|
||||
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
-#ifndef FIPS_MODULE
|
||||
- if (dgbl->seed == NULL) {
|
||||
- ERR_set_mark();
|
||||
- dgbl->seed = rand_new_seed(ctx);
|
||||
- ERR_pop_to_mark();
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
|
||||
+ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
|
||||
PRIMARY_RESEED_INTERVAL,
|
||||
PRIMARY_RESEED_TIME_INTERVAL, 1);
|
||||
/*
|
||||
@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_
|
||||
if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
|
||||
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
|
||||
return NULL;
|
||||
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
|
||||
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
|
||||
SECONDARY_RESEED_TIME_INTERVAL, 0);
|
||||
CRYPTO_THREAD_set_local(&dgbl->public, rand);
|
||||
}
|
||||
@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB
|
||||
if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
|
||||
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
|
||||
return NULL;
|
||||
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
|
||||
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
|
||||
SECONDARY_RESEED_TIME_INTERVAL, 0);
|
||||
CRYPTO_THREAD_set_local(&dgbl->private, rand);
|
||||
}
|
||||
diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c
|
||||
--- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200
|
||||
+++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200
|
||||
@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s
|
||||
reseed_when = time(NULL);
|
||||
|
||||
/* Generate random output from the public and private DRBG */
|
||||
- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0;
|
||||
+ before_reseed = 0;
|
||||
if (!TEST_int_eq(rand_bytes((unsigned char*)public_random,
|
||||
RANDOM_SIZE), expect_success)
|
||||
|| !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random,
|
||||
@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s
|
||||
*/
|
||||
|
||||
/* Test whether reseeding succeeded as expected */
|
||||
- if (!TEST_int_eq(state(primary), expected_state)
|
||||
- || !TEST_int_eq(state(public), expected_state)
|
||||
+ if (/*!TEST_int_eq(state(primary), expected_state)
|
||||
+ ||*/ !TEST_int_eq(state(public), expected_state)
|
||||
|| !TEST_int_eq(state(private), expected_state))
|
||||
return 0;
|
||||
|
||||
@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s
|
||||
if (expect_public_reseed >= 0) {
|
||||
/* Test whether public DRBG was reseeded as expected */
|
||||
if (!TEST_int_ge(reseed_counter(public), public_reseed)
|
||||
- || !TEST_uint_ge(reseed_counter(public),
|
||||
- reseed_counter(primary)))
|
||||
+ /*|| !TEST_uint_ge(reseed_counter(public),
|
||||
+ reseed_counter(primary))*/)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (expect_private_reseed >= 0) {
|
||||
/* Test whether public DRBG was reseeded as expected */
|
||||
if (!TEST_int_ge(reseed_counter(private), private_reseed)
|
||||
- || !TEST_uint_ge(reseed_counter(private),
|
||||
- reseed_counter(primary)))
|
||||
+ /*|| !TEST_uint_ge(reseed_counter(private),
|
||||
+ reseed_counter(primary))*/)
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -577,8 +577,8 @@ static int test_rand_reseed(void)
|
||||
if (!TEST_ptr_ne(public, private)
|
||||
|| !TEST_ptr_ne(public, primary)
|
||||
|| !TEST_ptr_ne(private, primary)
|
||||
- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
|
||||
- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary)))
|
||||
+ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
|
||||
+ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/)
|
||||
return 0;
|
||||
|
||||
/* Disable CRNG testing for the primary DRBG */
|
102
0077-FIPS-140-3-zeroization.patch
Normal file
102
0077-FIPS-140-3-zeroization.patch
Normal file
@ -0,0 +1,102 @@
|
||||
From 9c667a7ba589329f3a777b012bf69a0db7f7eda9 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:29 +0200
|
||||
Subject: [PATCH 33/35] 0077-FIPS-140-3-zeroization.patch
|
||||
|
||||
Patch-name: 0077-FIPS-140-3-zeroization.patch
|
||||
Patch-id: 77
|
||||
Patch-status: |
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
crypto/ec/ec_lib.c | 4 ++++
|
||||
crypto/ffc/ffc_params.c | 8 ++++----
|
||||
crypto/rsa/rsa_lib.c | 4 ++--
|
||||
providers/implementations/kdfs/hkdf.c | 2 +-
|
||||
providers/implementations/kdfs/pbkdf2.c | 2 +-
|
||||
5 files changed, 12 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
|
||||
index 6c37bf78ae..cfbc3c3c1d 100644
|
||||
--- a/crypto/ec/ec_lib.c
|
||||
+++ b/crypto/ec/ec_lib.c
|
||||
@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *group)
|
||||
|
||||
void EC_POINT_free(EC_POINT *point)
|
||||
{
|
||||
+#ifdef FIPS_MODULE
|
||||
+ EC_POINT_clear_free(point);
|
||||
+#else
|
||||
if (point == NULL)
|
||||
return;
|
||||
|
||||
if (point->meth->point_finish != 0)
|
||||
point->meth->point_finish(point);
|
||||
OPENSSL_free(point);
|
||||
+#endif
|
||||
}
|
||||
|
||||
void EC_POINT_clear_free(EC_POINT *point)
|
||||
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c
|
||||
index 3536efd1ad..f3c164b8fc 100644
|
||||
--- a/crypto/ffc/ffc_params.c
|
||||
+++ b/crypto/ffc/ffc_params.c
|
||||
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *params)
|
||||
|
||||
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
|
||||
{
|
||||
- BN_free(params->p);
|
||||
- BN_free(params->q);
|
||||
- BN_free(params->g);
|
||||
- BN_free(params->j);
|
||||
+ BN_clear_free(params->p);
|
||||
+ BN_clear_free(params->q);
|
||||
+ BN_clear_free(params->g);
|
||||
+ BN_clear_free(params->j);
|
||||
OPENSSL_free(params->seed);
|
||||
ossl_ffc_params_init(params);
|
||||
}
|
||||
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
|
||||
index 9588a75964..76b4aac6fc 100644
|
||||
--- a/crypto/rsa/rsa_lib.c
|
||||
+++ b/crypto/rsa/rsa_lib.c
|
||||
@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
|
||||
CRYPTO_THREAD_lock_free(r->lock);
|
||||
CRYPTO_FREE_REF(&r->references);
|
||||
|
||||
- BN_free(r->n);
|
||||
- BN_free(r->e);
|
||||
+ BN_clear_free(r->n);
|
||||
+ BN_clear_free(r->e);
|
||||
BN_clear_free(r->d);
|
||||
BN_clear_free(r->p);
|
||||
BN_clear_free(r->q);
|
||||
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
|
||||
index daa619b8af..5304baa6c9 100644
|
||||
--- a/providers/implementations/kdfs/hkdf.c
|
||||
+++ b/providers/implementations/kdfs/hkdf.c
|
||||
@@ -118,7 +118,7 @@ static void kdf_hkdf_reset(void *vctx)
|
||||
void *provctx = ctx->provctx;
|
||||
|
||||
ossl_prov_digest_reset(&ctx->digest);
|
||||
- OPENSSL_free(ctx->salt);
|
||||
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
|
||||
OPENSSL_free(ctx->prefix);
|
||||
OPENSSL_free(ctx->label);
|
||||
OPENSSL_clear_free(ctx->data, ctx->data_len);
|
||||
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
||||
index 5c3e7b95ce..349c3dd657 100644
|
||||
--- a/providers/implementations/kdfs/pbkdf2.c
|
||||
+++ b/providers/implementations/kdfs/pbkdf2.c
|
||||
@@ -92,7 +92,7 @@ static void *kdf_pbkdf2_new(void *provctx)
|
||||
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
|
||||
{
|
||||
ossl_prov_digest_reset(&ctx->digest);
|
||||
- OPENSSL_free(ctx->salt);
|
||||
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
|
||||
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
|
||||
memset(ctx, 0, sizeof(*ctx));
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
911
0078-KDF-Add-FIPS-indicators.patch
Normal file
911
0078-KDF-Add-FIPS-indicators.patch
Normal file
@ -0,0 +1,911 @@
|
||||
From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Thu, 11 Aug 2022 09:27:12 +0200
|
||||
Subject: KDF: Add FIPS indicators
|
||||
|
||||
FIPS requires a number of restrictions on the parameters of the various
|
||||
key derivation functions implemented in OpenSSL. The KDFs that use
|
||||
digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
|
||||
C.C). Additionally, some application-specific KDFs have further
|
||||
restrictions defined in SP 800-135r1.
|
||||
|
||||
Generally, all KDFs shall use a key-derivation key length of at least
|
||||
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
|
||||
to generate and output length of less than 112 bits will also set the
|
||||
indicator to unapproved.
|
||||
|
||||
Add explicit indicators to all KDFs usable in FIPS mode except for
|
||||
PBKDF2 (which has its specific FIPS limits already implemented). The
|
||||
indicator can be queried using EVP_KDF_CTX_get_params() after setting
|
||||
the required parameters and keys for the KDF.
|
||||
|
||||
Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
|
||||
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
|
||||
truncated versions -224 and -384), as well as SHAKE-128 and -256.
|
||||
|
||||
The SHAKE functions are generally not allowed in KDFs. For the rest, the
|
||||
support matrix is:
|
||||
|
||||
KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated
|
||||
==========================================================================
|
||||
KBKDF | x | x | x | x | x
|
||||
HKDF | x | x | x | x | x
|
||||
TLS1PRF | | SHA-{256,384,512} only | |
|
||||
SSHKDF | x | x | x | |
|
||||
SSKDF | x | x | x | x | x
|
||||
X9.63KDF | | x | x | x | x
|
||||
X9.42-ASN1 | x | x | x | x | x
|
||||
TLS1.3PRF | | SHA-{256,384} only | |
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
Resolves: rhbz#2160733 rhbz#2164763
|
||||
Related: rhbz#2114772 rhbz#2141695
|
||||
---
|
||||
include/crypto/evp.h | 7 ++
|
||||
include/openssl/kdf.h | 4 +
|
||||
providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
|
||||
providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
|
||||
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
|
||||
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
|
||||
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
|
||||
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
|
||||
util/perl/OpenSSL/paramnames.pm | 1 +
|
||||
9 files changed, 487 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||
index e70d8e9e84..76fb990de4 100644
|
||||
--- a/include/crypto/evp.h
|
||||
+++ b/include/crypto/evp.h
|
||||
@@ -219,6 +219,13 @@ struct evp_mac_st {
|
||||
OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
|
||||
};
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
|
||||
+ * Additional Keys from a Cryptographic Key, "[t]he length of the
|
||||
+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
|
||||
+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
|
||||
+#endif
|
||||
+
|
||||
struct evp_kdf_st {
|
||||
OSSL_PROVIDER *prov;
|
||||
int name_id;
|
||||
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
|
||||
index 0983230a48..86171635ea 100644
|
||||
--- a/include/openssl/kdf.h
|
||||
+++ b/include/openssl/kdf.h
|
||||
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
|
||||
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
|
||||
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
|
||||
|
||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
+
|
||||
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
|
||||
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
|
||||
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
|
||||
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
|
||||
index dfa7786bde..f01e40ff5a 100644
|
||||
--- a/providers/implementations/kdfs/hkdf.c
|
||||
+++ b/providers/implementations/kdfs/hkdf.c
|
||||
@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
|
||||
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
|
||||
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
|
||||
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
|
||||
+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
|
||||
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
|
||||
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
|
||||
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
|
||||
@@ -85,6 +86,10 @@ typedef struct {
|
||||
size_t data_len;
|
||||
unsigned char *info;
|
||||
size_t info_len;
|
||||
+ int is_tls13;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KDF_HKDF;
|
||||
|
||||
static void *kdf_hkdf_new(void *provctx)
|
||||
@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
switch (ctx->mode) {
|
||||
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
|
||||
default:
|
||||
@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
|
||||
{
|
||||
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
|
||||
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
size_t sz = kdf_hkdf_size(ctx);
|
||||
|
||||
+ any_valid = 1;
|
||||
if (sz == 0)
|
||||
return 0;
|
||||
return OSSL_PARAM_set_size_t(p, sz);
|
||||
}
|
||||
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
if (ctx->info == NULL || ctx->info_len == 0) {
|
||||
p->return_size = 0;
|
||||
return 1;
|
||||
}
|
||||
return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
|
||||
}
|
||||
- return -2;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||
+ != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ if (ctx->is_tls13) {
|
||||
+ if (md != NULL
|
||||
+ && !EVP_MD_is_a(md, "SHA2-256")
|
||||
+ && !EVP_MD_is_a(md, "SHA2-384")) {
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic
|
||||
+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
|
||||
+ * key derivation function documented in Section 7.1 of RFC
|
||||
+ * 8446. This is considered an approved CVL because the
|
||||
+ * underlying functions performed within the TLS 1.3 KDF map to
|
||||
+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
|
||||
+ * Option #3), SP 800-56Crev2, and SP 800-108."
|
||||
+ *
|
||||
+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (md != NULL
|
||||
+ && (EVP_MD_is_a(md, "SHAKE-128") ||
|
||||
+ EVP_MD_is_a(md, "SHAKE-256"))) {
|
||||
+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
|
||||
+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
|
||||
+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the
|
||||
+ * standalone algorithms." */
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ }
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static void *kdf_tls1_3_new(void *provctx)
|
||||
+{
|
||||
+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
|
||||
+
|
||||
+ if (hkdf != NULL)
|
||||
+ hkdf->is_tls13 = 1;
|
||||
+
|
||||
+ return hkdf;
|
||||
+}
|
||||
+
|
||||
+
|
||||
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
switch (ctx->mode) {
|
||||
default:
|
||||
return 0;
|
||||
@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
|
||||
}
|
||||
|
||||
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
|
||||
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
|
||||
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
|
||||
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
|
||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
|
||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
|
||||
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
|
||||
index a542f84dfa..6b6dfb94ac 100644
|
||||
--- a/providers/implementations/kdfs/kbkdf.c
|
||||
+++ b/providers/implementations/kdfs/kbkdf.c
|
||||
@@ -59,6 +59,9 @@ typedef struct {
|
||||
kbkdf_mode mode;
|
||||
EVP_MAC_CTX *ctx_init;
|
||||
|
||||
+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */
|
||||
+ PROV_DIGEST digest;
|
||||
+
|
||||
/* Names are lowercased versions of those found in SP800-108. */
|
||||
int r;
|
||||
unsigned char *ki;
|
||||
@@ -73,6 +76,9 @@ typedef struct {
|
||||
int use_l;
|
||||
int is_kmac;
|
||||
int use_separator;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KBKDF;
|
||||
|
||||
/* Definitions needed for typechecking. */
|
||||
@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
|
||||
void *provctx = ctx->provctx;
|
||||
|
||||
EVP_MAC_CTX_free(ctx->ctx_init);
|
||||
+ ossl_prov_digest_reset(&ctx->digest);
|
||||
OPENSSL_clear_free(ctx->context, ctx->context_len);
|
||||
OPENSSL_clear_free(ctx->label, ctx->label_len);
|
||||
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
|
||||
@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
|
||||
if (h == 0)
|
||||
goto done;
|
||||
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||
}
|
||||
}
|
||||
|
||||
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
||||
+ return 0;
|
||||
+
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
|
||||
if (p != NULL
|
||||
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
|
||||
@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
|
||||
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
|
||||
p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
|
||||
- if (p == NULL)
|
||||
+ if (p != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* KBKDF can produce results as large as you like. */
|
||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ KBKDF *ctx = (KBKDF *)vctx;
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the standalone
|
||||
+ * algorithms." Note that the digest is only used when the MAC
|
||||
+ * algorithm is HMAC. */
|
||||
+ if (ctx->ctx_init != NULL
|
||||
+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
|
||||
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
||||
+ if (md != NULL
|
||||
+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ if (!any_valid)
|
||||
return -2;
|
||||
|
||||
- /* KBKDF can produce results as large as you like. */
|
||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
ossl_unused void *provctx)
|
||||
{
|
||||
- static const OSSL_PARAM known_gettable_ctx_params[] =
|
||||
- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
|
||||
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+ OSSL_PARAM_END
|
||||
+ };
|
||||
return known_gettable_ctx_params;
|
||||
}
|
||||
|
||||
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
|
||||
index c592ba72f1..4a52b38266 100644
|
||||
--- a/providers/implementations/kdfs/sshkdf.c
|
||||
+++ b/providers/implementations/kdfs/sshkdf.c
|
||||
@@ -48,6 +48,9 @@ typedef struct {
|
||||
char type; /* X */
|
||||
unsigned char *session_id;
|
||||
size_t session_id_len;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KDF_SSHKDF;
|
||||
|
||||
static void *kdf_sshkdf_new(void *provctx)
|
||||
@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
return SSHKDF(md, ctx->key, ctx->key_len,
|
||||
ctx->xcghash, ctx->xcghash_len,
|
||||
ctx->session_id, ctx->session_id_len,
|
||||
@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
|
||||
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||
- return -2;
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ KDF_SSHKDF *ctx = vctx;
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the standalone
|
||||
+ * algorithms."
|
||||
+ *
|
||||
+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash
|
||||
+ * function used in SSHKDF "is one of the hash functions specified in
|
||||
+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
|
||||
+ * */
|
||||
+ if (ctx->digest.md != NULL
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
|
||||
index eb54972e1c..23865cd70f 100644
|
||||
--- a/providers/implementations/kdfs/sskdf.c
|
||||
+++ b/providers/implementations/kdfs/sskdf.c
|
||||
@@ -64,6 +64,10 @@ typedef struct {
|
||||
size_t salt_len;
|
||||
size_t out_len; /* optional KMAC parameter */
|
||||
int is_kmac;
|
||||
+ int is_x963kdf;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KDF_SSKDF;
|
||||
|
||||
#define SSKDF_MAX_INLEN (1<<30)
|
||||
@@ -73,6 +77,7 @@ typedef struct {
|
||||
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
|
||||
|
||||
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
|
||||
+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
|
||||
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
|
||||
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
|
||||
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
|
||||
@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
|
||||
return ctx;
|
||||
}
|
||||
|
||||
+static void *x963kdf_new(void *provctx)
|
||||
+{
|
||||
+ KDF_SSKDF *ctx = sskdf_new(provctx);
|
||||
+
|
||||
+ if (ctx)
|
||||
+ ctx->is_x963kdf = 1;
|
||||
+
|
||||
+ return ctx;
|
||||
+}
|
||||
+
|
||||
static void sskdf_reset(void *vctx)
|
||||
{
|
||||
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
||||
@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
}
|
||||
md = ossl_prov_digest_md(&ctx->digest);
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
if (ctx->macctx != NULL) {
|
||||
/* H(x) = KMAC or H(x) = HMAC */
|
||||
int ret;
|
||||
@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
|
||||
ctx->info, ctx->info_len, 1, key, keylen);
|
||||
}
|
||||
@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
+
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
|
||||
- return -2;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the standalone
|
||||
+ * algorithms." */
|
||||
+ if (ctx->macctx == NULL
|
||||
+ || (ctx->macctx != NULL &&
|
||||
+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
|
||||
+ if (ctx->digest.md != NULL
|
||||
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
||||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+
|
||||
+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
|
||||
+ * should only be used for 80-bit key agreement, but FIPS 140-3
|
||||
+ * requires a security strength of 112 bits, so SHA-1 cannot be
|
||||
+ * used with X9.63. See the discussion in
|
||||
+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
|
||||
+ */
|
||||
+ if (ctx->is_x963kdf
|
||||
+ && ctx->digest.md != NULL
|
||||
+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
|
||||
};
|
||||
|
||||
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
|
||||
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
|
||||
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
|
||||
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
|
||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
|
||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
|
||||
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||||
index a4d64b9352..f6782a6ca2 100644
|
||||
--- a/providers/implementations/kdfs/tls1_prf.c
|
||||
+++ b/providers/implementations/kdfs/tls1_prf.c
|
||||
@@ -93,6 +93,13 @@ typedef struct {
|
||||
/* Buffer of concatenated seed data */
|
||||
unsigned char seed[TLS1_PRF_MAXBUF];
|
||||
size_t seedlen;
|
||||
+
|
||||
+ /* MAC digest algorithm; used to compute FIPS indicator */
|
||||
+ PROV_DIGEST digest;
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} TLS1_PRF;
|
||||
|
||||
static void *kdf_tls1_prf_new(void *provctx)
|
||||
@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
|
||||
EVP_MAC_CTX_free(ctx->P_sha1);
|
||||
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
||||
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
|
||||
+ ossl_prov_digest_reset(&ctx->digest);
|
||||
memset(ctx, 0, sizeof(*ctx));
|
||||
ctx->provctx = provctx;
|
||||
}
|
||||
@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||
return 0;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
|
||||
/*
|
||||
* The seed buffer is prepended with a label.
|
||||
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||
}
|
||||
}
|
||||
|
||||
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
||||
+ return 0;
|
||||
+
|
||||
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
|
||||
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
||||
ctx->sec = NULL;
|
||||
@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
|
||||
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
OSSL_PARAM *p;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ TLS1_PRF *ctx = vctx;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
+
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
|
||||
+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
|
||||
+ if (ctx->digest.md != NULL
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||
- return -2;
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
||||
@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
|
||||
index b1bc6f7e1b..8173fc2cc7 100644
|
||||
--- a/providers/implementations/kdfs/x942kdf.c
|
||||
+++ b/providers/implementations/kdfs/x942kdf.c
|
||||
@@ -13,11 +13,13 @@
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
+#include <openssl/kdf.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/proverr.h>
|
||||
#include "internal/packet.h"
|
||||
#include "internal/der.h"
|
||||
#include "internal/nelem.h"
|
||||
+#include "crypto/evp.h"
|
||||
#include "prov/provider_ctx.h"
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/implementations.h"
|
||||
@@ -47,6 +50,9 @@ typedef struct {
|
||||
const unsigned char *cek_oid;
|
||||
size_t cek_oid_len;
|
||||
int use_keybits;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KDF_X942;
|
||||
|
||||
/*
|
||||
@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
|
||||
return 0;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
|
||||
der, der_len, ctr, key, keylen);
|
||||
OPENSSL_free(der);
|
||||
@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
KDF_X942 *ctx = (KDF_X942 *)vctx;
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
|
||||
- return -2;
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the standalone
|
||||
+ * algorithms." */
|
||||
+ if (ctx->digest.md != NULL
|
||||
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
||||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||
index 70f7c50fe4..6618122417 100644
|
||||
--- a/util/perl/OpenSSL/paramnames.pm
|
||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||
@@ -183,6 +183,7 @@ my %params = (
|
||||
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
|
||||
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
|
||||
'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
|
||||
+ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
|
||||
'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
|
||||
'KDF_PARAM_THREADS' => "threads", # uint32_t
|
||||
--
|
||||
2.39.2
|
||||
|
1102
0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
Normal file
1102
0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
Normal file
File diff suppressed because it is too large
Load Diff
273
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
Normal file
273
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
Normal file
@ -0,0 +1,273 @@
|
||||
From 930e7acf7dd225102b6e88d23f5e2a3f4acea9fa Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 15:43:57 +0200
|
||||
Subject: [PATCH 37/48]
|
||||
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
|
||||
|
||||
Patch-name: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
|
||||
Patch-id: 81
|
||||
---
|
||||
providers/implementations/signature/rsa_sig.c | 6 +
|
||||
test/acvp_test.inc | 214 ------------------
|
||||
2 files changed, 6 insertions(+), 214 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index 63ee11e566..cfaa4841cb 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -1279,7 +1279,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
err_extra_text = "No padding not allowed with RSA-PSS";
|
||||
goto cont;
|
||||
case RSA_X931_PADDING:
|
||||
+#ifndef FIPS_MODULE
|
||||
err_extra_text = "X.931 padding not allowed with RSA-PSS";
|
||||
+#else /* !defined(FIPS_MODULE) */
|
||||
+ err_extra_text = "X.931 padding no longer allowed in FIPS mode,"
|
||||
+ " since it was removed from FIPS 186-5";
|
||||
+ goto bad_pad;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
cont:
|
||||
if (RSA_test_flags(prsactx->rsa,
|
||||
RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
|
||||
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
||||
index 73b24bdb0c..96a72073f9 100644
|
||||
--- a/test/acvp_test.inc
|
||||
+++ b/test/acvp_test.inc
|
||||
@@ -1204,13 +1204,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
|
||||
ITM(rsa_siggen0_msg),
|
||||
NO_PSS_SALT_LEN,
|
||||
},
|
||||
- {
|
||||
- "x931",
|
||||
- 2048,
|
||||
- "SHA384",
|
||||
- ITM(rsa_siggen0_msg),
|
||||
- NO_PSS_SALT_LEN,
|
||||
- },
|
||||
{
|
||||
"pss",
|
||||
2048,
|
||||
@@ -1622,202 +1615,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = {
|
||||
0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b,
|
||||
};
|
||||
|
||||
-static const unsigned char rsa_sigverx931_0_n[] = {
|
||||
- 0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad,
|
||||
- 0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83,
|
||||
- 0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87,
|
||||
- 0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6,
|
||||
- 0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c,
|
||||
- 0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73,
|
||||
- 0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10,
|
||||
- 0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6,
|
||||
- 0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79,
|
||||
- 0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7,
|
||||
- 0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b,
|
||||
- 0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02,
|
||||
- 0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41,
|
||||
- 0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f,
|
||||
- 0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf,
|
||||
- 0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d,
|
||||
- 0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54,
|
||||
- 0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e,
|
||||
- 0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04,
|
||||
- 0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79,
|
||||
- 0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16,
|
||||
- 0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e,
|
||||
- 0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b,
|
||||
- 0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8,
|
||||
- 0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89,
|
||||
- 0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b,
|
||||
- 0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62,
|
||||
- 0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73,
|
||||
- 0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b,
|
||||
- 0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f,
|
||||
- 0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77,
|
||||
- 0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33,
|
||||
- 0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66,
|
||||
- 0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4,
|
||||
- 0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c,
|
||||
- 0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28,
|
||||
- 0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8,
|
||||
- 0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4,
|
||||
- 0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0,
|
||||
- 0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07,
|
||||
- 0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60,
|
||||
- 0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a,
|
||||
- 0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e,
|
||||
- 0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e,
|
||||
- 0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81,
|
||||
- 0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a,
|
||||
- 0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45,
|
||||
- 0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7,
|
||||
-
|
||||
-};
|
||||
-static const unsigned char rsa_sigverx931_0_e[] = {
|
||||
- 0x01, 0x00, 0x01,
|
||||
-};
|
||||
-static const unsigned char rsa_sigverx931_0_msg[] = {
|
||||
- 0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47,
|
||||
- 0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd,
|
||||
- 0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9,
|
||||
- 0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52,
|
||||
- 0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41,
|
||||
- 0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54,
|
||||
- 0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c,
|
||||
- 0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf,
|
||||
- 0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47,
|
||||
- 0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01,
|
||||
- 0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f,
|
||||
- 0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67,
|
||||
- 0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41,
|
||||
- 0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd,
|
||||
- 0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca,
|
||||
- 0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00,
|
||||
-
|
||||
-};
|
||||
-static const unsigned char rsa_sigverx931_0_sig[] = {
|
||||
- 0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb,
|
||||
- 0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3,
|
||||
- 0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e,
|
||||
- 0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00,
|
||||
- 0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18,
|
||||
- 0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc,
|
||||
- 0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5,
|
||||
- 0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f,
|
||||
- 0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75,
|
||||
- 0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74,
|
||||
- 0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4,
|
||||
- 0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1,
|
||||
- 0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19,
|
||||
- 0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82,
|
||||
- 0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef,
|
||||
- 0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5,
|
||||
- 0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2,
|
||||
- 0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04,
|
||||
- 0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf,
|
||||
- 0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a,
|
||||
- 0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c,
|
||||
- 0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d,
|
||||
- 0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74,
|
||||
- 0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75,
|
||||
- 0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd,
|
||||
- 0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57,
|
||||
- 0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07,
|
||||
- 0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05,
|
||||
- 0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c,
|
||||
- 0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca,
|
||||
- 0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57,
|
||||
- 0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e,
|
||||
- 0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a,
|
||||
- 0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e,
|
||||
- 0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b,
|
||||
- 0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a,
|
||||
- 0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10,
|
||||
- 0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d,
|
||||
- 0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52,
|
||||
- 0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f,
|
||||
- 0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda,
|
||||
- 0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59,
|
||||
- 0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37,
|
||||
- 0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15,
|
||||
- 0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec,
|
||||
- 0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0,
|
||||
- 0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13,
|
||||
- 0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb,
|
||||
-};
|
||||
-
|
||||
-#define rsa_sigverx931_1_n rsa_sigverx931_0_n
|
||||
-#define rsa_sigverx931_1_e rsa_sigverx931_0_e
|
||||
-static const unsigned char rsa_sigverx931_1_msg[] = {
|
||||
- 0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8,
|
||||
- 0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d,
|
||||
- 0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9,
|
||||
- 0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3,
|
||||
- 0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26,
|
||||
- 0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f,
|
||||
- 0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2,
|
||||
- 0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5,
|
||||
- 0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42,
|
||||
- 0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59,
|
||||
- 0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd,
|
||||
- 0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72,
|
||||
- 0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45,
|
||||
- 0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44,
|
||||
- 0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42,
|
||||
- 0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55,
|
||||
-};
|
||||
-
|
||||
-static const unsigned char rsa_sigverx931_1_sig[] = {
|
||||
- 0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5,
|
||||
- 0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67,
|
||||
- 0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95,
|
||||
- 0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a,
|
||||
- 0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3,
|
||||
- 0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69,
|
||||
- 0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23,
|
||||
- 0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14,
|
||||
- 0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75,
|
||||
- 0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f,
|
||||
- 0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37,
|
||||
- 0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef,
|
||||
- 0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60,
|
||||
- 0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94,
|
||||
- 0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93,
|
||||
- 0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde,
|
||||
- 0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b,
|
||||
- 0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99,
|
||||
- 0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb,
|
||||
- 0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef,
|
||||
- 0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6,
|
||||
- 0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe,
|
||||
- 0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9,
|
||||
- 0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63,
|
||||
- 0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9,
|
||||
- 0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48,
|
||||
- 0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd,
|
||||
- 0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16,
|
||||
- 0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8,
|
||||
- 0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54,
|
||||
- 0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66,
|
||||
- 0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56,
|
||||
- 0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99,
|
||||
- 0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90,
|
||||
- 0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3,
|
||||
- 0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25,
|
||||
- 0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34,
|
||||
- 0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70,
|
||||
- 0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75,
|
||||
- 0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3,
|
||||
- 0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53,
|
||||
- 0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c,
|
||||
- 0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07,
|
||||
- 0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85,
|
||||
- 0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab,
|
||||
- 0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b,
|
||||
- 0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4,
|
||||
- 0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d,
|
||||
-};
|
||||
-
|
||||
static const struct rsa_sigver_st rsa_sigver_data[] = {
|
||||
{
|
||||
"pkcs1", /* pkcs1v1.5 */
|
||||
@@ -1841,17 +1638,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
|
||||
NO_PSS_SALT_LEN,
|
||||
FAIL
|
||||
},
|
||||
- {
|
||||
- "x931",
|
||||
- 3072,
|
||||
- "SHA256",
|
||||
- ITM(rsa_sigverx931_1_msg),
|
||||
- ITM(rsa_sigverx931_1_n),
|
||||
- ITM(rsa_sigverx931_1_e),
|
||||
- ITM(rsa_sigverx931_1_sig),
|
||||
- NO_PSS_SALT_LEN,
|
||||
- FAIL
|
||||
- },
|
||||
{
|
||||
"pss",
|
||||
4096,
|
||||
--
|
||||
2.41.0
|
||||
|
114
0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
Normal file
114
0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
Normal file
@ -0,0 +1,114 @@
|
||||
From 8e388e194e665286a8996d7d5926bab5c1a6b4f9 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 15:46:40 +0200
|
||||
Subject: [PATCH 38/48]
|
||||
0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
|
||||
|
||||
Patch-name: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
|
||||
Patch-id: 83
|
||||
---
|
||||
include/crypto/evp.h | 7 +++++++
|
||||
include/openssl/evp.h | 3 +++
|
||||
providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
|
||||
4 files changed, 28 insertions(+)
|
||||
|
||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||
index aa07153441..a13127bd59 100644
|
||||
--- a/include/crypto/evp.h
|
||||
+++ b/include/crypto/evp.h
|
||||
@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
|
||||
const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
|
||||
const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
|
||||
+ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
|
||||
+ * HMAC verification. */
|
||||
+# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
|
||||
+#endif
|
||||
+
|
||||
struct evp_mac_st {
|
||||
OSSL_PROVIDER *prov;
|
||||
int name_id;
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index 86f4e22c70..615857caf5 100644
|
||||
--- a/include/openssl/evp.h
|
||||
+++ b/include/openssl/evp.h
|
||||
@@ -1194,6 +1194,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
|
||||
void *arg);
|
||||
|
||||
/* MAC stuff */
|
||||
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
|
||||
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
|
||||
const char *properties);
|
||||
diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
|
||||
index 52ebb08b8f..cf5c3ecbe7 100644
|
||||
--- a/providers/implementations/macs/hmac_prov.c
|
||||
+++ b/providers/implementations/macs/hmac_prov.c
|
||||
@@ -21,6 +21,8 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/hmac.h>
|
||||
|
||||
+#include "crypto/evp.h"
|
||||
+
|
||||
#include "internal/ssl3_cbc.h"
|
||||
|
||||
#include "prov/implementations.h"
|
||||
@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
|
||||
OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
|
||||
&& !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
|
||||
return 0;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {
|
||||
+ int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
|
||||
+ * specifies key lengths < 112 bytes are disallowed for HMAC generation
|
||||
+ * and legacy use for HMAC verification. */
|
||||
+ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ return OSSL_PARAM_set_int(p, fips_indicator);
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
||||
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.hmac-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
|
||||
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.hmac-patch 2024-01-02 12:18:16.909596613 +0100
|
||||
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:20:18.465886160 +0100
|
||||
@@ -137,12 +137,13 @@ my %params = (
|
||||
# If "engine",or "properties",are specified, they should always be paired
|
||||
# with "cipher",or "digest".
|
||||
|
||||
- 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
|
||||
- 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
|
||||
- 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
|
||||
- 'MAC_PARAM_SIZE' => "size", # size_t
|
||||
- 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
|
||||
- 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
|
||||
+ 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
|
||||
+ 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
|
||||
+ 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
|
||||
+ 'MAC_PARAM_SIZE' => "size", # size_t
|
||||
+ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
|
||||
+ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
|
||||
+ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
|
||||
|
||||
# KDF / PRF parameters
|
||||
'KDF_PARAM_SECRET' => "secret", # octet string
|
69
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Normal file
69
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Normal file
@ -0,0 +1,69 @@
|
||||
From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 15:47:55 +0200
|
||||
Subject: [PATCH 39/48]
|
||||
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
|
||||
|
||||
Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
|
||||
Patch-id: 84
|
||||
---
|
||||
providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
|
||||
1 file changed, 26 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
||||
index 349c3dd657..11820d1e69 100644
|
||||
--- a/providers/implementations/kdfs/pbkdf2.c
|
||||
+++ b/providers/implementations/kdfs/pbkdf2.c
|
||||
@@ -35,6 +35,21 @@
|
||||
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
|
||||
#define KDF_PBKDF2_MIN_ITERATIONS 1000
|
||||
#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
|
||||
+/* The Implementation Guidance for FIPS 140-3 says in section D.N
|
||||
+ * "Password-Based Key Derivation for Storage Applications" that "the vendor
|
||||
+ * shall document in the module’s Security Policy the length of
|
||||
+ * a password/passphrase used in key derivation and establish an upper bound
|
||||
+ * for the probability of having this parameter guessed at random. This
|
||||
+ * probability shall take into account not only the length of the
|
||||
+ * password/passphrase, but also the difficulty of guessing it. The decision on
|
||||
+ * the minimum length of a password used for key derivation is the vendor’s,
|
||||
+ * but the vendor shall at a minimum informally justify the decision."
|
||||
+ *
|
||||
+ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
|
||||
+ * testing uses passwords as short as 8 bytes, and requiring longer passwords
|
||||
+ * combined with an implicit indicator (i.e., returning an error) would cause
|
||||
+ * the module to fail ACVP testing. */
|
||||
+#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
|
||||
|
||||
static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
|
||||
static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
|
||||
@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||
ctx->lower_bound_checks = pkcs5 == 0;
|
||||
}
|
||||
|
||||
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
|
||||
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
|
||||
+ if (ctx->lower_bound_checks != 0
|
||||
+ && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
|
||||
if (ctx->lower_bound_checks != 0
|
||||
@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
|
||||
}
|
||||
|
||||
if (lower_bound_checks) {
|
||||
+ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
||||
return 0;
|
||||
--
|
||||
2.41.0
|
||||
|
101
0085-FIPS-RSA-disable-shake.patch
Normal file
101
0085-FIPS-RSA-disable-shake.patch
Normal file
@ -0,0 +1,101 @@
|
||||
From 2306fde5556cbcb875d095c09fed01a0f16fe7ec Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 15:51:55 +0200
|
||||
Subject: [PATCH 40/48] 0085-FIPS-RSA-disable-shake.patch
|
||||
|
||||
Patch-name: 0085-FIPS-RSA-disable-shake.patch
|
||||
Patch-id: 85
|
||||
---
|
||||
crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
|
||||
crypto/rsa/rsa_pss.c | 16 ++++++++++++++++
|
||||
2 files changed, 44 insertions(+)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
|
||||
index b2f7f7dc4b..af2b0b026c 100644
|
||||
--- a/crypto/rsa/rsa_oaep.c
|
||||
+++ b/crypto/rsa/rsa_oaep.c
|
||||
@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
if (mgf1md == NULL)
|
||||
mgf1md = md;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
mdlen = EVP_MD_get_size(md);
|
||||
if (mdlen <= 0) {
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
|
||||
@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
||||
#endif
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
||||
+ return -1;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (mgf1md == NULL)
|
||||
mgf1md = md;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
||||
+ return -1;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
mdlen = EVP_MD_get_size(md);
|
||||
|
||||
if (tlen <= 0 || flen <= 0)
|
||||
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
|
||||
index bb46ec64c7..c0fdf232da 100644
|
||||
--- a/crypto/rsa/rsa_pss.c
|
||||
+++ b/crypto/rsa/rsa_pss.c
|
||||
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
||||
if (mgf1Hash == NULL)
|
||||
mgf1Hash = Hash;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
|
||||
+ goto err;
|
||||
+#endif
|
||||
+
|
||||
hLen = EVP_MD_get_size(Hash);
|
||||
if (hLen < 0)
|
||||
goto err;
|
||||
@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
||||
if (mgf1Hash == NULL)
|
||||
mgf1Hash = Hash;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
|
||||
+ goto err;
|
||||
+#endif
|
||||
+
|
||||
hLen = EVP_MD_get_size(Hash);
|
||||
if (hLen < 0)
|
||||
goto err;
|
||||
--
|
||||
2.41.0
|
||||
|
102
0088-signature-Add-indicator-for-PSS-salt-length.patch
Normal file
102
0088-signature-Add-indicator-for-PSS-salt-length.patch
Normal file
@ -0,0 +1,102 @@
|
||||
From 98ee6faef3da1439c04f11cd2796132d27d1e607 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 15:58:07 +0200
|
||||
Subject: [PATCH 41/48] 0088-signature-Add-indicator-for-PSS-salt-length.patch
|
||||
|
||||
Patch-name: 0088-signature-Add-indicator-for-PSS-salt-length.patch
|
||||
Patch-id: 88
|
||||
---
|
||||
include/openssl/evp.h | 4 ++++
|
||||
providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++++
|
||||
3 files changed, 26 insertions(+)
|
||||
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index 615857caf5..05f2d0f75a 100644
|
||||
--- a/include/openssl/evp.h
|
||||
+++ b/include/openssl/evp.h
|
||||
@@ -799,6 +799,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
|
||||
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
|
||||
int *outl);
|
||||
|
||||
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
+
|
||||
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
|
||||
EVP_PKEY *pkey);
|
||||
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index cfaa4841cb..851671cfb1 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -1173,6 +1173,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||||
+ if (prsactx->md == NULL) {
|
||||
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
|
||||
+ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
|
||||
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ } else if (prsactx->pad_mode == RSA_NO_PADDING) {
|
||||
+ if (prsactx->md == NULL) /* Should always be the case */
|
||||
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ return OSSL_PARAM_set_int(p, fips_indicator);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -1182,6 +1200,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
|
||||
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
|
||||
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
||||
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.salt-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
|
||||
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.salt-patch 2024-01-02 12:23:57.106998142 +0100
|
||||
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:26:29.687472015 +0100
|
||||
@@ -377,17 +377,18 @@ my %params = (
|
||||
'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm",
|
||||
|
||||
# Signature parameters
|
||||
- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
|
||||
- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
|
||||
- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
||||
- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
|
||||
- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
|
||||
- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
|
||||
- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
|
||||
- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
|
||||
- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
|
||||
- 'SIGNATURE_PARAM_INSTANCE' => "instance",
|
||||
- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
|
||||
+ 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
|
||||
+ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
|
||||
+ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
||||
+ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
|
||||
+ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
|
||||
+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
|
||||
+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
|
||||
+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
|
||||
+ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||
+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
|
||||
+ 'SIGNATURE_PARAM_INSTANCE' => "instance",
|
||||
+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
|
||||
|
||||
# Asym cipher parameters
|
||||
'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
47
0091-FIPS-RSA-encapsulate.patch
Normal file
47
0091-FIPS-RSA-encapsulate.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 16:01:48 +0200
|
||||
Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch
|
||||
|
||||
Patch-name: 0091-FIPS-RSA-encapsulate.patch
|
||||
Patch-id: 91
|
||||
---
|
||||
providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
|
||||
index 365ae3d7d6..8a6f585d0b 100644
|
||||
--- a/providers/implementations/kem/rsa_kem.c
|
||||
+++ b/providers/implementations/kem/rsa_kem.c
|
||||
@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
|
||||
*secretlen = nlen;
|
||||
return 1;
|
||||
}
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* Step (2): Generate a random byte string z of nlen bytes where
|
||||
* 1 < z < n - 1
|
||||
@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
|
||||
return 1;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* Step (2): check the input ciphertext 'inlen' matches the nlen */
|
||||
if (inlen != nlen) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
|
||||
--
|
||||
2.41.0
|
||||
|
330
0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
Normal file
330
0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
Normal file
@ -0,0 +1,330 @@
|
||||
From 590babb35e3aa399c889282747965e301333a656 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 16:07:18 +0200
|
||||
Subject: [PATCH 43/48]
|
||||
0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
|
||||
|
||||
Patch-name: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
|
||||
Patch-id: 93
|
||||
---
|
||||
crypto/dh/dh_backend.c | 10 ++++
|
||||
crypto/dh/dh_check.c | 12 ++--
|
||||
crypto/dh/dh_gen.c | 12 +++-
|
||||
crypto/dh/dh_key.c | 13 ++--
|
||||
crypto/dh/dh_pmeth.c | 10 +++-
|
||||
providers/implementations/keymgmt/dh_kmgmt.c | 5 ++
|
||||
test/endecode_test.c | 4 +-
|
||||
test/evp_libctx_test.c | 2 +-
|
||||
test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++
|
||||
test/helpers/predefined_dhparams.h | 1 +
|
||||
test/recipes/80-test_cms.t | 4 +-
|
||||
test/recipes/80-test_ssl_old.t | 3 +
|
||||
12 files changed, 118 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
|
||||
index 726843fd30..24c65ca84f 100644
|
||||
--- a/crypto/dh/dh_backend.c
|
||||
+++ b/crypto/dh/dh_backend.c
|
||||
@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
|
||||
if (!dh_ffc_params_fromdata(dh, params))
|
||||
return 0;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (!ossl_dh_is_named_safe_prime_group(dh)) {
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||
+ " FIPS mode, since the required validation routines"
|
||||
+ " were removed from FIPS 186-5");
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
param_priv_len =
|
||||
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
|
||||
if (param_priv_len != NULL
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 0b391910d6..75581ca347 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
|
||||
nid = DH_get_nid((DH *)dh);
|
||||
if (nid != NID_undef)
|
||||
return 1;
|
||||
+
|
||||
/*
|
||||
- * OR
|
||||
- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
|
||||
- * validity tests.
|
||||
+ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
|
||||
*/
|
||||
- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
|
||||
- FFC_PARAM_TYPE_DH, ret, NULL);
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||
+ " FIPS mode, since the required validation routines were"
|
||||
+ " removed from FIPS 186-5");
|
||||
+ return 0;
|
||||
}
|
||||
#else
|
||||
int DH_check_params(const DH *dh, int *ret)
|
||||
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
|
||||
index 204662a81c..9961f21920 100644
|
||||
--- a/crypto/dh/dh_gen.c
|
||||
+++ b/crypto/dh/dh_gen.c
|
||||
@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
|
||||
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
|
||||
BN_GENCB *cb)
|
||||
{
|
||||
- int ret, res;
|
||||
+ int ret = 0;
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
+ int res;
|
||||
+
|
||||
if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
|
||||
ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
|
||||
FFC_PARAM_TYPE_DH,
|
||||
pbits, qbits, &res, cb);
|
||||
else
|
||||
-#endif
|
||||
ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
|
||||
FFC_PARAM_TYPE_DH,
|
||||
pbits, qbits, &res, cb);
|
||||
+#else
|
||||
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||
+ " FIPS mode, since the required generation routines were"
|
||||
+ " removed from FIPS 186-5");
|
||||
+#endif
|
||||
if (ret > 0)
|
||||
dh->dirty_cnt++;
|
||||
return ret;
|
||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||
index 83773cceea..7e988368d3 100644
|
||||
--- a/crypto/dh/dh_key.c
|
||||
+++ b/crypto/dh/dh_key.c
|
||||
@@ -321,8 +321,12 @@ static int generate_key(DH *dh)
|
||||
goto err;
|
||||
} else {
|
||||
#ifdef FIPS_MODULE
|
||||
- if (dh->params.q == NULL)
|
||||
- goto err;
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer"
|
||||
+ " allowed in FIPS mode, since the required"
|
||||
+ " generation routines were removed from FIPS"
|
||||
+ " 186-5");
|
||||
+ goto err;
|
||||
#else
|
||||
if (dh->params.q == NULL) {
|
||||
/* secret exponent length, must satisfy 2^(l-1) <= p */
|
||||
@@ -343,9 +347,7 @@ static int generate_key(DH *dh)
|
||||
if (!BN_clear_bit(priv_key, 0))
|
||||
goto err;
|
||||
}
|
||||
- } else
|
||||
-#endif
|
||||
- {
|
||||
+ } else {
|
||||
/* Do a partial check for invalid p, q, g */
|
||||
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
|
||||
FFC_PARAM_TYPE_DH, NULL))
|
||||
@@ -361,6 +363,7 @@ static int generate_key(DH *dh)
|
||||
priv_key))
|
||||
goto err;
|
||||
}
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
|
||||
index f201eede0d..30f90d15be 100644
|
||||
--- a/crypto/dh/dh_pmeth.c
|
||||
+++ b/crypto/dh/dh_pmeth.c
|
||||
@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
|
||||
prime_len, subprime_len, &res,
|
||||
pcb);
|
||||
else
|
||||
-# endif
|
||||
- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
|
||||
- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
|
||||
rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
|
||||
FFC_PARAM_TYPE_DH,
|
||||
prime_len, subprime_len, &res,
|
||||
pcb);
|
||||
+# else
|
||||
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||
+ " FIPS mode, since the required generation routines were"
|
||||
+ " removed from FIPS 186-5");
|
||||
+# endif
|
||||
if (rv <= 0) {
|
||||
DH_free(ret);
|
||||
return NULL;
|
||||
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
index 9a7dde7c66..b3e7bca5ac 100644
|
||||
--- a/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
|
||||
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
|
||||
return 1; /* nothing to validate */
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* In FIPS provider, always check the domain parameters to disallow
|
||||
+ * operations on keys with FIPS 186-4 params. */
|
||||
+ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
|
||||
+#endif
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
|
||||
/*
|
||||
* Both of these functions check parameters. DH_check_params_ex()
|
||||
diff --git a/test/endecode_test.c b/test/endecode_test.c
|
||||
index 53385028fc..169f3ccd73 100644
|
||||
--- a/test/endecode_test.c
|
||||
+++ b/test/endecode_test.c
|
||||
@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
|
||||
* for testing only. Use a minimum key size of 2048 for security purposes.
|
||||
*/
|
||||
if (strcmp(type, "DH") == 0)
|
||||
- return get_dh512(keyctx);
|
||||
+ return get_dh2048(keyctx);
|
||||
|
||||
if (strcmp(type, "X9.42 DH") == 0)
|
||||
- return get_dhx512(keyctx);
|
||||
+ return get_dhx_ffdhe2048(keyctx);
|
||||
# endif
|
||||
|
||||
/*
|
||||
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
|
||||
index a7913cda4c..96a35ac1cc 100644
|
||||
--- a/test/evp_libctx_test.c
|
||||
+++ b/test/evp_libctx_test.c
|
||||
@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
|
||||
|
||||
if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
|
||||
|| !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
|
||||
- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
|
||||
+ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected))
|
||||
goto err;
|
||||
|
||||
if (expected) {
|
||||
diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
|
||||
index 4bdadc4143..e5186e4b4a 100644
|
||||
--- a/test/helpers/predefined_dhparams.c
|
||||
+++ b/test/helpers/predefined_dhparams.c
|
||||
@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
|
||||
dhx512_q, sizeof(dhx512_q));
|
||||
}
|
||||
|
||||
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
|
||||
+{
|
||||
+ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for
|
||||
+ * non-well-known groups in FIPS mode. */
|
||||
+ static unsigned char dhx_p[] = {
|
||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58,
|
||||
+ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
|
||||
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41,
|
||||
+ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
|
||||
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02,
|
||||
+ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
|
||||
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55,
|
||||
+ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
|
||||
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda,
|
||||
+ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
|
||||
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82,
|
||||
+ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
|
||||
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3,
|
||||
+ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
|
||||
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1,
|
||||
+ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
|
||||
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32,
|
||||
+ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
|
||||
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83,
|
||||
+ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
|
||||
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff,
|
||||
+ 0xff, 0xff, 0xff, 0xff
|
||||
+ };
|
||||
+ static unsigned char dhx_g[] = {
|
||||
+ 0x02
|
||||
+ };
|
||||
+ static unsigned char dhx_q[] = {
|
||||
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c,
|
||||
+ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
|
||||
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20,
|
||||
+ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
|
||||
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01,
|
||||
+ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
|
||||
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa,
|
||||
+ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
|
||||
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed,
|
||||
+ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
|
||||
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1,
|
||||
+ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
|
||||
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51,
|
||||
+ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
|
||||
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70,
|
||||
+ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
|
||||
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19,
|
||||
+ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
|
||||
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1,
|
||||
+ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
|
||||
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff,
|
||||
+ 0xff, 0xff, 0xff, 0xff
|
||||
+ };
|
||||
+
|
||||
+ return get_dh_from_pg(libctx, "X9.42 DH",
|
||||
+ dhx_p, sizeof(dhx_p),
|
||||
+ dhx_g, sizeof(dhx_g),
|
||||
+ dhx_q, sizeof(dhx_q));
|
||||
+}
|
||||
+
|
||||
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
static unsigned char dh1024_p[] = {
|
||||
diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h
|
||||
index f0e8709062..2ff6d6e721 100644
|
||||
--- a/test/helpers/predefined_dhparams.h
|
||||
+++ b/test/helpers/predefined_dhparams.h
|
||||
@@ -12,6 +12,7 @@
|
||||
#ifndef OPENSSL_NO_DH
|
||||
EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
|
||||
EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx);
|
||||
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx);
|
||||
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
|
||||
EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
|
||||
EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index 2a459856f0..afac836fa3 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
|
||||
],
|
||||
|
||||
[ "enveloped content test streaming S/MIME format, X9.42 DH",
|
||||
- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
||||
+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
||||
"-stream", "-out", "{output}.cms",
|
||||
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
|
||||
- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
|
||||
+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
|
||||
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
||||
\&final_compare
|
||||
]
|
||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
||||
index 527abcea6e..e1d38b1e62 100644
|
||||
--- a/test/recipes/80-test_ssl_old.t
|
||||
+++ b/test/recipes/80-test_ssl_old.t
|
||||
@@ -390,6 +390,9 @@ sub testssl {
|
||||
skip "skipping dhe1024dsa test", 1
|
||||
if ($no_dh);
|
||||
|
||||
+ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1
|
||||
+ if $provider eq "fips";
|
||||
+
|
||||
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
|
||||
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
98
0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
Normal file
98
0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
Normal file
@ -0,0 +1,98 @@
|
||||
From 5db03a4d024f1e396ff54d38ac70d9890b034074 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 16:10:11 +0200
|
||||
Subject: [PATCH 45/48]
|
||||
0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
||||
|
||||
Patch-name: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
||||
Patch-id: 110
|
||||
---
|
||||
include/openssl/evp.h | 4 +++
|
||||
.../implementations/ciphers/ciphercommon.c | 4 +++
|
||||
.../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
|
||||
4 files changed, 34 insertions(+)
|
||||
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index 05f2d0f75a..f1a33ff6f2 100644
|
||||
--- a/include/openssl/evp.h
|
||||
+++ b/include/openssl/evp.h
|
||||
@@ -748,6 +748,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
|
||||
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
|
||||
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
|
||||
|
||||
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
+
|
||||
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
||||
const unsigned char *key, const unsigned char *iv);
|
||||
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
|
||||
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
|
||||
index fa383165d8..716add7339 100644
|
||||
--- a/providers/implementations/ciphers/ciphercommon.c
|
||||
+++ b/providers/implementations/ciphers/ciphercommon.c
|
||||
@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
|
||||
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
|
||||
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
|
||||
+ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
|
||||
+ * not work in ciphercommon.c because it is compiled only once into
|
||||
+ * libcommon.a */
|
||||
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
|
||||
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||
index ed95c97ff4..db7910eb0e 100644
|
||||
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||
@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
break;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /* We would usually hide this under #ifdef FIPS_MODULE, but
|
||||
+ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
|
||||
+ * not work here. */
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section C.H requires guarantees about the
|
||||
+ * uniqueness of key/iv pairs, and proposes a few approaches to ensure
|
||||
+ * this. This provides an indicator for option 2 "The IV may be
|
||||
+ * generated internally at its entirety randomly." Note that one of the
|
||||
+ * conditions of this option is that "The IV length shall be at least
|
||||
+ * 96 bits (per SP 800-38D)." We do not specically check for this
|
||||
+ * condition here, because gcm_iv_generate will fail in this case. */
|
||||
+ if (ctx->enc && !ctx->iv_gen_rand)
|
||||
+ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
||||
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.ivgen-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
|
||||
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.ivgen-patch 2024-01-02 12:29:45.119433637 +0100
|
||||
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:33:09.146723045 +0100
|
||||
@@ -101,8 +101,9 @@ my %params = (
|
||||
'CIPHER_PARAM_SPEED' => "speed", # uint
|
||||
'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
|
||||
# For passing the AlgorithmIdentifier parameter in DER form
|
||||
- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
|
||||
- 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
|
||||
+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
|
||||
+ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
|
||||
+ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
|
||||
|
||||
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint
|
||||
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t
|
@ -0,0 +1,75 @@
|
||||
From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 16:12:33 +0200
|
||||
Subject: [PATCH 46/48]
|
||||
0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
||||
|
||||
Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
||||
Patch-id: 112
|
||||
---
|
||||
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
|
||||
1 file changed, 37 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
||||
index 11820d1e69..bae2238ab5 100644
|
||||
--- a/providers/implementations/kdfs/pbkdf2.c
|
||||
+++ b/providers/implementations/kdfs/pbkdf2.c
|
||||
@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
|
||||
|
||||
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
+#ifdef FIPS_MODULE
|
||||
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
+
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||
+ != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ /* The lower_bound_checks parameter enables checks required by FIPS. If
|
||||
+ * those checks are disabled, the PBKDF2 implementation will also
|
||||
+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
|
||||
+ * NIST SP 800-132 section 5.1). */
|
||||
+ if (!ctx->lower_bound_checks)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||
- return -2;
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
--
|
||||
2.41.0
|
||||
|
140
0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
Normal file
140
0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
Normal file
@ -0,0 +1,140 @@
|
||||
From 136988155862ce2b45683ef8045e7a8cdd11e215 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 16:13:46 +0200
|
||||
Subject: [PATCH 47/48] 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
|
||||
|
||||
Patch-name: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
|
||||
Patch-id: 113
|
||||
---
|
||||
include/openssl/core_names.h | 2 ++
|
||||
include/openssl/evp.h | 4 +++
|
||||
.../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++
|
||||
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
|
||||
4 files changed, 57 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index f1a33ff6f2..dadbf46a5a 100644
|
||||
--- a/include/openssl/evp.h
|
||||
+++ b/include/openssl/evp.h
|
||||
@@ -1767,6 +1767,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
|
||||
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
|
||||
# endif
|
||||
|
||||
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
+
|
||||
EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
|
||||
const char *properties);
|
||||
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
|
||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||||
index d169bfd396..bd4dcb4e27 100644
|
||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||
@@ -466,6 +466,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
|
||||
return 0;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
|
||||
+ * explicit key confirmation is not implemented here and cannot be
|
||||
+ * implemented without protocol changes, and the FIPS provider does not
|
||||
+ * implement trusted third party validation, since it relies on its
|
||||
+ * callers to do that. We must thus mark RSA-OAEP as unapproved until
|
||||
+ * we have received clarification from NIST on how library modules such
|
||||
+ * as OpenSSL should implement TTP validation. */
|
||||
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -480,6 +501,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
|
||||
#ifdef FIPS_MODULE
|
||||
OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
||||
+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
#endif /* FIPS_MODULE */
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
|
||||
OSSL_PARAM_END
|
||||
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
|
||||
index 8a6f585d0b..f4b7415074 100644
|
||||
--- a/providers/implementations/kem/rsa_kem.c
|
||||
+++ b/providers/implementations/kem/rsa_kem.c
|
||||
@@ -152,11 +152,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
|
||||
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
{
|
||||
PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM *p;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
+ if (ctx == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||
+ * party (section 6.4.2.3.1) for key agreement or key transport, but
|
||||
+ * explicit key confirmation is not implemented here and cannot be
|
||||
+ * implemented without protocol changes, and the FIPS provider does not
|
||||
+ * implement trusted third party validation, since it relies on its
|
||||
+ * callers to do that. We must thus mark RSASVE unapproved until we
|
||||
+ * have received clarification from NIST on how library modules such as
|
||||
+ * OpenSSL should implement TTP validation. */
|
||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
|
||||
- return ctx != NULL;
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
||||
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.kem-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
|
||||
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.kem-patch 2024-01-02 12:49:04.598756268 +0100
|
||||
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:53:16.466464414 +0100
|
||||
@@ -406,6 +406,7 @@ my %params = (
|
||||
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
|
||||
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
|
||||
'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
|
||||
+ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||
|
||||
# Encoder / decoder parameters
|
||||
|
||||
@@ -438,8 +439,9 @@ my %params = (
|
||||
'SIGNATURE_PARAM_KAT' => "kat",
|
||||
|
||||
# KEM parameters
|
||||
- 'KEM_PARAM_OPERATION' => "operation",
|
||||
- 'KEM_PARAM_IKME' => "ikme",
|
||||
+ 'KEM_PARAM_OPERATION' => "operation",
|
||||
+ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||
+ 'KEM_PARAM_IKME' => "ikme",
|
||||
|
||||
# Capabilities
|
||||
|
251
0114-FIPS-enforce-EMS-support.patch
Normal file
251
0114-FIPS-enforce-EMS-support.patch
Normal file
@ -0,0 +1,251 @@
|
||||
From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 16:40:56 +0200
|
||||
Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch
|
||||
|
||||
Patch-name: 0114-FIPS-enforce-EMS-support.patch
|
||||
Patch-id: 114
|
||||
Patch-status: |
|
||||
# We believe that some changes present in CentOS are not necessary
|
||||
# because ustream has a check for FIPS version
|
||||
---
|
||||
doc/man3/SSL_CONF_cmd.pod | 3 +++
|
||||
doc/man5/fips_config.pod | 13 +++++++++++
|
||||
include/openssl/fips_names.h | 8 +++++++
|
||||
include/openssl/ssl.h.in | 1 +
|
||||
providers/fips/fipsprov.c | 2 +-
|
||||
providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++
|
||||
ssl/ssl_conf.c | 1 +
|
||||
ssl/statem/extensions_srvr.c | 8 ++++++-
|
||||
ssl/t1_enc.c | 11 ++++++++--
|
||||
.../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++
|
||||
test/sslapitest.c | 2 +-
|
||||
11 files changed, 76 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
|
||||
index ae6ca43282..b83c04a308 100644
|
||||
--- a/doc/man3/SSL_CONF_cmd.pod
|
||||
+++ b/doc/man3/SSL_CONF_cmd.pod
|
||||
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
|
||||
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
|
||||
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
|
||||
|
||||
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
|
||||
+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
|
||||
+
|
||||
B<CANames>: use CA names extension, enabled by
|
||||
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
|
||||
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
|
||||
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
|
||||
index 1c15e32a5c..f2cedaf88d 100644
|
||||
--- a/doc/man5/fips_config.pod
|
||||
+++ b/doc/man5/fips_config.pod
|
||||
@@ -15,6 +15,19 @@ for more information.
|
||||
|
||||
This functionality was added in OpenSSL 3.0.
|
||||
|
||||
+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
|
||||
+OpenSSL configuration directory and managed by crypto policies. If present, it
|
||||
+should have format
|
||||
+
|
||||
+ [fips_sect]
|
||||
+ tls1-prf-ems-check = 0
|
||||
+ activate = 1
|
||||
+
|
||||
+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
|
||||
+presence of extended master secret or not.
|
||||
+
|
||||
+The B<activate> option enforces FIPS provider activation.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
|
||||
index 5c77f6d691..8cdd5a6bf7 100644
|
||||
--- a/include/openssl/fips_names.h
|
||||
+++ b/include/openssl/fips_names.h
|
||||
@@ -70,6 +70,14 @@ extern "C" {
|
||||
*/
|
||||
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
|
||||
|
||||
+/*
|
||||
+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
|
||||
+ * This is disabled by default.
|
||||
+ *
|
||||
+ * Type: OSSL_PARAM_UTF8_STRING
|
||||
+ */
|
||||
+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
|
||||
+
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
# endif
|
||||
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
||||
index 0b6de603e2..26a69ca282 100644
|
||||
--- a/include/openssl/ssl.h.in
|
||||
+++ b/include/openssl/ssl.h.in
|
||||
@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
|
||||
* interoperability with CryptoPro CSP 3.x
|
||||
*/
|
||||
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
|
||||
+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
|
||||
/*
|
||||
* Disable RFC8879 certificate compression
|
||||
* SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
|
||||
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
||||
index 5ff9872bd8..eb9653a9df 100644
|
||||
--- a/providers/fips/fipsprov.c
|
||||
+++ b/providers/fips/fipsprov.c
|
||||
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||||
if (fgbl == NULL)
|
||||
return NULL;
|
||||
init_fips_option(&fgbl->fips_security_checks, 1);
|
||||
- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
|
||||
+ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
|
||||
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
|
||||
return fgbl;
|
||||
}
|
||||
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||||
index 25a6c79a2e..79bc7a9719 100644
|
||||
--- a/providers/implementations/kdfs/tls1_prf.c
|
||||
+++ b/providers/implementations/kdfs/tls1_prf.c
|
||||
@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)
|
||||
static void kdf_tls1_prf_free(void *vctx)
|
||||
{
|
||||
TLS1_PRF *ctx = (TLS1_PRF *)vctx;
|
||||
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
|
||||
|
||||
if (ctx != NULL) {
|
||||
kdf_tls1_prf_reset(ctx);
|
||||
@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
}
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * The seed buffer is prepended with a label.
|
||||
+ * If EMS mode is enforced then the label "master secret" is not allowed,
|
||||
+ * We do the check this way since the PRF is used for other purposes, as well
|
||||
+ * as "extended master secret".
|
||||
+ */
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||||
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
||||
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+ if (ossl_tls1_prf_ems_check_enabled(libctx)) {
|
||||
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||||
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
||||
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
|
||||
ctx->sec, ctx->seclen,
|
||||
ctx->seed, ctx->seedlen,
|
||||
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
|
||||
index 5146cedb96..086db98c33 100644
|
||||
--- a/ssl/ssl_conf.c
|
||||
+++ b/ssl/ssl_conf.c
|
||||
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
|
||||
SSL_FLAG_TBL("ClientRenegotiation",
|
||||
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
|
||||
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
|
||||
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
|
||||
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
|
||||
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
|
||||
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
|
||||
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
||||
index 00b1ee531e..22cdabb308 100644
|
||||
--- a/ssl/statem/extensions_srvr.c
|
||||
+++ b/ssl/statem/extensions_srvr.c
|
||||
@@ -11,6 +11,7 @@
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
#define COOKIE_STATE_FORMAT_VERSION 1
|
||||
|
||||
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
|
||||
unsigned int context,
|
||||
X509 *x, size_t chainidx)
|
||||
{
|
||||
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
|
||||
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
|
||||
+ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||||
+ return EXT_RETURN_FAIL;
|
||||
+ }
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
+ }
|
||||
|
||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|
||||
|| !WPACKET_put_bytes_u16(pkt, 0)) {
|
||||
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
|
||||
index 91238e6457..e8ad8ecd9e 100644
|
||||
--- a/ssl/t1_enc.c
|
||||
+++ b/ssl/t1_enc.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/trace.h>
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
/* seed1 through seed5 are concatenated */
|
||||
static int tls1_PRF(SSL_CONNECTION *s,
|
||||
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
|
||||
}
|
||||
|
||||
err:
|
||||
- if (fatal)
|
||||
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
+ if (fatal) {
|
||||
+ /* The calls to this function are local so it's safe to implement the check */
|
||||
+ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||||
+ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||||
+ else
|
||||
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
+ }
|
||||
else
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
|
||||
EVP_KDF_CTX_free(kctx);
|
||||
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||
index 44040ff66b..deb6bf3fcb 100644
|
||||
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
|
||||
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
|
||||
+Availablein = fips
|
||||
+KDF = TLS1-PRF
|
||||
+Ctrl.digest = digest:SHA256
|
||||
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
|
||||
+Ctrl.label = seed:master secret
|
||||
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
|
||||
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
+Result = KDF_DERIVE_ERROR
|
||||
+
|
||||
FIPSversion = <=3.1.0
|
||||
KDF = TLS1-PRF
|
||||
Ctrl.digest = digest:SHA256
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index 169e3c7466..e67b5bb44c 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
|
||||
STACK_OF(X509) *server_chain;
|
||||
SSL_CTX *cctx = NULL, *sctx = NULL;
|
||||
SSL *clientssl = NULL, *serverssl = NULL;
|
||||
- int testresult = 0;
|
||||
+ int testresult = 0, status;
|
||||
|
||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
TLS_client_method(), TLS1_VERSION, 0,
|
||||
--
|
||||
2.41.0
|
||||
|
85
0115-skip-quic-pairwise.patch
Normal file
85
0115-skip-quic-pairwise.patch
Normal file
@ -0,0 +1,85 @@
|
||||
From 42ed594a3a905830374fb65cced431748f8c639c Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Thu, 4 Apr 2024 11:50:58 +0200
|
||||
Subject: [PATCH 45/50] 0115-skip-quic-pairwise.patch
|
||||
|
||||
Patch-name: 0115-skip-quic-pairwise.patch
|
||||
Patch-id: 115
|
||||
Patch-status: |
|
||||
# Amend tests according to Fedora/RHEL code
|
||||
---
|
||||
test/quicapitest.c | 4 +++-
|
||||
test/recipes/01-test_symbol_presence.t | 1 +
|
||||
test/recipes/30-test_pairwise_fail.t | 13 +++++++++++--
|
||||
3 files changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/test/quicapitest.c b/test/quicapitest.c
|
||||
index 41cf0fc7a8..0fb7492700 100644
|
||||
--- a/test/quicapitest.c
|
||||
+++ b/test/quicapitest.c
|
||||
@@ -2139,7 +2139,9 @@ int setup_tests(void)
|
||||
ADD_TEST(test_cipher_find);
|
||||
ADD_TEST(test_version);
|
||||
#if defined(DO_SSL_TRACE_TEST)
|
||||
- ADD_TEST(test_ssl_trace);
|
||||
+ if (is_fips == 0) {
|
||||
+ ADD_TEST(test_ssl_trace);
|
||||
+ }
|
||||
#endif
|
||||
ADD_TEST(test_quic_forbidden_apis_ctx);
|
||||
ADD_TEST(test_quic_forbidden_apis);
|
||||
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
|
||||
index c837d48fb4..f06ef04b1a 100644
|
||||
--- a/test/recipes/30-test_pairwise_fail.t
|
||||
+++ b/test/recipes/30-test_pairwise_fail.t
|
||||
@@ -9,7 +9,7 @@
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file);
|
||||
+use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with);
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
BEGIN {
|
||||
@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
|
||||
SKIP: {
|
||||
skip "Skip RSA test because of no rsa in this build", 1
|
||||
if disabled("rsa");
|
||||
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
||||
+ sub {
|
||||
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||
"-pairwise", "rsa"])),
|
||||
"fips provider rsa keygen pairwise failure test");
|
||||
+ });
|
||||
}
|
||||
|
||||
SKIP: {
|
||||
skip "Skip EC test because of no ec in this build", 2
|
||||
if disabled("ec");
|
||||
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
||||
+ sub {
|
||||
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||
"-pairwise", "ec"])),
|
||||
"fips provider ec keygen pairwise failure test");
|
||||
+ });
|
||||
|
||||
skip "FIPS provider version is too old", 1
|
||||
if !$fips_exit;
|
||||
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
||||
+ sub {
|
||||
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||
"-pairwise", "eckat"])),
|
||||
"fips provider ec keygen kat failure test");
|
||||
+ });
|
||||
}
|
||||
|
||||
SKIP: {
|
||||
skip "Skip DSA tests because of no dsa in this build", 2
|
||||
- if disabled("dsa");
|
||||
+ if 1; #if disabled("dsa");
|
||||
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
|
||||
"fips provider dsa keygen pairwise failure test");
|
||||
--
|
||||
2.44.0
|
||||
|
84
0116-version-aliasing.patch
Normal file
84
0116-version-aliasing.patch
Normal file
@ -0,0 +1,84 @@
|
||||
From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 6 Mar 2024 19:17:17 +0100
|
||||
Subject: [PATCH 46/49] 0116-version-aliasing.patch
|
||||
|
||||
Patch-name: 0116-version-aliasing.patch
|
||||
Patch-id: 116
|
||||
Patch-status: |
|
||||
# Add version aliasing due to
|
||||
# https://github.com/openssl/openssl/issues/23534
|
||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||
---
|
||||
crypto/evp/digest.c | 7 ++++++-
|
||||
crypto/evp/evp_enc.c | 7 ++++++-
|
||||
test/recipes/01-test_symbol_presence.t | 1 +
|
||||
util/libcrypto.num | 2 ++
|
||||
4 files changed, 15 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
|
||||
index 42331703da..3a280acc0e 100644
|
||||
--- a/crypto/evp/digest.c
|
||||
+++ b/crypto/evp/digest.c
|
||||
@@ -553,7 +553,12 @@ legacy:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
||||
+EVP_MD_CTX
|
||||
+#if !defined(FIPS_MODULE)
|
||||
+__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
|
||||
+ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
|
||||
+#endif
|
||||
+*EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
||||
{
|
||||
EVP_MD_CTX *out = EVP_MD_CTX_new();
|
||||
|
||||
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
|
||||
index e9faf31057..5a29b8dbb7 100644
|
||||
--- a/crypto/evp/evp_enc.c
|
||||
+++ b/crypto/evp/evp_enc.c
|
||||
@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
|
||||
#endif /* FIPS_MODULE */
|
||||
}
|
||||
|
||||
-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
||||
+EVP_CIPHER_CTX
|
||||
+#if !defined(FIPS_MODULE)
|
||||
+__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
|
||||
+ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
|
||||
+#endif
|
||||
+*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
||||
{
|
||||
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
|
||||
|
||||
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
|
||||
index 222b1886ae..7e2f65cccb 100644
|
||||
--- a/test/recipes/01-test_symbol_presence.t
|
||||
+++ b/test/recipes/01-test_symbol_presence.t
|
||||
@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) {
|
||||
}
|
||||
}
|
||||
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
|
||||
+@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
|
||||
+@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates;
|
||||
if (@duplicates) {
|
||||
note "Duplicates:";
|
||||
note join('\n', @duplicates);
|
||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||
index 8046454025..068e9904e2 100644
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION:
|
||||
OSSL_STACK_OF_X509_free 5563 3_2_0 EXIST::FUNCTION:
|
||||
OSSL_trace_string 5564 3_2_0 EXIST::FUNCTION:
|
||||
EVP_MD_CTX_dup 5565 3_2_0 EXIST::FUNCTION:
|
||||
+EVP_MD_CTX_dup ? 3_1_0 EXIST::FUNCTION:
|
||||
EVP_CIPHER_CTX_dup 5566 3_2_0 EXIST::FUNCTION:
|
||||
+EVP_CIPHER_CTX_dup ? 3_1_0 EXIST::FUNCTION:
|
||||
BN_signed_bin2bn 5567 3_2_0 EXIST::FUNCTION:
|
||||
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
|
||||
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
|
||||
--
|
||||
2.44.0
|
||||
|
318
0117-ignore-unknown-sigalgorithms-groups.patch
Normal file
318
0117-ignore-unknown-sigalgorithms-groups.patch
Normal file
@ -0,0 +1,318 @@
|
||||
From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Thu, 14 Dec 2023 17:08:56 +0100
|
||||
Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||
|
||||
Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||
Patch-id: 117
|
||||
Patch-status: |
|
||||
# https://github.com/openssl/openssl/issues/23050
|
||||
---
|
||||
CHANGES.md | 13 +++++++
|
||||
doc/man3/SSL_CTX_set1_curves.pod | 6 ++-
|
||||
doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++-
|
||||
ssl/t1_lib.c | 56 +++++++++++++++++++++-------
|
||||
test/sslapitest.c | 61 +++++++++++++++++++++++++++++++
|
||||
5 files changed, 132 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/CHANGES.md b/CHANGES.md
|
||||
index ca29762ac2..4e21d0ddf9 100644
|
||||
--- a/CHANGES.md
|
||||
+++ b/CHANGES.md
|
||||
@@ -27,6 +27,19 @@ OpenSSL 3.2
|
||||
|
||||
### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
|
||||
|
||||
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
|
||||
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
|
||||
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
|
||||
+ ignored and the configuration will still be used.
|
||||
+
|
||||
+ Similarly unknown entries that start with `?` character in a TLS
|
||||
+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
|
||||
+ and the configuration will still be used.
|
||||
+
|
||||
+ In both cases if the resulting list is empty, an error is returned.
|
||||
+
|
||||
+ *Tomáš Mráz*
|
||||
+
|
||||
* A file in PKCS12 format can contain certificates and keys and may come from
|
||||
an untrusted source. The PKCS12 specification allows certain fields to be
|
||||
NULL, but OpenSSL did not correctly check for this case. A fix has been
|
||||
diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
|
||||
index c26ef00306..f0566e148e 100644
|
||||
--- a/doc/man3/SSL_CTX_set1_curves.pod
|
||||
+++ b/doc/man3/SSL_CTX_set1_curves.pod
|
||||
@@ -58,7 +58,8 @@ string B<list>. The string is a colon separated list of group names, for example
|
||||
are B<P-256>, B<P-384>, B<P-521>, B<X25519>, B<X448>, B<brainpoolP256r1tls13>,
|
||||
B<brainpoolP384r1tls13>, B<brainpoolP512r1tls13>, B<ffdhe2048>, B<ffdhe3072>,
|
||||
B<ffdhe4096>, B<ffdhe6144> and B<ffdhe8192>. Support for other groups may be
|
||||
-added by external providers.
|
||||
+added by external providers. If a group name is preceded with the C<?>
|
||||
+character, it will be ignored if an implementation is missing.
|
||||
|
||||
SSL_set1_groups() and SSL_set1_groups_list() are similar except they set
|
||||
supported groups for the SSL structure B<ssl>.
|
||||
@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group
|
||||
functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
|
||||
was added in OpenSSL 3.0.0.
|
||||
|
||||
+Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
|
||||
+SSL_set1_groups_list() was added in OpenSSL 3.3.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||
index eb31006346..5b7de7d956 100644
|
||||
--- a/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||
+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||
@@ -33,7 +33,9 @@ signature algorithms for B<ctx> or B<ssl>. The B<str> parameter
|
||||
must be a null terminated string consisting of a colon separated list of
|
||||
elements, where each element is either a combination of a public key
|
||||
algorithm and a digest separated by B<+>, or a TLS 1.3-style named
|
||||
-SignatureScheme such as rsa_pss_pss_sha256.
|
||||
+SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded
|
||||
+with the C<?> character, it will be ignored if an implementation is missing.
|
||||
+
|
||||
|
||||
SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(),
|
||||
SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set
|
||||
@@ -106,6 +108,13 @@ using a string:
|
||||
L<ssl(7)>, L<SSL_get_shared_sigalgs(3)>,
|
||||
L<SSL_CONF_CTX_new(3)>
|
||||
|
||||
+=head1 HISTORY
|
||||
+
|
||||
+Support for ignoring unknown signature algorithms in
|
||||
+SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(),
|
||||
+SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list()
|
||||
+was added in OpenSSL 3.3.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index 056aae3863..fe680449c5 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg)
|
||||
size_t i;
|
||||
uint16_t gid = 0;
|
||||
char etmp[GROUP_NAME_BUFFER_LENGTH];
|
||||
+ int ignore_unknown = 0;
|
||||
|
||||
if (elem == NULL)
|
||||
return 0;
|
||||
+ if (elem[0] == '?') {
|
||||
+ ignore_unknown = 1;
|
||||
+ ++elem;
|
||||
+ --len;
|
||||
+ }
|
||||
if (garg->gidcnt == garg->gidmax) {
|
||||
uint16_t *tmp =
|
||||
OPENSSL_realloc(garg->gid_arr,
|
||||
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
|
||||
|
||||
gid = tls1_group_name2id(garg->ctx, etmp);
|
||||
if (gid == 0) {
|
||||
- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||
- "group '%s' cannot be set", etmp);
|
||||
- return 0;
|
||||
+ /* Unknown group - ignore, if ignore_unknown */
|
||||
+ return ignore_unknown;
|
||||
}
|
||||
for (i = 0; i < garg->gidcnt; i++)
|
||||
- if (garg->gid_arr[i] == gid)
|
||||
- return 0;
|
||||
+ if (garg->gid_arr[i] == gid) {
|
||||
+ /* Duplicate group - ignore */
|
||||
+ return 1;
|
||||
+ }
|
||||
garg->gid_arr[garg->gidcnt++] = gid;
|
||||
return 1;
|
||||
}
|
||||
@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen,
|
||||
gcb.ctx = ctx;
|
||||
if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb))
|
||||
goto end;
|
||||
+ if (gcb.gidcnt == 0) {
|
||||
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||
+ "No valid groups in '%s'", str);
|
||||
+ goto end;
|
||||
+ }
|
||||
if (pext == NULL) {
|
||||
ret = 1;
|
||||
goto end;
|
||||
@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
const SIGALG_LOOKUP *s;
|
||||
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
|
||||
int sig_alg = NID_undef, hash_alg = NID_undef;
|
||||
+ int ignore_unknown = 0;
|
||||
+
|
||||
if (elem == NULL)
|
||||
return 0;
|
||||
+ if (elem[0] == '?') {
|
||||
+ ignore_unknown = 1;
|
||||
+ ++elem;
|
||||
+ --len;
|
||||
+ }
|
||||
if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
|
||||
return 0;
|
||||
if (len > (int)(sizeof(etmp) - 1))
|
||||
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
break;
|
||||
}
|
||||
}
|
||||
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
||||
- return 0;
|
||||
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||
+ return ignore_unknown;
|
||||
+ }
|
||||
}
|
||||
} else {
|
||||
*p = 0;
|
||||
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
return 0;
|
||||
get_sigorhash(&sig_alg, &hash_alg, etmp);
|
||||
get_sigorhash(&sig_alg, &hash_alg, p);
|
||||
- if (sig_alg == NID_undef || hash_alg == NID_undef)
|
||||
- return 0;
|
||||
+ if (sig_alg == NID_undef || hash_alg == NID_undef) {
|
||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||
+ return ignore_unknown;
|
||||
+ }
|
||||
for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
|
||||
i++, s++) {
|
||||
if (s->hash == hash_alg && s->sig == sig_alg) {
|
||||
@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||
break;
|
||||
}
|
||||
}
|
||||
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
||||
- return 0;
|
||||
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||
+ return ignore_unknown;
|
||||
+ }
|
||||
}
|
||||
|
||||
- /* Reject duplicates */
|
||||
+ /* Ignore duplicates */
|
||||
for (i = 0; i < sarg->sigalgcnt - 1; i++) {
|
||||
if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
|
||||
sarg->sigalgcnt--;
|
||||
- return 0;
|
||||
+ return 1;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
||||
}
|
||||
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
||||
return 0;
|
||||
+ if (sig.sigalgcnt == 0) {
|
||||
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||
+ "No valid signature algorithms in '%s'", str);
|
||||
+ return 0;
|
||||
+ }
|
||||
if (c == NULL)
|
||||
return 1;
|
||||
return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index 1c14f93ed1..184a0f1055 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -39,6 +39,7 @@
|
||||
#include "testutil.h"
|
||||
#include "testutil/output.h"
|
||||
#include "internal/nelem.h"
|
||||
+#include "internal/tlsgroups.h"
|
||||
#include "internal/ktls.h"
|
||||
#include "../ssl/ssl_local.h"
|
||||
#include "../ssl/record/methods/recmethod_local.h"
|
||||
@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = {
|
||||
{validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
|
||||
# endif
|
||||
{NULL, 0, "RSA+SHA256", 1, 1},
|
||||
+ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
|
||||
# ifndef OPENSSL_NO_EC
|
||||
{NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
|
||||
{NULL, 0, "ECDSA+SHA512", 1, 0},
|
||||
@@ -9276,6 +9278,64 @@ static int test_servername(int tst)
|
||||
return testresult;
|
||||
}
|
||||
|
||||
+static int test_unknown_sigalgs_groups(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ SSL_CTX *ctx = NULL;
|
||||
+
|
||||
+ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
|
||||
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
|
||||
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
||||
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
|
||||
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
|
||||
+ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
||||
+ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||
+ "nonexistent"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||
+ "?nonexistent1:?nonexistent2:?nonexistent3"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||
+ "P-256:nonexistent"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
|
||||
+ "P-384:?nonexistent:?P-521"),
|
||||
+ 0))
|
||||
+ goto end;
|
||||
+ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
|
||||
+ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
|
||||
+ || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
|
||||
+ goto end;
|
||||
+#endif
|
||||
+
|
||||
+ ret = 1;
|
||||
+ end:
|
||||
+ SSL_CTX_free(ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
#if !defined(OPENSSL_NO_EC) \
|
||||
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
||||
/*
|
||||
@@ -11519,6 +11579,7 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
|
||||
#endif
|
||||
ADD_ALL_TESTS(test_servername, 10);
|
||||
+ ADD_TEST(test_unknown_sigalgs_groups);
|
||||
#if !defined(OPENSSL_NO_EC) \
|
||||
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
||||
ADD_ALL_TESTS(test_sigalgs_available, 6);
|
||||
--
|
||||
2.44.0
|
||||
|
65
0121-FIPS-cms-defaults.patch
Normal file
65
0121-FIPS-cms-defaults.patch
Normal file
@ -0,0 +1,65 @@
|
||||
diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c
|
||||
--- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200
|
||||
+++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <openssl/x509_vfy.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include <openssl/cms.h>
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
|
||||
static int cms_cb(int ok, X509_STORE_CTX *ctx);
|
||||
@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv)
|
||||
|
||||
if (operation == SMIME_ENCRYPT) {
|
||||
if (!cipher) {
|
||||
+ if (FIPS_mode()) {
|
||||
+ cipher = (EVP_CIPHER *)EVP_aes_128_cbc();
|
||||
+ } else {
|
||||
#ifndef OPENSSL_NO_DES
|
||||
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||
+ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||
#else
|
||||
- BIO_printf(bio_err, "No cipher selected\n");
|
||||
- goto end;
|
||||
+ BIO_printf(bio_err, "No cipher selected\n");
|
||||
+ goto end;
|
||||
#endif
|
||||
+ }
|
||||
}
|
||||
|
||||
if (secret_key && !secret_keyid) {
|
||||
diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c
|
||||
--- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200
|
||||
+++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200
|
||||
@@ -14,6 +14,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/cms.h>
|
||||
#include <openssl/evp.h>
|
||||
+#include <openssl/fips.h>
|
||||
#include "internal/sizes.h"
|
||||
#include "crypto/asn1.h"
|
||||
#include "crypto/evp.h"
|
||||
@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C
|
||||
return 0;
|
||||
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
|
||||
return 0;
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
|
||||
+ return 0;
|
||||
+ }
|
||||
} else if (!ossl_cms_env_asn1_ctrl(ri, 0))
|
||||
return 0;
|
||||
return 1;
|
||||
@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp
|
||||
|
||||
if (EVP_PKEY_encrypt_init(pctx) <= 0)
|
||||
goto err;
|
||||
+
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
|
||||
+ goto err;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
|
16
0122-TMP-KTLS-test-skip.patch
Normal file
16
0122-TMP-KTLS-test-skip.patch
Normal file
@ -0,0 +1,16 @@
|
||||
diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c
|
||||
--- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200
|
||||
+++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200
|
||||
@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co
|
||||
/* sock must be connected */
|
||||
static int ktls_chk_platform(int sock)
|
||||
{
|
||||
- if (!ktls_enable(sock))
|
||||
+/* if (!ktls_enable(sock))
|
||||
return 0;
|
||||
- return 1;
|
||||
+ return 1; */
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
|
@ -0,0 +1,62 @@
|
||||
From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 17 Jun 2024 16:48:26 +0200
|
||||
Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older
|
||||
providers
|
||||
|
||||
If there is no get_ctx_params() implemented in the key exchange
|
||||
provider implementation the fallback will not work. Instead
|
||||
check the gettable_ctx_params() to see if the fallback should be
|
||||
performed.
|
||||
|
||||
Fixes #24611
|
||||
|
||||
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
|
||||
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24661)
|
||||
|
||||
(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d)
|
||||
---
|
||||
crypto/evp/pmeth_lib.c | 11 +++++++++--
|
||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
||||
index 2caff2cd6d..d15e43be05 100644
|
||||
--- a/crypto/evp/pmeth_lib.c
|
||||
+++ b/crypto/evp/pmeth_lib.c
|
||||
@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
||||
int datalen)
|
||||
{
|
||||
OSSL_PARAM os_params[2];
|
||||
+ const OSSL_PARAM *gettables;
|
||||
unsigned char *info = NULL;
|
||||
size_t info_len = 0;
|
||||
size_t info_alloc = 0;
|
||||
@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
||||
return 1;
|
||||
}
|
||||
|
||||
+ /* Check for older provider that doesn't support getting this parameter */
|
||||
+ gettables = EVP_PKEY_CTX_gettable_params(ctx);
|
||||
+ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
|
||||
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
|
||||
+ data, datalen);
|
||||
+
|
||||
/* Get the original value length */
|
||||
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
|
||||
os_params[1] = OSSL_PARAM_construct_end();
|
||||
@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
||||
if (!EVP_PKEY_CTX_get_params(ctx, os_params))
|
||||
return 0;
|
||||
|
||||
- /* Older provider that doesn't support getting this parameter */
|
||||
+ /* This should not happen but check to be sure. */
|
||||
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
|
||||
- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
|
||||
+ return 0;
|
||||
|
||||
info_alloc = os_params[0].return_size + datalen;
|
||||
if (info_alloc == 0)
|
||||
--
|
||||
2.45.1
|
||||
|
1525
0124-PBMAC1-PKCS12-FIPS-support.patch
Normal file
1525
0124-PBMAC1-PKCS12-FIPS-support.patch
Normal file
File diff suppressed because it is too large
Load Diff
21
0125-PBMAC1-PKCS12-FIPS-default.patch
Normal file
21
0125-PBMAC1-PKCS12-FIPS-default.patch
Normal file
@ -0,0 +1,21 @@
|
||||
diff -up openssl-3.2.2/apps/pkcs12.c.xxx openssl-3.2.2/apps/pkcs12.c
|
||||
--- openssl-3.2.2/apps/pkcs12.c.xxx 2024-08-14 11:24:41.164589397 +0200
|
||||
+++ openssl-3.2.2/apps/pkcs12.c 2024-08-14 11:28:21.071004221 +0200
|
||||
@@ -17,6 +17,7 @@
|
||||
#include <openssl/asn1.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/err.h>
|
||||
+#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/pkcs12.h>
|
||||
#include <openssl/provider.h>
|
||||
@@ -708,6 +709,9 @@ int pkcs12_main(int argc, char **argv)
|
||||
}
|
||||
|
||||
if (maciter != -1) {
|
||||
+ if (EVP_default_properties_is_fips_enabled(NULL))
|
||||
+ pbmac1_pbkdf2 = 1;
|
||||
+
|
||||
if (pbmac1_pbkdf2 == 1) {
|
||||
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
|
||||
macsaltlen, maciter,
|
430
0126-pkeyutl-encap.patch
Normal file
430
0126-pkeyutl-encap.patch
Normal file
@ -0,0 +1,430 @@
|
||||
From 77a0eabe15b9c8c0fb5fde27f6ce1c593c278e20 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Wed, 7 Aug 2024 17:17:18 +0200
|
||||
Subject: [PATCH 1/3] Support of en/decapsulation in the pkeyutl command
|
||||
|
||||
---
|
||||
apps/pkeyutl.c | 83 +++++++++++++++++++++++++++++++++++++++++---------
|
||||
1 file changed, 69 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
|
||||
index b5390c64c2a81..a14ad88217823 100644
|
||||
--- a/apps/pkeyutl.c
|
||||
+++ b/apps/pkeyutl.c
|
||||
@@ -24,7 +24,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
|
||||
const char *keyfile, int keyform, int key_type,
|
||||
char *passinarg, int pkey_op, ENGINE *e,
|
||||
const int impl, int rawin, EVP_PKEY **ppkey,
|
||||
- EVP_MD_CTX *mctx, const char *digestname,
|
||||
+ EVP_MD_CTX *mctx, const char *digestname, const char *kemop,
|
||||
OSSL_LIB_CTX *libctx, const char *propq);
|
||||
|
||||
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
|
||||
@@ -32,7 +32,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
|
||||
|
||||
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
|
||||
unsigned char *out, size_t *poutlen,
|
||||
- const unsigned char *in, size_t inlen);
|
||||
+ const unsigned char *in, size_t inlen,
|
||||
+ unsigned char *secret, size_t *psecretlen);
|
||||
|
||||
static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
|
||||
EVP_PKEY *pkey, BIO *in,
|
||||
@@ -47,6 +48,7 @@ typedef enum OPTION_choice {
|
||||
OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
|
||||
OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
|
||||
OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM,
|
||||
+ OPT_DECAP, OPT_ENCAP, OPT_SECOUT, OPT_KEMOP,
|
||||
OPT_CONFIG,
|
||||
OPT_RAWIN, OPT_DIGEST
|
||||
} OPTION_CHOICE;
|
||||
@@ -64,6 +66,8 @@ const OPTIONS pkeyutl_options[] = {
|
||||
{"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
|
||||
{"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
|
||||
{"derive", OPT_DERIVE, '-', "Derive shared secret"},
|
||||
+ {"decap", OPT_DECAP, '-', "Decapsulate shared secret"},
|
||||
+ {"encap", OPT_ENCAP, '-', "Encapsulate shared secret"},
|
||||
OPT_CONFIG_OPTION,
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
@@ -81,12 +85,13 @@ const OPTIONS pkeyutl_options[] = {
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file - default stdout"},
|
||||
+ {"secret", OPT_SECOUT, '>', "File to store secret on encapsulation"},
|
||||
{"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
|
||||
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
|
||||
{"verifyrecover", OPT_VERIFYRECOVER, '-',
|
||||
"Verify with public key, recover original data"},
|
||||
|
||||
- OPT_SECTION("Signing/Derivation"),
|
||||
+ OPT_SECTION("Signing/Derivation/Encapsulation"),
|
||||
{"digest", OPT_DIGEST, 's',
|
||||
"Specify the digest algorithm when signing the raw input data"},
|
||||
{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
|
||||
@@ -94,6 +99,7 @@ const OPTIONS pkeyutl_options[] = {
|
||||
"Public key option that is read as a passphrase argument opt:passphrase"},
|
||||
{"kdf", OPT_KDF, 's', "Use KDF algorithm"},
|
||||
{"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
|
||||
+ {"kemop", OPT_KEMOP, 's', "KEM operation specific to the key algorithm"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
@@ -103,23 +109,23 @@ const OPTIONS pkeyutl_options[] = {
|
||||
int pkeyutl_main(int argc, char **argv)
|
||||
{
|
||||
CONF *conf = NULL;
|
||||
- BIO *in = NULL, *out = NULL;
|
||||
+ BIO *in = NULL, *out = NULL, *secout = NULL;
|
||||
ENGINE *e = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
- char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
|
||||
+ char *infile = NULL, *outfile = NULL, *secoutfile = NULL, *sigfile = NULL, *passinarg = NULL;
|
||||
char hexdump = 0, asn1parse = 0, rev = 0, *prog;
|
||||
- unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
|
||||
+ unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL, *secret = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int buf_inlen = 0, siglen = -1;
|
||||
int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF;
|
||||
int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
|
||||
int engine_impl = 0;
|
||||
int ret = 1, rv = -1;
|
||||
- size_t buf_outlen;
|
||||
+ size_t buf_outlen = 0, secretlen = 0;
|
||||
const char *inkey = NULL;
|
||||
const char *peerkey = NULL;
|
||||
- const char *kdfalg = NULL, *digestname = NULL;
|
||||
+ const char *kdfalg = NULL, *digestname = NULL, *kemop = NULL;
|
||||
int kdflen = 0;
|
||||
STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
|
||||
STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL;
|
||||
@@ -147,6 +153,9 @@ int pkeyutl_main(int argc, char **argv)
|
||||
case OPT_OUT:
|
||||
outfile = opt_arg();
|
||||
break;
|
||||
+ case OPT_SECOUT:
|
||||
+ secoutfile = opt_arg();
|
||||
+ break;
|
||||
case OPT_SIGFILE:
|
||||
sigfile = opt_arg();
|
||||
break;
|
||||
@@ -216,6 +225,15 @@ int pkeyutl_main(int argc, char **argv)
|
||||
case OPT_DERIVE:
|
||||
pkey_op = EVP_PKEY_OP_DERIVE;
|
||||
break;
|
||||
+ case OPT_DECAP:
|
||||
+ pkey_op = EVP_PKEY_OP_DECAPSULATE;
|
||||
+ break;
|
||||
+ case OPT_ENCAP:
|
||||
+ pkey_op = EVP_PKEY_OP_ENCAPSULATE;
|
||||
+ break;
|
||||
+ case OPT_KEMOP:
|
||||
+ kemop = opt_arg();
|
||||
+ break;
|
||||
case OPT_KDF:
|
||||
pkey_op = EVP_PKEY_OP_DERIVE;
|
||||
key_type = KEY_NONE;
|
||||
@@ -303,7 +321,7 @@ int pkeyutl_main(int argc, char **argv)
|
||||
}
|
||||
ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
|
||||
passinarg, pkey_op, e, engine_impl, rawin, &pkey,
|
||||
- mctx, digestname, libctx, app_get0_propq());
|
||||
+ mctx, digestname, kemop, libctx, app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "%s: Error initializing context\n", prog);
|
||||
goto end;
|
||||
@@ -387,7 +405,7 @@ int pkeyutl_main(int argc, char **argv)
|
||||
goto end;
|
||||
}
|
||||
|
||||
- if (pkey_op != EVP_PKEY_OP_DERIVE) {
|
||||
+ if (pkey_op != EVP_PKEY_OP_DERIVE && pkey_op != EVP_PKEY_OP_ENCAPSULATE) {
|
||||
in = bio_open_default(infile, 'r', FORMAT_BINARY);
|
||||
if (infile != NULL) {
|
||||
struct stat st;
|
||||
@@ -402,6 +420,16 @@ int pkeyutl_main(int argc, char **argv)
|
||||
if (out == NULL)
|
||||
goto end;
|
||||
|
||||
+ if (pkey_op == EVP_PKEY_OP_ENCAPSULATE) {
|
||||
+ if (secoutfile == NULL) {
|
||||
+ BIO_printf(bio_err, "Encapsulation requires '-secret' argument\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ secout = bio_open_default(secoutfile, 'w', FORMAT_BINARY);
|
||||
+ if (secout == NULL)
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
if (sigfile != NULL) {
|
||||
BIO *sigbio = BIO_new_file(sigfile, "rb");
|
||||
|
||||
@@ -473,13 +501,15 @@ int pkeyutl_main(int argc, char **argv)
|
||||
rv = 1;
|
||||
} else {
|
||||
rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
|
||||
- buf_in, (size_t)buf_inlen);
|
||||
+ buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen);
|
||||
}
|
||||
if (rv > 0 && buf_outlen != 0) {
|
||||
buf_out = app_malloc(buf_outlen, "buffer output");
|
||||
+ if (secretlen > 0)
|
||||
+ secret = app_malloc(secretlen, "secret output");
|
||||
rv = do_keyop(ctx, pkey_op,
|
||||
buf_out, (size_t *)&buf_outlen,
|
||||
- buf_in, (size_t)buf_inlen);
|
||||
+ buf_in, (size_t)buf_inlen, secret, (size_t *)&secretlen);
|
||||
}
|
||||
}
|
||||
if (rv <= 0) {
|
||||
@@ -500,6 +530,8 @@ int pkeyutl_main(int argc, char **argv)
|
||||
} else {
|
||||
BIO_write(out, buf_out, buf_outlen);
|
||||
}
|
||||
+ if (secretlen > 0)
|
||||
+ BIO_write(secout, secret, secretlen);
|
||||
|
||||
end:
|
||||
if (ret != 0)
|
||||
@@ -510,9 +542,11 @@ int pkeyutl_main(int argc, char **argv)
|
||||
release_engine(e);
|
||||
BIO_free(in);
|
||||
BIO_free_all(out);
|
||||
+ BIO_free_all(secout);
|
||||
OPENSSL_free(buf_in);
|
||||
OPENSSL_free(buf_out);
|
||||
OPENSSL_free(sig);
|
||||
+ OPENSSL_free(secret);
|
||||
sk_OPENSSL_STRING_free(pkeyopts);
|
||||
sk_OPENSSL_STRING_free(pkeyopts_passin);
|
||||
NCONF_free(conf);
|
||||
@@ -524,7 +558,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
|
||||
char *passinarg, int pkey_op, ENGINE *e,
|
||||
const int engine_impl, int rawin,
|
||||
EVP_PKEY **ppkey, EVP_MD_CTX *mctx, const char *digestname,
|
||||
- OSSL_LIB_CTX *libctx, const char *propq)
|
||||
+ const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
|
||||
{
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
@@ -642,6 +676,18 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
|
||||
case EVP_PKEY_OP_DERIVE:
|
||||
rv = EVP_PKEY_derive_init(ctx);
|
||||
break;
|
||||
+
|
||||
+ case EVP_PKEY_OP_ENCAPSULATE:
|
||||
+ rv = EVP_PKEY_encapsulate_init(ctx, NULL);
|
||||
+ if (rv > 0 && kemop != NULL)
|
||||
+ rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop);
|
||||
+ break;
|
||||
+
|
||||
+ case EVP_PKEY_OP_DECAPSULATE:
|
||||
+ rv = EVP_PKEY_decapsulate_init(ctx, NULL);
|
||||
+ if (rv > 0 && kemop != NULL)
|
||||
+ rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop);
|
||||
+ break;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -679,7 +725,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
|
||||
|
||||
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
|
||||
unsigned char *out, size_t *poutlen,
|
||||
- const unsigned char *in, size_t inlen)
|
||||
+ const unsigned char *in, size_t inlen,
|
||||
+ unsigned char *secret, size_t *pseclen)
|
||||
{
|
||||
int rv = 0;
|
||||
switch (pkey_op) {
|
||||
@@ -703,6 +750,14 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
|
||||
rv = EVP_PKEY_derive(ctx, out, poutlen);
|
||||
break;
|
||||
|
||||
+ case EVP_PKEY_OP_ENCAPSULATE:
|
||||
+ rv = EVP_PKEY_encapsulate(ctx, out, poutlen, secret, pseclen);
|
||||
+ break;
|
||||
+
|
||||
+ case EVP_PKEY_OP_DECAPSULATE:
|
||||
+ rv = EVP_PKEY_decapsulate(ctx, out, poutlen, in, inlen);
|
||||
+ break;
|
||||
+
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
|
||||
From 1598da873df55887c2d878549f74b7aaed6d5fde Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Wed, 7 Aug 2024 17:50:51 +0200
|
||||
Subject: [PATCH 2/3] Encap/decap in pkeyutl - documentation
|
||||
|
||||
---
|
||||
doc/man1/openssl-pkeyutl.pod.in | 33 +++++++++++++++++++++++++++++++++
|
||||
1 file changed, 33 insertions(+)
|
||||
|
||||
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
|
||||
index 50c2030aa353c..9de50dd6cee8f 100644
|
||||
--- a/doc/man1/openssl-pkeyutl.pod.in
|
||||
+++ b/doc/man1/openssl-pkeyutl.pod.in
|
||||
@@ -13,6 +13,7 @@ B<openssl> B<pkeyutl>
|
||||
[B<-rawin>]
|
||||
[B<-digest> I<algorithm>]
|
||||
[B<-out> I<file>]
|
||||
+[B<-secret> I<file>]
|
||||
[B<-sigfile> I<file>]
|
||||
[B<-inkey> I<filename>|I<uri>]
|
||||
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
|
||||
@@ -28,8 +29,11 @@ B<openssl> B<pkeyutl>
|
||||
[B<-encrypt>]
|
||||
[B<-decrypt>]
|
||||
[B<-derive>]
|
||||
+[B<-encap>]
|
||||
+[B<-decap>]
|
||||
[B<-kdf> I<algorithm>]
|
||||
[B<-kdflen> I<length>]
|
||||
+[B<-kemop> I<operation>]
|
||||
[B<-pkeyopt> I<opt>:I<value>]
|
||||
[B<-pkeyopt_passin> I<opt>[:I<passarg>]]
|
||||
[B<-hexdump>]
|
||||
@@ -79,6 +83,10 @@ then the B<-rawin> option must be also specified.
|
||||
Specifies the output filename to write to or standard output by
|
||||
default.
|
||||
|
||||
+=item B<-secret> I<filename>
|
||||
+
|
||||
+Specifies the output filename to write the secret to on I<-encap>.
|
||||
+
|
||||
=item B<-sigfile> I<file>
|
||||
|
||||
Signature file, required for B<-verify> operations only
|
||||
@@ -147,6 +155,31 @@ Decrypt the input data using a private key.
|
||||
|
||||
Derive a shared secret using the peer key.
|
||||
|
||||
+=item B<-encap>
|
||||
+
|
||||
+Encapsulate a generated secret using a private key.
|
||||
+The encapsulated result (binary data) is written to standard output by default,
|
||||
+or else to the file specified with I<-out>.
|
||||
+The I<-secret> option must also be provided to specify the output file for the
|
||||
+secret value generated in the encapsulation process.
|
||||
+
|
||||
+=item B<-decap>
|
||||
+
|
||||
+Decapsulate the secret using a private key.
|
||||
+The result (binary data) is written to standard output by default, or else to
|
||||
+the file specified with I<-out>.
|
||||
+
|
||||
+=item B<-kemop> I<operation>
|
||||
+
|
||||
+This option is used for I<-encap>/I<-decap> commands and specifies the KEM
|
||||
+operation specific for the key algorithm when there is no default KEM
|
||||
+operation.
|
||||
+If the algorithm has the default KEM operation, this option can be omitted.
|
||||
+
|
||||
+See L<EVP_PKEY_CTX_set_kem_op(3)> and algorithm-specific KEM documentation e.g.
|
||||
+L<EVP_KEM-RSA(7)>, L<EVP_KEM-EC(7)>, L<EVP_KEM-X25519(7)>, and
|
||||
+L<EVP_KEM-X448(7)>.
|
||||
+
|
||||
=item B<-kdf> I<algorithm>
|
||||
|
||||
Use key derivation function I<algorithm>. The supported algorithms are
|
||||
|
||||
From 1fe7d5b3d96e2ce1e822a4e6e042959af55b0145 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Thu, 8 Aug 2024 13:45:19 +0200
|
||||
Subject: [PATCH 3/3] Encap/decap in pkeyutl - tests
|
||||
|
||||
---
|
||||
test/decap_out.bin | 3 +++
|
||||
test/encap_out.bin | 4 ++++
|
||||
test/encap_secret.bin | 3 +++
|
||||
test/recipes/20-test_pkeyutl.t | 34 ++++++++++++++++++++++++++++++++--
|
||||
4 files changed, 42 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/decap_out.bin
|
||||
create mode 100644 test/encap_out.bin
|
||||
create mode 100644 test/encap_secret.bin
|
||||
|
||||
diff --git a/test/decap_out.bin b/test/decap_out.bin
|
||||
new file mode 100644
|
||||
index 0000000000000..b94441ed1c002
|
||||
--- /dev/null
|
||||
+++ b/test/decap_out.bin
|
||||
@@ -0,0 +1,3 @@
|
||||
+6žW«¡ŠòÌn‘©ú;’ù<1B>¡ÃÄmç Ä¥ÉB[HãÕË#äÓ‡(™‡hŽ]:\³PŸ›xñe¡ƒŽbòé)G¿fõÈ"¨ýËfË ÊýJÝ)ïþÜ<02>ì{ªHm‚\Pú<C383>+¸PÞ¸%èÄ/jÏ™%ç؆È<_æ~–
|
||||
+K—JEhßù‡©lEa¼:¢(Ÿå/\Ñ®Íb<C38D>€Ã®©Ê×È-g,AYœ‹4<E280B9>
|
||||
+l<>ÚtÚN)~\<5C>HU4y០}qJŸ€”t#<0C>¦}.™üTÅý”?ÚØÏŠÐÿcD=üLõ¨nmv<6D>{—éÅ¿Ô‹È£®
|
||||
\ No newline at end of file
|
||||
diff --git a/test/encap_out.bin b/test/encap_out.bin
|
||||
new file mode 100644
|
||||
index 0000000000000..024fc40550f15
|
||||
--- /dev/null
|
||||
+++ b/test/encap_out.bin
|
||||
@@ -0,0 +1,4 @@
|
||||
+¼:÷Ùy‚Ä<E2809A>‰5°ã ÿÙ[Û2ê<¾ê?«î±qÕª1·µŒ¸ºæÝ>YÎM寬3PÝ
|
||||
+ìÛO’2rÈÙŠíùAd"Gç„m‡2mÏÄ7x•Ñhú7-ÿ@:?NµÇrSê‹œKÁ¡žè`«t¥ÉŸªÓxié头' Mhøñ‘˜3r<><1F>ÞÚƒ–Sd¦ðO±£ãHT„F§þ
|
||||
+®‹kZ'xšFÛKùx”q"ÐÒúl@04E‰†ÌûŽ;c¾iA}U÷ÆŒP6ýk0–‰ó%DôòLÄ.U– aO¨(L<>Iý®QÇç¢ÏA
|
||||
+Œ[´uÔžØ4s$¨†Ò%tÕB
|
||||
\ No newline at end of file
|
||||
diff --git a/test/encap_secret.bin b/test/encap_secret.bin
|
||||
new file mode 100644
|
||||
index 0000000000000..b94441ed1c002
|
||||
--- /dev/null
|
||||
+++ b/test/encap_secret.bin
|
||||
@@ -0,0 +1,3 @@
|
||||
+6žW«¡ŠòÌn‘©ú;’ù<1B>¡ÃÄmç Ä¥ÉB[HãÕË#äÓ‡(™‡hŽ]:\³PŸ›xñe¡ƒŽbòé)G¿fõÈ"¨ýËfË ÊýJÝ)ïþÜ<02>ì{ªHm‚\Pú<C383>+¸PÞ¸%èÄ/jÏ™%ç؆È<_æ~–
|
||||
+K—JEhßù‡©lEa¼:¢(Ÿå/\Ñ®Íb<C38D>€Ã®©Ê×È-g,AYœ‹4<E280B9>
|
||||
+l<>ÚtÚN)~\<5C>HU4y០}qJŸ€”t#<0C>¦}.™üTÅý”?ÚØÏŠÐÿcD=üLõ¨nmv<6D>{—éÅ¿Ô‹È£®
|
||||
\ No newline at end of file
|
||||
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
|
||||
index 76e4f0a869459..e9472a21352e2 100644
|
||||
--- a/test/recipes/20-test_pkeyutl.t
|
||||
+++ b/test/recipes/20-test_pkeyutl.t
|
||||
@@ -13,11 +13,11 @@ use File::Spec;
|
||||
use File::Basename;
|
||||
use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
|
||||
use OpenSSL::Test::Utils;
|
||||
-use File::Compare qw/compare_text/;
|
||||
+use File::Compare qw/compare_text compare/;
|
||||
|
||||
setup("test_pkeyutl");
|
||||
|
||||
-plan tests => 14;
|
||||
+plan tests => 19;
|
||||
|
||||
# For the tests below we use the cert itself as the TBS file
|
||||
|
||||
@@ -200,3 +200,33 @@ SKIP: {
|
||||
"-rawin");
|
||||
};
|
||||
}
|
||||
+
|
||||
+#Encap/decap tests
|
||||
+# openssl pkeyutl -encap -pubin -inkey rsa_pub.pem -secret secret.bin -out encap_out.bin
|
||||
+# openssl pkeyutl -decap -inkey rsa_priv.pem -in encap_out.bin -out decap_out.bin
|
||||
+# decap_out is equal to secret
|
||||
+SKIP: {
|
||||
+ skip "RSA is not supported by this OpenSSL build", 3
|
||||
+ if disabled("rsa");
|
||||
+
|
||||
+ # Self-compat
|
||||
+ ok(run(app(([ 'openssl', 'pkeyutl', '-encap', '-pubin', '-kemop', 'RSASVE',
|
||||
+ '-inkey', srctop_file('test', 'testrsa2048pub.pem'),
|
||||
+ '-out', 'encap_out.bin', '-secret', 'secret.bin']))),
|
||||
+ "RSA pubkey encapsulation");
|
||||
+ ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE',
|
||||
+ '-inkey', srctop_file('test', 'testrsa2048.pem'),
|
||||
+ '-in', 'encap_out.bin', '-out', 'decap_out.bin']))),
|
||||
+ "RSA pubkey decapsulation");
|
||||
+ is(compare("secret.bin", "decap_out.bin"), 0, "Secret is correctly decapsulated");
|
||||
+
|
||||
+ # Pregenerated
|
||||
+ ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE',
|
||||
+ '-inkey', srctop_file('test', 'testrsa2048.pem'),
|
||||
+ '-in', srctop_file('test', 'encap_out.bin'), '-out', 'decap_out_etl.bin']))),
|
||||
+ "RSA pubkey decapsulation - pregenerated");
|
||||
+
|
||||
+ is(compare(srctop_file('test', 'encap_secret.bin'), "decap_out_etl.bin"), 0,
|
||||
+ "Secret is correctly decapsulated - pregenerated");
|
||||
+}
|
||||
+
|
201
0127-speedup-SSL_add_cert_subjects_to_stack.patch
Normal file
201
0127-speedup-SSL_add_cert_subjects_to_stack.patch
Normal file
@ -0,0 +1,201 @@
|
||||
From e2e469593a15681983d16e36d856bf8fb7de8589 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Wed, 31 Jul 2024 12:45:11 +0200
|
||||
Subject: [PATCH] Speed up SSL_add_{file,dir}_cert_subjects_to_stack
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The X509_NAME comparison function converts its arguments to DER using
|
||||
i2d_X509_NAME before comparing the results using memcmp(). For every
|
||||
invocation of the comparison function (of which there are many when
|
||||
loading many certificates), it allocates two buffers of the appropriate
|
||||
size for the DER encoding.
|
||||
|
||||
Switching to static buffers (possibly of X509_NAME_MAX size as defined
|
||||
in crypto/x509/x_name.c) would not work with multithreaded use, e.g.,
|
||||
when two threads sort two separate STACK_OF(X509_NAME)s at the same
|
||||
time. A suitable re-usable buffer could have been added to the
|
||||
STACK_OF(X509_NAME) if sk_X509_NAME_compfunc did have a void* argument,
|
||||
or a pointer to the STACK_OF(X509_NAME) – but it does not.
|
||||
|
||||
Instead, copy the solution chosen in SSL_load_client_CA_file() by
|
||||
filling an LHASH_OF(X509_NAME) with all existing names in the stack and
|
||||
using that to deduplicate, rather than relying on sk_X509_NAME_find(),
|
||||
which ends up being very slow.
|
||||
|
||||
Adjust SSL_add_dir_cert_subjects_to_stack() to keep a local
|
||||
LHASH_OF(X509_NAME)s over the complete directory it is processing.
|
||||
|
||||
In a small benchmark that calls SSL_add_dir_cert_subjects_to_stack()
|
||||
twice, once on a directory with one entry, and once with a directory
|
||||
with 1000 certificates, and repeats this in a loop 10 times, this change
|
||||
yields a speed-up of 5.32:
|
||||
|
||||
| Benchmark 1: ./bench 10 dir-1 dir-1000
|
||||
| Time (mean ± σ): 6.685 s ± 0.017 s [User: 6.402 s, System: 0.231 s]
|
||||
| Range (min … max): 6.658 s … 6.711 s 10 runs
|
||||
|
|
||||
| Benchmark 2: LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000
|
||||
| Time (mean ± σ): 1.256 s ± 0.013 s [User: 1.034 s, System: 0.212 s]
|
||||
| Range (min … max): 1.244 s … 1.286 s 10 runs
|
||||
|
|
||||
| Summary
|
||||
| LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000 ran
|
||||
| 5.32 ± 0.06 times faster than ./bench 10 dir-1 dir-1000
|
||||
|
||||
In the worst case scenario where many entries are added to a stack that
|
||||
is then repeatedly used to add more certificates, and with a larger test
|
||||
size, the speedup is still very significant. With 15000 certificates,
|
||||
a single pass to load them, followed by attempting to load a subset of
|
||||
1000 of these 15000 certificates, followed by a single certificate, the
|
||||
new approach is ~85 times faster:
|
||||
|
||||
| Benchmark 1: ./bench 1 dir-15000 dir-1000 dir-1
|
||||
| Time (mean ± σ): 176.295 s ± 4.147 s [User: 174.593 s, System: 0.448 s]
|
||||
| Range (min … max): 173.774 s … 185.594 s 10 runs
|
||||
|
|
||||
| Benchmark 2: LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1
|
||||
| Time (mean ± σ): 2.087 s ± 0.034 s [User: 1.679 s, System: 0.393 s]
|
||||
| Range (min … max): 2.057 s … 2.167 s 10 runs
|
||||
|
|
||||
| Summary
|
||||
| LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1 ran
|
||||
| 84.48 ± 2.42 times faster than ./bench 1 dir-15000 dir-1000 dir-1
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
ssl/ssl_cert.c | 74 ++++++++++++++++++++++++++++++++++++++++++++------
|
||||
1 file changed, 65 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
|
||||
index 0ff407bf55edc..5e5ffe39d0655 100644
|
||||
--- a/ssl/ssl_cert.c
|
||||
+++ b/ssl/ssl_cert.c
|
||||
@@ -813,16 +813,14 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
|
||||
return SSL_load_client_CA_file_ex(file, NULL, NULL);
|
||||
}
|
||||
|
||||
-int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
|
||||
- const char *file)
|
||||
+static int add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
|
||||
+ const char *file,
|
||||
+ LHASH_OF(X509_NAME) *name_hash)
|
||||
{
|
||||
BIO *in;
|
||||
X509 *x = NULL;
|
||||
X509_NAME *xn = NULL;
|
||||
int ret = 1;
|
||||
- int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b);
|
||||
-
|
||||
- oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp);
|
||||
|
||||
in = BIO_new(BIO_s_file());
|
||||
|
||||
@@ -842,12 +840,15 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
|
||||
xn = X509_NAME_dup(xn);
|
||||
if (xn == NULL)
|
||||
goto err;
|
||||
- if (sk_X509_NAME_find(stack, xn) >= 0) {
|
||||
+ if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) {
|
||||
/* Duplicate. */
|
||||
X509_NAME_free(xn);
|
||||
} else if (!sk_X509_NAME_push(stack, xn)) {
|
||||
X509_NAME_free(xn);
|
||||
goto err;
|
||||
+ } else {
|
||||
+ /* Successful insert, add to hash table */
|
||||
+ lh_X509_NAME_insert(name_hash, xn);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -859,7 +860,42 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
|
||||
done:
|
||||
BIO_free(in);
|
||||
X509_free(x);
|
||||
- (void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
|
||||
+ const char *file)
|
||||
+{
|
||||
+ X509_NAME *xn = NULL;
|
||||
+ int ret = 1;
|
||||
+ int idx = 0;
|
||||
+ int num = 0;
|
||||
+ LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
|
||||
+
|
||||
+ if (name_hash == NULL) {
|
||||
+ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Pre-populate the lhash with the existing entries of the stack, since
|
||||
+ * using the LHASH_OF is much faster for duplicate checking. That's because
|
||||
+ * xname_cmp converts the X509_NAMEs to DER involving a memory allocation
|
||||
+ * for every single invocation of the comparison function.
|
||||
+ */
|
||||
+ num = sk_X509_NAME_num(stack);
|
||||
+ for (idx = 0; idx < num; idx++) {
|
||||
+ xn = sk_X509_NAME_value(stack, idx);
|
||||
+ lh_X509_NAME_insert(name_hash, xn);
|
||||
+ }
|
||||
+
|
||||
+ ret = add_file_cert_subjects_to_stack(stack, file, name_hash);
|
||||
+ goto done;
|
||||
+
|
||||
+ err:
|
||||
+ ret = 0;
|
||||
+ done:
|
||||
+ lh_X509_NAME_free(name_hash);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -869,8 +905,27 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
|
||||
OPENSSL_DIR_CTX *d = NULL;
|
||||
const char *filename;
|
||||
int ret = 0;
|
||||
+ X509_NAME *xn = NULL;
|
||||
+ int idx = 0;
|
||||
+ int num = 0;
|
||||
+ LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
|
||||
+
|
||||
+ if (name_hash == NULL) {
|
||||
+ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
|
||||
- /* Note that a side effect is that the CAs will be sorted by name */
|
||||
+ /*
|
||||
+ * Pre-populate the lhash with the existing entries of the stack, since
|
||||
+ * using the LHASH_OF is much faster for duplicate checking. That's because
|
||||
+ * xname_cmp converts the X509_NAMEs to DER involving a memory allocation
|
||||
+ * for every single invocation of the comparison function.
|
||||
+ */
|
||||
+ num = sk_X509_NAME_num(stack);
|
||||
+ for (idx = 0; idx < num; idx++) {
|
||||
+ xn = sk_X509_NAME_value(stack, idx);
|
||||
+ lh_X509_NAME_insert(name_hash, xn);
|
||||
+ }
|
||||
|
||||
while ((filename = OPENSSL_DIR_read(&d, dir))) {
|
||||
char buf[1024];
|
||||
@@ -899,7 +954,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
|
||||
#endif
|
||||
if (r <= 0 || r >= (int)sizeof(buf))
|
||||
goto err;
|
||||
- if (!SSL_add_file_cert_subjects_to_stack(stack, buf))
|
||||
+ if (!add_file_cert_subjects_to_stack(stack, buf, name_hash))
|
||||
goto err;
|
||||
}
|
||||
|
||||
@@ -915,6 +970,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
|
||||
err:
|
||||
if (d)
|
||||
OPENSSL_DIR_end(&d);
|
||||
+ lh_X509_NAME_free(name_hash);
|
||||
|
||||
return ret;
|
||||
}
|
24
0128-SAST-findings.patch
Normal file
24
0128-SAST-findings.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff -up openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx openssl-3.2.2/crypto/rsa/rsa_oaep.c
|
||||
--- openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx 2024-08-14 14:22:48.733407808 +0200
|
||||
+++ openssl-3.2.2/crypto/rsa/rsa_oaep.c 2024-08-14 14:23:32.994483135 +0200
|
||||
@@ -233,7 +233,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
|
||||
|
||||
mdlen = EVP_MD_get_size(md);
|
||||
|
||||
- if (tlen <= 0 || flen <= 0)
|
||||
+ if (tlen <= 0 || flen <= 0 || mdlen <= 0)
|
||||
return -1;
|
||||
/*
|
||||
* |num| is the length of the modulus; |flen| is the length of the
|
||||
diff -up openssl-3.2.2/crypto/x509/pcy_tree.c.xxx openssl-3.2.2/crypto/x509/pcy_tree.c
|
||||
--- openssl-3.2.2/crypto/x509/pcy_tree.c.xxx 2024-08-14 14:14:13.144850097 +0200
|
||||
+++ openssl-3.2.2/crypto/x509/pcy_tree.c 2024-08-14 14:14:53.213826481 +0200
|
||||
@@ -110,6 +110,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
|
||||
*ptree = NULL;
|
||||
|
||||
+ if (n < 0)
|
||||
+ return X509_PCY_TREE_INTERNAL;
|
||||
/* Can't do anything with just a trust anchor */
|
||||
if (n == 0)
|
||||
return X509_PCY_TREE_EMPTY;
|
109
0129-Fix-SSL_select_next_proto.patch
Normal file
109
0129-Fix-SSL_select_next_proto.patch
Normal file
@ -0,0 +1,109 @@
|
||||
From 99fb785a5f85315b95288921a321a935ea29a51e Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 31 May 2024 11:14:33 +0100
|
||||
Subject: [PATCH 01/10] Fix SSL_select_next_proto
|
||||
|
||||
Ensure that the provided client list is non-NULL and starts with a valid
|
||||
entry. When called from the ALPN callback the client list should already
|
||||
have been validated by OpenSSL so this should not cause a problem. When
|
||||
called from the NPN callback the client list is locally configured and
|
||||
will not have already been validated. Therefore SSL_select_next_proto
|
||||
should not assume that it is correctly formatted.
|
||||
|
||||
We implement stricter checking of the client protocol list. We also do the
|
||||
same for the server list while we are about it.
|
||||
|
||||
CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
|
||||
1 file changed, 40 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index 016135fe18..cf52b317cf 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
|
||||
unsigned int server_len,
|
||||
const unsigned char *client, unsigned int client_len)
|
||||
{
|
||||
- unsigned int i, j;
|
||||
- const unsigned char *result;
|
||||
- int status = OPENSSL_NPN_UNSUPPORTED;
|
||||
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
|
||||
+
|
||||
+ if (!PACKET_buf_init(&cpkt, client, client_len)
|
||||
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
|
||||
+ || PACKET_remaining(&csubpkt) == 0) {
|
||||
+ *out = NULL;
|
||||
+ *outlen = 0;
|
||||
+ return OPENSSL_NPN_NO_OVERLAP;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Set the default opportunistic protocol. Will be overwritten if we find
|
||||
+ * a match.
|
||||
+ */
|
||||
+ *out = (unsigned char *)PACKET_data(&csubpkt);
|
||||
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
|
||||
|
||||
/*
|
||||
* For each protocol in server preference order, see if we support it.
|
||||
*/
|
||||
- for (i = 0; i < server_len;) {
|
||||
- for (j = 0; j < client_len;) {
|
||||
- if (server[i] == client[j] &&
|
||||
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
|
||||
- /* We found a match */
|
||||
- result = &server[i];
|
||||
- status = OPENSSL_NPN_NEGOTIATED;
|
||||
- goto found;
|
||||
+ if (PACKET_buf_init(&spkt, server, server_len)) {
|
||||
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
|
||||
+ if (PACKET_remaining(&ssubpkt) == 0)
|
||||
+ continue; /* Invalid - ignore it */
|
||||
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
|
||||
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
|
||||
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
|
||||
+ PACKET_remaining(&ssubpkt))) {
|
||||
+ /* We found a match */
|
||||
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
|
||||
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
|
||||
+ return OPENSSL_NPN_NEGOTIATED;
|
||||
+ }
|
||||
+ }
|
||||
+ /* Ignore spurious trailing bytes in the client list */
|
||||
+ } else {
|
||||
+ /* This should never happen */
|
||||
+ return OPENSSL_NPN_NO_OVERLAP;
|
||||
}
|
||||
- j += client[j];
|
||||
- j++;
|
||||
}
|
||||
- i += server[i];
|
||||
- i++;
|
||||
+ /* Ignore spurious trailing bytes in the server list */
|
||||
}
|
||||
|
||||
- /* There's no overlap between our protocols and the server's list. */
|
||||
- result = client;
|
||||
- status = OPENSSL_NPN_NO_OVERLAP;
|
||||
-
|
||||
- found:
|
||||
- *out = (unsigned char *)result + 1;
|
||||
- *outlen = result[0];
|
||||
- return status;
|
||||
+ /*
|
||||
+ * There's no overlap between our protocols and the server's list. We use
|
||||
+ * the default opportunistic protocol selected earlier
|
||||
+ */
|
||||
+ return OPENSSL_NPN_NO_OVERLAP;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
--
|
||||
2.46.0
|
||||
|
@ -0,0 +1,39 @@
|
||||
From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 31 May 2024 11:18:27 +0100
|
||||
Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
|
||||
processing NPN
|
||||
|
||||
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
|
||||
the selected_len is 0 we should fail. Previously this would fail with an
|
||||
internal_error alert because calling OPENSSL_malloc(selected_len) will
|
||||
return NULL when selected_len is 0. We make this error detection more
|
||||
explicit and return a handshake failure alert.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
ssl/statem/extensions_clnt.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
||||
index 381a6c9d7b..1ab3c13d57 100644
|
||||
--- a/ssl/statem/extensions_clnt.c
|
||||
+++ b/ssl/statem/extensions_clnt.c
|
||||
@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
||||
if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
|
||||
&selected, &selected_len,
|
||||
PACKET_data(pkt), PACKET_remaining(pkt),
|
||||
- sctx->ext.npn_select_cb_arg) !=
|
||||
- SSL_TLSEXT_ERR_OK) {
|
||||
+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
|
||||
+ || selected_len == 0) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.46.0
|
||||
|
34
0131-Use-correctly-formatted-ALPN-data-in-tserver.patch
Normal file
34
0131-Use-correctly-formatted-ALPN-data-in-tserver.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From 6cc511826f09e513b4ec066d9b95acaf4f86d991 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 31 May 2024 11:22:13 +0100
|
||||
Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
|
||||
|
||||
The QUIC test server was using incorrectly formatted ALPN data. With the
|
||||
previous implementation of SSL_select_next_proto this went unnoticed. With
|
||||
the new stricter implemenation it was failing.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
ssl/quic/quic_tserver.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
|
||||
index 86187d06ff..15694e723f 100644
|
||||
--- a/ssl/quic/quic_tserver.c
|
||||
+++ b/ssl/quic/quic_tserver.c
|
||||
@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
|
||||
|
||||
if (srv->args.alpn == NULL) {
|
||||
alpn = alpndeflt;
|
||||
- alpnlen = sizeof(alpn);
|
||||
+ alpnlen = sizeof(alpndeflt);
|
||||
} else {
|
||||
alpn = srv->args.alpn;
|
||||
alpnlen = srv->args.alpnlen;
|
||||
--
|
||||
2.46.0
|
||||
|
78
0132-Clarify-the-SSL_select_next_proto-documentation.patch
Normal file
78
0132-Clarify-the-SSL_select_next_proto-documentation.patch
Normal file
@ -0,0 +1,78 @@
|
||||
From 8e81c57adbbf703dfb63955f65599765fdacc741 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 31 May 2024 11:46:38 +0100
|
||||
Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
|
||||
|
||||
We clarify the input preconditions and the expected behaviour in the event
|
||||
of no overlap.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
|
||||
1 file changed, 18 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
||||
index 05fee2fbec..79e1a252f6 100644
|
||||
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
||||
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
||||
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
|
||||
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
|
||||
set the list of protocols available to be negotiated. The B<protos> must be in
|
||||
protocol-list format, described below. The length of B<protos> is specified in
|
||||
-B<protos_len>.
|
||||
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
|
||||
+protocols and no ALPN extension will be sent to the server.
|
||||
|
||||
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
|
||||
server to select which protocol to use for the incoming connection. When B<cb>
|
||||
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
|
||||
described below. The first item in the B<server>, B<server_len> list that
|
||||
matches an item in the B<client>, B<client_len> list is selected, and returned
|
||||
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
|
||||
-B<client>, so it should be copied immediately. If no match is found, the first
|
||||
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
|
||||
-function can also be used in the NPN callback.
|
||||
+B<client>, so it should be copied immediately. The client list must include at
|
||||
+least one valid (nonempty) protocol entry in the list.
|
||||
+
|
||||
+The SSL_select_next_proto() helper function can be useful from either the ALPN
|
||||
+callback or the NPN callback (described below). If no match is found, the first
|
||||
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
|
||||
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
|
||||
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
|
||||
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
|
||||
+SSL_select_next_proto().
|
||||
|
||||
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
|
||||
client needs to select a protocol from the server's provided list, and a
|
||||
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
|
||||
The length of the protocol name must be written into B<outlen>. The
|
||||
server's advertised protocols are provided in B<in> and B<inlen>. The
|
||||
callback can assume that B<in> is syntactically valid. The client must
|
||||
-select a protocol. It is fatal to the connection if this callback returns
|
||||
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
|
||||
-set via SSL_CTX_set_next_proto_select_cb().
|
||||
+select a protocol (although it may be an empty, zero length protocol). It is
|
||||
+fatal to the connection if this callback returns a value other than
|
||||
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
|
||||
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
|
||||
|
||||
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
|
||||
when a TLS server needs a list of supported protocols for Next Protocol
|
||||
@@ -154,7 +163,8 @@ A match was found and is returned in B<out>, B<outlen>.
|
||||
=item OPENSSL_NPN_NO_OVERLAP
|
||||
|
||||
No match was found. The first item in B<client>, B<client_len> is returned in
|
||||
-B<out>, B<outlen>.
|
||||
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
|
||||
+B<client> is invalid).
|
||||
|
||||
=back
|
||||
|
||||
--
|
||||
2.46.0
|
||||
|
172
0133-Add-a-test-for-SSL_select_next_proto.patch
Normal file
172
0133-Add-a-test-for-SSL_select_next_proto.patch
Normal file
@ -0,0 +1,172 @@
|
||||
From add5c52a25c549cec4a730cdf96e2252f0a1862d Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 31 May 2024 16:35:16 +0100
|
||||
Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 137 insertions(+)
|
||||
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index ce163322cd..15cb9060cb 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
|
||||
return testresult;
|
||||
}
|
||||
|
||||
+static struct next_proto_st {
|
||||
+ int serverlen;
|
||||
+ unsigned char server[40];
|
||||
+ int clientlen;
|
||||
+ unsigned char client[40];
|
||||
+ int expected_ret;
|
||||
+ size_t selectedlen;
|
||||
+ unsigned char selected[40];
|
||||
+} next_proto_tests[] = {
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
|
||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
|
||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
|
||||
+ OPENSSL_NPN_NEGOTIATED,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'b', 'c', 'd' },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 0, { 0 },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ -1, { 0 },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 0, { 0 },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 0, { 0 }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ -1, { 0 },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 0, { 0 }
|
||||
+ },
|
||||
+ {
|
||||
+ 3, { 3, 'a', 'b', 'c' },
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 3, { 'a', 'b', 'c' }
|
||||
+ },
|
||||
+ {
|
||||
+ 4, { 3, 'a', 'b', 'c' },
|
||||
+ 3, { 3, 'a', 'b', 'c' },
|
||||
+ OPENSSL_NPN_NO_OVERLAP,
|
||||
+ 0, { 0 }
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+static int test_select_next_proto(int idx)
|
||||
+{
|
||||
+ struct next_proto_st *np = &next_proto_tests[idx];
|
||||
+ int ret = 0;
|
||||
+ unsigned char *out, *client, *server;
|
||||
+ unsigned char outlen;
|
||||
+ unsigned int clientlen, serverlen;
|
||||
+
|
||||
+ if (np->clientlen == -1) {
|
||||
+ client = NULL;
|
||||
+ clientlen = 0;
|
||||
+ } else {
|
||||
+ client = np->client;
|
||||
+ clientlen = (unsigned int)np->clientlen;
|
||||
+ }
|
||||
+ if (np->serverlen == -1) {
|
||||
+ server = NULL;
|
||||
+ serverlen = 0;
|
||||
+ } else {
|
||||
+ server = np->server;
|
||||
+ serverlen = (unsigned int)np->serverlen;
|
||||
+ }
|
||||
+
|
||||
+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
|
||||
+ client, clientlen),
|
||||
+ np->expected_ret))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (np->selectedlen == 0) {
|
||||
+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
|
||||
+ goto err;
|
||||
+ } else {
|
||||
+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ ret = 1;
|
||||
+ err:
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
|
||||
|
||||
int setup_tests(void)
|
||||
@@ -12053,6 +12189,7 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(test_handshake_retry, 16);
|
||||
ADD_TEST(test_data_retry);
|
||||
ADD_ALL_TESTS(test_multi_resume, 5);
|
||||
+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
|
||||
return 1;
|
||||
|
||||
err:
|
||||
--
|
||||
2.46.0
|
||||
|
1169
0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
Normal file
1169
0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,39 @@
|
||||
From 53f5677f358c4a4f69830d944ea40e71950673b8 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 21 Jun 2024 10:41:55 +0100
|
||||
Subject: [PATCH 07/10] Correct return values for
|
||||
tls_construct_stoc_next_proto_neg
|
||||
|
||||
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
|
||||
rather than EXT_RETURN_SENT. This actually makes no difference at all to
|
||||
the current control flow since this return value is ignored in this case
|
||||
anyway. But lets make it correct anyway.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
ssl/statem/extensions_srvr.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
||||
index 800654450e..66ed7dacf2 100644
|
||||
--- a/ssl/statem/extensions_srvr.c
|
||||
+++ b/ssl/statem/extensions_srvr.c
|
||||
@@ -1501,9 +1501,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
|
||||
return EXT_RETURN_FAIL;
|
||||
}
|
||||
s->s3.npn_seen = 1;
|
||||
+ return EXT_RETURN_SENT;
|
||||
}
|
||||
|
||||
- return EXT_RETURN_SENT;
|
||||
+ return EXT_RETURN_NOT_SENT;
|
||||
}
|
||||
#endif
|
||||
|
||||
--
|
||||
2.46.0
|
||||
|
62
0136-Add-ALPN-validation-in-the-client.patch
Normal file
62
0136-Add-ALPN-validation-in-the-client.patch
Normal file
@ -0,0 +1,62 @@
|
||||
From 195e15421df113d7283aab2ccff8b8fb06df5465 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 21 Jun 2024 11:51:54 +0100
|
||||
Subject: [PATCH 08/10] Add ALPN validation in the client
|
||||
|
||||
The ALPN protocol selected by the server must be one that we originally
|
||||
advertised. We should verify that it is.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
|
||||
1 file changed, 24 insertions(+)
|
||||
|
||||
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
||||
index 1ab3c13d57..ff9c009ee5 100644
|
||||
--- a/ssl/statem/extensions_clnt.c
|
||||
+++ b/ssl/statem/extensions_clnt.c
|
||||
@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
||||
X509 *x, size_t chainidx)
|
||||
{
|
||||
size_t len;
|
||||
+ PACKET confpkt, protpkt;
|
||||
+ int valid = 0;
|
||||
|
||||
/* We must have requested it. */
|
||||
if (!s->s3.alpn_sent) {
|
||||
@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ /* It must be a protocol that we sent */
|
||||
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
|
||||
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
|
||||
+ if (PACKET_remaining(&protpkt) != len)
|
||||
+ continue;
|
||||
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
|
||||
+ /* Valid protocol found */
|
||||
+ valid = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!valid) {
|
||||
+ /* The protocol sent from the server does not match one we advertised */
|
||||
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
OPENSSL_free(s->s3.alpn_selected);
|
||||
s->s3.alpn_selected = OPENSSL_malloc(len);
|
||||
if (s->s3.alpn_selected == NULL) {
|
||||
--
|
||||
2.46.0
|
||||
|
267
0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
Normal file
267
0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
Normal file
@ -0,0 +1,267 @@
|
||||
From 7c95191434415d1c9b7fe9b130df13cce630b6b5 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 21 Jun 2024 10:09:41 +0100
|
||||
Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest
|
||||
|
||||
We already had some tests elsewhere - but this extends that testing with
|
||||
additional tests.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 229 insertions(+)
|
||||
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index 15cb9060cb..7a55a2b721 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
|
||||
+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
|
||||
+
|
||||
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
||||
+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
|
||||
+ unsigned int *outlen, void *arg)
|
||||
+{
|
||||
+ int *idx = (int *)arg;
|
||||
+
|
||||
+ switch (*idx) {
|
||||
+ default:
|
||||
+ case 0:
|
||||
+ *out = fooprot;
|
||||
+ *outlen = sizeof(fooprot);
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 1:
|
||||
+ *outlen = 0;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 2:
|
||||
+ return SSL_TLSEXT_ERR_NOACK;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
|
||||
+ const unsigned char *in, unsigned int inlen, void *arg)
|
||||
+{
|
||||
+ int *idx = (int *)arg;
|
||||
+
|
||||
+ switch (*idx) {
|
||||
+ case 0:
|
||||
+ case 1:
|
||||
+ *out = (unsigned char *)(fooprot + 1);
|
||||
+ *outlen = *fooprot;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 3:
|
||||
+ *out = (unsigned char *)(barprot + 1);
|
||||
+ *outlen = *barprot;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 4:
|
||||
+ *outlen = 0;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ default:
|
||||
+ case 2:
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Test the NPN callbacks
|
||||
+ * Test 0: advert = foo, select = foo
|
||||
+ * Test 1: advert = <empty>, select = foo
|
||||
+ * Test 2: no advert
|
||||
+ * Test 3: advert = foo, select = bar
|
||||
+ * Test 4: advert = foo, select = <empty> (should fail)
|
||||
+ */
|
||||
+static int test_npn(int idx)
|
||||
+{
|
||||
+ SSL_CTX *sctx = NULL, *cctx = NULL;
|
||||
+ SSL *serverssl = NULL, *clientssl = NULL;
|
||||
+ int testresult = 0;
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
+ TLS_client_method(), 0, TLS1_2_VERSION,
|
||||
+ &sctx, &cctx, cert, privkey)))
|
||||
+ goto end;
|
||||
+
|
||||
+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
|
||||
+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
|
||||
+ NULL)))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (idx == 4) {
|
||||
+ /* We don't allow empty selection of NPN, so this should fail */
|
||||
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+ } else {
|
||||
+ const unsigned char *prot;
|
||||
+ unsigned int protlen;
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+
|
||||
+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
|
||||
+ switch (idx) {
|
||||
+ case 0:
|
||||
+ case 1:
|
||||
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ case 2:
|
||||
+ if (!TEST_uint_eq(protlen, 0))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ case 3:
|
||||
+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ default:
|
||||
+ TEST_error("Should not get here");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ testresult = 1;
|
||||
+ end:
|
||||
+ SSL_free(serverssl);
|
||||
+ SSL_free(clientssl);
|
||||
+ SSL_CTX_free(sctx);
|
||||
+ SSL_CTX_free(cctx);
|
||||
+
|
||||
+ return testresult;
|
||||
+}
|
||||
+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
|
||||
+
|
||||
+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
|
||||
+ unsigned char *outlen, const unsigned char *in,
|
||||
+ unsigned int inlen, void *arg)
|
||||
+{
|
||||
+ int *idx = (int *)arg;
|
||||
+
|
||||
+ switch (*idx) {
|
||||
+ case 0:
|
||||
+ *out = (unsigned char *)(fooprot + 1);
|
||||
+ *outlen = *fooprot;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 2:
|
||||
+ *out = (unsigned char *)(barprot + 1);
|
||||
+ *outlen = *barprot;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ case 3:
|
||||
+ *outlen = 0;
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+
|
||||
+ default:
|
||||
+ case 1:
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Test the ALPN callbacks
|
||||
+ * Test 0: client = foo, select = foo
|
||||
+ * Test 1: client = <empty>, select = none
|
||||
+ * Test 2: client = foo, select = bar (should fail)
|
||||
+ * Test 3: client = foo, select = <empty> (should fail)
|
||||
+ */
|
||||
+static int test_alpn(int idx)
|
||||
+{
|
||||
+ SSL_CTX *sctx = NULL, *cctx = NULL;
|
||||
+ SSL *serverssl = NULL, *clientssl = NULL;
|
||||
+ int testresult = 0;
|
||||
+ const unsigned char *prots = fooprot;
|
||||
+ unsigned int protslen = sizeof(fooprot);
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
+ TLS_client_method(), 0, 0,
|
||||
+ &sctx, &cctx, cert, privkey)))
|
||||
+ goto end;
|
||||
+
|
||||
+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
|
||||
+ NULL)))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (idx == 1) {
|
||||
+ prots = NULL;
|
||||
+ protslen = 0;
|
||||
+ }
|
||||
+
|
||||
+ /* SSL_set_alpn_protos returns 0 for success! */
|
||||
+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (idx == 2 || idx == 3) {
|
||||
+ /* We don't allow empty selection of NPN, so this should fail */
|
||||
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+ } else {
|
||||
+ const unsigned char *prot;
|
||||
+ unsigned int protlen;
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+
|
||||
+ SSL_get0_alpn_selected(clientssl, &prot, &protlen);
|
||||
+ switch (idx) {
|
||||
+ case 0:
|
||||
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ case 1:
|
||||
+ if (!TEST_uint_eq(protlen, 0))
|
||||
+ goto end;
|
||||
+ break;
|
||||
+ default:
|
||||
+ TEST_error("Should not get here");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ testresult = 1;
|
||||
+ end:
|
||||
+ SSL_free(serverssl);
|
||||
+ SSL_free(clientssl);
|
||||
+ SSL_CTX_free(sctx);
|
||||
+ SSL_CTX_free(cctx);
|
||||
+
|
||||
+ return testresult;
|
||||
+}
|
||||
+
|
||||
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
|
||||
|
||||
int setup_tests(void)
|
||||
@@ -12190,6 +12415,10 @@ int setup_tests(void)
|
||||
ADD_TEST(test_data_retry);
|
||||
ADD_ALL_TESTS(test_multi_resume, 5);
|
||||
ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
|
||||
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
||||
+ ADD_ALL_TESTS(test_npn, 5);
|
||||
+#endif
|
||||
+ ADD_ALL_TESTS(test_alpn, 4);
|
||||
return 1;
|
||||
|
||||
err:
|
||||
--
|
||||
2.46.0
|
||||
|
199
0138-Add-a-test-for-an-empty-NextProto-message.patch
Normal file
199
0138-Add-a-test-for-an-empty-NextProto-message.patch
Normal file
@ -0,0 +1,199 @@
|
||||
From 301b870546d1c7b2d8f0d66e04a2596142f0399f Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 21 Jun 2024 14:29:26 +0100
|
||||
Subject: [PATCH 10/10] Add a test for an empty NextProto message
|
||||
|
||||
It is valid according to the spec for a NextProto message to have no
|
||||
protocols listed in it. The OpenSSL implementation however does not allow
|
||||
us to create such a message. In order to check that we work as expected
|
||||
when communicating with a client that does generate such messages we have
|
||||
to use a TLSProxy test.
|
||||
|
||||
Follow on from CVE-2024-5535
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||||
---
|
||||
test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++
|
||||
util/perl/TLSProxy/Message.pm | 9 ++++
|
||||
util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
|
||||
util/perl/TLSProxy/Proxy.pm | 1 +
|
||||
4 files changed, 137 insertions(+)
|
||||
create mode 100644 test/recipes/70-test_npn.t
|
||||
create mode 100644 util/perl/TLSProxy/NextProto.pm
|
||||
|
||||
diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
|
||||
new file mode 100644
|
||||
index 0000000000..f82e71af6a
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/70-test_npn.t
|
||||
@@ -0,0 +1,73 @@
|
||||
+#! /usr/bin/env perl
|
||||
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+#
|
||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+# this file except in compliance with the License. You can obtain a copy
|
||||
+# in the file LICENSE in the source distribution or at
|
||||
+# https://www.openssl.org/source/license.html
|
||||
+
|
||||
+use strict;
|
||||
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
|
||||
+use OpenSSL::Test::Utils;
|
||||
+
|
||||
+use TLSProxy::Proxy;
|
||||
+
|
||||
+my $test_name = "test_npn";
|
||||
+setup($test_name);
|
||||
+
|
||||
+plan skip_all => "TLSProxy isn't usable on $^O"
|
||||
+ if $^O =~ /^(VMS)$/;
|
||||
+
|
||||
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
|
||||
+ if disabled("engine") || disabled("dynamic-engine");
|
||||
+
|
||||
+plan skip_all => "$test_name needs the sock feature enabled"
|
||||
+ if disabled("sock");
|
||||
+
|
||||
+plan skip_all => "$test_name needs NPN enabled"
|
||||
+ if disabled("nextprotoneg");
|
||||
+
|
||||
+plan skip_all => "$test_name needs TLSv1.2 enabled"
|
||||
+ if disabled("tls1_2");
|
||||
+
|
||||
+my $proxy = TLSProxy::Proxy->new(
|
||||
+ undef,
|
||||
+ cmdstr(app(["openssl"]), display => 1),
|
||||
+ srctop_file("apps", "server.pem"),
|
||||
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
|
||||
+);
|
||||
+
|
||||
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
|
||||
+plan tests => 1;
|
||||
+
|
||||
+my $npnseen = 0;
|
||||
+
|
||||
+# Test 1: Check sending an empty NextProto message from the client works. This is
|
||||
+# valid as per the spec, but OpenSSL does not allow you to send it.
|
||||
+# Therefore we must be prepared to receive such a message but we cannot
|
||||
+# generate it except via TLSProxy
|
||||
+$proxy->clear();
|
||||
+$proxy->filter(\&npn_filter);
|
||||
+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
|
||||
+$proxy->serverflags("-nextprotoneg foo");
|
||||
+$proxy->start();
|
||||
+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
|
||||
+
|
||||
+sub npn_filter
|
||||
+{
|
||||
+ my $proxy = shift;
|
||||
+ my $message;
|
||||
+
|
||||
+ # The NextProto message always appears in flight 2
|
||||
+ return if $proxy->flight != 2;
|
||||
+
|
||||
+ foreach my $message (@{$proxy->message_list}) {
|
||||
+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
|
||||
+ # Our TLSproxy NextProto message support doesn't support parsing of
|
||||
+ # the message. If we repack it just creates an empty NextProto
|
||||
+ # message - which is exactly the scenario we want to test here.
|
||||
+ $message->repack();
|
||||
+ $npnseen = 1;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
|
||||
index ce22187569..fb41b2ffc8 100644
|
||||
--- a/util/perl/TLSProxy/Message.pm
|
||||
+++ b/util/perl/TLSProxy/Message.pm
|
||||
@@ -384,6 +384,15 @@ sub create_message
|
||||
[@message_frag_lens]
|
||||
);
|
||||
$message->parse();
|
||||
+ } elsif ($mt == MT_NEXT_PROTO) {
|
||||
+ $message = TLSProxy::NextProto->new(
|
||||
+ $server,
|
||||
+ $data,
|
||||
+ [@message_rec_list],
|
||||
+ $startoffset,
|
||||
+ [@message_frag_lens]
|
||||
+ );
|
||||
+ $message->parse();
|
||||
} else {
|
||||
#Unknown message type
|
||||
$message = TLSProxy::Message->new(
|
||||
diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
|
||||
new file mode 100644
|
||||
index 0000000000..0e18347546
|
||||
--- /dev/null
|
||||
+++ b/util/perl/TLSProxy/NextProto.pm
|
||||
@@ -0,0 +1,54 @@
|
||||
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+#
|
||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+# this file except in compliance with the License. You can obtain a copy
|
||||
+# in the file LICENSE in the source distribution or at
|
||||
+# https://www.openssl.org/source/license.html
|
||||
+
|
||||
+use strict;
|
||||
+
|
||||
+package TLSProxy::NextProto;
|
||||
+
|
||||
+use vars '@ISA';
|
||||
+push @ISA, 'TLSProxy::Message';
|
||||
+
|
||||
+sub new
|
||||
+{
|
||||
+ my $class = shift;
|
||||
+ my ($server,
|
||||
+ $data,
|
||||
+ $records,
|
||||
+ $startoffset,
|
||||
+ $message_frag_lens) = @_;
|
||||
+
|
||||
+ my $self = $class->SUPER::new(
|
||||
+ $server,
|
||||
+ TLSProxy::Message::MT_NEXT_PROTO,
|
||||
+ $data,
|
||||
+ $records,
|
||||
+ $startoffset,
|
||||
+ $message_frag_lens);
|
||||
+
|
||||
+ return $self;
|
||||
+}
|
||||
+
|
||||
+sub parse
|
||||
+{
|
||||
+ # We don't support parsing at the moment
|
||||
+}
|
||||
+
|
||||
+# This is supposed to reconstruct the on-the-wire message data following changes.
|
||||
+# For now though since we don't support parsing we just create an empty NextProto
|
||||
+# message - this capability is used in test_npn
|
||||
+sub set_message_contents
|
||||
+{
|
||||
+ my $self = shift;
|
||||
+ my $data;
|
||||
+
|
||||
+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x00, 0x00, 0x00);
|
||||
+ $self->data($data);
|
||||
+}
|
||||
+1;
|
||||
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
|
||||
index 3de10eccb9..b707722b6b 100644
|
||||
--- a/util/perl/TLSProxy/Proxy.pm
|
||||
+++ b/util/perl/TLSProxy/Proxy.pm
|
||||
@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
|
||||
use TLSProxy::CertificateVerify;
|
||||
use TLSProxy::ServerKeyExchange;
|
||||
use TLSProxy::NewSessionTicket;
|
||||
+use TLSProxy::NextProto;
|
||||
|
||||
my $have_IPv6;
|
||||
my $IP_factory;
|
||||
--
|
||||
2.46.0
|
||||
|
233
0139-CVE-2024-6119.patch
Normal file
233
0139-CVE-2024-6119.patch
Normal file
@ -0,0 +1,233 @@
|
||||
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
|
||||
index 1a18174995..a09414c972 100644
|
||||
--- a/crypto/x509/v3_utl.c
|
||||
+++ b/crypto/x509/v3_utl.c
|
||||
@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
|
||||
ASN1_STRING *cstr;
|
||||
|
||||
gen = sk_GENERAL_NAME_value(gens, i);
|
||||
- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
|
||||
- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
|
||||
- NID_id_on_SmtpUTF8Mailbox) {
|
||||
- san_present = 1;
|
||||
-
|
||||
- /*
|
||||
- * If it is not a UTF8String then that is unexpected and we
|
||||
- * treat it as no match
|
||||
- */
|
||||
- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
|
||||
- cstr = gen->d.otherName->value->value.utf8string;
|
||||
-
|
||||
- /* Positive on success, negative on error! */
|
||||
- if ((rv = do_check_string(cstr, 0, equal, flags,
|
||||
- chk, chklen, peername)) != 0)
|
||||
- break;
|
||||
- }
|
||||
- } else
|
||||
+ switch (gen->type) {
|
||||
+ default:
|
||||
+ continue;
|
||||
+ case GEN_OTHERNAME:
|
||||
+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
|
||||
+ default:
|
||||
continue;
|
||||
- } else {
|
||||
- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
|
||||
+ case NID_id_on_SmtpUTF8Mailbox:
|
||||
+ /*-
|
||||
+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
|
||||
+ *
|
||||
+ * Due to name constraint compatibility reasons described
|
||||
+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
|
||||
+ * be used unless the local-part of the email address
|
||||
+ * contains non-ASCII characters. When the local-part is
|
||||
+ * ASCII, rfc822Name subjectAltName MUST be used instead
|
||||
+ * of SmtpUTF8Mailbox. This is compatible with legacy
|
||||
+ * software that supports only rfc822Name (and not
|
||||
+ * SmtpUTF8Mailbox). [...]
|
||||
+ *
|
||||
+ * SmtpUTF8Mailbox is encoded as UTF8String.
|
||||
+ *
|
||||
+ * If it is not a UTF8String then that is unexpected, and
|
||||
+ * we ignore the invalid SAN (neither set san_present nor
|
||||
+ * consider it a candidate for equality). This does mean
|
||||
+ * that the subject CN may be considered, as would be the
|
||||
+ * case when the malformed SmtpUtf8Mailbox SAN is instead
|
||||
+ * simply absent.
|
||||
+ *
|
||||
+ * When CN-ID matching is not desirable, applications can
|
||||
+ * choose to turn it off, doing so is at this time a best
|
||||
+ * practice.
|
||||
+ */
|
||||
+ if (check_type != GEN_EMAIL
|
||||
+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
|
||||
+ continue;
|
||||
+ alt_type = 0;
|
||||
+ cstr = gen->d.otherName->value->value.utf8string;
|
||||
+ break;
|
||||
+ }
|
||||
+ break;
|
||||
+ case GEN_EMAIL:
|
||||
+ if (check_type != GEN_EMAIL)
|
||||
continue;
|
||||
- }
|
||||
- san_present = 1;
|
||||
- if (check_type == GEN_EMAIL)
|
||||
cstr = gen->d.rfc822Name;
|
||||
- else if (check_type == GEN_DNS)
|
||||
+ break;
|
||||
+ case GEN_DNS:
|
||||
+ if (check_type != GEN_DNS)
|
||||
+ continue;
|
||||
cstr = gen->d.dNSName;
|
||||
- else
|
||||
+ break;
|
||||
+ case GEN_IPADD:
|
||||
+ if (check_type != GEN_IPADD)
|
||||
+ continue;
|
||||
cstr = gen->d.iPAddress;
|
||||
+ break;
|
||||
+ }
|
||||
+ san_present = 1;
|
||||
/* Positive on success, negative on error! */
|
||||
if ((rv = do_check_string(cstr, alt_type, equal, flags,
|
||||
chk, chklen, peername)) != 0)
|
||||
diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
|
||||
index 522982ddfb..e18735d89a 100644
|
||||
--- a/test/recipes/25-test_eai_data.t
|
||||
+++ b/test/recipes/25-test_eai_data.t
|
||||
@@ -21,16 +21,18 @@ setup("test_eai_data");
|
||||
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
|
||||
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
|
||||
|
||||
-plan tests => 12;
|
||||
+plan tests => 16;
|
||||
|
||||
require_ok(srctop_file('test','recipes','tconversion.pl'));
|
||||
my $folder = "test/recipes/25-test_eai_data";
|
||||
|
||||
my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
|
||||
my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
|
||||
+my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
|
||||
|
||||
my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
|
||||
my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
|
||||
+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
|
||||
|
||||
my $out;
|
||||
my $outcnt = 0;
|
||||
@@ -56,10 +58,18 @@ SKIP: {
|
||||
|
||||
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
|
||||
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
|
||||
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
|
||||
|
||||
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
|
||||
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
|
||||
|
||||
+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
|
||||
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
|
||||
+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
|
||||
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
|
||||
+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
|
||||
+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
|
||||
+
|
||||
#Check that we get the expected failure return code
|
||||
with({ exit_checker => sub { return shift == 2; } },
|
||||
sub {
|
||||
diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
|
||||
new file mode 100644
|
||||
index 0000000000..e8a2c6f55d
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
|
||||
@@ -0,0 +1,21 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
|
||||
+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
|
||||
+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
|
||||
+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
|
||||
+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
|
||||
+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
|
||||
+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
|
||||
+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
|
||||
+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
|
||||
+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
|
||||
+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
|
||||
+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
|
||||
+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
|
||||
+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
|
||||
+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
|
||||
+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
|
||||
+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
|
||||
+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
|
||||
+oDQ9fKfUOAmUFth2/R/eGA==
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
|
||||
new file mode 100644
|
||||
index 0000000000..a74c96bf31
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
|
||||
@@ -0,0 +1,16 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
|
||||
+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
|
||||
+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
|
||||
+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
|
||||
+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
|
||||
+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
|
||||
+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
|
||||
+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
|
||||
+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
|
||||
+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
|
||||
+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
|
||||
+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
|
||||
+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
|
||||
+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
|
||||
new file mode 100755
|
||||
index 0000000000..7a8dbc719f
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/25-test_eai_data/kdc.sh
|
||||
@@ -0,0 +1,41 @@
|
||||
+#! /usr/bin/env bash
|
||||
+
|
||||
+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
|
||||
+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
|
||||
+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
|
||||
+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
|
||||
+# should likewise lead to ASAN issues with email name checks.
|
||||
+
|
||||
+rm -f root-key.pem root-cert.pem
|
||||
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
|
||||
+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
|
||||
+
|
||||
+exts=$(
|
||||
+ printf "%s\n%s\n%s\n%s = " \
|
||||
+ "subjectKeyIdentifier = hash" \
|
||||
+ "authorityKeyIdentifier = keyid" \
|
||||
+ "basicConstraints = CA:false" \
|
||||
+ "subjectAltName"
|
||||
+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
|
||||
+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
|
||||
+ printf "%s, " "email:joe@example.com"
|
||||
+ printf "%s\n" "DNS:mx1.example.com"
|
||||
+ printf "[kdc_princ_name]\n"
|
||||
+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
|
||||
+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
|
||||
+ printf "[kdc_principal_seq]\n"
|
||||
+ printf "name_type = EXP:0, INTEGER:1\n"
|
||||
+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
|
||||
+ printf "[kdc_principal_components]\n"
|
||||
+ printf "princ1 = GeneralString:krbtgt\n"
|
||||
+ printf "princ2 = GeneralString:TEST.EXAMPLE\n"
|
||||
+ )
|
||||
+
|
||||
+printf "%s\n" "$exts"
|
||||
+
|
||||
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
|
||||
+ -subj "/CN=TEST.EXAMPLE" |
|
||||
+ openssl x509 -req -out kdc-cert.pem \
|
||||
+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
|
||||
+ -set_serial 2 -days 36524 \
|
||||
+ -extfile <(printf "%s\n" "$exts")
|
@ -1,582 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include "ec_local.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include "internal/nelem.h"
|
||||
|
||||
typedef struct {
|
||||
int field_type, /* either NID_X9_62_prime_field or
|
||||
* NID_X9_62_characteristic_two_field */
|
||||
seed_len, param_len;
|
||||
unsigned int cofactor; /* promoted to BN_ULONG */
|
||||
} EC_CURVE_DATA;
|
||||
|
||||
/* the nist prime curves */
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 28 * 6];
|
||||
} _EC_NIST_PRIME_224 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 28, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F,
|
||||
0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x01,
|
||||
/* a */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE,
|
||||
/* b */
|
||||
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
|
||||
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
|
||||
0x23, 0x55, 0xFF, 0xB4,
|
||||
/* x */
|
||||
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
|
||||
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
|
||||
0x11, 0x5C, 0x1D, 0x21,
|
||||
/* y */
|
||||
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
|
||||
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
|
||||
0x85, 0x00, 0x7e, 0x34,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
|
||||
0x5C, 0x5C, 0x2A, 0x3D
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 48 * 6];
|
||||
} _EC_NIST_PRIME_384 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 48, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
|
||||
0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
/* a */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||
/* b */
|
||||
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
|
||||
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
|
||||
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
|
||||
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
|
||||
/* x */
|
||||
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
|
||||
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
|
||||
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
|
||||
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
|
||||
/* y */
|
||||
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
|
||||
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
||||
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
|
||||
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
|
||||
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 66 * 6];
|
||||
} _EC_NIST_PRIME_521 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 66, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
|
||||
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
|
||||
/* p */
|
||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
/* a */
|
||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||
/* b */
|
||||
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
|
||||
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
|
||||
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
|
||||
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
|
||||
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
|
||||
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
|
||||
/* x */
|
||||
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
|
||||
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
|
||||
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
|
||||
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
|
||||
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
|
||||
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
|
||||
/* y */
|
||||
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
|
||||
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
||||
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
|
||||
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
||||
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
|
||||
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
|
||||
/* order */
|
||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
|
||||
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
|
||||
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
|
||||
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 32 * 6];
|
||||
} _EC_X9_62_PRIME_256V1 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 32, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
|
||||
0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
/* a */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||
/* b */
|
||||
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
|
||||
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
|
||||
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
|
||||
/* x */
|
||||
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
|
||||
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
|
||||
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
|
||||
/* y */
|
||||
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
|
||||
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
||||
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
|
||||
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[0 + 32 * 6];
|
||||
} _EC_SECG_PRIME_256K1 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 0, 32, 1
|
||||
},
|
||||
{
|
||||
/* no seed */
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
|
||||
/* a */
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
/* b */
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
|
||||
/* x */
|
||||
0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
|
||||
0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
|
||||
0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
|
||||
/* y */
|
||||
0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
|
||||
0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
|
||||
0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
|
||||
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
|
||||
}
|
||||
};
|
||||
|
||||
typedef struct _ec_list_element_st {
|
||||
int nid;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_METHOD *(*meth) (void);
|
||||
const char *comment;
|
||||
} ec_list_element;
|
||||
|
||||
static const ec_list_element curve_list[] = {
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#else
|
||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#endif
|
||||
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
"SECG curve over a 256 bit prime field"},
|
||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||
{NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
|
||||
"NIST/SECG curve over a 384 bit prime field"},
|
||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
#else
|
||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
#endif
|
||||
/* X9.62 curves */
|
||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
#if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp256_method,
|
||||
#else
|
||||
0,
|
||||
#endif
|
||||
"X9.62/SECG curve over a 256 bit prime field"},
|
||||
};
|
||||
|
||||
#define curve_list_length OSSL_NELEM(curve_list)
|
||||
|
||||
static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
|
||||
{
|
||||
EC_GROUP *group = NULL;
|
||||
EC_POINT *P = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
|
||||
NULL;
|
||||
int ok = 0;
|
||||
int seed_len, param_len;
|
||||
const EC_METHOD *meth;
|
||||
const EC_CURVE_DATA *data;
|
||||
const unsigned char *params;
|
||||
|
||||
/* If no curve data curve method must handle everything */
|
||||
if (curve.data == NULL)
|
||||
return EC_GROUP_new(curve.meth != NULL ? curve.meth() : NULL);
|
||||
|
||||
if ((ctx = BN_CTX_new()) == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
data = curve.data;
|
||||
seed_len = data->seed_len;
|
||||
param_len = data->param_len;
|
||||
params = (const unsigned char *)(data + 1); /* skip header */
|
||||
params += seed_len; /* skip seed */
|
||||
|
||||
if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL
|
||||
|| (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL
|
||||
|| (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (curve.meth != 0) {
|
||||
meth = curve.meth();
|
||||
if (((group = EC_GROUP_new(meth)) == NULL) ||
|
||||
(!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
} else if (data->field_type == NID_X9_62_prime_field) {
|
||||
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
#ifndef OPENSSL_NO_EC2M
|
||||
else { /* field_type ==
|
||||
* NID_X9_62_characteristic_two_field */
|
||||
|
||||
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
EC_GROUP_set_curve_name(group, curve.nid);
|
||||
|
||||
if ((P = EC_POINT_new(group)) == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL
|
||||
|| (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL
|
||||
|| !BN_set_word(x, (BN_ULONG)data->cofactor)) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!EC_GROUP_set_generator(group, P, order, x)) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (seed_len) {
|
||||
if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
ok = 1;
|
||||
err:
|
||||
if (!ok) {
|
||||
EC_GROUP_free(group);
|
||||
group = NULL;
|
||||
}
|
||||
EC_POINT_free(P);
|
||||
BN_CTX_free(ctx);
|
||||
BN_free(p);
|
||||
BN_free(a);
|
||||
BN_free(b);
|
||||
BN_free(order);
|
||||
BN_free(x);
|
||||
BN_free(y);
|
||||
return group;
|
||||
}
|
||||
|
||||
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
||||
{
|
||||
size_t i;
|
||||
EC_GROUP *ret = NULL;
|
||||
|
||||
if (nid <= 0)
|
||||
return NULL;
|
||||
|
||||
for (i = 0; i < curve_list_length; i++)
|
||||
if (curve_list[i].nid == nid) {
|
||||
ret = ec_group_new_from_data(curve_list[i]);
|
||||
break;
|
||||
}
|
||||
|
||||
if (ret == NULL) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||
{
|
||||
size_t i, min;
|
||||
|
||||
if (r == NULL || nitems == 0)
|
||||
return curve_list_length;
|
||||
|
||||
min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||
|
||||
for (i = 0; i < min; i++) {
|
||||
r[i].nid = curve_list[i].nid;
|
||||
r[i].comment = curve_list[i].comment;
|
||||
}
|
||||
|
||||
return curve_list_length;
|
||||
}
|
||||
|
||||
/* Functions to translate between common NIST curve names and NIDs */
|
||||
|
||||
typedef struct {
|
||||
const char *name; /* NIST Name of curve */
|
||||
int nid; /* Curve NID */
|
||||
} EC_NIST_NAME;
|
||||
|
||||
static EC_NIST_NAME nist_curves[] = {
|
||||
{"B-163", NID_sect163r2},
|
||||
{"B-233", NID_sect233r1},
|
||||
{"B-283", NID_sect283r1},
|
||||
{"B-409", NID_sect409r1},
|
||||
{"B-571", NID_sect571r1},
|
||||
{"K-163", NID_sect163k1},
|
||||
{"K-233", NID_sect233k1},
|
||||
{"K-283", NID_sect283k1},
|
||||
{"K-409", NID_sect409k1},
|
||||
{"K-571", NID_sect571k1},
|
||||
{"P-192", NID_X9_62_prime192v1},
|
||||
{"P-224", NID_secp224r1},
|
||||
{"P-256", NID_X9_62_prime256v1},
|
||||
{"P-384", NID_secp384r1},
|
||||
{"P-521", NID_secp521r1}
|
||||
};
|
||||
|
||||
const char *EC_curve_nid2nist(int nid)
|
||||
{
|
||||
size_t i;
|
||||
for (i = 0; i < OSSL_NELEM(nist_curves); i++) {
|
||||
if (nist_curves[i].nid == nid)
|
||||
return nist_curves[i].name;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int EC_curve_nist2nid(const char *name)
|
||||
{
|
||||
size_t i;
|
||||
for (i = 0; i < OSSL_NELEM(nist_curves); i++) {
|
||||
if (strcmp(nist_curves[i].name, name) == 0)
|
||||
return nist_curves[i].nid;
|
||||
}
|
||||
return NID_undef;
|
||||
}
|
||||
|
||||
#define NUM_BN_FIELDS 6
|
||||
/*
|
||||
* Validates EC domain parameter data for known named curves.
|
||||
* This can be used when a curve is loaded explicitly (without a curve
|
||||
* name) or to validate that domain parameters have not been modified.
|
||||
*
|
||||
* Returns: The nid associated with the found named curve, or NID_undef
|
||||
* if not found. If there was an error it returns -1.
|
||||
*/
|
||||
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
||||
{
|
||||
int ret = -1, nid, len, field_type, param_len;
|
||||
size_t i, seed_len;
|
||||
const unsigned char *seed, *params_seed, *params;
|
||||
unsigned char *param_bytes = NULL;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_POINT *generator = NULL;
|
||||
const EC_METHOD *meth;
|
||||
const BIGNUM *cofactor = NULL;
|
||||
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
||||
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
||||
|
||||
meth = EC_GROUP_method_of(group);
|
||||
if (meth == NULL)
|
||||
return -1;
|
||||
/* Use the optional named curve nid as a search field */
|
||||
nid = EC_GROUP_get_curve_name(group);
|
||||
field_type = EC_METHOD_get_field_type(meth);
|
||||
seed_len = EC_GROUP_get_seed_len(group);
|
||||
seed = EC_GROUP_get0_seed(group);
|
||||
cofactor = EC_GROUP_get0_cofactor(group);
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
/*
|
||||
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
||||
* all zero-padded to be the same size. The size of the padding is
|
||||
* determined by either the number of bytes in the field modulus (p) or the
|
||||
* EC group order, whichever is larger.
|
||||
*/
|
||||
param_len = BN_num_bytes(group->order);
|
||||
len = BN_num_bytes(group->field);
|
||||
if (len > param_len)
|
||||
param_len = len;
|
||||
|
||||
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
||||
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
||||
if (param_bytes == NULL)
|
||||
goto end;
|
||||
|
||||
/* Create the bignums */
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* Fill in the bn array with the same values as the internal curves
|
||||
* i.e. the values are p, a, b, x, y, order.
|
||||
*/
|
||||
/* Get p, a & b */
|
||||
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
||||
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
||||
/* Get x & y */
|
||||
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
||||
/* Get order */
|
||||
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
||||
goto end;
|
||||
|
||||
/*
|
||||
* Convert the bignum array to bytes that are joined together to form
|
||||
* a single buffer that contains data for all fields.
|
||||
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
||||
*/
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
||||
goto end;
|
||||
}
|
||||
|
||||
for (i = 0; i < curve_list_length; i++) {
|
||||
const ec_list_element curve = curve_list[i];
|
||||
|
||||
data = curve.data;
|
||||
/* Get the raw order byte data */
|
||||
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
||||
params = params_seed + data->seed_len;
|
||||
|
||||
/* Look for unique fields in the fixed curve data */
|
||||
if (data->field_type == field_type
|
||||
&& param_len == data->param_len
|
||||
&& (nid <= 0 || nid == curve.nid)
|
||||
/* check the optional cofactor (ignore if its zero) */
|
||||
&& (BN_is_zero(cofactor)
|
||||
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
||||
/* Check the optional seed (ignore if its not set) */
|
||||
&& (data->seed_len == 0 || seed_len == 0
|
||||
|| ((size_t)data->seed_len == seed_len
|
||||
&& memcmp(params_seed, seed, seed_len) == 0))
|
||||
/* Check that the groups params match the built-in curve params */
|
||||
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
||||
== 0) {
|
||||
ret = curve.nid;
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
/* Gets here if the group was not found */
|
||||
ret = NID_undef;
|
||||
end:
|
||||
OPENSSL_free(param_bytes);
|
||||
BN_CTX_end(ctx);
|
||||
return ret;
|
||||
}
|
1546
SOURCES/ectest.c
1546
SOURCES/ectest.c
File diff suppressed because it is too large
Load Diff
@ -1,40 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Quit out if anything fails.
|
||||
set -e
|
||||
|
||||
# Clean out patent-or-otherwise-encumbered code.
|
||||
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
|
||||
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
|
||||
# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
|
||||
# EC: ????????? ??/??/2020
|
||||
# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore
|
||||
|
||||
# Remove assembler portions of IDEA, MDC2, and RC5.
|
||||
# (find crypto/rc5/asm -type f | xargs -r rm -fv)
|
||||
|
||||
for c in `find crypto/bn -name "*gf2m.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for c in `find test -name "ectest.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for h in `find crypto ssl apps test -name "*.h"` ; do
|
||||
echo Removing EC2M references from $h
|
||||
cat $h | \
|
||||
awk 'BEGIN {ech=1;} \
|
||||
/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
|
||||
/^#[ \t]*if/ {if(ech < 1) ech--;} \
|
||||
{if(ech>0) {;print $0};} \
|
||||
/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
|
||||
mv $h.hobbled $h
|
||||
done
|
@ -1,31 +0,0 @@
|
||||
From a3f4cd5019b60649f6eb216ebe99caa43cd96f8e Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Mon, 26 Apr 2021 14:40:17 +0200
|
||||
Subject: [PATCH] BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name
|
||||
is given
|
||||
|
||||
The flag only affects which record types are queried (A or AAAA, or
|
||||
both), and when node is NULL, it prevents getaddrinfo returning the
|
||||
right address associated with the loopback interface.
|
||||
|
||||
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
||||
---
|
||||
crypto/bio/b_addr.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c
|
||||
index b023bbda40..ea15601f3d 100644
|
||||
--- a/crypto/bio/b_addr.c
|
||||
+++ b/crypto/bio/b_addr.c
|
||||
@@ -689,7 +689,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
|
||||
hints.ai_protocol = protocol;
|
||||
# ifdef AI_ADDRCONFIG
|
||||
# ifdef AF_UNSPEC
|
||||
- if (family == AF_UNSPEC)
|
||||
+ if (host != NULL && family == AF_UNSPEC)
|
||||
# endif
|
||||
hints.ai_flags |= AI_ADDRCONFIG;
|
||||
# endif
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,27 +0,0 @@
|
||||
commit 9e885a707d604e9528b5491b78fb9c00f41193fc
|
||||
Author: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu Mar 26 15:59:00 2020 +0100
|
||||
|
||||
s_server: Properly indicate ALPN protocol mismatch
|
||||
|
||||
Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
|
||||
an alert is sent to the client on ALPN protocol mismatch.
|
||||
|
||||
Fixes: #2708
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/11415)
|
||||
|
||||
diff --git a/apps/s_server.c b/apps/s_server.c
|
||||
index bcc83e562c..591c6c19c5 100644
|
||||
--- a/apps/s_server.c
|
||||
+++ b/apps/s_server.c
|
||||
@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
|
||||
if (SSL_select_next_proto
|
||||
((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
|
||||
inlen) != OPENSSL_NPN_NEGOTIATED) {
|
||||
- return SSL_TLSEXT_ERR_NOACK;
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
if (!s_quiet) {
|
@ -1,12 +0,0 @@
|
||||
diff -up openssl-1.1.1b/apps/ca.c.dgst openssl-1.1.1b/apps/ca.c
|
||||
--- openssl-1.1.1b/apps/ca.c.dgst 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/apps/ca.c 2019-03-15 15:53:46.622267688 +0100
|
||||
@@ -169,7 +169,7 @@ const OPTIONS ca_options[] = {
|
||||
{"enddate", OPT_ENDDATE, 's',
|
||||
"YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
|
||||
{"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
|
||||
- {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
|
||||
+ {"md", OPT_MD, 's', "md to use; see openssl help for list"},
|
||||
{"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
|
||||
{"keyfile", OPT_KEYFILE, 's', "Private key"},
|
||||
{"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
|
File diff suppressed because it is too large
Load Diff
@ -1,40 +0,0 @@
|
||||
diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
|
||||
--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
|
||||
+++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
|
||||
@@ -678,6 +678,7 @@ my %targets = (
|
||||
cxxflags => add("-m64"),
|
||||
lib_cppflags => add("-DL_ENDIAN"),
|
||||
perlasm_scheme => "linux64le",
|
||||
+ multilib => "64",
|
||||
},
|
||||
|
||||
"linux-armv4" => {
|
||||
@@ -718,6 +719,7 @@ my %targets = (
|
||||
"linux-aarch64" => {
|
||||
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
|
||||
perlasm_scheme => "linux64",
|
||||
+ multilib => "64",
|
||||
},
|
||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
|
||||
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
|
||||
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
|
||||
@@ -823,7 +823,7 @@ uninstall_runtime_libs:
|
||||
install_man_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@$(ECHO) "*** Installing manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
|
||||
|
||||
uninstall_man_docs:
|
||||
@@ -835,7 +835,7 @@ uninstall_man_docs:
|
||||
install_html_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@$(ECHO) "*** Installing HTML manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
|
||||
|
||||
uninstall_html_docs:
|
@ -1,36 +0,0 @@
|
||||
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
|
||||
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
|
||||
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
|
||||
@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
static int init_srp(SSL *s, unsigned int context);
|
||||
#endif
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
||||
static int init_etm(SSL *s, unsigned int context);
|
||||
static int init_ems(SSL *s, unsigned int context);
|
||||
static int final_ems(SSL *s, unsigned int context, int sent);
|
||||
@@ -158,7 +159,7 @@ static const EXTENSION_DEFINITION ext_de
|
||||
TLSEXT_TYPE_ec_point_formats,
|
||||
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
|
||||
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
|
||||
- NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||
+ init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
||||
final_ec_pt_formats
|
||||
},
|
||||
@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
|
||||
}
|
||||
#endif
|
||||
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
||||
+{
|
||||
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
||||
+ s->ext.peer_ecpointformats = NULL;
|
||||
+ s->ext.peer_ecpointformats_len = 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static int init_etm(SSL *s, unsigned int context)
|
||||
{
|
||||
s->ext.use_etm = 0;
|
@ -1,56 +0,0 @@
|
||||
diff -up openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths openssl-1.1.1-pre8/apps/CA.pl.in
|
||||
--- openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths 2018-06-20 16:48:09.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/apps/CA.pl.in 2018-07-25 17:26:58.388624296 +0200
|
||||
@@ -33,7 +33,7 @@ my $X509 = "$openssl x509";
|
||||
my $PKCS12 = "$openssl pkcs12";
|
||||
|
||||
# default openssl.cnf file has setup as per the following
|
||||
-my $CATOP = "./demoCA";
|
||||
+my $CATOP = "/etc/pki/CA";
|
||||
my $CAKEY = "cakey.pem";
|
||||
my $CAREQ = "careq.pem";
|
||||
my $CACERT = "cacert.pem";
|
||||
diff -up openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths openssl-1.1.1-pre8/apps/openssl.cnf
|
||||
--- openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths 2018-07-25 17:26:58.378624057 +0200
|
||||
+++ openssl-1.1.1-pre8/apps/openssl.cnf 2018-07-27 13:20:08.198513471 +0200
|
||||
@@ -23,6 +23,22 @@ oid_section = new_oids
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
+# Load default TLS policy configuration
|
||||
+
|
||||
+openssl_conf = default_modules
|
||||
+
|
||||
+[ default_modules ]
|
||||
+
|
||||
+ssl_conf = ssl_module
|
||||
+
|
||||
+[ ssl_module ]
|
||||
+
|
||||
+system_default = crypto_policy
|
||||
+
|
||||
+[ crypto_policy ]
|
||||
+
|
||||
+.include /etc/crypto-policies/back-ends/opensslcnf.config
|
||||
+
|
||||
[ new_oids ]
|
||||
|
||||
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
|
||||
@@ -43,7 +59,7 @@ default_ca = CA_default # The default c
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
-dir = ./demoCA # Where everything is kept
|
||||
+dir = /etc/pki/CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
@@ -329,7 +345,7 @@ default_tsa = tsa_config1 # the default
|
||||
[ tsa_config1 ]
|
||||
|
||||
# These are used by the TSA reply generation only.
|
||||
-dir = ./demoCA # TSA root directory
|
||||
+dir = /etc/pki/CA # TSA root directory
|
||||
serial = $dir/tsaserial # The current serial number (mandatory)
|
||||
crypto_device = builtin # OpenSSL engine to use for signing
|
||||
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
@ -1,179 +0,0 @@
|
||||
From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 28 Feb 2022 18:26:21 +0100
|
||||
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
|
||||
|
||||
The calculation in some cases does not finish for non-prime p.
|
||||
|
||||
This fixes CVE-2022-0778.
|
||||
|
||||
Based on patch by David Benjamin <davidben@google.com>.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
---
|
||||
crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
|
||||
1 file changed, 18 insertions(+), 12 deletions(-)
|
||||
|
||||
From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 28 Feb 2022 18:26:30 +0100
|
||||
Subject: [PATCH] Add documentation of BN_mod_sqrt()
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
---
|
||||
doc/man3/BN_add.pod | 15 +++++++++++++--
|
||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 28 Feb 2022 18:26:35 +0100
|
||||
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
---
|
||||
test/bntest.c | 11 ++++++++++-
|
||||
test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
|
||||
2 files changed, 22 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
|
||||
index 1723d5ded5a8..53b0f559855c 100644
|
||||
--- a/crypto/bn/bn_sqrt.c
|
||||
+++ b/crypto/bn/bn_sqrt.c
|
||||
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||
/*
|
||||
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
|
||||
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
|
||||
- * Theory", algorithm 1.5.1). 'p' must be prime!
|
||||
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
|
||||
+ * an incorrect "result" will be returned.
|
||||
*/
|
||||
{
|
||||
BIGNUM *ret = in;
|
||||
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||
goto vrfy;
|
||||
}
|
||||
|
||||
- /* find smallest i such that b^(2^i) = 1 */
|
||||
- i = 1;
|
||||
- if (!BN_mod_sqr(t, b, p, ctx))
|
||||
- goto end;
|
||||
- while (!BN_is_one(t)) {
|
||||
- i++;
|
||||
- if (i == e) {
|
||||
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
||||
- goto end;
|
||||
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
|
||||
+ for (i = 1; i < e; i++) {
|
||||
+ if (i == 1) {
|
||||
+ if (!BN_mod_sqr(t, b, p, ctx))
|
||||
+ goto end;
|
||||
+
|
||||
+ } else {
|
||||
+ if (!BN_mod_mul(t, t, t, p, ctx))
|
||||
+ goto end;
|
||||
}
|
||||
- if (!BN_mod_mul(t, t, t, p, ctx))
|
||||
- goto end;
|
||||
+ if (BN_is_one(t))
|
||||
+ break;
|
||||
+ }
|
||||
+ /* If not found, a is not a square or p is not prime. */
|
||||
+ if (i >= e) {
|
||||
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
/* t := y^2^(e - i - 1) */
|
||||
diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
|
||||
index dccd4790ede7..1f5e37a4d183 100644
|
||||
--- a/doc/man3/BN_add.pod
|
||||
+++ b/doc/man3/BN_add.pod
|
||||
@@ -3,7 +3,7 @@
|
||||
=head1 NAME
|
||||
|
||||
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
|
||||
-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
|
||||
+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
|
||||
arithmetic operations on BIGNUMs
|
||||
|
||||
=head1 SYNOPSIS
|
||||
@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
|
||||
|
||||
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
|
||||
|
||||
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
|
||||
+
|
||||
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
|
||||
|
||||
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
|
||||
@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
|
||||
BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
|
||||
result in I<r>.
|
||||
|
||||
+BN_mod_sqrt() returns the modular square root of I<a> such that
|
||||
+C<in^2 = a (mod p)>. The modulus I<p> must be a
|
||||
+prime, otherwise an error or an incorrect "result" will be returned.
|
||||
+The result is stored into I<in> which can be NULL. The result will be
|
||||
+newly allocated in that case.
|
||||
+
|
||||
BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
|
||||
(C<r=a^p>). This function is faster than repeated applications of
|
||||
BN_mul().
|
||||
@@ -108,7 +116,10 @@ the arguments.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
-For all functions, 1 is returned for success, 0 on error. The return
|
||||
+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
|
||||
+not a prime), or NULL.
|
||||
+
|
||||
+For all remaining functions, 1 is returned for success, 0 on error. The return
|
||||
value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
|
||||
The error codes can be obtained by L<ERR_get_error(3)>.
|
||||
|
||||
diff --git a/test/bntest.c b/test/bntest.c
|
||||
index 390dd800733e..1cab660bcafb 100644
|
||||
--- a/test/bntest.c
|
||||
+++ b/test/bntest.c
|
||||
@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
|
||||
|| !TEST_ptr(ret2 = BN_new()))
|
||||
goto err;
|
||||
|
||||
+ if (BN_is_negative(mod_sqrt)) {
|
||||
+ /* A negative testcase */
|
||||
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
|
||||
+ goto err;
|
||||
+
|
||||
+ st = 1;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
/* There are two possible answers. */
|
||||
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
|
||||
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|
||||
|| !TEST_true(BN_sub(ret2, p, ret)))
|
||||
goto err;
|
||||
|
||||
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
|
||||
index 5ea4d031f271..e28cc6bfb02e 100644
|
||||
--- a/test/recipes/10-test_bn_data/bnmod.txt
|
||||
+++ b/test/recipes/10-test_bn_data/bnmod.txt
|
||||
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
|
||||
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
|
||||
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||
+
|
||||
+# Negative testcases for BN_mod_sqrt()
|
||||
+
|
||||
+# This one triggers an infinite loop with unfixed implementation
|
||||
+# It should just fail.
|
||||
+ModSqrt = -1
|
||||
+A = 20a7ee
|
||||
+P = 460201
|
||||
+
|
||||
+ModSqrt = -1
|
||||
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
|
||||
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
@ -1,74 +0,0 @@
|
||||
From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Tue, 26 Apr 2022 12:40:24 +0200
|
||||
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
|
||||
|
||||
Except on VMS where it is safe.
|
||||
|
||||
This fixes CVE-2022-1292.
|
||||
|
||||
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23]
|
||||
---
|
||||
tools/c_rehash.in | 29 +++++++++++++++++++++++++----
|
||||
1 file changed, 25 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
||||
index fa7c6c9fef91..83c1cc80e08a 100644
|
||||
--- a/tools/c_rehash.in
|
||||
+++ b/tools/c_rehash.in
|
||||
@@ -152,6 +152,23 @@ sub check_file {
|
||||
return ($is_cert, $is_crl);
|
||||
}
|
||||
|
||||
+sub compute_hash {
|
||||
+ my $fh;
|
||||
+ if ( $^O eq "VMS" ) {
|
||||
+ # VMS uses the open through shell
|
||||
+ # The file names are safe there and list form is unsupported
|
||||
+ if (!open($fh, "-|", join(' ', @_))) {
|
||||
+ print STDERR "Cannot compute hash on '$fname'\n";
|
||||
+ return;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!open($fh, "-|", @_)) {
|
||||
+ print STDERR "Cannot compute hash on '$fname'\n";
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+ return (<$fh>, <$fh>);
|
||||
+}
|
||||
|
||||
# Link a certificate to its subject name hash value, each hash is of
|
||||
# the form <hash>.<n> where n is an integer. If the hash value already exists
|
||||
@@ -161,10 +178,12 @@ sub check_file {
|
||||
|
||||
sub link_hash_cert {
|
||||
my $fname = $_[0];
|
||||
- $fname =~ s/\"/\\\"/g;
|
||||
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
|
||||
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
||||
+ "-fingerprint", "-noout",
|
||||
+ "-in", $fname);
|
||||
chomp $hash;
|
||||
chomp $fprint;
|
||||
+ return if !$hash;
|
||||
$fprint =~ s/^.*=//;
|
||||
$fprint =~ tr/://d;
|
||||
my $suffix = 0;
|
||||
@@ -202,10 +221,12 @@ sub link_hash_cert {
|
||||
|
||||
sub link_hash_crl {
|
||||
my $fname = $_[0];
|
||||
- $fname =~ s/'/'\\''/g;
|
||||
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
|
||||
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
||||
+ "-fingerprint", "-noout",
|
||||
+ "-in", $fname);
|
||||
chomp $hash;
|
||||
chomp $fprint;
|
||||
+ return if !$hash;
|
||||
$fprint =~ s/^.*=//;
|
||||
$fprint =~ tr/://d;
|
||||
my $suffix = 0;
|
@ -1,255 +0,0 @@
|
||||
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Fiala <daniel@openssl.org>
|
||||
Date: Sun, 29 May 2022 20:11:24 +0200
|
||||
Subject: [PATCH] Fix file operations in c_rehash.
|
||||
|
||||
CVE-2022-2068
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7]
|
||||
---
|
||||
tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
|
||||
1 file changed, 107 insertions(+), 109 deletions(-)
|
||||
|
||||
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
||||
index cfd18f5da110..9d2a6f6db73b 100644
|
||||
--- a/tools/c_rehash.in
|
||||
+++ b/tools/c_rehash.in
|
||||
@@ -104,52 +104,78 @@ foreach (@dirlist) {
|
||||
}
|
||||
exit($errorcount);
|
||||
|
||||
+sub copy_file {
|
||||
+ my ($src_fname, $dst_fname) = @_;
|
||||
+
|
||||
+ if (open(my $in, "<", $src_fname)) {
|
||||
+ if (open(my $out, ">", $dst_fname)) {
|
||||
+ print $out $_ while (<$in>);
|
||||
+ close $out;
|
||||
+ } else {
|
||||
+ warn "Cannot open $dst_fname for write, $!";
|
||||
+ }
|
||||
+ close $in;
|
||||
+ } else {
|
||||
+ warn "Cannot open $src_fname for read, $!";
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
sub hash_dir {
|
||||
- my %hashlist;
|
||||
- print "Doing $_[0]\n";
|
||||
- chdir $_[0];
|
||||
- opendir(DIR, ".");
|
||||
- my @flist = sort readdir(DIR);
|
||||
- closedir DIR;
|
||||
- if ( $removelinks ) {
|
||||
- # Delete any existing symbolic links
|
||||
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||||
- if (-l $_) {
|
||||
- print "unlink $_" if $verbose;
|
||||
- unlink $_ || warn "Can't unlink $_, $!\n";
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||||
- # Check to see if certificates and/or CRLs present.
|
||||
- my ($cert, $crl) = check_file($fname);
|
||||
- if (!$cert && !$crl) {
|
||||
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||||
- next;
|
||||
- }
|
||||
- link_hash_cert($fname) if ($cert);
|
||||
- link_hash_crl($fname) if ($crl);
|
||||
- }
|
||||
+ my $dir = shift;
|
||||
+ my %hashlist;
|
||||
+
|
||||
+ print "Doing $dir\n";
|
||||
+
|
||||
+ if (!chdir $dir) {
|
||||
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
|
||||
+ my @flist = sort readdir(DIR);
|
||||
+ closedir DIR;
|
||||
+ if ( $removelinks ) {
|
||||
+ # Delete any existing symbolic links
|
||||
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||||
+ if (-l $_) {
|
||||
+ print "unlink $_\n" if $verbose;
|
||||
+ unlink $_ || warn "Can't unlink $_, $!\n";
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||||
+ # Check to see if certificates and/or CRLs present.
|
||||
+ my ($cert, $crl) = check_file($fname);
|
||||
+ if (!$cert && !$crl) {
|
||||
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||||
+ next;
|
||||
+ }
|
||||
+ link_hash_cert($fname) if ($cert);
|
||||
+ link_hash_crl($fname) if ($crl);
|
||||
+ }
|
||||
+
|
||||
+ chdir $pwd;
|
||||
}
|
||||
|
||||
sub check_file {
|
||||
- my ($is_cert, $is_crl) = (0,0);
|
||||
- my $fname = $_[0];
|
||||
- open IN, $fname;
|
||||
- while(<IN>) {
|
||||
- if (/^-----BEGIN (.*)-----/) {
|
||||
- my $hdr = $1;
|
||||
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||||
- $is_cert = 1;
|
||||
- last if ($is_crl);
|
||||
- } elsif ($hdr eq "X509 CRL") {
|
||||
- $is_crl = 1;
|
||||
- last if ($is_cert);
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- close IN;
|
||||
- return ($is_cert, $is_crl);
|
||||
+ my ($is_cert, $is_crl) = (0,0);
|
||||
+ my $fname = $_[0];
|
||||
+
|
||||
+ open(my $in, "<", $fname);
|
||||
+ while(<$in>) {
|
||||
+ if (/^-----BEGIN (.*)-----/) {
|
||||
+ my $hdr = $1;
|
||||
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||||
+ $is_cert = 1;
|
||||
+ last if ($is_crl);
|
||||
+ } elsif ($hdr eq "X509 CRL") {
|
||||
+ $is_crl = 1;
|
||||
+ last if ($is_cert);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ close $in;
|
||||
+ return ($is_cert, $is_crl);
|
||||
}
|
||||
|
||||
sub compute_hash {
|
||||
@@ -177,76 +203,48 @@ sub compute_hash {
|
||||
# certificate fingerprints
|
||||
|
||||
sub link_hash_cert {
|
||||
- my $fname = $_[0];
|
||||
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
||||
- "-fingerprint", "-noout",
|
||||
- "-in", $fname);
|
||||
- chomp $hash;
|
||||
- chomp $fprint;
|
||||
- return if !$hash;
|
||||
- $fprint =~ s/^.*=//;
|
||||
- $fprint =~ tr/://d;
|
||||
- my $suffix = 0;
|
||||
- # Search for an unused hash filename
|
||||
- while(exists $hashlist{"$hash.$suffix"}) {
|
||||
- # Hash matches: if fingerprint matches its a duplicate cert
|
||||
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
|
||||
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
|
||||
- return;
|
||||
- }
|
||||
- $suffix++;
|
||||
- }
|
||||
- $hash .= ".$suffix";
|
||||
- if ($symlink_exists) {
|
||||
- print "link $fname -> $hash\n" if $verbose;
|
||||
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||||
- } else {
|
||||
- print "copy $fname -> $hash\n" if $verbose;
|
||||
- if (open($in, "<", $fname)) {
|
||||
- if (open($out,">", $hash)) {
|
||||
- print $out $_ while (<$in>);
|
||||
- close $out;
|
||||
- } else {
|
||||
- warn "can't open $hash for write, $!";
|
||||
- }
|
||||
- close $in;
|
||||
- } else {
|
||||
- warn "can't open $fname for read, $!";
|
||||
- }
|
||||
- }
|
||||
- $hashlist{$hash} = $fprint;
|
||||
+ link_hash($_[0], 'cert');
|
||||
}
|
||||
|
||||
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
|
||||
|
||||
sub link_hash_crl {
|
||||
- my $fname = $_[0];
|
||||
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
||||
- "-fingerprint", "-noout",
|
||||
- "-in", $fname);
|
||||
- chomp $hash;
|
||||
- chomp $fprint;
|
||||
- return if !$hash;
|
||||
- $fprint =~ s/^.*=//;
|
||||
- $fprint =~ tr/://d;
|
||||
- my $suffix = 0;
|
||||
- # Search for an unused hash filename
|
||||
- while(exists $hashlist{"$hash.r$suffix"}) {
|
||||
- # Hash matches: if fingerprint matches its a duplicate cert
|
||||
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
|
||||
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
|
||||
- return;
|
||||
- }
|
||||
- $suffix++;
|
||||
- }
|
||||
- $hash .= ".r$suffix";
|
||||
- if ($symlink_exists) {
|
||||
- print "link $fname -> $hash\n" if $verbose;
|
||||
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||||
- } else {
|
||||
- print "cp $fname -> $hash\n" if $verbose;
|
||||
- system ("cp", $fname, $hash);
|
||||
- warn "Can't copy, $!" if ($? >> 8) != 0;
|
||||
- }
|
||||
- $hashlist{$hash} = $fprint;
|
||||
+ link_hash($_[0], 'crl');
|
||||
+}
|
||||
+
|
||||
+sub link_hash {
|
||||
+ my ($fname, $type) = @_;
|
||||
+ my $is_cert = $type eq 'cert';
|
||||
+
|
||||
+ my ($hash, $fprint) = compute_hash($openssl,
|
||||
+ $is_cert ? "x509" : "crl",
|
||||
+ $is_cert ? $x509hash : $crlhash,
|
||||
+ "-fingerprint", "-noout",
|
||||
+ "-in", $fname);
|
||||
+ chomp $hash;
|
||||
+ chomp $fprint;
|
||||
+ return if !$hash;
|
||||
+ $fprint =~ s/^.*=//;
|
||||
+ $fprint =~ tr/://d;
|
||||
+ my $suffix = 0;
|
||||
+ # Search for an unused hash filename
|
||||
+ my $crlmark = $is_cert ? "" : "r";
|
||||
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
|
||||
+ # Hash matches: if fingerprint matches its a duplicate cert
|
||||
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
|
||||
+ my $what = $is_cert ? 'certificate' : 'CRL';
|
||||
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
|
||||
+ return;
|
||||
+ }
|
||||
+ $suffix++;
|
||||
+ }
|
||||
+ $hash .= ".$crlmark$suffix";
|
||||
+ if ($symlink_exists) {
|
||||
+ print "link $fname -> $hash\n" if $verbose;
|
||||
+ symlink $fname, $hash || warn "Can't symlink, $!";
|
||||
+ } else {
|
||||
+ print "copy $fname -> $hash\n" if $verbose;
|
||||
+ copy_file($fname, $hash);
|
||||
+ }
|
||||
+ $hashlist{$hash} = $fprint;
|
||||
}
|
@ -1,152 +0,0 @@
|
||||
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Chernyakhovsky <achernya@google.com>
|
||||
Date: Thu, 16 Jun 2022 12:00:22 +1000
|
||||
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
|
||||
that performs operations on 6 16-byte blocks concurrently (the
|
||||
"grandloop") and then proceeds to handle the "short" tail (which can
|
||||
be anywhere from 0 to 5 blocks) that remain.
|
||||
|
||||
As part of initialization, the assembly initializes $len to the true
|
||||
length, less 96 bytes and converts it to a pointer so that the $inp
|
||||
can be compared to it. Each iteration of "grandloop" checks to see if
|
||||
there's a full 96-byte chunk to process, and if so, continues. Once
|
||||
this has been exhausted, it falls through to "short", which handles
|
||||
the remaining zero to five blocks.
|
||||
|
||||
Unfortunately, the jump at the end of "grandloop" had a fencepost
|
||||
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
|
||||
equal). This should be `jbe`, as $inp is pointing to the *end* of the
|
||||
chunk currently being handled. If $inp == $len, that means that
|
||||
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
|
||||
then there's 5 or fewer 16-byte blocks left to be handled, and the
|
||||
fall-through is intended.
|
||||
|
||||
The net effect of `jb` instead of `jbe` is that the last 16-byte block
|
||||
of the last 96-byte chunk was completely omitted. The contents of
|
||||
`out` in this position were never written to. Additionally, since
|
||||
those bytes were never processed, the authentication tag generated is
|
||||
also incorrect.
|
||||
|
||||
The same fencepost error, and identical logic, exists in both
|
||||
aesni_ocb_encrypt and aesni_ocb_decrypt.
|
||||
|
||||
This addresses CVE-2022-2097.
|
||||
|
||||
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
||||
Co-authored-by: David Benjamin <davidben@google.com>
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
|
||||
---
|
||||
crypto/aes/asm/aesni-x86.pl | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
|
||||
index fe2b26542ab6..812758e02e04 100644
|
||||
--- a/crypto/aes/asm/aesni-x86.pl
|
||||
+++ b/crypto/aes/asm/aesni-x86.pl
|
||||
@@ -2027,7 +2027,7 @@ sub aesni_generate6
|
||||
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
|
||||
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
||||
&cmp ($inp,$len); # done yet?
|
||||
- &jb (&label("grandloop"));
|
||||
+ &jbe (&label("grandloop"));
|
||||
|
||||
&set_label("short");
|
||||
&add ($len,16*6);
|
||||
@@ -2453,7 +2453,7 @@ sub aesni_generate6
|
||||
&pxor ($rndkey1,$inout5);
|
||||
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
||||
&cmp ($inp,$len); # done yet?
|
||||
- &jb (&label("grandloop"));
|
||||
+ &jbe (&label("grandloop"));
|
||||
|
||||
&set_label("short");
|
||||
&add ($len,16*6);
|
||||
From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Chernyakhovsky <achernya@google.com>
|
||||
Date: Thu, 16 Jun 2022 12:02:37 +1000
|
||||
Subject: [PATCH] AES OCB test vectors
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
|
||||
|
||||
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
||||
Co-authored-by: David Benjamin <davidben@google.com>
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
|
||||
---
|
||||
test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
|
||||
1 file changed, 50 insertions(+)
|
||||
|
||||
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
|
||||
index 1c02ea1e9c2d..e12670d9a4b4 100644
|
||||
--- a/test/recipes/30-test_evp_data/evpciph.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evpciph.txt
|
||||
@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
|
||||
Operation = DECRYPT
|
||||
Result = CIPHERFINAL_ERROR
|
||||
|
||||
+#Test vectors generated to validate aesni_ocb_encrypt on x86
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = C14DFF7D62A13C4A3422456207453190
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = BE0228651ED4E48A11BDED68D953F3A0
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = E84AAC18666116990A3A37B3A5FC55BD
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
|
||||
+
|
||||
Title = AES XTS test vectors from IEEE Std 1619-2007
|
||||
|
||||
# Using the same key twice for encryption is always banned.
|
@ -1,805 +0,0 @@
|
||||
From 43d8f88511991533f53680a751e9326999a6a31f Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 20 Jan 2023 15:26:54 +0000
|
||||
Subject: [PATCH 1/6] Fix Timing Oracle in RSA decryption
|
||||
|
||||
A timing based side channel exists in the OpenSSL RSA Decryption
|
||||
implementation which could be sufficient to recover a plaintext across
|
||||
a network in a Bleichenbacher style attack. To achieve a successful
|
||||
decryption an attacker would have to be able to send a very large number
|
||||
of trial messages for decryption. The vulnerability affects all RSA
|
||||
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
|
||||
|
||||
Patch written by Dmitry Belyavsky and Hubert Kario
|
||||
|
||||
CVE-2022-4304
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/bn/bn_blind.c | 14 -
|
||||
crypto/bn/bn_err.c | 2 +
|
||||
crypto/bn/bn_local.h | 14 +
|
||||
crypto/bn/build.info | 3 +-
|
||||
crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++++++++++++++++++++++++
|
||||
crypto/err/openssl.txt | 3 +-
|
||||
crypto/rsa/rsa_ossl.c | 17 +-
|
||||
include/crypto/bn.h | 5 +
|
||||
include/openssl/bnerr.h | 1 +
|
||||
9 files changed, 653 insertions(+), 20 deletions(-)
|
||||
create mode 100644 crypto/bn/rsa_sup_mul.c
|
||||
|
||||
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
|
||||
index 76fc7ebcff..6e9d239321 100644
|
||||
--- a/crypto/bn/bn_blind.c
|
||||
+++ b/crypto/bn/bn_blind.c
|
||||
@@ -13,20 +13,6 @@
|
||||
|
||||
#define BN_BLINDING_COUNTER 32
|
||||
|
||||
-struct bn_blinding_st {
|
||||
- BIGNUM *A;
|
||||
- BIGNUM *Ai;
|
||||
- BIGNUM *e;
|
||||
- BIGNUM *mod; /* just a reference */
|
||||
- CRYPTO_THREAD_ID tid;
|
||||
- int counter;
|
||||
- unsigned long flags;
|
||||
- BN_MONT_CTX *m_ctx;
|
||||
- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
- CRYPTO_RWLOCK *lock;
|
||||
-};
|
||||
-
|
||||
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
|
||||
{
|
||||
BN_BLINDING *ret = NULL;
|
||||
diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
|
||||
index dd87c152cf..3dd8d9a568 100644
|
||||
--- a/crypto/bn/bn_err.c
|
||||
+++ b/crypto/bn/bn_err.c
|
||||
@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},
|
||||
{ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},
|
||||
{ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},
|
||||
+ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),
|
||||
+ "ossl_bn_rsa_do_unblind"},
|
||||
{0, NULL}
|
||||
};
|
||||
|
||||
diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
|
||||
index 62a969b134..4d8cb64675 100644
|
||||
--- a/crypto/bn/bn_local.h
|
||||
+++ b/crypto/bn/bn_local.h
|
||||
@@ -283,6 +283,20 @@ struct bn_gencb_st {
|
||||
} cb;
|
||||
};
|
||||
|
||||
+struct bn_blinding_st {
|
||||
+ BIGNUM *A;
|
||||
+ BIGNUM *Ai;
|
||||
+ BIGNUM *e;
|
||||
+ BIGNUM *mod; /* just a reference */
|
||||
+ CRYPTO_THREAD_ID tid;
|
||||
+ int counter;
|
||||
+ unsigned long flags;
|
||||
+ BN_MONT_CTX *m_ctx;
|
||||
+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
+ CRYPTO_RWLOCK *lock;
|
||||
+};
|
||||
+
|
||||
/*-
|
||||
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
|
||||
*
|
||||
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
|
||||
index b9ed5322fa..c9fe2fdada 100644
|
||||
--- a/crypto/bn/build.info
|
||||
+++ b/crypto/bn/build.info
|
||||
@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\
|
||||
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \
|
||||
{- $target{bn_asm_src} -} \
|
||||
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
|
||||
- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c
|
||||
+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \
|
||||
+ rsa_sup_mul.c
|
||||
|
||||
INCLUDE[bn_exp.o]=..
|
||||
|
||||
diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
|
||||
new file mode 100644
|
||||
index 0000000000..acafefd5fe
|
||||
--- /dev/null
|
||||
+++ b/crypto/bn/rsa_sup_mul.c
|
||||
@@ -0,0 +1,614 @@
|
||||
+#include <openssl/e_os2.h>
|
||||
+#include <stddef.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
+#include <openssl/bn.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/rsaerr.h>
|
||||
+#include "internal/numbers.h"
|
||||
+#include "internal/constant_time.h"
|
||||
+#include "bn_local.h"
|
||||
+
|
||||
+# if BN_BYTES == 8
|
||||
+typedef uint64_t limb_t;
|
||||
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
|
||||
+/* nonstandard; implemented by gcc on 64-bit platforms */
|
||||
+typedef __uint128_t limb2_t;
|
||||
+# define HAVE_LIMB2_T
|
||||
+# endif
|
||||
+# define LIMB_BIT_SIZE 64
|
||||
+# define LIMB_BYTE_SIZE 8
|
||||
+# elif BN_BYTES == 4
|
||||
+typedef uint32_t limb_t;
|
||||
+typedef uint64_t limb2_t;
|
||||
+# define LIMB_BIT_SIZE 32
|
||||
+# define LIMB_BYTE_SIZE 4
|
||||
+# define HAVE_LIMB2_T
|
||||
+# else
|
||||
+# error "Not supported"
|
||||
+# endif
|
||||
+
|
||||
+/*
|
||||
+ * For multiplication we're using schoolbook multiplication,
|
||||
+ * so if we have two numbers, each with 6 "digits" (words)
|
||||
+ * the multiplication is calculated as follows:
|
||||
+ * A B C D E F
|
||||
+ * x I J K L M N
|
||||
+ * --------------
|
||||
+ * N*F
|
||||
+ * N*E
|
||||
+ * N*D
|
||||
+ * N*C
|
||||
+ * N*B
|
||||
+ * N*A
|
||||
+ * M*F
|
||||
+ * M*E
|
||||
+ * M*D
|
||||
+ * M*C
|
||||
+ * M*B
|
||||
+ * M*A
|
||||
+ * L*F
|
||||
+ * L*E
|
||||
+ * L*D
|
||||
+ * L*C
|
||||
+ * L*B
|
||||
+ * L*A
|
||||
+ * K*F
|
||||
+ * K*E
|
||||
+ * K*D
|
||||
+ * K*C
|
||||
+ * K*B
|
||||
+ * K*A
|
||||
+ * J*F
|
||||
+ * J*E
|
||||
+ * J*D
|
||||
+ * J*C
|
||||
+ * J*B
|
||||
+ * J*A
|
||||
+ * I*F
|
||||
+ * I*E
|
||||
+ * I*D
|
||||
+ * I*C
|
||||
+ * I*B
|
||||
+ * + I*A
|
||||
+ * ==========================
|
||||
+ * N*B N*D N*F
|
||||
+ * + N*A N*C N*E
|
||||
+ * + M*B M*D M*F
|
||||
+ * + M*A M*C M*E
|
||||
+ * + L*B L*D L*F
|
||||
+ * + L*A L*C L*E
|
||||
+ * + K*B K*D K*F
|
||||
+ * + K*A K*C K*E
|
||||
+ * + J*B J*D J*F
|
||||
+ * + J*A J*C J*E
|
||||
+ * + I*B I*D I*F
|
||||
+ * + I*A I*C I*E
|
||||
+ *
|
||||
+ * 1+1 1+3 1+5
|
||||
+ * 1+0 1+2 1+4
|
||||
+ * 0+1 0+3 0+5
|
||||
+ * 0+0 0+2 0+4
|
||||
+ *
|
||||
+ * 0 1 2 3 4 5 6
|
||||
+ * which requires n^2 multiplications and 2n full length additions
|
||||
+ * as we can keep every other result of limb multiplication in two separate
|
||||
+ * limbs
|
||||
+ */
|
||||
+
|
||||
+#if defined HAVE_LIMB2_T
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ limb2_t t;
|
||||
+ /*
|
||||
+ * this is idiomatic code to tell compiler to use the native mul
|
||||
+ * those three lines will actually compile to single instruction
|
||||
+ */
|
||||
+
|
||||
+ t = (limb2_t)a * b;
|
||||
+ *hi = t >> LIMB_BIT_SIZE;
|
||||
+ *lo = (limb_t)t;
|
||||
+}
|
||||
+#elif (BN_BYTES == 8) && (defined _MSC_VER)
|
||||
+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
|
||||
+#pragma intrinsic(_umul128)
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ *lo = _umul128(a, b, hi);
|
||||
+}
|
||||
+#else
|
||||
+/*
|
||||
+ * if the compiler doesn't have either a 128bit data type nor a "return
|
||||
+ * high 64 bits of multiplication"
|
||||
+ */
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ limb_t a_low = (limb_t)(uint32_t)a;
|
||||
+ limb_t a_hi = a >> 32;
|
||||
+ limb_t b_low = (limb_t)(uint32_t)b;
|
||||
+ limb_t b_hi = b >> 32;
|
||||
+
|
||||
+ limb_t p0 = a_low * b_low;
|
||||
+ limb_t p1 = a_low * b_hi;
|
||||
+ limb_t p2 = a_hi * b_low;
|
||||
+ limb_t p3 = a_hi * b_hi;
|
||||
+
|
||||
+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
|
||||
+
|
||||
+ *lo = p0 + (p1 << 32) + (p2 << 32);
|
||||
+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/* add two limbs with carry in, return carry out */
|
||||
+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
|
||||
+{
|
||||
+ limb_t carry1, carry2, t;
|
||||
+ /*
|
||||
+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers
|
||||
+ * use add with carry on assembly level
|
||||
+ */
|
||||
+
|
||||
+ *ret = a + carry;
|
||||
+ if (*ret < a)
|
||||
+ carry1 = 1;
|
||||
+ else
|
||||
+ carry1 = 0;
|
||||
+
|
||||
+ t = *ret;
|
||||
+ *ret = t + b;
|
||||
+ if (*ret < t)
|
||||
+ carry2 = 1;
|
||||
+ else
|
||||
+ carry2 = 0;
|
||||
+
|
||||
+ return carry1 + carry2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * add two numbers of the same size, return overflow
|
||||
+ *
|
||||
+ * add a to b, place result in ret; all arrays need to be n limbs long
|
||||
+ * return overflow from addition (0 or 1)
|
||||
+ */
|
||||
+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ limb_t c = 0;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ for(i = n - 1; i > -1; i--)
|
||||
+ c = _add_limb(&ret[i], a[i], b[i], c);
|
||||
+
|
||||
+ return c;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * return number of limbs necessary for temporary values
|
||||
+ * when multiplying numbers n limbs large
|
||||
+ */
|
||||
+static ossl_inline size_t mul_limb_numb(size_t n)
|
||||
+{
|
||||
+ return 2 * n * 2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * multiply two numbers of the same size
|
||||
+ *
|
||||
+ * multiply a by b, place result in ret; a and b need to be n limbs long
|
||||
+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
|
||||
+ * long
|
||||
+ */
|
||||
+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t *r_odd, *r_even;
|
||||
+ size_t i, j, k;
|
||||
+
|
||||
+ r_odd = tmp;
|
||||
+ r_even = &tmp[2 * n];
|
||||
+
|
||||
+ memset(ret, 0, 2 * n * sizeof(limb_t));
|
||||
+
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+ for (k = 0; k < i + n + 1; k++) {
|
||||
+ r_even[k] = 0;
|
||||
+ r_odd[k] = 0;
|
||||
+ }
|
||||
+ for (j = 0; j < n; j++) {
|
||||
+ /*
|
||||
+ * place results from even and odd limbs in separate arrays so that
|
||||
+ * we don't have to calculate overflow every time we get individual
|
||||
+ * limb multiplication result
|
||||
+ */
|
||||
+ if (j % 2 == 0)
|
||||
+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
|
||||
+ else
|
||||
+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
|
||||
+ }
|
||||
+ /*
|
||||
+ * skip the least significant limbs when adding multiples of
|
||||
+ * more significant limbs (they're zero anyway)
|
||||
+ */
|
||||
+ add(ret, ret, r_even, n + i + 1);
|
||||
+ add(ret, ret, r_odd, n + i + 1);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* modifies the value in place by performing a right shift by one bit */
|
||||
+static ossl_inline void rshift1(limb_t *val, size_t n)
|
||||
+{
|
||||
+ limb_t shift_in = 0, shift_out = 0;
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+ shift_out = val[i] & 1;
|
||||
+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
|
||||
+ shift_in = shift_out;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* extend the LSB of flag to all bits of limb */
|
||||
+static ossl_inline limb_t mk_mask(limb_t flag)
|
||||
+{
|
||||
+ flag |= flag << 1;
|
||||
+ flag |= flag << 2;
|
||||
+ flag |= flag << 4;
|
||||
+ flag |= flag << 8;
|
||||
+ flag |= flag << 16;
|
||||
+#if (LIMB_BYTE_SIZE == 8)
|
||||
+ flag |= flag << 32;
|
||||
+#endif
|
||||
+ return flag;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * copy from either a or b to ret based on flag
|
||||
+ * when flag == 0, then copies from b
|
||||
+ * when flag == 1, then copies from a
|
||||
+ */
|
||||
+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ /*
|
||||
+ * would be more efficient with non volatile mask, but then gcc
|
||||
+ * generates code with jumps
|
||||
+ */
|
||||
+ volatile limb_t mask;
|
||||
+ size_t i;
|
||||
+
|
||||
+ mask = mk_mask(flag);
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+#if (LIMB_BYTE_SIZE == 8)
|
||||
+ ret[i] = constant_time_select_64(mask, a[i], b[i]);
|
||||
+#else
|
||||
+ ret[i] = constant_time_select_32(mask, a[i], b[i]);
|
||||
+#endif
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
|
||||
+{
|
||||
+ limb_t borrow1, borrow2, t;
|
||||
+ /*
|
||||
+ * while it doesn't look constant-time, this is idiomatic code
|
||||
+ * to tell compilers to use the carry bit from subtraction
|
||||
+ */
|
||||
+
|
||||
+ *ret = a - borrow;
|
||||
+ if (*ret > a)
|
||||
+ borrow1 = 1;
|
||||
+ else
|
||||
+ borrow1 = 0;
|
||||
+
|
||||
+ t = *ret;
|
||||
+ *ret = t - b;
|
||||
+ if (*ret > t)
|
||||
+ borrow2 = 1;
|
||||
+ else
|
||||
+ borrow2 = 0;
|
||||
+
|
||||
+ return borrow1 + borrow2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * place the result of a - b into ret, return the borrow bit.
|
||||
+ * All arrays need to be n limbs long
|
||||
+ */
|
||||
+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ limb_t borrow = 0;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ for (i = n - 1; i > -1; i--)
|
||||
+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
|
||||
+
|
||||
+ return borrow;
|
||||
+}
|
||||
+
|
||||
+/* return the number of limbs necessary to allocate for the mod() tmp operand */
|
||||
+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
|
||||
+{
|
||||
+ return (anum + modnum) * 3;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * calculate a % mod, place the result in ret
|
||||
+ * size of a is defined by anum, size of ret and mod is modnum,
|
||||
+ * size of tmp is returned by mod_limb_numb()
|
||||
+ */
|
||||
+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||
+ size_t modnum, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t *atmp, *modtmp, *rettmp;
|
||||
+ limb_t res;
|
||||
+ size_t i;
|
||||
+
|
||||
+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ atmp = tmp;
|
||||
+ modtmp = &tmp[anum + modnum];
|
||||
+ rettmp = &tmp[(anum + modnum) * 2];
|
||||
+
|
||||
+ for (i = modnum; i <modnum + anum; i++)
|
||||
+ atmp[i] = a[i-modnum];
|
||||
+
|
||||
+ for (i = 0; i < modnum; i++)
|
||||
+ modtmp[i] = mod[i];
|
||||
+
|
||||
+ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
|
||||
+ rshift1(modtmp, anum + modnum);
|
||||
+ res = sub(rettmp, atmp, modtmp, anum+modnum);
|
||||
+ cselect(res, atmp, atmp, rettmp, anum+modnum);
|
||||
+ }
|
||||
+
|
||||
+ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
|
||||
+}
|
||||
+
|
||||
+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
|
||||
+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
|
||||
+{
|
||||
+ return 2 * (anum + 1);
|
||||
+}
|
||||
+
|
||||
+/* multiply a by m, add to ret, return carry */
|
||||
+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
|
||||
+ limb_t m, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t carry = 0;
|
||||
+ limb_t *r_odd, *r_even;
|
||||
+ size_t i;
|
||||
+
|
||||
+ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
|
||||
+
|
||||
+ r_odd = tmp;
|
||||
+ r_even = &tmp[anum + 1];
|
||||
+
|
||||
+ for (i = 0; i < anum; i++) {
|
||||
+ /*
|
||||
+ * place the results from even and odd limbs in separate arrays
|
||||
+ * so that we have to worry about carry just once
|
||||
+ */
|
||||
+ if (i % 2 == 0)
|
||||
+ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
|
||||
+ else
|
||||
+ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
|
||||
+ }
|
||||
+ /* assert: add() carry here will be equal zero */
|
||||
+ add(r_even, r_even, r_odd, anum + 1);
|
||||
+ /*
|
||||
+ * while here it will not overflow as the max value from multiplication
|
||||
+ * is -2 while max overflow from addition is 1, so the max value of
|
||||
+ * carry is -1 (i.e. max int)
|
||||
+ */
|
||||
+ carry = add(ret, ret, &r_even[1], anum) + r_even[0];
|
||||
+
|
||||
+ return carry;
|
||||
+}
|
||||
+
|
||||
+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
|
||||
+{
|
||||
+ return modnum * 2 + _mul_add_limb_numb(modnum);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * calculate a % mod, place result in ret
|
||||
+ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
|
||||
+ * smallest power of two big enough to fit mod and that's also a power
|
||||
+ * of the count of number of bits in limb_t (B).
|
||||
+ * For calculation, we also need n', such that mod * n' == -1 mod B.
|
||||
+ * anum must be <= 2 * modnum
|
||||
+ * ret needs to be modnum words long
|
||||
+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
|
||||
+ */
|
||||
+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||
+ size_t modnum, limb_t ni0, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t carry, v;
|
||||
+ limb_t *res, *rp, *tmp2;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ res = tmp;
|
||||
+ /*
|
||||
+ * for intermediate result we need an integer twice as long as modulus
|
||||
+ * but keep the input in the least significant limbs
|
||||
+ */
|
||||
+ memset(res, 0, sizeof(limb_t) * (modnum * 2));
|
||||
+ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
|
||||
+ rp = &res[modnum];
|
||||
+ tmp2 = &res[modnum * 2];
|
||||
+
|
||||
+ carry = 0;
|
||||
+
|
||||
+ /* add multiples of the modulus to the value until R divides it cleanly */
|
||||
+ for (i = modnum; i > 0; i--, rp--) {
|
||||
+ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);
|
||||
+ v = v + carry + rp[-1];
|
||||
+ carry |= (v != rp[-1]);
|
||||
+ carry &= (v <= rp[-1]);
|
||||
+ rp[-1] = v;
|
||||
+ }
|
||||
+
|
||||
+ /* perform the final reduction by mod... */
|
||||
+ carry -= sub(ret, rp, mod, modnum);
|
||||
+
|
||||
+ /* ...conditionally */
|
||||
+ cselect(carry, ret, rp, ret, modnum);
|
||||
+}
|
||||
+
|
||||
+/* allocated buffer should be freed afterwards */
|
||||
+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
|
||||
+{
|
||||
+ int i;
|
||||
+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ limb_t *ptr = buf + (limbs - real_limbs);
|
||||
+
|
||||
+ for (i = 0; i < real_limbs; i++)
|
||||
+ ptr[i] = bn->d[real_limbs - i - 1];
|
||||
+}
|
||||
+
|
||||
+#if LIMB_BYTE_SIZE == 8
|
||||
+static ossl_inline uint64_t be64(uint64_t host)
|
||||
+{
|
||||
+ const union {
|
||||
+ long one;
|
||||
+ char little;
|
||||
+ } is_endian = { 1 };
|
||||
+
|
||||
+ if (is_endian.little) {
|
||||
+ uint64_t big = 0;
|
||||
+
|
||||
+ big |= (host & 0xff00000000000000) >> 56;
|
||||
+ big |= (host & 0x00ff000000000000) >> 40;
|
||||
+ big |= (host & 0x0000ff0000000000) >> 24;
|
||||
+ big |= (host & 0x000000ff00000000) >> 8;
|
||||
+ big |= (host & 0x00000000ff000000) << 8;
|
||||
+ big |= (host & 0x0000000000ff0000) << 24;
|
||||
+ big |= (host & 0x000000000000ff00) << 40;
|
||||
+ big |= (host & 0x00000000000000ff) << 56;
|
||||
+ return big;
|
||||
+ } else {
|
||||
+ return host;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+/* Not all platforms have htobe32(). */
|
||||
+static ossl_inline uint32_t be32(uint32_t host)
|
||||
+{
|
||||
+ const union {
|
||||
+ long one;
|
||||
+ char little;
|
||||
+ } is_endian = { 1 };
|
||||
+
|
||||
+ if (is_endian.little) {
|
||||
+ uint32_t big = 0;
|
||||
+
|
||||
+ big |= (host & 0xff000000) >> 24;
|
||||
+ big |= (host & 0x00ff0000) >> 8;
|
||||
+ big |= (host & 0x0000ff00) << 8;
|
||||
+ big |= (host & 0x000000ff) << 24;
|
||||
+ return big;
|
||||
+ } else {
|
||||
+ return host;
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
|
||||
+ * similar to BN_BLINDING_invert_ex() arguments.
|
||||
+ * to_mod is RSA modulus.
|
||||
+ * buf and num is the serialization buffer and its length.
|
||||
+ *
|
||||
+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
|
||||
+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
|
||||
+ */
|
||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||
+ const BN_BLINDING *blinding,
|
||||
+ const BIGNUM *possible_arg2,
|
||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||
+ unsigned char *buf, int num)
|
||||
+{
|
||||
+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
|
||||
+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
|
||||
+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
|
||||
+ size_t l_tmp_count = 0;
|
||||
+ int ret = 0;
|
||||
+ size_t i;
|
||||
+ unsigned char *tmp;
|
||||
+ const BIGNUM *arg1 = intermediate;
|
||||
+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
|
||||
+
|
||||
+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+
|
||||
+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
|
||||
+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||
+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||
+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
|
||||
+ goto err;
|
||||
+
|
||||
+ BN_to_limb(arg1, l_im, l_size);
|
||||
+ BN_to_limb(arg2, l_mul, l_size);
|
||||
+ BN_to_limb(to_mod, l_mod, l_mod_count);
|
||||
+
|
||||
+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ if (blinding->m_ctx != NULL) {
|
||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
|
||||
+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
|
||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||
+ } else {
|
||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
|
||||
+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
|
||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||
+ }
|
||||
+
|
||||
+ if ((l_ret == NULL) || (l_tmp == NULL))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (blinding->m_ctx != NULL) {
|
||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||
+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
|
||||
+ blinding->m_ctx->n0[0], l_tmp);
|
||||
+ } else {
|
||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||
+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
|
||||
+ }
|
||||
+
|
||||
+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
|
||||
+ if (num < BN_num_bytes(to_mod)) {
|
||||
+ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ memset(buf, 0, num);
|
||||
+ tmp = buf + num - BN_num_bytes(to_mod);
|
||||
+ for (i = 0; i < l_mod_count; i++) {
|
||||
+#if LIMB_BYTE_SIZE == 8
|
||||
+ l_buf = be64(l_ret[i]);
|
||||
+#else
|
||||
+ l_buf = be32(l_ret[i]);
|
||||
+#endif
|
||||
+ if (i == 0) {
|
||||
+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
|
||||
+
|
||||
+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
|
||||
+ tmp += delta;
|
||||
+ } else {
|
||||
+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
|
||||
+ tmp += LIMB_BYTE_SIZE;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = num;
|
||||
+
|
||||
+ err:
|
||||
+ OPENSSL_free(l_im);
|
||||
+ OPENSSL_free(l_mul);
|
||||
+ OPENSSL_free(l_mod);
|
||||
+ OPENSSL_free(l_tmp);
|
||||
+ OPENSSL_free(l_ret);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index 9f91a4a811..ba3a46d5b9 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -1,4 +1,4 @@
|
||||
-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift
|
||||
BN_F_BN_SET_WORDS:144:bn_set_words
|
||||
BN_F_BN_STACK_PUSH:148:BN_STACK_push
|
||||
BN_F_BN_USUB:115:BN_usub
|
||||
+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
|
||||
BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
|
||||
BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
|
||||
BUF_F_BUF_MEM_NEW:101:BUF_MEM_new
|
||||
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
|
||||
index b52a66f6a6..6c3c0cf78d 100644
|
||||
--- a/crypto/rsa/rsa_ossl.c
|
||||
+++ b/crypto/rsa/rsa_ossl.c
|
||||
@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
||||
BN_free(d);
|
||||
}
|
||||
|
||||
- if (blinding)
|
||||
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
||||
+ if (blinding) {
|
||||
+ /*
|
||||
+ * ossl_bn_rsa_do_unblind() combines blinding inversion and
|
||||
+ * 0-padded BN BE serialization
|
||||
+ */
|
||||
+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
|
||||
+ buf, num);
|
||||
+ if (j == 0)
|
||||
goto err;
|
||||
-
|
||||
- j = BN_bn2binpad(ret, buf, num);
|
||||
+ } else {
|
||||
+ j = BN_bn2binpad(ret, buf, num);
|
||||
+ if (j < 0)
|
||||
+ goto err;
|
||||
+ }
|
||||
|
||||
switch (padding) {
|
||||
case RSA_PKCS1_PADDING:
|
||||
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
|
||||
index 60afda1dad..b5f36fb25a 100644
|
||||
--- a/include/crypto/bn.h
|
||||
+++ b/include/crypto/bn.h
|
||||
@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
||||
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
||||
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
|
||||
const BIGNUM *d, BN_CTX *ctx);
|
||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||
+ const BN_BLINDING *blinding,
|
||||
+ const BIGNUM *possible_arg2,
|
||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||
+ unsigned char *buf, int num);
|
||||
|
||||
#endif
|
||||
diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h
|
||||
index 9f3c7cfaab..a0752cea52 100644
|
||||
--- a/include/openssl/bnerr.h
|
||||
+++ b/include/openssl/bnerr.h
|
||||
@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
|
||||
# define BN_F_BN_SET_WORDS 144
|
||||
# define BN_F_BN_STACK_PUSH 148
|
||||
# define BN_F_BN_USUB 115
|
||||
+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151
|
||||
|
||||
/*
|
||||
* BN reason codes.
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,103 +0,0 @@
|
||||
From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 14:54:55 +0000
|
||||
Subject: [PATCH 2/6] Avoid dangling ptrs in header and data params for
|
||||
PEM_read_bio_ex
|
||||
|
||||
In the event of a failure in PEM_read_bio_ex() we free the buffers we
|
||||
allocated for the header and data buffers. However we were not clearing
|
||||
the ptrs stored in *header and *data. Since, on success, the caller is
|
||||
responsible for freeing these ptrs this can potentially lead to a double
|
||||
free if the caller frees them even on failure.
|
||||
|
||||
Thanks to Dawei Wang for reporting this issue.
|
||||
|
||||
Based on a proposed patch by Kurt Roeckx.
|
||||
|
||||
CVE-2022-4450
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
crypto/pem/pem_lib.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
|
||||
index d416d939ea..328c30cdbb 100644
|
||||
--- a/crypto/pem/pem_lib.c
|
||||
+++ b/crypto/pem/pem_lib.c
|
||||
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
|
||||
*data = pem_malloc(len, flags);
|
||||
if (*header == NULL || *data == NULL) {
|
||||
pem_free(*header, flags, 0);
|
||||
+ *header = NULL;
|
||||
pem_free(*data, flags, 0);
|
||||
+ *data = NULL;
|
||||
goto end;
|
||||
}
|
||||
BIO_read(headerB, *header, headerlen);
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From 2bd611267868a008afa576846ba71566bd0d4d15 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 15:02:26 +0000
|
||||
Subject: [PATCH 3/6] Add a test for CVE-2022-4450
|
||||
|
||||
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
|
||||
ptrs and therefore there should be no double free if we free the ptrs on
|
||||
error.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
test/pemtest.c | 30 ++++++++++++++++++++++++++++++
|
||||
1 file changed, 30 insertions(+)
|
||||
|
||||
diff --git a/test/pemtest.c b/test/pemtest.c
|
||||
index 3203d976be..edeb0a1205 100644
|
||||
--- a/test/pemtest.c
|
||||
+++ b/test/pemtest.c
|
||||
@@ -83,9 +83,39 @@ static int test_invalid(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static int test_empty_payload(void)
|
||||
+{
|
||||
+ BIO *b;
|
||||
+ static char *emptypay =
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "-\n" /* Base64 EOF character */
|
||||
+ "-----END CERTIFICATE-----";
|
||||
+ char *name = NULL, *header = NULL;
|
||||
+ unsigned char *data = NULL;
|
||||
+ long len;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay));
|
||||
+ if (!TEST_ptr(b))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Expected to fail because the payload is empty */
|
||||
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+ err:
|
||||
+ OPENSSL_free(name);
|
||||
+ OPENSSL_free(header);
|
||||
+ OPENSSL_free(data);
|
||||
+ BIO_free(b);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
|
||||
ADD_TEST(test_invalid);
|
||||
+ ADD_TEST(test_empty_payload);
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,186 +0,0 @@
|
||||
From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 14 Dec 2022 16:18:14 +0000
|
||||
Subject: [PATCH 4/6] Fix a UAF resulting from a bug in BIO_new_NDEF
|
||||
|
||||
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
|
||||
be part of an invalid BIO chain. This causes a "use after free" when the
|
||||
BIO is eventually freed.
|
||||
|
||||
Based on an original patch by Viktor Dukhovni and an idea from Theo
|
||||
Buehler.
|
||||
|
||||
Thanks to Octavio Galland for reporting this issue.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 32 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
|
||||
index 760e4846a4..f8d4b1b9aa 100644
|
||||
--- a/crypto/asn1/bio_ndef.c
|
||||
+++ b/crypto/asn1/bio_ndef.c
|
||||
@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
|
||||
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
|
||||
void *parg);
|
||||
|
||||
+/*
|
||||
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
|
||||
+ * On failure, NULL is returned and the input BIO is owned by the caller.
|
||||
+ *
|
||||
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
|
||||
+ */
|
||||
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
{
|
||||
NDEF_SUPPORT *ndef_aux = NULL;
|
||||
BIO *asn_bio = NULL;
|
||||
const ASN1_AUX *aux = it->funcs;
|
||||
ASN1_STREAM_ARG sarg;
|
||||
+ BIO *pop_bio = NULL;
|
||||
|
||||
if (!aux || !aux->asn1_cb) {
|
||||
ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
|
||||
@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
out = BIO_push(asn_bio, out);
|
||||
if (out == NULL)
|
||||
goto err;
|
||||
+ pop_bio = asn_bio;
|
||||
|
||||
- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
|
||||
- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
|
||||
+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
|
||||
+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
|
||||
+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
|
||||
+ goto err;
|
||||
|
||||
/*
|
||||
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
|
||||
- * needs.
|
||||
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
|
||||
+ * ASN1 structure needs.
|
||||
*/
|
||||
|
||||
sarg.out = out;
|
||||
sarg.ndef_bio = NULL;
|
||||
sarg.boundary = NULL;
|
||||
|
||||
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
|
||||
+ /*
|
||||
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
|
||||
+ * middle of some partially built, but not returned BIO chain.
|
||||
+ */
|
||||
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
|
||||
+ /*
|
||||
+ * ndef_aux is now owned by asn_bio so we must not free it in the err
|
||||
+ * clean up block
|
||||
+ */
|
||||
+ ndef_aux = NULL;
|
||||
goto err;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * We must not fail now because the callback has prepended additional
|
||||
+ * BIOs to the chain
|
||||
+ */
|
||||
|
||||
ndef_aux->val = val;
|
||||
ndef_aux->it = it;
|
||||
@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
ndef_aux->boundary = sarg.boundary;
|
||||
ndef_aux->out = out;
|
||||
|
||||
- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
|
||||
-
|
||||
return sarg.ndef_bio;
|
||||
|
||||
err:
|
||||
+ /* BIO_pop() is NULL safe */
|
||||
+ (void)BIO_pop(pop_bio);
|
||||
BIO_free(asn_bio);
|
||||
OPENSSL_free(ndef_aux);
|
||||
return NULL;
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From f040f2577891d2bdb7610566c172233844cf673a Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 14 Dec 2022 17:15:18 +0000
|
||||
Subject: [PATCH 5/6] Check CMS failure during BIO setup with -stream is
|
||||
handled correctly
|
||||
|
||||
Test for the issue fixed in the previous commit
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
test/recipes/80-test_cms.t | 15 +++++++++++++--
|
||||
test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
|
||||
2 files changed, 31 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/smime-certs/badrsa.pem
|
||||
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index 5dc6a3aebe..ec11bfc253 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -13,7 +13,7 @@ use warnings;
|
||||
use POSIX;
|
||||
use File::Spec::Functions qw/catfile/;
|
||||
use File::Compare qw/compare_text/;
|
||||
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
setup("test_cms");
|
||||
@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt");
|
||||
my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
||||
= disabled qw/des dh dsa ec ec2m rc2 zlib/;
|
||||
|
||||
-plan tests => 6;
|
||||
+plan tests => 7;
|
||||
|
||||
my @smime_pkcs7_tests = (
|
||||
|
||||
@@ -584,3 +584,14 @@ sub check_availability {
|
||||
|
||||
return "";
|
||||
}
|
||||
+
|
||||
+# Check that we get the expected failure return code
|
||||
+with({ exit_checker => sub { return shift == 6; } },
|
||||
+ sub {
|
||||
+ ok(run(app(['openssl', 'cms', '-encrypt',
|
||||
+ '-in', srctop_file("test", "smcont.txt"),
|
||||
+ '-stream', '-recip',
|
||||
+ srctop_file("test/smime-certs", "badrsa.pem"),
|
||||
+ ])),
|
||||
+ "Check failure during BIO setup with -stream is handled correctly");
|
||||
+ });
|
||||
diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
|
||||
new file mode 100644
|
||||
index 0000000000..f824fc2267
|
||||
--- /dev/null
|
||||
+++ b/test/smime-certs/badrsa.pem
|
||||
@@ -0,0 +1,18 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
|
||||
+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
|
||||
+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
|
||||
+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
|
||||
+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
|
||||
+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
|
||||
+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
|
||||
+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
|
||||
+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
|
||||
+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
|
||||
+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
|
||||
+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
|
||||
+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
|
||||
+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
|
||||
+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
|
||||
+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
|
||||
+-----END CERTIFICATE-----
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,63 +0,0 @@
|
||||
From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Landau <hlandau@openssl.org>
|
||||
Date: Tue, 17 Jan 2023 17:45:42 +0000
|
||||
Subject: [PATCH 6/6] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
|
||||
(1.1.1)
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
CHANGES | 18 +++++++++++++++++-
|
||||
crypto/x509v3/v3_genn.c | 2 +-
|
||||
include/openssl/x509v3.h | 2 +-
|
||||
test/v3nametest.c | 8 ++++++++
|
||||
4 files changed, 27 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
|
||||
index 87a5eff47c..e54ddc55c9 100644
|
||||
--- a/crypto/x509v3/v3_genn.c
|
||||
+++ b/crypto/x509v3/v3_genn.c
|
||||
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
|
||||
return -1;
|
||||
switch (a->type) {
|
||||
case GEN_X400:
|
||||
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
|
||||
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
|
||||
break;
|
||||
|
||||
case GEN_EDIPARTY:
|
||||
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
|
||||
index 90fa3592ce..e61c0f29d4 100644
|
||||
--- a/include/openssl/x509v3.h
|
||||
+++ b/include/openssl/x509v3.h
|
||||
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
|
||||
OTHERNAME *otherName; /* otherName */
|
||||
ASN1_IA5STRING *rfc822Name;
|
||||
ASN1_IA5STRING *dNSName;
|
||||
- ASN1_TYPE *x400Address;
|
||||
+ ASN1_STRING *x400Address;
|
||||
X509_NAME *directoryName;
|
||||
EDIPARTYNAME *ediPartyName;
|
||||
ASN1_IA5STRING *uniformResourceIdentifier;
|
||||
diff --git a/test/v3nametest.c b/test/v3nametest.c
|
||||
index d1852190b8..37819da8fd 100644
|
||||
--- a/test/v3nametest.c
|
||||
+++ b/test/v3nametest.c
|
||||
@@ -646,6 +646,14 @@ static struct gennamedata {
|
||||
0xb7, 0x09, 0x02, 0x02
|
||||
},
|
||||
15
|
||||
+ }, {
|
||||
+ /*
|
||||
+ * Regression test for CVE-2023-0286.
|
||||
+ */
|
||||
+ {
|
||||
+ 0xa3, 0x00
|
||||
+ },
|
||||
+ 2
|
||||
}
|
||||
};
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,127 +0,0 @@
|
||||
From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Thu, 6 Jul 2023 16:36:35 +0100
|
||||
Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
|
||||
|
||||
The DH_check() function checks numerous aspects of the key or parameters
|
||||
that have been supplied. Some of those checks use the supplied modulus
|
||||
value even if it is excessively large.
|
||||
|
||||
There is already a maximum DH modulus size (10,000 bits) over which
|
||||
OpenSSL will not generate or derive keys. DH_check() will however still
|
||||
perform various tests for validity on such a large modulus. We introduce a
|
||||
new maximum (32,768) over which DH_check() will just fail.
|
||||
|
||||
An application that calls DH_check() and supplies a key or parameters
|
||||
obtained from an untrusted source could be vulnerable to a Denial of
|
||||
Service attack.
|
||||
|
||||
The function DH_check() is itself called by a number of other OpenSSL
|
||||
functions. An application calling any of those other functions may
|
||||
similarly be affected. The other functions affected by this are
|
||||
DH_check_ex() and EVP_PKEY_param_check().
|
||||
|
||||
CVE-2023-3446
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
|
||||
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/21452)
|
||||
|
||||
Upstream-Status: Backport [8780a896543a654e757db1b9396383f9d8095528]
|
||||
---
|
||||
crypto/dh/dh_check.c | 6 ++++++
|
||||
crypto/dh/dh_err.c | 3 ++-
|
||||
crypto/err/openssl.txt | 3 ++-
|
||||
include/openssl/dh.h | 3 +++
|
||||
include/openssl/dherr.h | 3 ++-
|
||||
5 files changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 4ac169e75c..e5f9dd5030 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *t1 = NULL, *t2 = NULL;
|
||||
|
||||
+ /* Don't do any checks at all with an excessively large modulus */
|
||||
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (!DH_check_params(dh, ret))
|
||||
return 0;
|
||||
|
||||
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
||||
index 7285587b4a..92800d3fcc 100644
|
||||
--- a/crypto/dh/dh_err.c
|
||||
+++ b/crypto/dh/dh_err.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
|
||||
"dh_builtin_genparams"},
|
||||
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index 9f91a4a811..c0a3cd720b 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -402,6 +402,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
|
||||
DH_F_COMPUTE_KEY:102:compute_key
|
||||
DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
|
||||
DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
|
||||
+DH_F_DH_CHECK:126:DH_check
|
||||
DH_F_DH_CHECK_EX:121:DH_check_ex
|
||||
DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
|
||||
DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
|
||||
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||
index 3527540cdd..892e31559d 100644
|
||||
--- a/include/openssl/dh.h
|
||||
+++ b/include/openssl/dh.h
|
||||
@@ -29,6 +29,9 @@ extern "C" {
|
||||
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
|
||||
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
|
||||
# endif
|
||||
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
|
||||
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
|
||||
+# endif
|
||||
|
||||
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
|
||||
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
|
||||
|
||||
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
||||
index 916b3bed0b..528c819856 100644
|
||||
--- a/include/openssl/dherr.h
|
||||
+++ b/include/openssl/dherr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
|
||||
# define DH_F_COMPUTE_KEY 102
|
||||
# define DH_F_DHPARAMS_PRINT_FP 101
|
||||
# define DH_F_DH_BUILTIN_GENPARAMS 106
|
||||
+# define DH_F_DH_CHECK 126
|
||||
# define DH_F_DH_CHECK_EX 121
|
||||
# define DH_F_DH_CHECK_PARAMS_EX 122
|
||||
# define DH_F_DH_CHECK_PUB_KEY_EX 123
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,60 +0,0 @@
|
||||
From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 21 Jul 2023 11:39:41 +0200
|
||||
Subject: [PATCH] DH_check(): Do not try checking q properties if it is
|
||||
obviously invalid
|
||||
|
||||
If |q| >= |p| then the q value is obviously wrong as q
|
||||
is supposed to be a prime divisor of p-1.
|
||||
|
||||
We check if p is overly large so this added test implies that
|
||||
q is not large either when performing subsequent tests using that
|
||||
q value.
|
||||
|
||||
Otherwise if it is too large these additional checks of the q value
|
||||
such as the primality test can then trigger DoS by doing overly long
|
||||
computations.
|
||||
|
||||
Fixes CVE-2023-3817
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/21551)
|
||||
|
||||
Upstream-Status: Backport [91ddeba0f2269b017dc06c46c993a788974b1aa5]
|
||||
---
|
||||
crypto/dh/dh_check.c | 11 +++++++++--
|
||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 2001d2e7cb..9ae96991eb 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -105,7 +105,7 @@ int DH_check_ex(const DH *dh)
|
||||
/* Note: according to documentation - this only checks the params */
|
||||
int DH_check(const DH *dh, int *ret)
|
||||
{
|
||||
- int ok = 0, r;
|
||||
+ int ok = 0, r, q_good = 0;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *t1 = NULL, *t2 = NULL;
|
||||
|
||||
@@ -130,7 +130,14 @@ int DH_check(const DH *dh, int *ret)
|
||||
if (t2 == NULL)
|
||||
goto err;
|
||||
|
||||
- if (dh->q) {
|
||||
+ if (dh->q != NULL) {
|
||||
+ if (BN_ucmp(dh->p, dh->q) > 0)
|
||||
+ q_good = 1;
|
||||
+ else
|
||||
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
|
||||
+ }
|
||||
+
|
||||
+ if (q_good) {
|
||||
if (BN_cmp(dh->g, BN_value_one()) <= 0)
|
||||
*ret |= DH_NOT_SUITABLE_GENERATOR;
|
||||
else if (BN_cmp(dh->g, dh->p) >= 0)
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,154 +0,0 @@
|
||||
From 0814467cc1b6a2839877277d3efa69cdd4582dd7 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Levitte <levitte@openssl.org>
|
||||
Date: Fri, 20 Oct 2023 09:18:19 +0200
|
||||
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
|
||||
|
||||
We already check for an excessively large P in DH_generate_key(), but not in
|
||||
DH_check_pub_key(), and none of them check for an excessively large Q.
|
||||
|
||||
This change adds all the missing excessive size checks of P and Q.
|
||||
|
||||
It's to be noted that behaviours surrounding excessively sized P and Q
|
||||
differ. DH_check() raises an error on the excessively sized P, but only
|
||||
sets a flag for the excessively sized Q. This behaviour is mimicked in
|
||||
DH_check_pub_key().
|
||||
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/22518)
|
||||
|
||||
(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
|
||||
Backported-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/dh/dh_check.c | 17 +++++++++++++++++
|
||||
crypto/dh/dh_err.c | 1 +
|
||||
crypto/dh/dh_key.c | 10 ++++++++++
|
||||
crypto/err/openssl.txt | 1 +
|
||||
include/openssl/dh.h | 6 ++++--
|
||||
include/openssl/dherr.h | 1 +
|
||||
6 files changed, 34 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index ae1b03bc92..424a3bb4cd 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -198,10 +198,27 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
*ret = 0;
|
||||
+
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
BN_CTX_start(ctx);
|
||||
+
|
||||
+ /* Don't do any checks at all with an excessively large modulus */
|
||||
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
|
||||
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
|
||||
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ /* This may look strange here, but returning 1 after setting ret is
|
||||
+ * correct. See also the behavior of the pub_key^q == 1 mod p check
|
||||
+ * further down, which behaves in the same way. */
|
||||
+ ok = 1;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
tmp = BN_CTX_get(ctx);
|
||||
if (tmp == NULL || !BN_set_word(tmp, 1))
|
||||
goto err;
|
||||
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
||||
index 92800d3fcc..b3b1e7a706 100644
|
||||
--- a/crypto/dh/dh_err.c
|
||||
+++ b/crypto/dh/dh_err.c
|
||||
@@ -87,6 +87,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
|
||||
"parameter encoding error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
|
||||
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
|
||||
"unable to check generator"},
|
||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||
index 117f2fa883..9f5e6f6d4c 100644
|
||||
--- a/crypto/dh/dh_key.c
|
||||
+++ b/crypto/dh/dh_key.c
|
||||
@@ -140,6 +140,11 @@ static int generate_key(DH *dh)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -250,6 +255,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
|
||||
goto err;
|
||||
}
|
||||
+
|
||||
+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode()
|
||||
&& (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index c0a3cd720b..5e0ff47516 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -2151,6 +2151,7 @@DH_R_NO_PARAMETERS_SET:107:no parameters set
|
||||
DH_R_NO_PRIVATE_VALUE:100:no private value
|
||||
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
|
||||
DH_R_PEER_KEY_ERROR:111:peer key error
|
||||
+DH_R_Q_TOO_LARGE:130:q too large
|
||||
DH_R_SHARED_INFO_ERROR:113:shared info error
|
||||
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
|
||||
DSA_R_BAD_Q_VALUE:102:bad q value
|
||||
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||
index 6c6ff3636a..b7df43b44f 100644
|
||||
--- a/include/openssl/dh.h
|
||||
+++ b/include/openssl/dh.h
|
||||
@@ -72,14 +72,16 @@ DECLARE_ASN1_ITEM(DHparams)
|
||||
/* #define DH_GENERATOR_3 3 */
|
||||
# define DH_GENERATOR_5 5
|
||||
|
||||
-/* DH_check error codes */
|
||||
+/* DH_check error codes, some of them shared with DH_check_pub_key */
|
||||
# define DH_CHECK_P_NOT_PRIME 0x01
|
||||
# define DH_CHECK_P_NOT_SAFE_PRIME 0x02
|
||||
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
|
||||
# define DH_NOT_SUITABLE_GENERATOR 0x08
|
||||
# define DH_CHECK_Q_NOT_PRIME 0x10
|
||||
-# define DH_CHECK_INVALID_Q_VALUE 0x20
|
||||
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
|
||||
# define DH_CHECK_INVALID_J_VALUE 0x40
|
||||
+/* DH_MODULUS_TOO_SMALL is 0x80 upstream */
|
||||
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
|
||||
|
||||
/* DH_check_pub_key error codes */
|
||||
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
|
||||
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
||||
index 528c819856..d66c35aa8e 100644
|
||||
--- a/include/openssl/dherr.h
|
||||
+++ b/include/openssl/dherr.h
|
||||
@@ -87,6 +87,7 @@ int ERR_load_DH_strings(void);
|
||||
# define DH_R_NON_FIPS_METHOD 202
|
||||
# define DH_R_PARAMETER_ENCODING_ERROR 105
|
||||
# define DH_R_PEER_KEY_ERROR 111
|
||||
+# define DH_R_Q_TOO_LARGE 130
|
||||
# define DH_R_SHARED_INFO_ERROR 113
|
||||
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,34 +0,0 @@
|
||||
diff -up openssl-1.1.1k/apps/s_socket.c.addr-ipv6 openssl-1.1.1k/apps/s_socket.c
|
||||
--- openssl-1.1.1k/apps/s_socket.c.addr-ipv6 2021-07-16 15:14:08.491986682 +0200
|
||||
+++ openssl-1.1.1k/apps/s_socket.c 2021-07-16 15:23:21.271329197 +0200
|
||||
@@ -214,6 +214,8 @@ int do_server(int *accept_sock, const ch
|
||||
const BIO_ADDRINFO *next;
|
||||
int sock_family, sock_type, sock_protocol, sock_port;
|
||||
const BIO_ADDR *sock_address;
|
||||
+ int sock_family_fallback = AF_UNSPEC;
|
||||
+ const BIO_ADDR *sock_address_fallback = NULL;
|
||||
int sock_options = BIO_SOCK_REUSEADDR;
|
||||
int ret = 0;
|
||||
|
||||
@@ -244,6 +246,10 @@ int do_server(int *accept_sock, const ch
|
||||
&& BIO_ADDRINFO_protocol(next) == sock_protocol) {
|
||||
if (sock_family == AF_INET
|
||||
&& BIO_ADDRINFO_family(next) == AF_INET6) {
|
||||
+ /* In case AF_INET6 is returned but not supported by the
|
||||
+ * kernel, retry with the first detected address family */
|
||||
+ sock_family_fallback = sock_family;
|
||||
+ sock_address_fallback = sock_address;
|
||||
sock_family = AF_INET6;
|
||||
sock_address = BIO_ADDRINFO_address(next);
|
||||
} else if (sock_family == AF_INET6
|
||||
@@ -253,6 +259,10 @@ int do_server(int *accept_sock, const ch
|
||||
}
|
||||
|
||||
asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
|
||||
+ if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {
|
||||
+ asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0);
|
||||
+ sock_address = sock_address_fallback;
|
||||
+ }
|
||||
if (asock == INVALID_SOCKET
|
||||
|| !BIO_listen(asock, sock_address, sock_options)) {
|
||||
BIO_ADDRINFO_free(res);
|
@ -1,266 +0,0 @@
|
||||
diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
|
||||
--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100
|
||||
@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
|
||||
#endif /* OPENSSL_NO_RSA */
|
||||
|
||||
enum {
|
||||
- R_EC_P160,
|
||||
- R_EC_P192,
|
||||
R_EC_P224,
|
||||
R_EC_P256,
|
||||
R_EC_P384,
|
||||
R_EC_P521,
|
||||
-#ifndef OPENSSL_NO_EC2M
|
||||
- R_EC_K163,
|
||||
- R_EC_K233,
|
||||
- R_EC_K283,
|
||||
- R_EC_K409,
|
||||
- R_EC_K571,
|
||||
- R_EC_B163,
|
||||
- R_EC_B233,
|
||||
- R_EC_B283,
|
||||
- R_EC_B409,
|
||||
- R_EC_B571,
|
||||
-#endif
|
||||
- R_EC_BRP256R1,
|
||||
- R_EC_BRP256T1,
|
||||
- R_EC_BRP384R1,
|
||||
- R_EC_BRP384T1,
|
||||
- R_EC_BRP512R1,
|
||||
- R_EC_BRP512T1,
|
||||
R_EC_X25519,
|
||||
R_EC_X448
|
||||
};
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static OPT_PAIR ecdsa_choices[] = {
|
||||
- {"ecdsap160", R_EC_P160},
|
||||
- {"ecdsap192", R_EC_P192},
|
||||
{"ecdsap224", R_EC_P224},
|
||||
{"ecdsap256", R_EC_P256},
|
||||
{"ecdsap384", R_EC_P384},
|
||||
{"ecdsap521", R_EC_P521},
|
||||
-# ifndef OPENSSL_NO_EC2M
|
||||
- {"ecdsak163", R_EC_K163},
|
||||
- {"ecdsak233", R_EC_K233},
|
||||
- {"ecdsak283", R_EC_K283},
|
||||
- {"ecdsak409", R_EC_K409},
|
||||
- {"ecdsak571", R_EC_K571},
|
||||
- {"ecdsab163", R_EC_B163},
|
||||
- {"ecdsab233", R_EC_B233},
|
||||
- {"ecdsab283", R_EC_B283},
|
||||
- {"ecdsab409", R_EC_B409},
|
||||
- {"ecdsab571", R_EC_B571},
|
||||
-# endif
|
||||
- {"ecdsabrp256r1", R_EC_BRP256R1},
|
||||
- {"ecdsabrp256t1", R_EC_BRP256T1},
|
||||
- {"ecdsabrp384r1", R_EC_BRP384R1},
|
||||
- {"ecdsabrp384t1", R_EC_BRP384T1},
|
||||
- {"ecdsabrp512r1", R_EC_BRP512R1},
|
||||
- {"ecdsabrp512t1", R_EC_BRP512T1}
|
||||
};
|
||||
# define ECDSA_NUM OSSL_NELEM(ecdsa_choices)
|
||||
|
||||
static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */
|
||||
|
||||
static const OPT_PAIR ecdh_choices[] = {
|
||||
- {"ecdhp160", R_EC_P160},
|
||||
- {"ecdhp192", R_EC_P192},
|
||||
{"ecdhp224", R_EC_P224},
|
||||
{"ecdhp256", R_EC_P256},
|
||||
{"ecdhp384", R_EC_P384},
|
||||
{"ecdhp521", R_EC_P521},
|
||||
-# ifndef OPENSSL_NO_EC2M
|
||||
- {"ecdhk163", R_EC_K163},
|
||||
- {"ecdhk233", R_EC_K233},
|
||||
- {"ecdhk283", R_EC_K283},
|
||||
- {"ecdhk409", R_EC_K409},
|
||||
- {"ecdhk571", R_EC_K571},
|
||||
- {"ecdhb163", R_EC_B163},
|
||||
- {"ecdhb233", R_EC_B233},
|
||||
- {"ecdhb283", R_EC_B283},
|
||||
- {"ecdhb409", R_EC_B409},
|
||||
- {"ecdhb571", R_EC_B571},
|
||||
-# endif
|
||||
- {"ecdhbrp256r1", R_EC_BRP256R1},
|
||||
- {"ecdhbrp256t1", R_EC_BRP256T1},
|
||||
- {"ecdhbrp384r1", R_EC_BRP384R1},
|
||||
- {"ecdhbrp384t1", R_EC_BRP384T1},
|
||||
- {"ecdhbrp512r1", R_EC_BRP512R1},
|
||||
- {"ecdhbrp512t1", R_EC_BRP512T1},
|
||||
{"ecdhx25519", R_EC_X25519},
|
||||
{"ecdhx448", R_EC_X448}
|
||||
};
|
||||
@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
|
||||
unsigned int bits;
|
||||
} test_curves[] = {
|
||||
/* Prime Curves */
|
||||
- {"secp160r1", NID_secp160r1, 160},
|
||||
- {"nistp192", NID_X9_62_prime192v1, 192},
|
||||
{"nistp224", NID_secp224r1, 224},
|
||||
{"nistp256", NID_X9_62_prime256v1, 256},
|
||||
{"nistp384", NID_secp384r1, 384},
|
||||
{"nistp521", NID_secp521r1, 521},
|
||||
-# ifndef OPENSSL_NO_EC2M
|
||||
- /* Binary Curves */
|
||||
- {"nistk163", NID_sect163k1, 163},
|
||||
- {"nistk233", NID_sect233k1, 233},
|
||||
- {"nistk283", NID_sect283k1, 283},
|
||||
- {"nistk409", NID_sect409k1, 409},
|
||||
- {"nistk571", NID_sect571k1, 571},
|
||||
- {"nistb163", NID_sect163r2, 163},
|
||||
- {"nistb233", NID_sect233r1, 233},
|
||||
- {"nistb283", NID_sect283r1, 283},
|
||||
- {"nistb409", NID_sect409r1, 409},
|
||||
- {"nistb571", NID_sect571r1, 571},
|
||||
-# endif
|
||||
- {"brainpoolP256r1", NID_brainpoolP256r1, 256},
|
||||
- {"brainpoolP256t1", NID_brainpoolP256t1, 256},
|
||||
- {"brainpoolP384r1", NID_brainpoolP384r1, 384},
|
||||
- {"brainpoolP384t1", NID_brainpoolP384t1, 384},
|
||||
- {"brainpoolP512r1", NID_brainpoolP512r1, 512},
|
||||
- {"brainpoolP512t1", NID_brainpoolP512t1, 512},
|
||||
/* Other and ECDH only ones */
|
||||
{"X25519", NID_X25519, 253},
|
||||
{"X448", NID_X448, 448}
|
||||
@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
|
||||
# endif
|
||||
|
||||
# ifndef OPENSSL_NO_EC
|
||||
- ecdsa_c[R_EC_P160][0] = count / 1000;
|
||||
- ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
|
||||
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
|
||||
+ ecdsa_c[R_EC_P224][0] = count / 1000;
|
||||
+ ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
|
||||
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
|
||||
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
|
||||
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
|
||||
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
|
||||
@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
-# ifndef OPENSSL_NO_EC2M
|
||||
+# if 0
|
||||
ecdsa_c[R_EC_K163][0] = count / 1000;
|
||||
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
|
||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||
@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
# endif
|
||||
|
||||
- ecdh_c[R_EC_P160][0] = count / 1000;
|
||||
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
|
||||
+ ecdh_c[R_EC_P224][0] = count / 1000;
|
||||
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
|
||||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
|
||||
ecdh_doit[i] = 0;
|
||||
@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
-# ifndef OPENSSL_NO_EC2M
|
||||
+# if 0
|
||||
ecdh_c[R_EC_K163][0] = count / 1000;
|
||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||
diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100
|
||||
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (BN_num_bits(p) < 224) {
|
||||
+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (ctx == NULL) {
|
||||
ctx = new_ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
|
||||
--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100
|
||||
+++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100
|
||||
@@ -32,23 +32,6 @@ typedef struct {
|
||||
} ecdsa_cavs_kat_t;
|
||||
|
||||
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
|
||||
- /* prime KATs from X9.62 */
|
||||
- {NID_X9_62_prime192v1, NID_sha1,
|
||||
- "616263", /* "abc" */
|
||||
- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
|
||||
- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
|
||||
- "5ca5c0d69716dfcb3474373902",
|
||||
- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
|
||||
- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
|
||||
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
|
||||
- {NID_X9_62_prime239v1, NID_sha1,
|
||||
- "616263", /* "abc" */
|
||||
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
|
||||
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
|
||||
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
|
||||
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
|
||||
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
|
||||
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
|
||||
/* prime KATs from NIST CAVP */
|
||||
{NID_secp224r1, NID_sha224,
|
||||
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
|
||||
--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100
|
||||
+++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100
|
||||
@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
|
||||
if disabled("ec");
|
||||
|
||||
my @prime_curves = qw(
|
||||
- secp112r1
|
||||
- secp112r2
|
||||
- secp128r1
|
||||
- secp128r2
|
||||
- secp160k1
|
||||
- secp160r1
|
||||
- secp160r2
|
||||
- secp192k1
|
||||
- secp224k1
|
||||
secp224r1
|
||||
secp256k1
|
||||
secp384r1
|
||||
secp521r1
|
||||
- prime192v1
|
||||
- prime192v2
|
||||
- prime192v3
|
||||
- prime239v1
|
||||
- prime239v2
|
||||
- prime239v3
|
||||
prime256v1
|
||||
- wap-wsg-idm-ecid-wtls6
|
||||
- wap-wsg-idm-ecid-wtls7
|
||||
- wap-wsg-idm-ecid-wtls8
|
||||
- wap-wsg-idm-ecid-wtls9
|
||||
- wap-wsg-idm-ecid-wtls12
|
||||
- brainpoolP160r1
|
||||
- brainpoolP160t1
|
||||
- brainpoolP192r1
|
||||
- brainpoolP192t1
|
||||
- brainpoolP224r1
|
||||
- brainpoolP224t1
|
||||
- brainpoolP256r1
|
||||
- brainpoolP256t1
|
||||
- brainpoolP320r1
|
||||
- brainpoolP320t1
|
||||
- brainpoolP384r1
|
||||
- brainpoolP384t1
|
||||
- brainpoolP512r1
|
||||
- brainpoolP512t1
|
||||
);
|
||||
|
||||
my @binary_curves = qw(
|
||||
@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
|
||||
if !disabled("sm2");
|
||||
|
||||
my @curve_aliases = qw(
|
||||
- P-192
|
||||
P-224
|
||||
P-256
|
||||
P-384
|
@ -1,57 +0,0 @@
|
||||
diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
|
||||
--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
|
||||
+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/kdf.h>
|
||||
+#include "internal/numbers.h"
|
||||
#include "crypto/evp.h"
|
||||
|
||||
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
|
||||
diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
|
||||
--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
|
||||
+++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/kdf.h>
|
||||
#include <openssl/evp.h>
|
||||
+#include "internal/numbers.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "crypto/evp.h"
|
||||
#include "kdf_local.h"
|
||||
diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
|
||||
--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
|
||||
@@ -20,7 +20,7 @@
|
||||
#include "crypto/fips.h"
|
||||
#include <stdio.h>
|
||||
#include "internal/dso.h"
|
||||
-#ifdef __linux
|
||||
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
|
||||
# include <sys/syscall.h>
|
||||
# include <sys/random.h>
|
||||
# ifdef DEVRANDOM_WAIT
|
||||
diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
|
||||
--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
|
||||
@@ -50,10 +50,6 @@
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
-#ifndef OPENSSL_FIPS
|
||||
-# error FIPS is disabled.
|
||||
-#endif
|
||||
-
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
||||
int FIPS_module_mode_set(int onoff);
|
||||
@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
|
||||
|
||||
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
|
||||
|
||||
+#else
|
||||
+
|
||||
+# define fips_in_post() 0
|
||||
+
|
||||
#endif
|
File diff suppressed because it is too large
Load Diff
@ -1,408 +0,0 @@
|
||||
diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
|
||||
--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
LIBS=../../libcrypto
|
||||
SOURCE[../../libcrypto]=\
|
||||
- randfile.c rand_lib.c rand_err.c rand_egd.c \
|
||||
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
|
||||
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
|
||||
|
||||
INCLUDE[drbg_ctr.o]=../modes
|
||||
diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
|
||||
--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
|
||||
|
||||
|
||||
/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
|
||||
-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
|
||||
+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
|
||||
|
||||
static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
|
||||
|
||||
@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
|
||||
drbg->parent = parent;
|
||||
|
||||
if (parent == NULL) {
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ drbg->get_entropy = rand_crngt_get_entropy;
|
||||
+ drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
|
||||
+#else
|
||||
drbg->get_entropy = rand_drbg_get_entropy;
|
||||
drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
|
||||
+#endif
|
||||
#ifndef RAND_DRBG_GET_RANDOM_NONCE
|
||||
drbg->get_nonce = rand_drbg_get_nonce;
|
||||
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
|
||||
diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
|
||||
--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -0,0 +1,118 @@
|
||||
+/*
|
||||
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
|
||||
+ */
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include "crypto/rand.h"
|
||||
+#include "internal/thread_once.h"
|
||||
+#include "rand_local.h"
|
||||
+
|
||||
+static RAND_POOL *crngt_pool;
|
||||
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
|
||||
+
|
||||
+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
|
||||
+ = &rand_crngt_get_entropy_cb;
|
||||
+
|
||||
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
|
||||
+ unsigned int *md_size)
|
||||
+{
|
||||
+ int r;
|
||||
+ size_t n;
|
||||
+ unsigned char *p;
|
||||
+
|
||||
+ n = rand_pool_acquire_entropy(crngt_pool);
|
||||
+ if (n >= CRNGT_BUFSIZ) {
|
||||
+ p = rand_pool_detach(crngt_pool);
|
||||
+ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
|
||||
+ if (r != 0)
|
||||
+ memcpy(buf, p, CRNGT_BUFSIZ);
|
||||
+ rand_pool_reattach(crngt_pool, p);
|
||||
+ return r;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+void rand_crngt_cleanup(void)
|
||||
+{
|
||||
+ rand_pool_free(crngt_pool);
|
||||
+ crngt_pool = NULL;
|
||||
+}
|
||||
+
|
||||
+int rand_crngt_init(void)
|
||||
+{
|
||||
+ unsigned char buf[CRNGT_BUFSIZ];
|
||||
+
|
||||
+ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
|
||||
+ return 0;
|
||||
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) {
|
||||
+ OPENSSL_cleanse(buf, sizeof(buf));
|
||||
+ return 1;
|
||||
+ }
|
||||
+ rand_crngt_cleanup();
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
|
||||
+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
|
||||
+{
|
||||
+ return OPENSSL_init_crypto(0, NULL)
|
||||
+ && rand_crngt_init()
|
||||
+ && OPENSSL_atexit(&rand_crngt_cleanup);
|
||||
+}
|
||||
+
|
||||
+int rand_crngt_single_init(void)
|
||||
+{
|
||||
+ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
|
||||
+}
|
||||
+
|
||||
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
|
||||
+ unsigned char **pout,
|
||||
+ int entropy, size_t min_len, size_t max_len,
|
||||
+ int prediction_resistance)
|
||||
+{
|
||||
+ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
|
||||
+ unsigned int sz;
|
||||
+ RAND_POOL *pool;
|
||||
+ size_t q, r = 0, s, t = 0;
|
||||
+ int attempts = 3;
|
||||
+
|
||||
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
|
||||
+ return 0;
|
||||
+
|
||||
+ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
|
||||
+ s = q > sizeof(buf) ? sizeof(buf) : q;
|
||||
+ if (!crngt_get_entropy(buf, md, &sz)
|
||||
+ || memcmp(crngt_prev, md, sz) == 0
|
||||
+ || !rand_pool_add(pool, buf, s, s * 8))
|
||||
+ goto err;
|
||||
+ memcpy(crngt_prev, md, sz);
|
||||
+ t += s;
|
||||
+ attempts++;
|
||||
+ }
|
||||
+ r = t;
|
||||
+ *pout = rand_pool_detach(pool);
|
||||
+err:
|
||||
+ OPENSSL_cleanse(buf, sizeof(buf));
|
||||
+ rand_pool_free(pool);
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
|
||||
+ unsigned char *out, size_t outlen)
|
||||
+{
|
||||
+ OPENSSL_secure_clear_free(out, outlen);
|
||||
+}
|
||||
diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
|
||||
--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -33,7 +33,15 @@
|
||||
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
|
||||
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
|
||||
|
||||
-
|
||||
+/*
|
||||
+ * The number of bytes that constitutes an atomic lump of entropy with respect
|
||||
+ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
|
||||
+ * arbitrary, the smaller the value, the less entropy is consumed on first
|
||||
+ * read but the higher the probability of the test failing by accident.
|
||||
+ *
|
||||
+ * The value is in bytes.
|
||||
+ */
|
||||
+#define CRNGT_BUFSIZ 16
|
||||
|
||||
/*
|
||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
||||
@@ -44,6 +52,8 @@
|
||||
*/
|
||||
# define DRBG_MAX_LENGTH INT32_MAX
|
||||
|
||||
+/* The default nonce */
|
||||
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
|
||||
|
||||
/*
|
||||
* Maximum allocation size for RANDOM_POOL buffers
|
||||
@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
|
||||
/* initializes the AES-CTR DRBG implementation */
|
||||
int drbg_ctr_init(RAND_DRBG *drbg);
|
||||
|
||||
+/*
|
||||
+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
|
||||
+ * These need to be exposed for the unit tests.
|
||||
+ */
|
||||
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
|
||||
+ unsigned int *md_size);
|
||||
+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
|
||||
+ unsigned int *md_size);
|
||||
+int rand_crngt_init(void);
|
||||
+void rand_crngt_cleanup(void);
|
||||
+
|
||||
+/*
|
||||
+ * Expose the run once initialisation function for the unit tests because.
|
||||
+ * they need to restart from scratch to validate the first block is skipped
|
||||
+ * properly.
|
||||
+ */
|
||||
+int rand_crngt_single_init(void);
|
||||
+
|
||||
#endif
|
||||
diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
|
||||
--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
|
||||
|
||||
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
|
||||
|
||||
+/* CRNG test entropy filter callbacks. */
|
||||
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
|
||||
+ unsigned char **pout,
|
||||
+ int entropy, size_t min_len, size_t max_len,
|
||||
+ int prediction_resistance);
|
||||
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
|
||||
+ unsigned char *out, size_t outlen);
|
||||
+
|
||||
/*
|
||||
* RAND_POOL functions
|
||||
*/
|
||||
diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
|
||||
--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200
|
||||
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
|
||||
return t->noncelen;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Disable CRNG testing if it is enabled.
|
||||
+ * If the DRBG is ready or in an error state, this means an instantiate cycle
|
||||
+ * for which the default personalisation string is used.
|
||||
+ */
|
||||
+static int disable_crngt(RAND_DRBG *drbg)
|
||||
+{
|
||||
+ static const char pers[] = DRBG_DEFAULT_PERS_STRING;
|
||||
+ const int instantiate = drbg->state != DRBG_UNINITIALISED;
|
||||
+
|
||||
+ if (drbg->get_entropy != rand_crngt_get_entropy)
|
||||
+ return 1;
|
||||
+
|
||||
+ if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
|
||||
+ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
|
||||
+ &rand_drbg_cleanup_entropy,
|
||||
+ &rand_drbg_get_nonce,
|
||||
+ &rand_drbg_cleanup_nonce))
|
||||
+ || (instantiate
|
||||
+ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
|
||||
+ sizeof(pers) - 1)))
|
||||
+ return 0;
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static int uninstantiate(RAND_DRBG *drbg)
|
||||
{
|
||||
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
|
||||
@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
|
||||
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
|
||||
return 0;
|
||||
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||
- kat_nonce, NULL))) {
|
||||
+ kat_nonce, NULL))
|
||||
+ || !TEST_true(disable_crngt(drbg))) {
|
||||
failures++;
|
||||
goto err;
|
||||
}
|
||||
@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
|
||||
unsigned int reseed_counter_tmp;
|
||||
int ret = 0;
|
||||
|
||||
- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
|
||||
+ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
|
||||
+ || !TEST_true(disable_crngt(drbg)))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
|
||||
|| !TEST_ptr_eq(private->parent, master))
|
||||
return 0;
|
||||
|
||||
+ /* Disable CRNG testing for the master DRBG */
|
||||
+ if (!TEST_true(disable_crngt(master)))
|
||||
+ return 0;
|
||||
+
|
||||
/* uninstantiate the three global DRBGs */
|
||||
RAND_DRBG_uninstantiate(private);
|
||||
RAND_DRBG_uninstantiate(public);
|
||||
@@ -964,7 +995,8 @@ static int test_rand_seed(void)
|
||||
size_t rand_buflen;
|
||||
size_t required_seed_buflen = 0;
|
||||
|
||||
- if (!TEST_ptr(master = RAND_DRBG_get0_master()))
|
||||
+ if (!TEST_ptr(master = RAND_DRBG_get0_master())
|
||||
+ || !TEST_true(disable_crngt(master)))
|
||||
return 0;
|
||||
|
||||
#ifdef OPENSSL_RAND_SEED_NONE
|
||||
@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * A list of the FIPS DRGB types.
|
||||
+ */
|
||||
+static const struct s_drgb_types {
|
||||
+ int nid;
|
||||
+ int flags;
|
||||
+} drgb_types[] = {
|
||||
+ { NID_aes_128_ctr, 0 },
|
||||
+ { NID_aes_192_ctr, 0 },
|
||||
+ { NID_aes_256_ctr, 0 },
|
||||
+};
|
||||
+
|
||||
+/* Six cases for each covers seed sizes up to 32 bytes */
|
||||
+static const size_t crngt_num_cases = 6;
|
||||
+
|
||||
+static size_t crngt_case, crngt_idx;
|
||||
+
|
||||
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
|
||||
+ unsigned int *md_size)
|
||||
+{
|
||||
+ size_t i, z;
|
||||
+
|
||||
+ if (!TEST_int_lt(crngt_idx, crngt_num_cases))
|
||||
+ return 0;
|
||||
+ /* Generate a block of unique data unless this is the duplication point */
|
||||
+ z = crngt_idx++;
|
||||
+ if (z > 0 && crngt_case == z)
|
||||
+ z--;
|
||||
+ for (i = 0; i < CRNGT_BUFSIZ; i++)
|
||||
+ buf[i] = (unsigned char)(i + 'A' + z);
|
||||
+ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
|
||||
+}
|
||||
+
|
||||
+static int test_crngt(int n)
|
||||
+{
|
||||
+ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
|
||||
+ RAND_DRBG *drbg = NULL;
|
||||
+ unsigned char buff[100];
|
||||
+ size_t ent;
|
||||
+ int res = 0;
|
||||
+ int expect;
|
||||
+
|
||||
+ if (!TEST_true(rand_crngt_single_init()))
|
||||
+ return 0;
|
||||
+ rand_crngt_cleanup();
|
||||
+
|
||||
+ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
|
||||
+ return 0;
|
||||
+ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
|
||||
+ crngt_case = n % crngt_num_cases;
|
||||
+ crngt_idx = 0;
|
||||
+ crngt_get_entropy = &crngt_entropy_cb;
|
||||
+ if (!TEST_true(rand_crngt_init()))
|
||||
+ goto err;
|
||||
+#ifndef OPENSSL_FIPS
|
||||
+ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
|
||||
+ &rand_crngt_cleanup_entropy,
|
||||
+ &rand_drbg_get_nonce,
|
||||
+ &rand_drbg_cleanup_nonce)))
|
||||
+ goto err;
|
||||
+#endif
|
||||
+ expect = crngt_case == 0 || crngt_case > ent;
|
||||
+ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
|
||||
+ goto err;
|
||||
+ if (!expect)
|
||||
+ goto fin;
|
||||
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
|
||||
+ goto err;
|
||||
+
|
||||
+ expect = crngt_case == 0 || crngt_case > 2 * ent;
|
||||
+ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
|
||||
+ goto err;
|
||||
+ if (!expect)
|
||||
+ goto fin;
|
||||
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
|
||||
+ goto err;
|
||||
+
|
||||
+fin:
|
||||
+ res = 1;
|
||||
+err:
|
||||
+ if (!res)
|
||||
+ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
|
||||
+ crngt_case, crngt_idx);
|
||||
+ uninstantiate(drbg);
|
||||
+ RAND_DRBG_free(drbg);
|
||||
+ crngt_get_entropy = &rand_crngt_get_entropy_cb;
|
||||
+ return res;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
|
||||
@@ -1025,5 +1146,6 @@ int setup_tests(void)
|
||||
#if defined(OPENSSL_THREADS)
|
||||
ADD_TEST(test_multi_thread);
|
||||
#endif
|
||||
+ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
|
||||
return 1;
|
||||
}
|
@ -1,200 +0,0 @@
|
||||
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
|
||||
--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
|
||||
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
+#include <openssl/crypto.h>
|
||||
#include "internal/nelem.h"
|
||||
|
||||
typedef struct {
|
||||
@@ -237,6 +238,7 @@ static const struct {
|
||||
|
||||
typedef struct _ec_list_element_st {
|
||||
int nid;
|
||||
+ int fips_allowed;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_METHOD *(*meth) (void);
|
||||
const char *comment;
|
||||
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#else
|
||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#endif
|
||||
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
"SECG curve over a 256 bit prime field"},
|
||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp384_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 384 bit prime field"},
|
||||
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp521_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
|
||||
# endif
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
/* X9.62 curves */
|
||||
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
|
||||
#if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
# elif defined(S390X_EC_ASM)
|
||||
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||
|
||||
for (i = 0; i < curve_list_length; i++)
|
||||
if (curve_list[i].nid == nid) {
|
||||
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
|
||||
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
|
||||
+ return NULL;
|
||||
+ }
|
||||
ret = ec_group_new_from_data(curve_list[i]);
|
||||
break;
|
||||
}
|
||||
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||
|
||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||
{
|
||||
- size_t i, min;
|
||||
+ size_t i, j, num;
|
||||
+ int fips_mode = FIPS_mode();
|
||||
|
||||
- if (r == NULL || nitems == 0)
|
||||
- return curve_list_length;
|
||||
+ num = curve_list_length;
|
||||
+ if (fips_mode)
|
||||
+ for (i = 0; i < curve_list_length; i++) {
|
||||
+ if (!curve_list[i].fips_allowed)
|
||||
+ --num;
|
||||
+ }
|
||||
|
||||
- min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||
+ if (r == NULL || nitems == 0) {
|
||||
+ return num;
|
||||
+ }
|
||||
|
||||
- for (i = 0; i < min; i++) {
|
||||
- r[i].nid = curve_list[i].nid;
|
||||
- r[i].comment = curve_list[i].comment;
|
||||
+ for (i = 0, j = 0; i < curve_list_length; i++) {
|
||||
+ if (j >= nitems)
|
||||
+ break;
|
||||
+ if (!fips_mode || curve_list[i].fips_allowed) {
|
||||
+ r[j].nid = curve_list[i].nid;
|
||||
+ r[j].comment = curve_list[i].comment;
|
||||
+ ++j;
|
||||
+ }
|
||||
}
|
||||
|
||||
- return curve_list_length;
|
||||
+ return num;
|
||||
}
|
||||
|
||||
/* Functions to translate between common NIST curve names and NIDs */
|
||||
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
|
||||
--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
|
||||
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
|
||||
@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
|
||||
#endif
|
||||
};
|
||||
|
||||
+static const uint16_t tls12_fips_sigalgs[] = {
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
|
||||
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
|
||||
+#endif
|
||||
+
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
|
||||
+
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
|
||||
+
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ TLSEXT_SIGALG_ecdsa_sha224,
|
||||
+#endif
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
|
||||
+#ifndef OPENSSL_NO_DSA
|
||||
+ TLSEXT_SIGALG_dsa_sha224,
|
||||
+ TLSEXT_SIGALG_dsa_sha256,
|
||||
+ TLSEXT_SIGALG_dsa_sha384,
|
||||
+ TLSEXT_SIGALG_dsa_sha512,
|
||||
+#endif
|
||||
+};
|
||||
+
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static const uint16_t suiteb_sigalgs[] = {
|
||||
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||
@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
|
||||
}
|
||||
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
|
||||
return NULL;
|
||||
+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
|
||||
+ return NULL;
|
||||
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
|
||||
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
||||
|
||||
@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
|
||||
} else if (s->cert->conf_sigalgs) {
|
||||
*psigs = s->cert->conf_sigalgs;
|
||||
return s->cert->conf_sigalgslen;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ *psigs = tls12_fips_sigalgs;
|
||||
+ return OSSL_NELEM(tls12_fips_sigalgs);
|
||||
} else {
|
||||
*psigs = tls12_sigalgs;
|
||||
return OSSL_NELEM(tls12_sigalgs);
|
||||
@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
|
||||
if (s->cert->conf_sigalgs) {
|
||||
sigs = s->cert->conf_sigalgs;
|
||||
siglen = s->cert->conf_sigalgslen;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ sigs = tls12_fips_sigalgs;
|
||||
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
|
||||
} else {
|
||||
sigs = tls12_sigalgs;
|
||||
siglen = OSSL_NELEM(tls12_sigalgs);
|
||||
@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
|
||||
if (lu->sig == NID_id_GostR3410_2012_256
|
||||
|| lu->sig == NID_id_GostR3410_2012_512
|
||||
|| lu->sig == NID_id_GostR3410_2001) {
|
||||
+ if (FIPS_mode())
|
||||
+ return 0;
|
||||
/* We never allow GOST sig algs on the server with TLSv1.3 */
|
||||
if (s->server && SSL_IS_TLS13(s))
|
||||
return 0;
|
||||
@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
|
||||
const uint16_t *sent_sigs;
|
||||
size_t sent_sigslen;
|
||||
|
||||
+ if (fatalerrs && FIPS_mode()) {
|
||||
+ /* There are no suitable legacy algorithms in FIPS mode */
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
+ SSL_F_TLS_CHOOSE_SIGALG,
|
||||
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
|
||||
+ return 0;
|
||||
+ }
|
||||
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
|
||||
if (!fatalerrs)
|
||||
return 1;
|
File diff suppressed because it is too large
Load Diff
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user